How can my banking web site uniquely identify computers?

3

1

My online banking web site can uniquely identify computers (Windows OS) on my home LAN.

Identity confirmation is done for each web browser on the computer. That is, when I try to access their web site the first time from a specific computer, they ask me to confirm my identity by sending me a specific code that I have to enter on the web site. Once I have entered the code, the next time they remember my computer/web browser. This is an extra security measure in addition to supplying username/password.

How is it done?

It is not the IP addresses because the NAT hides them from outside. Cookies can also be ruled out. The banking web site claims that they use cookies for tracking, but I deleted cookies (tried it several times with different browsers) and it still worked.

Could it be a unique HTTP header that I am not aware of? Or is it something more sophisticated at a low level, like the MAC address? As far as I know, with IPv4, MAC addresses don't get outside the LAN.

It could also be some unique fingerprinting algorithm that uses a combination of parameters.

user2502844

Posted 2013-07-30T15:04:03.577

Reputation: 39

1

It may be taking into account the user agent string (http://www.whatsmyuseragent.com/) among other factors. The IP address is probably the most important thing. Also, web sites can store persistent data using methods other than cookies.

– James P – 2013-07-30T15:55:33.513

Are you sure you deleted cookies correctly? Most banks I know of use plain old-fashioned cookies. – Scott Chamberlain – 2013-07-30T18:12:11.733

Answers

1

It could be local storage. I thought that Firefox warns you when a website wants to use local storage. If a banking site does this to store a login session, that would be bad practice, so I don't think that this is what is happening. However, you can check the local storage with the following Firebug extension: https://addons.mozilla.org/en-US/firefox/addon/firestorage-plus/

Other than that, there are Flash cookies, which are maybe not deleted by your browser. You may need another addon for that.

Then there are ways to fingerprint your computer. There are scripts that can see what plugins and fonts you have installed. That plus some other settings is usually a good way to uniquely identify you, together with your IP address.

Still, I would be mad as hell if my bank used this to let me log in to my account. Using these techniques is good for webshops that want to follow you around. More than that and it's a security issue.


NB: upon reading the question again, I see this is only an extra measure to identify the computer, not to let the user log in. This will only make things safer if you're warned when somebody tries to log in from another computer, by email, or with a warning after logging in on a known computer.

SPRBRN

Posted 2013-07-30T15:04:03.577

Reputation: 5 185

1

Regarding plugins and fonts: https://panopticlick.eff.org/

– slhck – 2013-07-30T17:26:04.330

@rxt, I believe local storage (web storage) is deleted when cookies are deleted. At least that is how IE8 works. If it is Flash cookies, then disabling the Flash plugin should make this unusable, right? I will need to try that. I checked panopticlick.eff.org, and it seems like a decent way to fingerprint, but it is not 100% foolproof. – user2502844 – 2013-07-30T18:17:45.357

Believing is not enough. Cookies and web storage are separate things, and I can imagine that they are handled differently. Disabling the Flash plugin should disable flash cookies; test it to be sure! – SPRBRN – 2013-07-30T18:23:30.383

@slhck - thanks! I just tested and got this back: Your browser fingerprint appears to be unique among the 3,180,915 tested so far. Not good! – SPRBRN – 2013-07-30T18:24:37.280

@rxt, I confirmed that in IE web browser, web storage is deleted when cookies are deleted: http://webdevwonders.com/clear-dom-storage/

– user2502844 – 2013-07-31T13:42:26.557

0

The only other option which is available on almost every browser besides cookies is web storage. Since you say that cleaning cookies doesn't help, try cleaning local storage (and double-check that you really deleted all the cookies).

Petr Abdulin

Posted 2013-07-30T15:04:03.577

Reputation: 1 706