<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Mike Davies: Online Identity and Trust in EMEA</title>
      <link>http://blogs.verisign.com/identity-emea/</link>
      <description>Consumer Authentication in Europe</description>
      <language>en</language>
      <copyright>Copyright 2008</copyright>
      <lastBuildDate>Wed, 11 Jun 2008 14:04:21 +0000</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/?v=3.2</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <item>
         <title>Stopping Card Not Present Fraud</title>
         <description><![CDATA[<p>Interesting article on "The Register" about a new way around an existing security measure in place to prevent online shopping fraud (http://www.theregister.co.uk/2008/06/11/plastic_fraud/).</p>

<p>To summarise, when you shop online (or place a mail or telephone order) this is known as a Card Not Present transaction, in other words the card is not physically present at the merchant when the transaction takes place.</p>

<p>This means that the clever stuff in your card which authenticates it to the electronic Point of Sale machine can't actually work, hence if a fraudster gets all the numbers on your credit card they can commit fraud.</p>

<p>A number of years ago, the financial industry (led by Visa and MasterCard) introduced a couple of measures to stop fraudsters just stealing the credit card details of others.  One is CVV2 (the three digit Security Code on the back of the card); the other, AVS or Address Verification Service, looks at the numbers in the address the card is registered to and compares that to the mailing address for the goods.  If they are different it is more likely to be a fraudulent transaction (i.e. a fraudster using stolen credit card details to order and send goods to another address).</p>

<p>The fraudsters worked out that the AVS only checks the numbers in an address and so have got around this by looking for addresses they can send the fraudulent goods to which have the same numbers in as the real address (i.e. a house number of 12 and a post code of W4 2QR would be the same as a house number of 12 and post code of E4 2RT).  </p>

<p>Obviously this is not a perfect "workaround" for the fraudster but the article mentions a number of occasions where this has worked.</p>

<p>Solving the Card Not Present fraud problem is a major priority for banks and vendors alike and I hope to post something soon about how VeriSign plans to stop this type of fraud....sorry to be cryptic, we have a solution we are very sure will stop this and most other types of CNP fraud, but until we have done our due diligence I am unable to say more...<br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/06/stopping_card_not_present_frau.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/06/stopping_card_not_present_frau.php</guid>
         <category></category>
         <pubDate>Wed, 11 Jun 2008 14:04:21 +0000</pubDate>
      </item>
            <item>
         <title>Market Segmentation of your consumers needs to include security</title>
         <description><![CDATA[<p>As a marketer and a security professional, I think I am well placed to make a comment on an area I think this blog will repeatedly come back to.</p>

<p>Segmentation.</p>

<p>Now in marketing terms segmentation refers to finding similarities between members of your existing or targeted market and tailoring the offering to them to ensure you attract and retain the highest number of profitable customers possible.</p>

<p>It seems that the fraudsters have been doing the same:</p>

<p>http://www.theregister.co.uk/2008/05/28/id_fraud_trends/</p>

<p>Now no-one will be surprised to see this of course, especially if you are a security professional.</p>

<p>In fact you probably do "Segmentation" in a way when you assess the risk of fraud for particular systems or customer groups, tailoring the security to where the need is.</p>

<p>So I would suggest if you are a security professional reading this to think about two things.</p>

<p>1)	Who within my customer base NEEDS the most security when they are accessing their account?</p>

<p>2)	Who within my customer base WANTS more security when they are accessing their account?</p>

<p>The recent survey from Abbey (part of the Santander banking group) in the UK said that 67% of their customers don't want added security, but what about the other 33% that do WANT it?  They will be more loyal customers if you are giving them additional benefit.</p>

<p>What percentage of those 100% are high net worth individuals who NEED additional security?<br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/06/market_segmentation_of_your_co.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/06/market_segmentation_of_your_co.php</guid>
         <category>Consumer Authentication</category>
         <pubDate>Fri, 06 Jun 2008 10:35:22 +0000</pubDate>
      </item>
            <item>
         <title>Faster Payments in the UK</title>
         <description><![CDATA[<p>Lots of newsfeeds this week talking about the move to faster payments in the UK and the welcome news that consumers (and business) will not have to wait up to 3 days for money to transfer between accounts.</p>

<p><br />
The issue this raises is that consumer accounts that have been compromised and are in fact being used for fraudulent transactions have to be detected faster (i.e. before, they had 3 days for the transaction to complete).</p>

<p>This gives the banks in the UK a big challenge to make extra sure that the consumer logging into the account is actually who they say they are.</p>

<p>My take is that risk based authentication can help in this area, looking at the nature of the consumer's log in (i.e. have they logged in from this machine before, from this geolocation, is this their usual log in behaviour?) along with two factor authentication.</p>

<p>The bottom line is the UK banks have put a lot of work into making sure fraud does not shoot up with faster payments, I just hope that they are successful!</p>

<p><br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/05/faster_payments_in_the_uk.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/05/faster_payments_in_the_uk.php</guid>
         <category>Consumer Authentication</category>
         <pubDate>Fri, 30 May 2008 10:36:58 +0000</pubDate>
      </item>
            <item>
         <title>Societe Generale and biometrics</title>
         <description><![CDATA[<p>As a security professional I am never surprised when security breaches occur such as the recent Societe Generale incident when a rogue trader wiped out a large proportion of their profits.  By that I mean that they aren't the first and they certainly won't be the last.</p>

<p>I only mention them as I read a story the other day that after the incident they are now looking at implementing biometrics to protect internal procedures.</p>

<p>I have followed the biometrics industry for many years and have heard many issues about usability.  I truly hope that the latest generation of technology is robust enough as the false negative rates before had seemed to be too big a barrier.</p>

<p>I hope that their implementation is successful, they certainly have had enough problems to deal with.</p>

