LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-09-2013, 02:13 PM   #1
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Rep: Reputation: 174
How do YOU know it is MY computer?


A few years ago a financial company I deal with announced that they were putting enhanced security measures in place for access to their web site. Sounds good I thought. Until they said "if we don't recognize your PC we will ask you an extra security question..." My PC at the time was running Win XP and was situated behind two hardware firewalls and a software firewall running on the PC. Just how do you propose to identify my PC I asked their tech support folks.

It was explained to me that they were using Flash cookies and the tech showed me how to access the Flash configuration panel. I locked down Flash to accept data ONLY from the financial institution, a local bank and a major credit card issuer who appeared to be using the same process. Some time later I happened to look into the Adobe and Macromedia directories and found that Flash was storing crap from all sorts of web sites contrary to my settings.

When I moved to Linux (Ubuntu 7.10 initially) I did the same Flash configuration and found again that Flash did not respect my settings. I emptied ~/.adobe and ~/.macromedia and issued a chmod -x on the directories rendering them unwritable. No more flash stuff! Interestingly the sites still "recognized" my computer except just after Firefox updated. I would then have to answer the extra question and indicate that it was a "private" computer. No more nags until the next Firefox update.

I am now on CentOS 6.4. At random occasions the nag question will come up without the benefit of a Firefox update. I have no idea why. As an experiment I indicated that I was on a "public" computer. The next time I accessed the site I was again asked the extra security question. This is as it should be.

Then I accessed the site from a virtual machine running in VMWare on the same physical machine as I had indicated was "public." I told the web site that the virtual machine was a private computer. When I accessed the site from the physical machine, which I had indicated was "public" the web site treated it as a "private" computer. No extra security question. This seems to be a failure in a non-conservative direction.

I might add that the virtual machine is running in bridged network mode. It receives its own IP address from my router. It has its own virtual NIC with a MAC distinct from the physical machine. It does NOT have Flash installed on it. Once it is set as private I have changed the MAC address. No difference. It is still recognized as a private computer.

So my question is... How can a web site uniquely identify my hardware?

It does not appear to be my Internet IP address as that is assigned to my router and I change it frequently.

I do not THINK it is the MAC address of the physical network card as the virtual machine is bridged. And if I create a brand new virtual machine on the same host it is treated as "public" the first time I access the web site.

It does not appear to be related to the Firefox profile. I just created a new Linux user on one of the virtual machines (which the web site thinks is a private machine) and I am not asked the extra security question when I login as the new user and first access the web site.

I am quite certain nothing is written to the computer as an identifier. I created a virtual machine, tried to access the site and it acted as a public computer - extra security question. I then shut down the virtual machine, copied the files comprising the machine to a backup drive. I loaded the virtual machine and accessed the site. I told the site it was a private computer. I shut down the VM, delete all of its files and replaced them with the backup. I loaded the VM and went to the site. It is still recognized as a private computer even though the state of the VM is from before I told the site it was private.

Several years back Intel caused a holy stink by announcing that they were going to put an accessible serial number on all processors. I do not recall that the idea went into production.

What is there unique about my computer, its operating system and/or its browser which can be identified by a web site?

I have contacted the tech support folks at the financial institution and at the local bank (which exhibits the same issue) and explained how their security process seems to be failing in a non-conservative direction. So far I have not found anyone with a clue.

TIA,

Ken

Last edited by taylorkh; 06-09-2013 at 02:16 PM.
 
Old 06-09-2013, 02:37 PM   #2
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
I was under the impression that these systems used IP address or reverse DNS to identify your location rather than a specific machine. I know I've had the same IP address from my (cable) ISP for at least 18 months possibly longer despite having reset the cable box at least twice in that period. Depending on how things are set up your ISP could give you the same name through DNS even if you do get new IP addresses every so often (you can go to www.grc.com and see Shields Up to see what they get if they run a reverse DNS).
I think they also use cookies of some kind (don't know whether they'd be Flash, normal cookies or something else) to prevent problems when IP addresses change but if you're like me and you delete cookies on browser close they can fall back on IP anyhow.
The reason I say this is I think something like Google Mail detected I was "on another computer" when I was in a hotel room on the same netbook I use day-to-day.
 
Old 06-09-2013, 04:31 PM   #3
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Good old Steve Gibson! I have used this tool before. My Linux systems have always tested 100% even without any fancy tweaking. And I remember SpinRite. I used to use it back in the days when a hard drive/controller which could support a 1 to 1 interleave was hot stuff.

Thanks 273 for the input. I examined my reverse DNS with Shields Up. It showed to be nc-71-1-25-28.dyn.embarqhsd.net which is basically my state + IP address of my router + dyn(amic I guess) + the ISP. I did a release/renew on my router as I do every evening. I now get a different lookup to reflect the new IP address. This does not change the recognition of a PC on my network by the web sites in question.

The system used by the sites is more granular. My wife can access her accounts from her PC without the extra question. If I try to access MY accounts from her PC it is treated as a public PC - even if she is logged into Linux on the PC and I invoke the browser as her. (I am pretty sure, need to verify)

The companies claim to be using cookies. However, I do not save cookies between sessions, delete cookies manually etc. and have driven a stake through the heart of Flash. When I restored the VM from backup files there is no way a cookie could have been placed by the site and retained by the VM as the entire VM was zapped and replaced with a clean copy.

A couple of further observations...

I accessed one of the sites using the tor browser bundle. Not the smartest thing to do perhaps and I would not do it routinely. In this case the "recognition" did not persist between tor sessions. That is a good thing. If it had I would be filing a bug on a heck of a hole in tor.

I had an experience some years back with a coupon printing site. It required me to install a "coupon printing" program (Windows only). Not so fast... I tried to install it as a test in an XP VM. It detected the virtual environment and would not install. Suspicious.

A little research came across a discussion of a fellow who figured out that they were placing some hidden files and/or registry keys on the PC which were not removed when the program was uninstalled. The fellow had published instructions as to how to really remove their software completely and they sued him etc. So now I have a really bad feeling about this company.

Not to belabor the story but I determined that they were not leaving any hidden files nor registry entries (with the current version of their program at least). What they were doing was to generate a hash based in part on the MAC address of the network card and the Windows serial number. The hash was generated when the coupon printer was installed. The site kept track of the hash and the number of times a coupon was printed. After a number of days or weeks the counter resets and more of the coupons can be printed. Fair enough.

I also discovered that VMWare's virtualization tool could convert the test XP installation, complete with the installed coupon printer, into a virtual machine image which I could launch in VMWare Player on my Linux machine. No need to have a physical XP machine just to print coupons for my favorite pepper sauce.

Ken
 
Old 06-09-2013, 04:46 PM   #4
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
Have you made absolutely sure to both delete all cookies (of all kinds, check out ghostery?) and change your IP address at the same time on the same hardware?
Of course it is possible to "fingerprint" a browser https://panopticlick.eff.org/ but I don't see anything on there that relates to a machine directly.
I'll keep on digging though as I wonder how much hardware detection it is possible to do from a web server.
Oh, another thing which occurs is whether it is possible some of this code is client side (I know that would be stupid, but you never know).
 
Old 06-09-2013, 05:56 PM   #5
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks again 273. I have ghostery installed but I had not looked at it for a while. There was a bunch of crap listed. I do not know if it lists what has been encountered or what is present. I blocked EVERYTHING shown. No difference.

Based on Gibson's analysis I changed the user agent string. No impact.

I will do some more testing tomorrow. I am watching the Canadian Grand Prix at the moment.

Ken
 
Old 06-09-2013, 06:06 PM   #6
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
As I mentioned, you will need to both remove all cookies of all types and change IP and, possibly, change user agent also if my theory is correct.
My theory being that what is used is a combination of cookies, IP address and (though I'm not so sure about this) user agent. These could be used in any combination with any weighting.
 
Old 06-09-2013, 06:14 PM   #7
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,324
Blog Entries: 28

Rep: Reputation: 6142
This may help:

http://www.zdnet.com/tracking-pcs-an...et-1139183346/

I have my browser set to "delete all new cookies on exit." Then I configured the two or three cookies I want to keep. Plus I use script control plugins in both Firefox and Opera. That at least reduces my paranoia.

I have read, but I can't find the citation, that these days it's relatively easy to develop a hardware profile using cookies and user agent strings that can accurately identify an individual computer. If I can find a citation, I will post it.

Last edited by frankbell; 06-09-2013 at 06:19 PM.
 
Old 06-09-2013, 09:14 PM   #8
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,982

Rep: Reputation: 3625
The IP and route used to get to your computer is more likely the public IP on your modem.
 
Old 06-10-2013, 07:07 AM   #9
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks again 273. I am going to do a test with some live CDs this AM. No hard drive, no flash drive, nothing to write anything to unless it rewrites BIOS.

That was an interesting article frankbell. Many thanks. I have downloaded the source paper but have not yet read it. I do not think the issue at hand is strictly hardware. When I create a new VM on the same host it is seen as a public computer until I state otherwise. Even a couple of VMs running simultaneously. My live CD testing may shed some light.

Sorry jefro but I do not understand your comment. Can you please clarify?

Ken
 
Old 06-10-2013, 12:12 PM   #10
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,982

Rep: Reputation: 3625
They may not know your computer as such. They may have a "confidence" rating based on the route to your home computer. If that confidence level falls low enough then they issue a challenge.
 
Old 06-10-2013, 12:38 PM   #11
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
Thanks jefro. That is a possibility. However, here is my latest experience and the results of some more experimenting...

I connected to one of the web sites in question this AM from my normal CentOS 6 machine using Firefox. I got the extra security question. I indicated that I was on a PUBLIC computer. I answered the question, provided my password and continued to the site. While I was connected I invoked another instance of Firefox. A truly separate instance, different user profile etc. on the same physical PC. The site believed this instance to be a private computer. NO extra question. I completed the logon. I closed the first browser (which I had stated was public) and called up Firefox again with the original profile. It now became a private computer as far as the site was concerned.

According to documentation on one of the web sites:
Quote:
How do you know I am logging on from my own computer?

When you log on for the first time from a new computer, we put a secure (encrypted) cookie on your computer. This cookie contains a randomly generated unique number that identifies your computer. The cookie is visible only to the company X website and does not contain any of your personal information. When you log on again, our site recognizes that cookie, letting us know you're using a computer you've used before.

Why am I being asked a question when I log on from my own computer?

If we ask you a security question after you enter your user name, company X doesn't recognize the computer you're using. This may happen if you have deleted cookies from your computer.

If you answer your security question correctly, you'll see your security image, letting you know you're safely at company X.com and can enter your password.

What if I deleted the cookies on my computer?

If you deleted the cookies on your computer, we can use a secondary authentication process (known as a Flash object) to recognize your computer. If, however, you do not have Flash installed or enabled on your computer, company X won't be able to recognize your computer and you'll have to answer a security question before logging on.

Does the enhanced logon use Flash objects?

Yes. We'll use Macromedia Flash objects to identify your computer if you have Macromedia Flash installed on your computer and we can't identify your computer's cookies. Using Flash objects as a secondary authentication method helps ensure you can log on as quickly and conveniently as possible.

New experiment - I booted an old test PC with no writable storage from a Ubuntu 12.04 live CD. I connected to the site, told it I was on a private computer and then shut down and unplugged the PC power cable. I then powered up the PC again with the Live CD. It was believed to be a private computer!

I installed a hard drive and installed Win XP. I forgot what a pain that was but I got it installed, drivers found and installed, anti-malware software installed, updated etc. About 3 hours. I cloned the hard drive with Norton Ghost in preparation for further testing. I connected to the site - I was seen as a public computer and I left it so.

By this time I had downloaded a knoppix CD image in ENGLISH (having already downloaded one in German by mistake). I removed the hard drive from the test PC and booted knoppix. It believed the PC to be private!

I did some testing with Win XP. NO flash installed. If I manually delete cookies (the default Private Browsing in FF 21 is not enough) the site will set me back to a public computer. This is the conservative action which I would expect.

The issue appears to be with non-Windows operating systems. I do not have a Mac to try. It appears that the site is gathering some sort of information from me (which is not disclosed in their privacy documents) to identify my computer. I think I now have enough data to hit them over the head with and see what falls out.

Ken
 
Old 06-10-2013, 01:22 PM   #12
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Rep: Reputation: 2373
Doesn't that suggest that if you tell them you're on a private computer they mark that IP as private? On the other hand, if you're on another IP but have the cookie then they still mark it private? Not the best, but I think it explains what happened without resorting to any other technology.
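To make the two explanations discussed so far concrete (the per-device cookie the site's own documentation in #11 describes, and the "mark the IP as private" behaviour 273 suggests just above), here is an added model of both recognition policies. It is example code written for this thread, not code from LinuxQuestions.org or from any bank; the class names, the server key and the IP address are constructed, and the HMAC binding of the cookie to the account is an addition of mine, not something the quoted documentation states. The replay functions re-run the scenarios from posts #1 and #11 against each policy and return whether the device ends up treated as "private".

```python
"""Two hypothetical device-recognition policies behind a bank-style
'is this a computer you have used before?' check, replayed against the
scenarios from this thread. Added example, not the site's real code."""
import hashlib
import hmac
import secrets

# Constructed secret; a real deployment would load this from a key store.
SERVER_KEY = b"hypothetical-server-side-secret"


class IpKeyedRecognizer:
    """Policy A (hypothetical, the explanation 273 floats in #12): the site
    remembers which public IP addresses a user has called 'private'. Every
    machine behind the same NAT router shares that address, so one 'private'
    answer from the VM silently covers the physical PC as well."""

    def __init__(self):
        self.private_ips = {}  # user -> set of public IPs marked private

    def issue_cookie(self, user):
        return None  # this policy never needs a cookie

    def mark(self, user, public_ip, cookie, private):
        ips = self.private_ips.setdefault(user, set())
        if private:
            ips.add(public_ip)
        else:
            ips.discard(public_ip)

    def recognized(self, user, public_ip, cookie):
        return public_ip in self.private_ips.get(user, set())


class CookieKeyedRecognizer:
    """Policy B, modelled on the site documentation quoted in #11: the first
    login from a device gets a cookie holding a random ID. Binding that ID
    to the account with an HMAC is my addition, so a cookie lifted from
    another user's browser profile is not honoured under this account."""

    def __init__(self):
        self.private_devices = {}  # user -> set of device IDs marked private

    def _tag(self, user, device_id):
        msg = f"{user}:{device_id}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue_cookie(self, user):
        device_id = secrets.token_hex(16)  # the "randomly generated unique number"
        return f"{device_id}.{self._tag(user, device_id)}"

    def _valid_id(self, user, cookie):
        if not cookie:
            return None  # cookies deleted or never set: nothing to recognise
        device_id, _, tag = cookie.partition(".")
        if hmac.compare_digest(tag, self._tag(user, device_id)):
            return device_id
        return None  # forged, or issued to a different account

    def mark(self, user, public_ip, cookie, private):
        device_id = self._valid_id(user, cookie)
        if device_id is None:
            return  # unknown device cannot be promoted to 'private'
        devs = self.private_devices.setdefault(user, set())
        if private:
            devs.add(device_id)
        else:
            devs.discard(device_id)

    def recognized(self, user, public_ip, cookie):
        device_id = self._valid_id(user, cookie)
        return device_id is not None and device_id in self.private_devices.get(user, set())


def replay_post1(policy_cls):
    """Ken's scenario from #1: the physical PC answered 'public', a VM behind
    the same router answered 'private', then the physical PC logs in again.
    Returns True if the physical PC is now treated as private (the failure
    in the non-conservative direction)."""
    site = policy_cls()
    user, nat_ip = "ken", "203.0.113.7"  # constructed; both machines share the NAT address
    pc_cookie = site.issue_cookie(user)
    site.mark(user, nat_ip, pc_cookie, private=False)
    vm_cookie = site.issue_cookie(user)
    site.mark(user, nat_ip, vm_cookie, private=True)
    return site.recognized(user, nat_ip, pc_cookie)


def replay_cookies_deleted(policy_cls):
    """The Win XP test in #11: a device answered 'private', then the user
    deletes cookies manually. Returns True if the site still treats the
    device as private, i.e. recognition survives without any client state."""
    site = policy_cls()
    user, nat_ip = "ken", "203.0.113.7"
    cookie = site.issue_cookie(user)
    site.mark(user, nat_ip, cookie, private=True)
    return site.recognized(user, nat_ip, None)


if __name__ == "__main__":
    for policy in (IpKeyedRecognizer, CookieKeyedRecognizer):
        print(policy.__name__, "post #1 leak:", replay_post1(policy),
              "survives cookie deletion:", replay_cookies_deleted(policy))
```

Under policy A the physical PC inherits the VM's "private" answer and recognition survives cookie deletion, which matches the behaviour described in #1 and on the live CDs; under policy B only the device holding a valid, account-bound cookie is ever recognised, and deleting cookies fails closed to the security question. Neither model explains the result in #13 (still recognised after a new public IP with no writable storage), so this only separates the two hypotheses the thread has raised; it does not say which, if either, the sites actually use.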
 
Old 06-10-2013, 04:25 PM   #13
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
I told them that the Ubuntu Live CD on my test PC was "private"

NO cookies: browser, Flash or Sony music CD rootkit. Period! (unless they are rewriting the BIOS)

Did a release/renew of my router - new IP address from my ISP

Boot Ubuntu Live CD and the web site says (drum roll please) - It still recognizes my PC!

I just changed the reserved IP LAN address for the test PC - it is a private, non-routable 192.168.1.xxx address, now a new one. Rebooting Live CD

There will be a minor delay - I just changed the reserved IP address for THE PC I AM WRITING THIS ON rather than the test PC

Back up with a new LAN address and the new Internet address as described above. I am still recognized.

If I get motivated I will install a new network card in the test PC. Perhaps they are recording the MAC address. On the other hand I recall that Windows Genuine Advantage or one of their anti-piracy schemes inventoried the CPU, RAM, hard drives, video card etc. If you changed too many things at one time Windoze would barf and you would have to beg forgiveness from Bill Gates to get it to run again.

That identification was generated at OS install time. I was not aware that a web browser had enough access to do such a thing.

Please keep the ideas coming. I will keep testing. And I am firing off a letter to the CIO at one of the institutions.

Ken
 
Old 06-10-2013, 05:36 PM   #14
taylorkh
Senior Member
 
Registered: Jul 2006
Location: North Carolina
Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate
Posts: 2,127

Original Poster
Rep: Reputation: 174
I just added another NIC to the test PC and disabled the on-board NIC. Booted the Ubuntu Live CD with the Ethernet cable in the new NIC. Connected to the web site. I am still recognized.

Ken
 
Old 06-10-2013, 05:49 PM   #15
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Rep: Reputation: 174
I don't understand what is going on in your case, but it is interesting, so I hope you'll continue to test and post results.

Meanwhile, all of the banking and financial web sites I use recognize me only if I have previously visited the site and logged into it since the last time I cleared my cookies. If I clear my cookies, which I do upon exit from Firefox, the site always fails to recognize me upon my next visit.
 