3
1
My online banking web site can uniquely identify computers (Windows OS) on my home LAN.
Identity confirmation is done for each web browser on the computer. That is, when I try to access their web site the first time from a specific computer, they ask me to confirm my identity by sending me a specific code that I have to enter on the web site. Once I have entered the code, the next time they remember my computer/web browser. This is an extra security measure in addition to supplying username/password.
How is it done?
It is not the IP addresses because the NAT hides them from outside. Cookies can also be ruled out. The banking web site claims that they use cookies for tracking, but I deleted cookies (tried it several times with different browsers) and it still worked.
Could it be a unique HTTP header that I am not aware of? Or is it something more sophisticated at the low level like MAC address? As far as I know, with IpV4, MAC addresses don't get outside of LAN.
It could also be some unique fingerprinting algorithm that uses a combination of parameters.
1
It may be taking into account the user agent string (http://www.whatsmyuseragent.com/) among other factors. The IP address is probably the most important thing. Also, web sites can store persistent data using methods other than cookies.
– James P – 2013-07-30T15:55:33.513Are you shure you deleted cookies correctly? Most banks I know of use use plain old fashoned cookies. – Scott Chamberlain – 2013-07-30T18:12:11.733