Mike Davies from VeriSign

Mike Davies is Director, Identification and Authentication Services for VeriSign in EMEA. His main focus is consumer authentication, and how businesses can improve security when they interact with consumers online in Europe.

Mike spends his holidays either scuba diving or skiing with his wife Lena, and is a long-suffering Tottenham Hotspur season ticket holder.

January 29, 2009

PayPal UK Launches Security Key - Guest Posting from PayPal


[Image: PayPal Security Key]
Great news today for anyone who uses PayPal in the UK.


They have announced that they are offering consumers an added layer of security when they log in. The UK rollout follows successful implementations in Australia, Germany and the US. Consumers can either purchase a "PayPal Security Key" token for £3 (a small token that generates a One Time Password, or OTP) or, for free, register their mobile phone with PayPal and receive an OTP by SMS every time they log in.


I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal customers will be able to use their token at other sites that join the VIP network. PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world, so you can expect to see more places where you can use your token in the UK appearing shortly.


I thought it best if you heard it straight from PayPal on why they are doing it and what consumers can expect. So here is a guest posting from the guy who led the UK rollout... over to you, Garreth!


"I am Garreth Griffith and I lead the Risk Management team at PayPal in the UK. At PayPal our main concern is for the security of all the buyers and sellers who use our product.


We work very hard in the background to stop fraud, and whilst our results show we are successful, we wanted to offer consumers the opportunity to adopt an additional layer of security to protect their PayPal account should they desire further reassurance.


And that is an important point, this product is not mandatory for any of our customers. It is up to the consumer to adopt this additional layer or not.


The constant challenge with any movement of money over the Internet is striking the right balance between security, convenience and ease of use. Unlike other clunky options available to us, we believe the PayPal Security Key provides the perfect balance, particularly the SMS version which works directly with your current mobile phone.


In a nutshell, the way it works is that any PayPal customer can go to www.paypal.co.uk/securitykey and either purchase a PayPal Security Key (a small key fob sized token) which generates a one time password from us, or alternatively register your mobile phone number with us.


If you select the PayPal Security Key, we post you the key and when you receive it, you simply log in as normal, adding the 6-digit one time password when prompted.


If you select the PayPal SMS Security Key, at the point of logging in we send you an SMS message with a one time password which you enter to access your account.


We believe the security key will appeal to a significant group of our customers and based on its successful rollout in other countries, we expect the same success in the UK."


Thanks Garreth, I am sure I will be posting more on this over the coming weeks and months...

December 10, 2008

Facebook scam - Part 2

This just in from the BBC website: Symantec have identified a virus that steals user names and passwords, which is nothing new. But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and installs malware which can then steal user names and passwords and also keylog credit card details.


http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm


Now, I realise that Facebook et al are trying their best to educate their users not to accept invitations from people they don't know. But, as per my earlier post about stealing log on details for a mail account or social network, what if the fraudster had the Facebook user name and password of someone who had a load of Facebook friends? They could then send out the malware to all of that person's contacts. This would give the fraudster a much higher success rate, as the receiver would be far more likely to trust the sender, not knowing it was really a fraudster at work.

I really don't think that the social networking sites understand the value of the trust that a connection between users engenders, and the associated risk when their accounts are compromised.

December 2, 2008

Survey finds passwords are not secure - well d'uh!

This article covers two main points:

1) Passwords are not changed regularly

2) People give out too much personal information online

http://www.finextra.com/fullstory.asp?id=19374

Let's look at the first point...

We see these kinds of articles about password surveys about 3 times a year, and I am pretty sure VeriSign, my employer, have done our fair share!

The reason we see them is twofold. Firstly, passwords on their own are no longer secure enough. I think people are getting that.

The second reason, if you are feeling cynical, is that vendors want to sell more secure solutions.

Let's face it, both points are true, but I am seeing a sea change in attitude recently.

Why? Well, I do not think it is because vendors have honed their selling skills to the point where they are selling snake oil successfully. The reason is that the problem itself has grown to a point where the business case for adopting stronger authentication is here. This is partly because of the increase in fraud, sure, but also due to new solutions and business models which make stronger authentication significantly cheaper.

