Digital Fingerprint
From MgmtWiki
Latest revision as of 11:42, 21 August 2019
Full Title or Meme
A Digital Fingerprint is a collection of data about some digital object that is likely to be invariant, and so can be used as an Identifier of that object.
Context
- The original Digital Fingerprint is a hash of a digital object, like a user's public key, that can be used as an Identifier of the object.
- Internet web servers have long kept logs of the data flowing over the wire in the HTTP web protocol. That has been used for some time to establish a pattern of data about a user that can be used in Fraud Detection. Most of us have experienced a Web Site complaining that the device we are using has not been used before, based on data in the HTTP log, specifically the IP address used to access the site.
- Now that a site can run JavaScript programs in any browser, there is a new trove of data that it can collect and use in Fraud Detection: user agent, language, screen geometry, time zone, installed plugins, canvas and WebGL rendering results, and so on.
Problems
- Use of Digital Fingerprints built from data that can be spoofed by an attacker is simply part of the game of "cat and mouse" between the fraud detection services and the hackers. Eventually the hackers learn what data is requested and create programs that supply that data to the Web Site on demand. The owner of a computer can always take complete control of all of the resources of the computer if they have the talent to do so, and so can make it report whatever values the fingerprint expects.
- If the data that is used in the fingerprint is publicly available, then any hacker that can access the data can create the fingerprint.
- In the original use, the fingerprint of a public key, this is no problem: the fingerprint only needs to identify the key, not prove who holds it. In the case where the fingerprint is used in Fraud Detection it defeats the purpose of the fingerprint.
- The Genesis store that sells "digital browser fingerprints" now has a competitor. A new site called RichLogs launched in April and provides similar services. It sells browser fingerprints so that hackers can hijack victims' accounts without triggering account-fraud alerts (source: https://twitter.com/campuscodi/status/1134958433243926530). Shutting one of these sites down will just encourage others to fill the void.
Solutions
- The best fingerprint is actually an encrypted cookie, set by the web site and stored by the browser on the user's device. This is not 100% fool-proof, but it would require an attacker to clone the user's data on the device, the cookie store in particular, to enable the attack.
- As long as Digital Fingerprinting remains a "cat and mouse" game, there will be a new generation of hackers finding an attack that works. So secure solutions should be employed that can only be broken when quantum computing becomes available, and even then we expect to see quantum-resistant ciphers approved by NIST.
- For completely secure connections, the only known solution today is a private credential stored in a secure storage location, since the only truly secure Credential is one with a secret that the Subject owns and can securely control.