
January 29, 2009

PayPal UK Launch Security Key - Guest Posting from PayPal


[Image: PayPal Security Key]
Great news today for anyone who uses PayPal in the UK.


They have announced that they are offering consumers an added layer of security when they log in. The UK rollout follows the successful implementations in Australia, Germany and the US, letting consumers either purchase a "PayPal Security Key" token for £3 (a small token that generates a One Time Password or OTP) or alternatively register their mobile phone with PayPal and receive an OTP through an SMS every time they log in for free.


I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal Customers will be able to use their token at other sites who join the VIP network. PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world so you can expect to see more places where you can use your token in the UK appearing shortly.


I thought it best if you heard it straight from PayPal on why they are doing it and what consumers can expect. So here is a guest posting from the guy who led the UK roll out...over to you Garreth!


"I am Garreth Griffith and I lead the Risk Management team at PayPal in the UK. At PayPal our main concern is for the security of all the buyers and sellers who use our product.


We work very hard in the background to stop fraud, and whilst our results show we are successful, we wanted to offer consumers the opportunity to adopt an additional layer of security to protect their PayPal account should they desire further reassurance.


And that is an important point, this product is not mandatory for any of our customers. It is up to the consumer to adopt this additional layer or not.


The constant challenge with any movement of money over the Internet is striking the right balance between security, convenience and ease of use. Unlike other clunky options available to us, we believe the PayPal Security Key provides the perfect balance, particularly the SMS version which works directly with your current mobile phone.


In a nutshell, the way it works is that any PayPal customer can go to www.paypal.co.uk/securitykey and either purchase a PayPal Security Key (a small key fob sized token) which generates a one time password from us, or alternatively register your mobile phone number with us.


If you select the PayPal Security Key, we post you the key and when you receive it, you simply log in as normal, adding the 6 digit one time password when prompted.


If you select the PayPal SMS Security Key, at the point of logging in we send you an SMS message with a one time password which you enter to access your account.


We believe the security key will appeal to a significant group of our customers and based on its successful rollout in other countries, we expect the same success in the UK."


Thanks Garreth, I am sure I will be posting more on this over the coming weeks and months.....
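As an added illustration of the login flow Garreth describes (the password as usual, then a 6 digit one time password from the fob), here is a server-side OTP check. This is example code written for this post, not PayPal's or VeriSign's code, and the post does not say which algorithm their token uses; the example assumes the open OATH HOTP algorithm from RFC 4226 and uses that RFC's published test seed so the codes are reproducible. The `TokenRecord` class and `LOOK_AHEAD` window are assumptions about how a server might store and resynchronise a token's counter.

```python
import hmac
import hashlib
import struct

# RFC 4226 test-vector seed, used here only so the codes are reproducible.
# A real token's seed is provisioned by the issuer and never shown to the user.
DEMO_SECRET = b"12345678901234567890"
DIGITS = 6        # the post describes a 6 digit one time password
LOOK_AHEAD = 10   # how many counter values past the stored one the server will try


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one registered token (hypothetical record layout)."""

    def __init__(self, secret: bytes, counter: int = 0) -> None:
        self.secret = secret
        self.counter = counter  # the next counter value the server expects


def verify_otp(record: TokenRecord, submitted: str) -> bool:
    """Accept the code if it matches any counter in [counter, counter + LOOK_AHEAD).
    On success the stored counter jumps past the matched value, so a code that has
    already been used, or any earlier code, is rejected even if it was captured."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for c in range(record.counter, record.counter + LOOK_AHEAD):
        # constant-time compare: never short-circuit on the first differing digit
        if hmac.compare_digest(hotp(record.secret, c), submitted):
            record.counter = c + 1
            return True
    return False


def login(password_ok: bool, record: TokenRecord, submitted_otp: str) -> bool:
    """The second factor is only consulted once the first one (the password) passed."""
    return password_ok and verify_otp(record, submitted_otp)


if __name__ == "__main__":
    rec = TokenRecord(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)          # "755224" for the RFC 4226 seed
    print("code on the fob:", first)
    print("login:", login(True, rec, first))          # True
    print("replayed code:", login(True, rec, first))  # False: counter has moved on
```

The look-ahead window is what makes a fob usable in practice: a customer who presses the button a few times without logging in does not lock themselves out, while the counter moving forward on every success is what stops a code that was phished or shoulder-surfed from being replayed later.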

December 10, 2008

Facebook scam - Part 2

This just in from the BBC web site: Symantec have identified a virus that steals user names and passwords, nothing new there. But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and delivers malware which can then steal user names / passwords and also keylog credit card info.


http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm


Now, I realise that Facebook et al are trying their best to educate their users not to accept invitations from people they don't know, but as per my earlier post about stealing log on details for a mail account / social network, what if the fraudster had the Facebook user name and password of someone who had a load of Facebook friends? They could then send out the malware to all their contacts. This would result in a much increased success rate for the fraudster as the receiver would be much more likely to trust them, not knowing it was really a fraudster at work.

I really don't think that the social networking sites understand the value of the trust that a connection between users engenders, and the associated risk when their accounts are compromised.

December 2, 2008

Survey finds passwords are not secure - well d'uh!

This article covers two main points:

1) Passwords are not changed regularly

2) People give out too much personal information online

http://www.finextra.com/fullstory.asp?id=19374

Let's look at the first point....

We see these kind of articles related to password surveys about 3 times a year, and I am pretty sure VeriSign, my employer, have done our fair share!

The reason we see them is twofold. Firstly, passwords on their own are no longer secure enough. I think people are getting that.

The second reason, if you are feeling cynical, is that vendors want to sell more secure solutions.

Let's face it, both points are true but I am seeing a sea change in attitude recently.

Why? Well I do not think it is because vendors have honed their selling skills to the point where they are selling snake oil successfully. The reason is that the problem itself has grown to a point where the business case for adopting stronger authentication is here. This has been because of the increase in fraud, sure, but also due to new solutions and business models which make it significantly cheaper.

Let's take PayPal. They charge for two factor authentication to consumers. Now I doubt that they are making money out of the solution by charging $5 for a token but I do know that they are reducing fraud considerably whilst proving that consumers will pay for this. Not all consumers of course, but those that do want better security are prepared, some of them even very happy to pay for additional security. And a happy customer is less likely to take their business elsewhere.

Now let's look at the second point made in the article...

This talks about publishing personal information online and how social networking site users are accepting invitations to connect with people they have never heard of before. By doing this they allow the person they connected to access to their more sensitive information that they have published.

As a security vendor I wish I could provide a silver bullet that would help here. I can't, but I can say that companies like mine are talking to the social networking organisations looking for long term solutions.

But one thing that can work in the short term is education. I am sure the guys from the social networking sites are doing this but it is a continual process. They must keep reminding their customers not to accept invitations or publish anything in their public profile that is sensitive.

Not a silver bullet, but sometimes you have to keep making a noise about a problem until people start listening. Did I mention that passwords are not strong enough anymore?

November 14, 2008

Facebook Scam (aka Social Phishing)

A couple of months back I posted on a scam that had surfaced in Mexico where fraudsters managed to get hold of people's email User Name and Password, access the account and email the whole address book asking for money to be sent to a bank account to help them raise bail as they were in Jail.

Obviously the overwhelming majority of people would not expect anyone they knew to wind up in jail and ignored the email.

Well this new one in Australia takes the same principles and applies them to Facebook but is a little more feasible.

This time, the individual masquerading as your Facebook contact "needs $500 for a plane ticket".

If phishing in its more traditional form has proved anything, it is that there is always someone who will fall for it.

This "Social Phishing", i.e. taking over an email or social networking account and preying on the trusted relationships the account holder has, is much more targeted (i.e. not millions of emails aimed scattergun, but a smaller number preying on friends' trusted relationships) but I would guess is much more likely to succeed.

Another example of passwords just not being enough anymore....


October 9, 2008

I'm Back!



Sorry for not posting, but I'm back now

It's been a really busy summer for me, here is the reason.....



I am very happy to say that I am now a father, a beautiful baby girl and things have settled down well enough now for me to start blogging again, regularly.

She also blogs herself, and I am afraid I won't be sharing a link to her blog or her name as you would probably be able to find the blog if you knew my surname and her first name. Why don't I want you to find her blog? Well when my wife set up the blog she asked what she should or shouldn't publish, from a security perspective.

We defined a policy for the new person's blog as such:
- Only first names
- No surnames
- No details of where we live
- No plans for holidays

Maybe I am being paranoid, but I know that it is a part of my duty as a father to prepare her for life, online or offline.

If I made public her full name, the day she was born, the town we live in and other personal details like her mother's and father's names, I am already setting her up for an online fall. The amount of information that is being published by people on Facebook and other similar sites is manna from heaven for fraudsters. If you analyse what you need to take over a consumer's identity, the above information is a significant part.

And what about if we published when we were going on holiday? It would only take a bad guy a little time to find out where we live, and know when is the best time to pay me a visit to relieve me of my treasured possessions.

Just put it down to new parent paranoia...

June 6, 2008

Market Segmentation of your consumers needs to include security

As a marketer and a security professional, I think I am well placed to make a comment on an area I think this blog will repeatedly come back to.

Segmentation.

Now in marketing terms segmentation refers to finding similarities between members of your existing or targeted market and tailoring the offering to them to ensure you attract and retain the highest number of profitable customers possible.

It seems that the fraudsters have been doing the same:

http://www.theregister.co.uk/2008/05/28/id_fraud_trends/

Now no-one will be surprised to see this of course, especially if you are a security professional.

In fact you probably do "Segmentation" in a way when you assess the risk of fraud for particular systems or customer groups, tailoring the security to where the need is.

So I would suggest if you are a security professional reading this to think about two things.

1) Who within my customer base NEEDS the most security when they are accessing their account?

2) Who within my customer base WANTS more security when they are accessing their account?

Given the recent survey from Abbey (part of Santander banking group) in the UK that said 67% of their customers don't want added security, what about the other 33% that do WANT it? They will be more loyal customers if you are giving them additional benefit.

What percentage of those 100% are high net worth individuals who NEED additional security?

May 30, 2008

Faster Payments in the UK

Lots of newsfeeds this week talking about the move to faster payments in the UK and the welcome news that consumers (and businesses) will not have to wait up to 3 days for money to transfer between accounts.


The issue this raises is that consumers' accounts that have been compromised and are in fact being used for fraudulent transactions have to be detected faster (i.e. previously the bank had up to 3 days for the transaction to complete).

This gives the banks in the UK a big challenge to make extra sure that the consumer logging into the account is actually who they say they are.

My take is that risk based authentication can help in this area, looking at the nature of the consumer's log in (i.e. have they logged in from this machine before, from this geolocation, is this their usual log in behaviour?) along with two factor authentication.
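To make the risk based idea concrete, here is an added example (written for this post, not any bank's system) that scores a login against what the customer usually does (known device, usual country, usual hours) and decides whether the password alone is enough or whether the second factor, and possibly a fraud review, should be required. The `device_id` (a stable identifier such as a cookie set on an earlier visit), the country from IP geolocation, the weights and the thresholds are all assumptions chosen for illustration; the login history and attempts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    device_id: str   # stable device identifier, e.g. a cookie set on a previous visit (assumption)
    country: str     # country derived from the client IP by a geolocation lookup (assumption)
    when: datetime


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_hours: Set[int] = field(default_factory=set)   # hours of day seen in past logins


def build_profile(history: List[LoginAttempt]) -> UserProfile:
    """Summarise past successful logins into the 'usual' behaviour for a customer."""
    profile = UserProfile()
    for a in history:
        profile.known_devices.add(a.device_id)
        profile.usual_countries.add(a.country)
        profile.usual_hours.add(a.when.hour)
    return profile


# Illustrative weights: a new device or a new country each matter more than an odd hour.
NEW_DEVICE, NEW_COUNTRY, ODD_HOUR = 40, 40, 20


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Add up the signals that make this login look unlike the customer's normal pattern."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += NEW_DEVICE
    if attempt.country not in profile.usual_countries:
        score += NEW_COUNTRY
    if attempt.when.hour not in profile.usual_hours:
        score += ODD_HOUR
    return score


def decide(score: int) -> str:
    """Map the score to an action: password alone, password plus OTP, or OTP plus a fraud review."""
    if score >= 80:
        return "otp+review"
    if score >= 40:
        return "otp"
    return "allow"


def assess(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, str]:
    score = risk_score(profile, attempt)
    return score, decide(score)


# Constructed history for one customer: same laptop, UK, mornings and evenings.
HISTORY = [
    LoginAttempt("alice", "dev-laptop", "GB", datetime(2008, 5, 1, 8, 15)),
    LoginAttempt("alice", "dev-laptop", "GB", datetime(2008, 5, 3, 9, 40)),
    LoginAttempt("alice", "dev-laptop", "GB", datetime(2008, 5, 6, 19, 5)),
]

# Constructed attempts to score.
ATTEMPTS = [
    LoginAttempt("alice", "dev-laptop", "GB", datetime(2008, 5, 29, 9, 0)),    # routine
    LoginAttempt("alice", "dev-phone", "GB", datetime(2008, 5, 29, 20, 30)),   # new device, evening
    LoginAttempt("alice", "dev-unknown", "US", datetime(2008, 5, 30, 3, 10)),  # everything unusual
]

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for a in ATTEMPTS:
        print(a.device_id, a.country, a.when.strftime("%H:%M"), "->", assess(profile, a))
```

The point of the layering is that the routine login costs the customer nothing extra, the second factor is only demanded when something looks off, and the score is available at the moment a faster payment is about to leave the account rather than days later.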

The bottom line is the UK banks have put a lot of work into making sure fraud does not shoot up with faster payments, I just hope that they are successful!


March 25, 2008

Consumer authentication - An online organisation's view vs their customer's view

So this post is aimed at pointing out something that affects every online organisation who has account based relationships. I believe there is a disconnect between what the sites think their consumers want and what they actually want...anyway, here goes...


When looking at consumer authentication for online accounts there are three things an organisation usually considers:


Security: How much security should I apply to protect that account?

Cost: How much can I afford to spend to prevent accounts being taken over?

Usability: How can I minimise the impact on the consumer?


This diagram summarises the debate from an online organisation's point of view:

[Diagram 1: security, cost and usability from an online organisation's point of view]

As you can see the online bank might take security as the primary consideration. I am not saying they would not be concerned about cost or usability, just that they would likely put security first.


An online social networking site might look at it differently. The account is unlikely to be targeted by a fraudster, so security is not the biggest concern; instead, because their business model means they are effectively giving the service away for free, the social networking site will probably be more worried about cost.


Similarly, the online retailer would probably worry most about usability for the consumer, reasoning that the more "clicks" a consumer has to make, the less likely they are to make it to the checkout basket.


These are generalisations and as such are generally true but not every consumer thinks the way an online organisation does.

Some consumers who go to online social networking sites are worried about security.


Some online banking customers are more worried about the usability than the security.


Some online retailing customers are happy to sacrifice an element of usability for more security...you get the picture.


So how do consumers actually think? Well this diagram summarises the debate from a consumer's point of view:

[Diagram 2: security, cost and usability from a consumer's point of view]

If online organisations approach their consumer relationships from their own viewpoint they are not servicing all their customer needs. By offering security to those that want it, and not mandating it for everyone, they will be making their online relationships stronger and more profitable.