On Wed, Oct 1, 2014 at 11:27 PM, Kevin Wayne Williams kwwilliams@kwwilliams.com wrote:
Focusing on what signature we can obtain from (or plant on) the device and how to make that signature available to and manageable by admins is the key.
I used to do this for a living in the name of "credit card fraud prevention". Not only is it a difficult problem, but it is also evil.
You will not find a method that is foolproof. It is completely possible to partition the browser space into 90% known good and 10% "looks funny". Separating the wheat from the chaff in that 10% is the hard problem, however. In the retail space this grey area ends up being managed by heuristics, ad hoc rules that only apply for a brief period of time, and labor-intensive manual review. Ultimately in the retail space it comes down to letting in enough bad actors that you don't exclude more sales than necessary. You figure out what your acceptable loss rate is and manage the real-time transaction approval stream to maximize sales while keeping losses at or below an acceptable threshold. That threshold is typically something between 1% and 1.5% of your total sales volume by both transaction count and dollar value.
In a space where we are actually arguing that there is a potential of loss of life for exposed actors, I don't think that it is reasonable at all to discuss ways to increase the risk of exposure by creating and publishing (oh yeah, we are open source and open config for most things here) a recipe for tracking users in a durable fashion based on device fingerprints and other sticky token techniques.
Bryan