When I access my bank account, it asks extra security questions if it doesn’t “recognize” my computer. However, it seems that the bank computer isn’t going by my IP address, because the IP address changes regularly.
How does this work? And is every web site I visit able to track me like this?
Not cookies in my case, because I use a script when I quit my browser that deletes the cookies and a bunch of other stuff.
I have to punch in or paste in my client card/user name and a password, and because there are no bank cookies from any previous session, I have to answer one of three questions the bank has on file (that I can change whenever I want to).
So the bank allegedly knows it’s me from all three entries.
I think the point is that if you did allow the cookie it wouldn’t tell you that it doesn’t recognize you on your next visit and you wouldn’t have to answer the extra security questions next time.
But in general some other things they could also look at are your operating system and browser and versions. I think I have triggered this with my online banking before after doing a browser update (but that might have also somehow changed cookies). I’m not positive but I think they can look at your MAC address (the hardware identification number of your network card or router). They might look for a change in pattern from the times you normally log in to the account and trigger the security questions if it’s an odd time.
The Adobe Flash plugin supports cookies of its own. Clearing the browser’s cookies doesn’t affect these. The web app could be using them instead of or in addition to regular browser cookies.
This site will let you see what unique identifiers you are sending to web sites via all kinds of things you might not think about. They include time zone and regional settings on the computer, what plug-ins are installed, screen size and resolution, default system fonts, etc. The browser is actually privy to all kinds of information that can, when all combined, provide a pretty unique fingerprint.
I see something similar. TD Ameritrade recognizes me no matter how I purge my cookies or flash cookies. Yet, when I clean my registry and defrag, it can no longer recognize me. But Crazyhorse, that link is very impressive. I thought possibly sites were checking hardware installed, like Microsoft’s old installation verification.
Although that might get used for nefarious purposes, I very much doubt whether institutions like banks would be using it to recognize clients. It would be unreliable and a security risk.
In my experience, any sites, including my bank, that are open about recognizing me, no longer do so after I have cleared my regular cookies.
I’m pretty confident they are using it. I believe it because my bank’s computer repeatedly recognized me even though I cleared cookies (including flash cookies). Then I changed the time zone and it no longer recognized me. (Note that even if it recognizes you, it still asks for your password.)
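An added example, not part of any post in this thread and not any bank's actual code: a server-side sketch of the device recognition being discussed, where a cleared cookie falls back to a hash of browser-reported attributes and a changed time zone brings back the extra question. The attribute names, the token and the account structure are assumptions, and the sample values are constructed.

```python
import hashlib
import hmac
import json

# Attribute kinds mentioned in the thread; the key names are assumptions.
FINGERPRINT_KEYS = ("user_agent", "timezone", "screen", "fonts", "plugins")


def fingerprint(attrs):
    """Hash a canonical form of the browser-reported attributes."""
    picked = {k: attrs.get(k) for k in FINGERPRINT_KEYS}  # IP is ignored
    canonical = json.dumps(picked, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def remember_device(account, cookie_token, attrs):
    """Record a device once the extra question was answered correctly."""
    account["device_tokens"].add(cookie_token)
    account["known_fingerprints"].add(fingerprint(attrs))


def needs_security_question(account, cookie_token, attrs):
    """Decide whether this login gets the extra question.

    The password check is separate and always required; a match here only
    means the device looks like one seen before, not that the user is proven.
    """
    if cookie_token is not None and any(
        hmac.compare_digest(cookie_token, known)
        for known in account["device_tokens"]
    ):
        return False  # device cookie still present
    # Cookie missing (for example cleared on exit): fall back to fingerprint.
    return fingerprint(attrs) not in account["known_fingerprints"]


# Constructed sample data, not taken from any real site.
BROWSER = {
    "user_agent": "ExampleBrowser/1.0 (ExampleOS)",
    "timezone": "America/New_York",
    "screen": "1920x1080x24",
    "fonts": ["Arial", "Courier New", "Times New Roman"],
    "plugins": ["ExamplePDFViewer"],
}
ACCOUNT = {"device_tokens": set(), "known_fingerprints": set()}
remember_device(ACCOUNT, "constructed-device-token", BROWSER)
```

Because the fingerprint is an exact hash, any single attribute change (a new time zone, a browser update that alters the user agent) makes the device look new, which matches the behaviour several posters report.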
If you say so. As I said, for my bank, and for every other site I can think of (Yahoo, Hotmail etc.) that will tell me if it recognizes me, a simple cookie clearing is enough to make me at least ostensibly anonymous again. I think most of this sort of tracking, for legitimate purposes like this, is done by cookies. It is, basically, what cookies were meant for, and, unless the site is trying to do something behind the user’s back (and even then, a lot of the time), they are adequate to the purpose.
Crazyhorse’s site found my computer to be unique amongst 1,842,744, which is plenty scary, but it hardly guarantees unique recognition. It is perfectly possible that some other computer somewhere would have the same signature. I hope your bank is not relying on recognition on that sort of basis.
Well, when my bank remembers me, it automatically fills in my username and knows which state my account is in, both things I otherwise have to enter. That is two security issues right there. My password is the only remaining protection. I used to have a fairly simple username and a while back I was told that there was evidence that someone had been trying to hack my account (unsuccessfully, thankfully). The bank advised me to switch to a less obvious username.
I see. It’s not like that with my bank. Even if it recognizes your computer, you still have to put in your user id and password. It never asks what state the account is in, although anyone who has seen one of my checks would know.
It can’t be the MAC address; your bank’s server cannot reliably determine your MAC address - the only thing passed all the way along with the packet would be IP. As soon as the packets travel through a switch or router they will be updated with that device’s MAC.
Another thing they might use is reverse DNS lookup (although I don’t think it can be this in brazil84’s case, as changing the time zone blocked the identification). This would enable them to identify your ISP and, depending on how your ISP sets things up, it might also enable them to identify your account (not by name, but by a code or number of some sort that your ISP uses). As I understand it, if your reverse DNS string does not contain your IP address, it probably contains an account identifier.
Mind you, these days, when most people are on broadband, just your IP address can probably be used to track you pretty well. Back in the days of dialup, your ISP would randomly assign you a different IP address for every session, and this may sometimes happen with a broadband account, but in my experience my IP address generally remains the same for months if not years at a time. (That has been with three different cable providers. Maybe DSL or satellite is different.)
I have the opposite problem with iTunes. Every time I buy something from the iTunes store it thinks I’m using it from a new computer, so I have to verify my identity again. Then, a few hours after my purchase, I get an email from Apple warning me that my iTunes account was accessed from a new computer and used to purchase – whatever it was that I just purchased. There are never any unauthorized purchases.
And yet I have only ever accessed iTunes from that one computer. I don’t know what the problem is.