PRESS RELEASE

Stamford, Conn., April 22, 2010 — Online service providers, such as online banks and e-commerce sites, should start planning to phase out their reliance on Flash local storage (also referred to as local shared objects and Flash cookies) for device identification-based fraud detection, according to Gartner, Inc. Mounting global regulatory concerns over consumer privacy, and Adobe's responses with new privacy settings in its Flash player, are driving this transition.

"The days of tagging customer PCs to identify 'good' customers logging into user accounts are numbered, as regulatory privacy concerns and privacy settings in Adobe Flash Player 10.1 give end users explicit control over information downloaded to their PCs using Flash Player," said Avivah Litan, vice president and distinguished analyst at Gartner. "Service providers who depend on Flash to identify client devices — such as PCs — in order to prevent fraud should evaluate and implement alternative technologies."

Local shared objects (LSOs) are used widely by banks and other online service providers to tag good customer PCs and to prevent unauthorized and fraudulent access to customer accounts. However, this model will become obsolete during the next three years due to privacy concerns and new software privacy settings. Ms. Litan said that clientless device identification is a good — and sometimes better — substitute for identifying fraudsters and preventing unauthorized account access. Gartner predicts that by year-end 2012, 70 percent of applications that rely on customer PC tagging will be using clientless device identification.

"Enterprises have two basic alternatives to cookies when it comes to using client device identification (CDI) to help authenticate legitimate authorized users," said Ms. Litan. "These include special software installed on a client PC, or server-based CDI that does not rely on any software stored on a PC."

PC inspection software provides richer information than server-based clientless CDI software. It can read information from the operating system registry, serial numbers off a hard drive or the Media Access Control ID from an Ethernet card. The barrier to using this setup is that banks and other online service providers are strongly averse to managing and supporting desktop software, even if they can delegate most of the support function to a third party. They don't want responsibility for user desktops and computing devices due to liability, privacy and support concerns.

Server-based clientless CDI programs are less reliable than LSOs when it comes to identifying good customers but can be more reliable in identifying fraudsters who are posing as first-time or spontaneous customers, or who have figured out how to get around cookie identification (for example, by using man-in-the-browser attacks). Server-based CDI identifies a user's machine by reading information from the user's browser.

"CDI is a useful tool in fraud detection and gives even the savviest enterprises that already use a host of other fraud detection tools a 15 to 25 percent lift in fraud detection rates and should not be discarded just because Flash local storage as a CDI tool needs to be phased out," said Ms. Litan. "A layered security approach is always the best, and CDI plays an important role in these layers. Even two-factor-strong authentication has been beaten by the crooks lately, so the more security, fraud detection and user authentication layers, the better."

Gartner advises service providers to also consider explicit and secure downloads of tagging software that legitimate customers want on their PCs and other devices. Some customers will be willing to opt in to these downloads in order to partake of device-tagging benefits, such as customized surfing navigation or being able to avoid redundant entry of information, such as a billing address, each time a purchase is made.

Additional information is available in the report "Privacy Collides With Fraud Detection and Crumbles Flash Cookies," which is available on the Gartner's website at http://www.gartner.com/resId=1297620.

Ms. Litan will provide more commentary on the future of identification-based fraud detection at Gartner's Security & Risk Management Summit, June 21-23 in Washington D.C. This Summit is the premier conference and meeting place for IT and business executives responsible for creating, implementing and managing a proactive and comprehensive IT strategy for information security, risk management, compliance and business continuity management. Members of the media can register for the Summit by contacting Christy Pettey, Gartner PR, at [email protected]. For further information on the Security & Risk Management Summit, please visit www.gartner.com/us/itsecurity.

Additional information from the event will be shared on Twitter at http://twitter.com/Gartner_inc and using #GartnerSecurity.

About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 4,000 associates, including 1,200 research analysts and consultants in 80 countries. For more information, visit www.gartner.com.