Let's take PayPal. They charge consumers for two factor authentication. Now I doubt that they are making money out of the solution by charging $5 for a token, but I do know that they are reducing fraud considerably whilst proving that consumers will pay for this. Not all consumers of course, but those that do want better security are prepared, some of them even very happy, to pay for it. And a happy customer is less likely to take their business elsewhere.

Now let's look at the second point made in the article...

This talks about publishing personal information online and how social networking site users are accepting invitations to connect with people they have never heard of before. By doing this they give the person they connected to access to the more sensitive information they have published.

As a security vendor I wish I could provide a silver bullet that would help here. I can't, but I can say that companies like mine are talking to the social networking organisations looking for long term solutions.

But one thing that can work in the short term is education. I am sure the guys from the social networking sites are doing this but it is a continual process. They must keep reminding their customers not to accept invitations or publish anything in their public profile that is sensitive.

Not a silver bullet, but sometimes you have to keep making a noise about a problem until people start listening. Did I mention that passwords are not strong enough anymore?

November 14, 2008

Facebook Scam (aka Social Phishing)

A couple of months back I posted on a scam that had surfaced in Mexico where fraudsters managed to get hold of people's email user name and password, access the account and email the whole address book asking for money to be sent to a bank account to help them raise bail as they were in jail.

Obviously the overwhelming majority of people would not expect anyone they knew to wind up in jail and ignored the email.

Well, this new one in Australia takes the same principles and applies them to Facebook, but is a little more feasible.

This time, the individual masquerading as your Facebook contact "needs $500 for a plane ticket".

If phishing in its more traditional form has proved anything, it is that there is always someone who will fall for it.

This "Social Phishing", i.e. taking over an email or social networking account and preying on the trusted relationships the account holder has, is much more targeted (i.e. not millions of emails sent scattergun, but a smaller number preying on friends' trusted relationships), and I would guess it is much more likely to succeed.

Another example of passwords just not being enough anymore...


October 22, 2008

What have Sarkozy, Clarkson and Palin got in common?

For clarification, I should mention that I mean Nicolas Sarkozy, Jeremy Clarkson, and Sarah Palin, but the question remains what have they got in common?

The answer is they have all had high profile identity theft issues in the past 6 months.

Now granted, Jeremy Clarkson (a British TV presenter and Journalist) deserved it. He deliberately published in a UK national newspaper personal information to prove that the whole identity theft problem was overhyped.

Having briefly met Clarkson, a man who in the two minutes I chatted to him used more swear words than I normally use in a year, I can only imagine that his wife had to put her hands over her children's ears when he found out someone had used the information he published to transfer £500 from his bank account to a charity, proving how dumb he had been.

Sarah Palin had her Yahoo email account compromised. This was more a cantankerous prank than malicious fraud, but it proved how easy it can be if you know some information about the account holder. The fraudster got in by correctly guessing (or, more accurately, researching Sarah Palin on Wikipedia and Google) the answers to the password reset questions.

And finally Sarkozy. A man who I can only presume given his position as President of one of the leading world economies is an intelligent man, fell for a phishing scam.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117548&source=rss_topic17

Each one of these could have been prevented with some form of stronger authentication:

1) Clarkson: With stronger authentication the reader would not have been able to transfer money.

2) Palin: Password reset functionality would not result in a compromise if the account was protected by some kind of token.

3) Sarkozy: If his account had been protected by stronger authentication, even if he had responded to a phishing email, it would be unlikely (but not impossible) for the fraudster to have completed a real time attack.

There are some positives to take out of this:

1) The general consumer becomes more wary of publishing data or phishing

2) The more these things happen, the more likely we will adopt stronger authentication technologies to help protect online accounts. This is not just because a high profile person such as Sarkozy says so, more that the general population will demand better security the more they realise they are under threat.

3) Jeremy Clarkson got scammed for £500.

I know the last one sounds a bit malicious, but I really didn't like him when I met him...

October 20, 2008

How is security affected by the credit crunch - Post 3 (of many)

In the first post in this series I mentioned I would touch on some of the more obvious effects of the credit crunch... no surprises, but the fraudsters have changed their tactics to try and exploit the uncertainty. Even if you are not based in the UK, I am sure you will have seen that the main banks affected by this are RBS, LloydsTSB and HBOS.


http://www.timesonline.co.uk/tol/money/consumer_affairs/article4965394.ece


Well, it seems that the malicious people who are determined to get your money have started sending out phishing emails in the name of these banks, hoping they snare a few of their customers.


