Fraud from Shared Passwords

Passwords and cookies are widely used to enforce web-based,
pay-for-service businesses. Whether the customer is paying $10,000
to subscribe to high-value research or downloading music at $9.99
a month, the subscriber receives a password or cookie that indicates
that the subscriber has paid for the service.

Unfortunately, passwords are easily shared. So, one individual pays
for the service and shares the password with his friends or co-workers.
In this manner, many people can use the service even though only
one paid for it. This represents a significant loss of revenue for
the service provider. Sharing passwords is most prevalent in low-value
consumer services; yet the largest loss of revenue is in the high-value
research services (consultancies, professional services, and research

Cookies are somewhat more difficult to share. However, there are
widely available tools for examining cookies, exporting them, and
importing them to other machines. Cookies, too, can be shared, thereby
enabling shared pay-for-service accounts.

The WSA does not use passwords or cookies to authenticate subscribers.
Rather, the WSA identifies a subscriber through the subscriber's
digital certificate. A certificate is usually stored with the browser
on the computer's hard drive. In general, certificates can be exported
from one computer and imported to another, but it is not for the
faint of heart. However, certificates that are created by the WSA
are installed on the computer in such a manner that makes copying

Therefore, using a WSA to generate the certificates and authenticate
subscribers of a pay-for-service business makes it virtually impossible to
share accounts. To share accounts, the users must physically
share the computer.