The Internet isn't always anonymous; it's possible to

identify a user via the Internet Protocol address unique to each computer accessing the Internet or Media Access Control address of some hardware. However, both of these identifiers can be faked with the right software.

Now scientists have found another unique identifier that acts almost like a fingerprint for each individual computer: the

graphics card.

Researchers from Technische Universiteit

Eindhoven in the Netherlands, Technical University of Darmstadt in Germany,

Katholieke Universiteit Leuven in Belgium, and the Dutch security firm,

Intrinsic ID, discovered that there are physical differences between graphics

cards that can be detected by software.

How Do You Hack Into a Phone?

These differences can't be duplicated because they're a random result of producing

millions of processors. The researchers dubbed the differences "physically unclonable functions found in standard PC components," or PUFFIN.


"Such a "fingerprint" for a given piece of hardware would be most helpful to

online gaming companies and the players. Heavy gamers tend to have

high-end graphics cards and customized machines, so odds are they are

accessing an online game, such as World of Warcraft from their own computer. This is a different

situation than with a bank, which customers may access from a variety of machines such as their work computer or their personal laptop or even their smartphone.

An online gaming company would install the

PUFFIN software on its servers. When a customer logged into the game, the software would scan the gamer's graphics card for its unique "fingerprint," and match it against the known fingerprint on file. If the log in name and password didn't match the fingerprint, the online gaming company could ask for additional authentication and if that didn't match, the company could block the user.

Iran's Military Hacks U.S. Stealth Drone

The PUFFIN system isn't perfect. While it isn't possible to duplicate the hardware, it might

be possible to duplicate the small differences in behavior on the part of the

card. That's still a subject for further research. It's also worth noting that

the identification is of the machine being used; it says nothing about who is

using it. So someone might access a person's World of Warcraft account using the account holder's computer, and it would still look legitimate.  

The PUFFIN Project will run until 2015.