Dark Reading is part of the Informa Tech Division of Informa PLC


Adobe's New Privacy Feature For Flash Clashes With Online Fraud Detection

Financial institutions, ecommerce sites will no longer be able to rely on Flash objects, cookies to help ID legitimate users, experts say

When Adobe releases Flash Player 10.1 in the next couple of months, users of the application will have clearer, easier-to-set privacy options for their browser cookies. But more user privacy comes at the expense of fraud detection processes: The upgraded software is likely to disrupt some ecommerce and online banking sites that rely on cookies as another layer to authenticate their customers.

The new version of Adobe's Flash, currently in beta, makes its privacy settings more prominent and explicit to the user and also supports private browsing, which lets a user browse without logging his browsing history on his machine.

Adobe says it added these features due to concerns that some websites were using Flash's local storage features to store machine IDs without the user's consent or knowledge. For example, even if a user had cleared his cookies, these sites would keep a backup of them in Flash's Local Storage so they could restore the deleted cookies -- without the user knowing or realizing it.

Many ecommerce and online banking sites use these so-called user "tags" to confirm the user is legitimate and to prevent unauthorized access to legit user accounts on their sites. But Adobe's move to let users wipe Flash cookies clean signals the end of this practice, security experts say, making it obsolete in the next three years.

Adobe maintains that its existing local storage features in Flash weren't meant for storing machine IDs without the user's permission or knowledge. "Protecting end-user privacy is an important issue to Adobe, and we are continuously investigating new ways to help ensure that our customers can control their own information," an Adobe spokesperson said.

But industry analysts say regulatory pressure from the European Union's new privacy laws, as well as the possibility of U.S. Federal Trade Commission rules aimed at companies that track customers online without their consent or knowledge, were the main reasons for Adobe's privacy features in Flash. "This is basically Adobe moving in this direction in response to EU rules and regulations," says Avivah Litan, vice president and distinguished analyst at Gartner.

In a letter (PDF) to the Federal Trade Commission earlier this year, Adobe said it will continue to take actions to stop the "misuse of Local Storage to re-spawn cookies after the user has deleted them" and that it has contacted "major browser companies" to figure out how users can easily control their Flash Local Storage when they configure their privacy settings in their browsers.

Meanwhile, Gartner's Litan says the fallout from the new Flash privacy features is another example of how privacy and fraud protection often clash. "A lot of rules protecting consumer privacy are bad for fraud protection," says Litan, who recently wrote a research note regarding the conflict between privacy and fraud detection.

If Flash's new privacy features are widely adopted by users, then it will have a major ripple effect on online banking, she says. "Not only does it make the settings [more prominent], but whenever a website tries to drop a Flash object on a PC...an ominous message comes on the screen and asks, 'Do you really want this code on your PC?' Most users are going to say no," Litan says.

Legitimate users could also feel the pinch if the site can't use their cookies. Ori Eisen, founder and chief innovation officer for 41st Parameter, says it could degrade the user experience. "Up until now, you were a customer for 10 years that was never challenged...you were recognized by your cookie they placed on your [machine] or in Flash. When you invoke this new Flash [privacy] technology, we have to challenge you at the door" if the website doesn't deploy a new form of fraud detection, Eisen says. That will affect both the user experience and the call center that must field complaints, he says.

Eisen predicts that the arrival of the new version of Flash will result in about 5 percent of legitimate customers being challenged: "After June, they're going to have a customer service issue on their hands," he says of websites that still rely on Flash objects.

And businesses will be forced to adopt different fraud prevention approaches, which Litan says is good news for fraud detection: "Banks and others will have to rely on more sophisticated technologies," she says. "Flash objects and cookies are good at identifying good people, but they do nothing to identify bad people. Bad people aren't going to have these objects on their PCs."

Some of the largest financial institutions and ecommerce players already are starting to implement alternative authentication methods, she says. She suggests clientless device identification as well as secure downloads of tagging software users can be prompted to execute.

41st Parameter's Eisen, meanwhile, says it all comes down to the Web's inherent lack of security. "We've been patching it nicely since 1995, but the house of cards is beginning to shake," he says. "We may start to think...about what to do to solve the security problems as an industry."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