It amazes me that phishing must still be working after so much consumer education about the problem through news stories such as this, but I guess they wouldn't be doing it if there was no money to be made.


I remember being told 3 years ago that phishing had peaked; since then the quantity and variety of attacks has continued to rise, and my guess is this trend will continue.

October 13, 2008

How is security affected by the Credit Crunch - Post 2 (of many)

The markets are up today, which can only be good news, but only a fool would say we have definitely turned the corner.

There seems to be a pattern that you can follow when we have major incidents like this:

1) Panic
2) Attempts at a solution which, either individually or combined, eventually work
3) Assessment of how things have changed and what we should be doing now

I think we are edging towards number 3 now.

And if that is the case, what has changed? Well, firstly, consumer trust in banking has been badly knocked. These great institutions don't quite seem as solid as they did 6 months ago.

And it is wider than that. This article from Computer Weekly highlights how consumers and employees are not happy with the measures taken by big business when protecting their identity:

http://www.computerweekly.com/Articles/2008/10/10/232612/fraud-survey-highlights-business-security-failures.htm

As in banking, if you don't trust you don't do business.

So what should banks be doing? Well, they need to regain the trust of their customers, and one way of doing that is demonstrating they take their consumers' security seriously, especially in the online space where confidence is already low.

I am not saying that this will cancel out all the mistrust that has been generated, but building trust takes time and little steps can make a big difference.

October 10, 2008

How is security affected by the credit crunch - (Post 1 of many)

I think most of us are quite surprised about how deep the financial crisis is becoming.

More and more of us are sitting here and wondering how it will affect us in our personal or business lives over the coming months, and I thought I would try and take a look at how it affects consumer authentication.

I will cover the more obvious ones in later posts, like potentially smaller security budgets and the cost savings of using the internet as a channel, but a little gem from the BBC website really caught my eye.

The upshot is that all of a sudden banks aren't lending as much money as they used to. OK, so how does that affect fraudsters? Well, obviously, less money available to lend manifests as tighter controls on the acceptance of applications for new credit agreements, which are falling rapidly. So an overall decrease in credit applications naturally means an overall decrease in the number of fraudulent applications that get through the system. With the notable exception of whaling (targeting high wealth individuals for nefarious gains), if you are stealing an identity you are less likely to get a fraudulent application accepted because the individual is less likely to be credit worthy.

So as a fraudster what do I do? I need to make my money, so I target those people who already have an established relationship with the organisation. In other words I target the people with an existing account. This is where consumer authentication really becomes important.

The more I follow fraudsters, the more I get back to the idea of "the rational man". This is one of those stating-the-obvious theories hidden behind psychobabble, which means that if it makes financial sense everyone will do it.

According to this article, which I believe, fraudsters will switch their focus from application fraud to account based relationships, as they are unable to make money through the application channel.

But what is most interesting here is that the UK banking industry looked like it was winning the account takeover war. Fraud in this area had reduced from £33m to £22m from 2006 to 2007. This was mainly due to better risk based authentication being conducted in the back office as consumers (and yes, fraudsters) try to access accounts.

And then, for the first half of 2008, APACS released fraud figures showing that account takeover fraud is increasing again.

Some questions, with my opinion as answers:

1) Is the rise in account takeover fraud a direct result of the credit crunch and the associated switch from application fraud to account takeover? I doubt it; the credit crunch hadn't really bitten by the release of these figures.

2) Didn't the security implementations of EMV CAP (i.e. PINsentry et al) mean that account takeover fraud was decreasing? Well, I am sure that these initiatives had a positive impact on fraud, but what I guess has happened is that those who have implemented stronger authentication are experiencing less fraud, while those that haven't are seeing exponential growth in fraud in this area. And this fraud is only going to get worse as fraudsters follow the rational man hypothesis and go for the easiest money route: account takeover at those banks which have not implemented more secure authentication.

3) So should all banks follow the EMV CAP model? I don't think so. I love the security benefits of PINsentry et al but hate the usability issues, which are well documented (just google PINsentry and you will see what I mean). But there are other, more consumer friendly devices that can achieve similar results to EMV CAP, especially when combined with risk based authentication, and I believe that they will become more prevalent.

