100 Posted February 11, 2012 Report Posted February 11, 2012 (edited) Here is a PDF that explains the principles:http://www.antiphishing.org/sponsors...whitepaper.pdfIn short, they ID your device no matter of socks, cookies deletion or browsers used.It works by fingerprinting the device using unorthodox methods.Some say:- they can read MAC- they can read Windows Registry UID- they can read other UID's Windows useFor those of you who are wondering, why did PayPal limit account access? Why did my bank login request additional security questions? etc. The answer is a relatively new technique called Device ID Fingerprinting. It exploits information leaks especially in Javascript and Flash, such as Browser, Javascript/Flash Version, OS, clock time, screen resolution, etc. to formulate a users "digital ID". When these variables change, the system depending on how it is setup, will flag the account for further scrutiny. Much of this is not new, what is though, is how sophisticated these models have become over the past several months. Most importantly, "True-IP", will use a variety of methods to determine whether the IP is a proxy or the users actual IP. In conjunction with IP-Geo, the culmination of these techniques results in a considerably effective technique to prevent unauthorized access. What does this mean for you? Username & password authentication is no longer enough to prove validity. Somewhat related, but more from a law enforcement perspective, is the use of hardware identifiers to track 'cyber-criminals' online. For example, FBI CIPAV, collects unique hardware & software identifiers. If you are using a computer you purchased on your credit card, or connect through a router that is your own, then you are at risk should you be targeted. Currently, their are two known investigate tools available to federal agencies to track you online, little is known about either, the first being CIPAV, the second was only acknowledged but information on how it works was redacted from any public documents. Lesson Summary: Anonymity of your IP should be part of an overall multi-layer approach to protecting your security. Edited February 11, 2012 by 100 Quote