The Internet isn't always anonymous; it's possible to
identify a user via the Internet Protocol address unique to each computer accessing the Internet or Media Access Control address of some hardware. However, both of these identifiers can be faked with the right software.
Now scientists have found another unique identifier that acts almost like a fingerprint for each individual computer: the
Researchers from Technische Universiteit
Eindhoven in the Netherlands, Technical University of Darmstadt in Germany,
Katholieke Universiteit Leuven in Belgium, and the Dutch security firm,
Intrinsic ID, discovered that there are physical differences between graphics
cards that can be detected by software.
These differences can't be duplicated because they're a random result of producing
millions of processors. The researchers dubbed the differences "physically unclonable functions found in standard PC components," or PUFFIN.
"Such a "fingerprint" for a given piece of hardware would be most helpful to
online gaming companies and the players. Heavy gamers tend to have
high-end graphics cards and customized machines, so odds are they are
accessing an online game, such as World of Warcraft from their own computer. This is a different
situation than with a bank, which customers may access from a variety of machines such as their work computer or their personal laptop or even their smartphone.
An online gaming company would install the
PUFFIN software on its servers. When a customer logged into the game, the software would scan the gamer's graphics card for its unique "fingerprint," and match it against the known fingerprint on file. If the log in name and password didn't match the fingerprint, the online gaming company could ask for additional authentication and if that didn't match, the company could block the user.
The PUFFIN system isn't perfect. While it isn't possible to duplicate the hardware, it might
be possible to duplicate the small differences in behavior on the part of the
card. That's still a subject for further research. It's also worth noting that
the identification is of the machine being used; it says nothing about who is
using it. So someone might access a person's World of Warcraft account using the account holder's computer, and it would still look legitimate.
The PUFFIN Project will run until 2015.