[Image: VIP card]

4) Will fraudsters following the rational man model keep targeting the account based relationships in the banking sector? Yes, increasingly so. Do nothing and your fraud will rise. Tell me I am wrong.

5) If application fraud decreases and account takeover fraud increases, will that only be in the financial sector? Absolutely not. Any account based relationship is a potential money spinner for a fraudster... see my earlier post about Mexican bail bonds.

So, here are a few questions which I will leave for you to answer:

1) As a bank do you believe that you should be doing more to stop account takeover fraud, given that the overall fraud is rising but competitor organisations have already implemented technology to reduce fraud making you the easier target?

2) As a non financial sector organisation do you believe that fraudsters are not looking at you as potential targets as online banking gets more secure?

3) As fraud rises and confidence among your consumers falls, threatening the cost effective internet channels you want to grow, do you really think that your business does not need to consider stronger authentication?


In my opinion, account takeover fraud will continue to rise, with or without the credit crunch, but perhaps this crisis and the associated fraud losses incurred will be a catalyst for organisations to act.

October 9, 2008

Mexican bail bonds


This is priceless. No really, this is a new fraud I had never heard about (OK the principles are nothing new, but the implementation is).

According to the Guadalajara Reporter, which I presume is a respected voice in the land of tequila, fraudsters have come up with an innovative way to defraud Joe Public, and it goes something like this.

Step 1 - Fraudster gains control of an individual's personal email account
I guess you are not surprised by this so far; it could have been phishing, a Trojan delivering a keylogger, or guessing the password reset questions.

Step 2 - Fraudster emails all personal contacts stored in the address book of the taken over account
OK, still nothing new... what happened next?

Step 3 - Email contains an appeal for funds, as the owner of the stolen account is in jail and needs money for bail
So I guess you have got this by now, but to explain fully just in case, perhaps the email looks like this:

"Hi friends, I need your help. Unfortunately I am in jail (again), of course I didn't do it but try persuading the Guadalajara police that. I need your help to post bail, please send whatever you can (at least 1000 pesos) to the following bank account as soon as possible XXXX XXXX XXXX XXXX. Thanks. Jose."

You might think that you would never have friends who would ask you for a contribution to help them out of jail and would dismiss it as a scam, so how can this be relevant to you?

Well, let's substitute the "bail" request with something closer to home. Remember, this is an email you receive from someone you know and probably receive emails from regularly:

"Hi friends, I need your help. I am running the London Marathon this year and I promised to raise £1000, so far I am only at £300. If I don't get the full £1000 there are going to be a lot more homeless children, so please donate (at least £10) to the following bank account as soon as possible XXXX XXXX XXXX XXXX. Thanks. John."


Sounds more feasible?

How many times do you ignore spam from people you have never interacted with before? Probably always: you don't trust the sender, you don't trust the content.

How many times do you ignore an email from a trusted friend? You may be wary of opening a file supposedly sent from a friend, but would the above call for help be equally ignored?

There is a level of trust you have established with your contacts which can be so easily abused by fraudsters. Why? Well, a user name and password are so easily stolen. We need stronger authentication in the consumer space, but unfortunately it will require scams like this to occur before some businesses and consumers realise that.

I'm Back!


Sorry for not posting, but I'm back now.

It's been a really busy summer for me, and here is the reason...

[Image]


I am very happy to say that I am now a father to a beautiful baby girl, and things have settled down well enough now for me to start blogging again regularly.

She also blogs herself, and I am afraid I won't be sharing a link to her blog or her name, as you would probably be able to find the blog if you knew my surname and her first name. Why don't I want you to find her blog? Well, when my wife set up the blog she asked what she should or shouldn't publish, from a security perspective.

We defined a policy for the new person's blog as follows:
- Only first names
- No surnames
- No details of where we live
- No plans for holidays

Maybe I am being paranoid, but I know that it is part of my duty as a father to prepare her for life, online or offline.

If I made public her full name, the day she was born, the town we live in and other personal details like her mother's and father's names, I would already be setting her up for an online fall. The amount of information that is being published by people on Facebook and other similar sites is manna from heaven for fraudsters. If you analyse what you need to take over a consumer's identity, the above information is a significant part of it.

And what if we published when we were going on holiday? It would only take a bad guy a little time to find out where we live, and to know when is the best time to pay me a visit to relieve me of my treasured possessions.

Just put it down to new parent paranoia...