IP addresses and their usefulness for identifying visitors?

[Lucan Unlordly]

Back in the day it was possible for us to identify a single IP address with an individual subscriber to our services. Any misbehaviour and we knew exactly who the culprits were.

This is still possible if users are only logging in from a home PC but now with mobiles and tablets is IP address identification completely random or can we in some way still draw some association with the users?

 

[Ozzy]

On the IP address on its own, no not really; but if you use a combination of sources linked with user behaviour that is possible. Depends on the tools you have available and how important it is.
Options could be any combination of; (all tied to use logged in activity to create that link ideally, or at least common behaviour patterns).

• Browser headers
• Geolocation
• Yep, IP address
• ASN number (for bunching dynamic IP address together)
• Times of day

 

[forevergroup]

Back in the day it was possible for us to identify a single IP address with an individual subscriber to our services. Any misbehaviour and we knew exactly who the culprits were.

This is still possible if users are only logging in from a home PC but now with mobiles and tablets is IP address identification completely random or can we in some way still draw some association with the users?

Connectivity from mobile networks is all going to be the address of an edge gateway at their mobile network. That won’t be directly attributable to any specific user.

You’ll need to find other persistence/cookie/reporting mechanisms to align the user with the user behaviour.

 

[Lucan Unlordly]

On the IP address on its own, no not really; but if you use a combination of sources linked with user behaviour that is possible. Depends on the tools you have available and how important it is.
Options could be any combination of; (all tied to use logged in activity to create that link ideally, or at least common behaviour patterns).

• Browser headers
• Geolocation
• Yep, IP address
• ASN number (for bunching dynamic IP address together)
• Times of day

Our database is password protected with ultimate responsibility for access afforded to one person. For a number of reasons to cover holidays, illness, or when two people are covering the same tasks, that access is sometimes shared with another, who will be appropriately assured - DBS checked etc., Although not in any way sinister, we are told that access has been given to somebody who falls outside of our terms who in turn has shared it with another.

We can identify unusual activity, i.e., multiple log ins at the same but this is a manual overview we use when prompted.

I've not heard of an ASN number?

 

[forevergroup]

Our database is password protected with ultimate responsibility for access afforded to one person. For a number of reasons to cover holidays, illness, or when two people are covering the same tasks, that access is sometimes shared with another, who will be appropriately assured - DBS checked etc., Although not in any way sinister, we are told that access has been given to somebody who falls outside of our terms who in turn has shared it with another.

We can identify unusual activity, i.e., multiple log ins at the same but this is a manual overview we use when prompted.

I've not heard of an ASN number?

The challenge here is that you are using legacy authentication mechanisms. Passwords don’t authenticate a user. They authenticate a password. That is a subtle but substantial difference. User (and preferably device) authentication needs to be built in to your access mechanisms.

Is the application web/browser based or is it a physical application?

 

[Ozzy]

I've not heard of an ASN number?

Here's a link for more info on it. We use it to block a few countries from accessing UKBF

Blog Archives

A behind-the-stack view of our product releases, recommended practices, and company updates.

blog.stackpath.com

authentication needs to be built in to your access mechanisms

Two factor authentication would be a good option. We're actually looking at implementing this more stringently on UKBF in the future.

 

[Hooble]

Here's a link for more info on it. We use it to block a few countries from accessing UKBF

Blog Archives

A behind-the-stack view of our product releases, recommended practices, and company updates.

blog.stackpath.com

Two factor authentication would be a good option. We're actually looking at implementing this more stringently on UKBF in the future.

ASN Numbers are useful for blocking networks that are causing problems, Robtex is good for analysing networks. Our cloud network for example is AS200552.

Two factor authentication would be a good option. We're actually looking at implementing this more stringently on UKBF in the future.

You may quite like Duo, it has a lot of integration and good integrations with all major programming languages.

 

[Kerwin]

Back in the day it was possible for us to identify a single IP address with an individual subscriber to our services. Any misbehaviour and we knew exactly who the culprits were.

This is still possible if users are only logging in from a home PC but now with mobiles and tablets is IP address identification completely random or can we in some way still draw some association with the users?

Using an IP address to identify a user is entirely pointless these days. First of all, 99% of people have dynamic IP addresses on their home and mobile internet. You usually need business internet to get a static IP address. Furthermore, IP address identification is trivial to avoid just by using a VPN.

The same is true of using a MAC address. You can change them dynamically, so you can't tell from that.

You might want to look into browser fingerprinting, but that is a rather large rabbit hole. It is how companies like Facebook and Google follow you around the web (along with cookies, but that is considered the old way of doing things and is also trivial to circumvent).

 

[tomdhu@outlook]

Isn't there a way to harvest and store the MAC address of the device being used?

 

[Ozzy]

Isn't there a way to harvest and store the MAC address of the device being used?

I don't actually know if there is or isn't, but I would imagine going to that level of specific hardware identification may require a pretty comprehensive Privacy Policy update

 

[SEODEV#338055]

GCHQ and the NSA seem pretty good at it

Why don't you ask them

 

[Kerwin]

Isn't there a way to harvest and store the MAC address of the device being used?

You can spoof your MAC address pretty easily so the only people you'll be able to track are people who are not very tech literate (which probably means they are the people you don't care about).

 

[Andres Ledezma]

Hi there,

My field is cybersecurity, I can tell that you that there are a lot of different ways to identify an user, even without the traditional authentication methods however every case is different and has different options.

If your subscribers type text in your application / website I suggest you to use a biometric keystroke signature, as every person has different hands, different ways to use their keyboard, etc. there is a unique way of typing on each of us that is useful to identify users.

 

[RayanW]

Ip address can be easily masked, with all that any IP address won't give you the exact address of the person who holds this IP address, it will give you a search radius of 250-500 meters. Using the cheapest VPN service will mask your IP easily, and I do not even say about Proxy or any other type of mask