
Online banking ID tech equals privacy threat?

Who's watching you?

By Elinor Mills

Published: 24 April 2009 11:43 GMT

A widely used technology to authenticate users when they log in for online banking may help reduce fraud but it does so at the expense of consumer privacy, a civil liberties attorney said during a panel at the RSA security conference on Thursday.

When logging into bank websites, users are typically asked for their username and password. But that's not all that is happening. Behind the scenes, the server tries to identify the device being used, in order to verify that the person logging in is the person whose account is being accessed, on the assumption that most people use the same computer for banking.

Wachovia, which recently merged with Wells Fargo, tags the consumer's computer with a unique identifier, said Chris Mathes, an information technology specialist in online customer protection at the bank.

The technology not only can be used to allow legitimate customers into websites but also to block computers that have been targeted as "bad actors", said Todd Inskeep, a senior vice president for the Center for the Future of Banking at Bank of America.

Another device fingerprinting technology provided by 41st Parameter is similar but doesn't tag the computer. Instead, the technology figures out the degree of probability that the computer accessing the site is the one that should be accessing it by querying the computer for things like time zone, language, browser type, Flash ID, cookie ID and IP address, said Ori Eisen, founder of the company. If enough of the answers match, the account can be accessed.

The 41st Parameter technology is being used by 120 large e-commerce companies, including the top five banks in the US, US Airways and Continental Airlines, Eisen said in an interview.

Even though none of the information gathered during a login is personally identifiable, the bank shouldn't have to collect regular data on when, how often and from where a consumer accesses a bank account, said Jennifer Granick of the Electronic Frontier Foundation. Such information can be compiled with other, more sensitive information to create profiles and cross-referenced to learn more about consumers, she said.

For instance, the bank could learn who a consumer's roommate is if the same computer is used regularly to access different accounts, Granick said. Consumers also could be deemed suspicious for breaking with their patterns on deposits or withdrawals or the information could be sold to advertisers, she added.

"There is very little privacy protection in the US for this type of information," Granick said. "We don't want it shared with affiliates that do advertising." There should be restrictions on how long the bank will keep the data, who it can share it with and for what purposes, she added.

Eisen said his technique was more "privacy friendly" because it doesn't assign identification numbers to devices. The questions posed to computers by his technology are akin to what WebTrends and Google Analytics find out from computers for web analytics purposes, he said.

Granick wasn't convinced, noting that even without a unique device identifier, the bank is still able to monitor consumer transactional patterns.
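The attribute matching Eisen describes, sketched as an added example (not 41st Parameter's or any bank's code). The weights, the threshold, the `step_up` outcome and the per-account HMAC key, which keeps raw values out of the stored profile and stops profiles from different accounts being joined on the same device, are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed weights (points out of 100) per attribute named in the article.
WEIGHTS = {"cookie_id": 30, "flash_id": 25, "browser_type": 15,
           "time_zone": 10, "language": 10, "ip_address": 10}
THRESHOLD = 60  # assumed cut-off for "enough of the answers match"


def digest(key: bytes, name: str, value: str) -> str:
    """Keyed hash of one attribute, so the stored profile holds no raw values."""
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def enroll(key: bytes, attrs: dict) -> dict:
    """Profile saved after a trusted login: one digest per known attribute."""
    return {n: digest(key, n, v) for n, v in attrs.items() if n in WEIGHTS}


def match_score(key: bytes, profile: dict, attrs: dict) -> int:
    """Add up the weights of attributes whose digest equals the enrolled one."""
    score = 0
    for name, weight in WEIGHTS.items():
        known, seen = profile.get(name), attrs.get(name)
        if known is None or seen is None:
            continue  # a missing answer (e.g. cleared cookie) earns no credit
        if hmac.compare_digest(known, digest(key, name, seen)):
            score += weight
    return score


def decide(key: bytes, profile: dict, attrs: dict) -> str:
    """'allow' at or above the threshold, otherwise ask for extra verification."""
    return "allow" if match_score(key, profile, attrs) >= THRESHOLD else "step_up"


# Constructed sample data: keys, attribute values and addresses are made up.
KEY_A, KEY_B = b"per-account-key-A", b"per-account-key-B"
HOME_PC = {"cookie_id": "c-1001", "flash_id": "f-2002", "browser_type": "Firefox 3.0",
           "time_zone": "UTC-8", "language": "en-US", "ip_address": "192.0.2.10"}
# Same machine later: cookie cleared and a new IP address from the ISP.
SAME_PC_LATER = {k: v for k, v in HOME_PC.items() if k != "cookie_id"}
SAME_PC_LATER["ip_address"] = "192.0.2.77"
# Unrelated machine that only shares time zone and language.
OTHER_PC = {"cookie_id": "c-9", "flash_id": "f-9", "browser_type": "IE 7",
            "time_zone": "UTC-8", "language": "en-US", "ip_address": "198.51.100.5"}

if __name__ == "__main__":
    profile = enroll(KEY_A, HOME_PC)
    print(match_score(KEY_A, profile, SAME_PC_LATER), decide(KEY_A, profile, SAME_PC_LATER))
    print(match_score(KEY_A, profile, OTHER_PC), decide(KEY_A, profile, OTHER_PC))
```

The key only limits what sits in storage: the server still sees the raw answers at each login, which is the monitoring Granick objects to.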

Original article: Device identification in online banking is privacy threat, expert says from CNET News.com
