They are watching us

25 February 2010 00:00 am, Michael O’Connor

Companies may now combine device fingerprinting information with their own customer data to read the consumer psyche.

How many people remember the Big Brother scare surrounding the Processor Serial Number (PSN) embedded in Pentium 3s way back in 1999-2000? Despite the technical community stating that the PSN was not a solid identifier, as it could be easily masked, Intel created quite a scare among large groups of people.

Eventually, in April of 2000, the company announced that they would not include the PSN in the forthcoming 1.5GHz Willamette chip. An anonymous Intel engineer was quoted telling Wired magazine, “The gains that it could give us for the proposed line of security features were not sufficient to overcome the bad rep it would give us.”

Nine years later I noticed an announcement by ThreatMetrix touting an opposite reaction to the idea of tracking a device.

Evidently, a study done by Ponemon Institute found positive consumer reaction to the concept of Client Device Identification (CDI), also called device ID or device fingerprinting, as part of a consumer protection strategy.

The article stated that a significant percentage of surveyed individuals were more amenable to having their computer profiled than to remembering a password or submitting to other security standards.

If the attitude expressed by the respondents in the Ponemon study is representative of popular sentiment, could it mean the idea of device identification is no longer a scare to consumers?

The key may rest upon the question of whether or not Personally Identifiable Information (PII) is associated with the device IDs being created.

The Ponemon study revealed that consumers were comfortable with a device ID concept as long as personal information was not tied to it.

This is pretty much what today’s device identification vendors are marketing.

The technology is intended to create a unique identifier surrounding a device, without the need to collect any PII.

A few of the device ID elements may be used to tell the technology vendors specific information that is critical to judge the threat level of a transaction.

This information can be stored in some way or forwarded directly to a client company to assist them with filtering suspicious transactions.

Since the client company often has individual account information of its visitors, it may combine device fingerprinting information with its own customer data to provide an even deeper profile.

Critics of device ID complain that a unique fingerprint is not always attainable, and savvy users can spoof, change, or substitute a device ID.

In response to the first concern, how many fraud prevention technologies are 100 percent accurate? And wouldn’t the absence of a device ID be cause for concern in itself, depending on the application? As far as the second concern goes, which fraud prevention technologies are immune to user tampering of any kind?

Add to this the fact that most CDI vendors can tell when a device ID has been tampered with in some way, and the confidence level is not degraded significantly.

As is frequently stated by fraud prevention professionals, “there is no silver bullet.” The same holds true for CDI. As always, the winning solution is the combination of various technologies in a layering effect.

Despite the fact that CDI has inherent weaknesses, as do all of the prior fraud prevention technologies, it is providing tremendous benefit to many companies, ranging from credit and loan issuers to social networking sites to online retailers.

This is especially true when layering it with other effective technologies. As online business continues to expand, it is heartening to see consumer fear of new technologies, including device fingerprinting, beginning to diminish.

I believe that CDI, and other related technologies that tie into the actual devices being used, will become one of the most effective, powerful tools in preventing online fraud and abuse.

As long as CDI is used responsibly, including maintaining concern for where and how PII elements fit into the picture, consumers and businesses alike will see significant benefits from this technology.

Michael O’Connor has been working in various operational management positions since 1994, and with online payment in particular since 2000. Michael was also fortunate enough to have served on the advisory board of the Merchant Risk Council and assist in the training of an FBI CyberCrimes unit. This article is published with prior permission from www.information-security-resources.com.

