Need to obtain unique values via a web page
-
I have been asked if there is a way that a web page could obtain the volume id of the harddisk or the MAC address of the machine and submit this information as part of a standard post. This information should be obtained without the end user knowing!
-
Paul Charles wrote:
I have been asked if there is a way that a web page could obtain the volume id of the harddisk or the MAC address of the machine and submit this information as part of a standard post. This information should be obtained without the end user knowing!

(Heh, isn't this a programming question? :-))

Short answer: No (although maybe the MAC address could probably be figured out from the IP you're coming from and the ARP table?)

Long answer: No, but you probably could write an ActiveX control or something to get that info and force the user to install it in order to use the site. Note that this is very evil and if you tried it on me I'd go find the rubber hose and use it on you (or your boss?) repeatedly until the evil was stopped :-D

HTH
--
Ian Darling
"The moral of the story is that with a contrived example, you can prove anything." - Joel Spolsky
-
Don't worry, it's not to hack your PC :) It is quite legitimate and is being requested by a high street bank, who have online banking. It seems customers are attempting frauds by claiming that transactions carried out by them were indeed not. By attaching semi-unique information to transactions it will be possible to tell if the claimed transaction is carried out on the same machine as legitimate transactions. This reduces the level of bogus claims.
-
Then what's the use of it? I think MAC address is changeable with some software, isn't it?
Mazy
No sig. available now.
-
True, however this is to reduce the vast number of cases.
-
this won't work - the mac address would be the gateway they were using not the pc's, so you would end up with the same address for people using the same ISP...
"When the only tool you have is a hammer, a sore thumb you will have."
-
Paul Charles wrote:
It seems customers are attempting frauds by claiming that transactions carried out by them were indeed not. By attaching semi-unique information to transactions it will be possible to tell if the claimed transaction is carried out on the same machine as legitimate transactions. This reduces the level of bogus claims

OK. Well, the IP address can usually be traced back to a particular ISP or IP block anyway (and most broadband users keep the same IP address for a while too), so you'll be able to use that information, and just ask their ISP to verify who was signed on at that time (after all, fraud is a criminal offence).

I don't think you need to go down to the level of MAC and HD identifier to find the majority of "fraudulent" fraud claims - just logging the IP and ISP will probably be enough. A persistent cookie which can be used for tracking *might* help too (but don't rely on it, as it's not a reliable mechanism either)

--
Ian Darling
"The moral of the story is that with a contrived example, you can prove anything." - Joel Spolsky
-
It's not that evil in a closed system, preferably an intranet.
Memes don't exist - tell your friends
-
ProffK wrote:
It's not that evil in a closed system, preferably an intranet.

True, but in a closed environment that sort of information is available anyway - you don't need to log MAC addresses or HD idents because you know what they are - you put the machines there :-)

--
Ian Darling
"The moral of the story is that with a contrived example, you can prove anything." - Joel Spolsky
-
In an intranet yes, but what I was thinking of is not quite closed, but rather where, for instance, a client subscribes to a service, and part of the subscription implies them either installing a control, or trusting your web site and allowing the control download.
Memes don't exist - tell your friends
-
There will be various information that comes across with the HTTP request. For instance: http://www.webyield.net/domainquery.html will return lots of information about an IP address. If I put my home IP address in it gives me the name of my ISP, my work IP address gives me the name of my company. This information can be displayed at log-in time to remind the user the fraud tracking features are being used.

There are lots of other things that can be looked at when assessing possible fraudulent transactions - like the IP address that requests are coming from. For myself this would mostly be two IP addresses.

You don't want to have the user download an ActiveX control because if they need to access their account in an emergency (e.g. on holiday they may go to an internet cafe which may not allow such things.)

--Colin Mackay--
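
Ian Darling's and Colin Mackay's replies suggest logging the source IP address (and, less reliably, a persistent cookie) with each transaction and looking at which addresses a customer usually connects from. The server-side comparison could look like this; it is an added example, not code from any poster, and the record fields, the /24 and /48 network buckets (standing in for an ISP lookup) and the sample log are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    ip: str              # source address the web server saw
    device_cookie: str   # persistent cookie value, "" if none was sent
    disputed: bool = False

def network_of(ip):
    """Coarse network bucket (assumed: /24 for IPv4, /48 for IPv6)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def assess(history, claim):
    """Compare a disputed transaction with the customer's undisputed ones."""
    known = [t for t in history
             if t.customer == claim.customer and not t.disputed]
    nets = Counter(network_of(t.ip) for t in known)
    cookies = {t.device_cookie for t in known if t.device_cookie}
    same_net = nets[network_of(claim.ip)]
    same_cookie = claim.device_cookie in cookies
    # Cookies get cleared or copied and addresses are shared or reassigned,
    # so this is a lead for an investigator, not proof either way.
    if same_cookie and same_net:
        verdict = "matches usual device and network"
    elif same_cookie or same_net:
        verdict = "partial match"
    else:
        verdict = "no match with history"
    return {"txn": claim.txn_id, "same_network_txns": same_net,
            "known_cookie": same_cookie, "verdict": verdict}

# Constructed sample log: documentation address ranges, made-up cookie values.
LOG = [
    Txn("t1", "alice", "198.51.100.23", "c-7f3a"),
    Txn("t2", "alice", "198.51.100.77", "c-7f3a"),
    Txn("t3", "alice", "203.0.113.5", ""),
    Txn("t4", "alice", "198.51.100.40", "c-7f3a", disputed=True),
    Txn("t5", "alice", "192.0.2.200", "c-9b11", disputed=True),
    Txn("t6", "bob", "192.0.2.200", "c-9b11"),
]

if __name__ == "__main__":
    for txn in (t for t in LOG if t.disputed):
        print(assess(LOG, txn))
```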
-
I think what I'm getting at is I need code that executes on the client and obtains this information.
-
The only way to do this is to have some code execute on the client PC; this would require the user to OK this. You can either use an applet or an ActiveX control.
applet - http://forum.java.sun.com/thread.jsp?thread=444747&forum=45&message=2009694
activex/wmi - http://www.faqts.com/knowledge_base/view.phtml/aid/9005
"When the only tool you have is a hammer, a sore thumb you will have."
-
Paul Charles wrote:
Don't worry it's not to hack your pc

I don't believe it: how can you prove this to me? This is what (some of) your customers will say.

Paul Charles wrote:
It is quite legitimate and is being requested by a high street bank, who have online banking. It seems customers are attempting frauds by claiming that transactions carried out by them were indeed not. By attaching semi-unique information to transactions it will be possible to tell if the claimed transaction is carried out on the same machine as legitimate transactions. This reduces the level of bogus claims

Security is a topic for experienced people as newbies will only come up with flawed, pathetic solutions. If you need to secure your bank against frauds, call someone experienced and work with him, or a disaster awaits you.

In your case, what you probably need is a client certificate, probably generated by the bank and installed on your customer’s browser. This way you can safely and uniquely identify your customer. Surely, you’ll need a safe channel to deliver the client certificate.

But all I can say is probably because I'm not a security expert. A security expert will be able to create a solution that is both unobtrusive and secure. We (me and you) won’t.

Trying to make bits uncopyable is like trying to make water not wet. -- Bruce Schneier
By the way, dog_spawn isn't a nickname - it is my name with an underscore instead of a space. -- dog_spawn
-
Legitimate by Bank? Funny that a Bank would have placed an EFT type app online without it being reviewed by the security group, and that the authentication part was somehow overlooked...