<p>From a consumer authentication perspective, I think that biometrics still have a way to go.  </p>

<p>Some biometrics are already creeping into consumer authentication (i.e. some sites monitor how fast you type your keystrokes or some companies have established voice biometrics for telephone banking).  But these are usually used in conjunction with other authentication methods and I can see that not changing for a long time.</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/05/societe_generale_and_biometric.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/05/societe_generale_and_biometric.php</guid>
         <category></category>
         <pubDate>Mon, 05 May 2008 16:58:31 +0000</pubDate>
      </item>
            <item>
         <title>Swede (2)FA</title>
         <description><![CDATA[<p>My wife is Swedish and we live happily together in England.  She does love England but every now and then she points out little things in our daily life where things are better in Sweden.  It is probably a long term subliminal campaign for her to persuade me to move to Sweden but it will never work, too far to travel back for Spurs home games!</p>

<p>Anyway, the other day she pointed out that the Swedes have had 2 factor authentication for their online banking sites for about 10 years.  Her bank gave her a calculator sized device smaller than a PINSentry or NatWest Card reader, which she is happy to use.</p>

<p>Whilst I have already blogged that I don't fully buy into the Barclays PINSentry or NatWest Card Reader implementation (too bulky and only usable at the bank that gave you it) or this particular device (for the same reasons), I must say that Sweden did the right thing at the time.  </p>

<p>I do think that it is time for banks in Sweden and elsewhere to consider more user friendly consumer security devices like the credit card device (see post below) or a security device in the consumer's mobile phone.</p>

<p>By the way, apparently Sweden has better hospitals, better sports facilities, better maternity rights (18 months split between the mother and father as you see fit at 90% pay!!!), more Olympic medallists per capita, lower cost of living, healthier food, better designers, closer family units, more beautiful countryside and no Page 3 in newspapers (sorry you will only get the last one if you are English)!<br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/04/swede_2fa.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/04/swede_2fa.php</guid>
         <category></category>
         <pubDate>Tue, 29 Apr 2008 16:57:26 +0000</pubDate>
      </item>
            <item>
         <title>Barclays PIN Sentry and Nat West Card reader</title>
         <description><![CDATA[<p>(This post shows a picture of one of our products but still reflects my opinion rather than that of my company).</p>

<p>First off, I want to congratulate Barclays and NatWest for introducing more security for their consumers.</p>

<p>The Barclays PINSentry device and the NatWest Card Reader have been shipped to over 1 million UK consumers.</p>

<p>I think the adoption of two factor authentication in the UK is a real step forwards to making consumers feel more secure when they online bank.  It follows moves in other countries around Europe which have had a positive effect on reducing fraud.</p>

<p>(And here is the "but" you were probably waiting for....)</p>

<p>But....I can't say I like the implementation for the following reasons:</p>

<p>1)	The card reader is bulky.  I can't see many people wanting to carry it around during their work / personal life.  (There are a number of sites where consumers are complaining about this, just Google "PINsentry")</p>

<p>2)	The implementation only allows consumers to protect their online bank account.  What about other online sites?  Are consumers expected to carry around a token for every site they want to protect online?  Will they end up with 7 or 8 tokens for each of their online relationships they value?</p>

<p>The debate goes back to a previous post I made about usability vs cost vs security.   The card readers that have been implemented, I would humbly suggest, are security solutions which are not user friendly and as such some customers will continue to rebel against them.</p>

<p>I think we will see more and more consumer authentication implementations but they must be able to be shared across all aspects of a consumer's online life and be in a format that is acceptable to consumers.</p>

<p>I believe we will start to see banks and other organisations giving out more appropriate security devices like this one over time:<br />
<img alt="Diagram 5.jpg" src="http://blogs.verisign.com/identity-emea/Diagram%205.jpg" width="480" height="360" /></p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/04/barclays_pin_sentry_and_nat_we.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/04/barclays_pin_sentry_and_nat_we.php</guid>
         <category></category>
         <pubDate>Mon, 21 Apr 2008 16:34:31 +0000</pubDate>
      </item>
            <item>
         <title>Why we don&apos;t have federated consumer online identity</title>
         <description><![CDATA[<p>When I started out this blog I promised to mention if any posts have a VeriSign bias, this one mentions our technology (and the open standards they are based on) but still reflects my opinion rather than that of my company. </p>

<p><strong>What is a federated consumer online Identity?</strong><br />
The general idea is that a consumer would have the ability to log on to one site and then automatically be able to log on to a different site with the same credentials (i.e. his or her identity would be transferable across multiple sites without the need to prove who that person was all over again).    This of course makes the whole online commerce experience much easier and safer for the consumer and reduces the fraud that online companies experience.</p>

<p><strong>Why don't we have it now?</strong><br />
I was involved in consumer authentication as far back as 1999.  We were going to change the world with "federated consumer online identities" based on Public Key Infrastructure (PKI) technology.  We didn't.</p>

<p>The reasons that my organisation at the time, and others since, failed are multiple but the major reason I think is something called Identity Proofing.</p>

<p><strong>Identity proofing</strong><br />
Identity proofing refers to the process for deciding that the person who wants to start an online account at a site is really who they say they are.  Think about an online book reseller such as Amazon.  They "ID proof" a consumer by asking for valid credit card details with accompanying address data.  That is fine for Amazon, but if that consumer then wanted to apply for a loan at an online bank they had no previous relationship with, the details provided to Amazon would not be enough for that bank to approve the loan.  </p>

<p>In other words the ID proofing needed for consumers at different sites varies.  And ID proofing is expensive / time consuming.  Imagine buying that book at Amazon, would you want to have to go through the same process that you did for an online loan to buy a book?</p>

<p>What isn't different at the online book reseller and the online bank is the way that account is accessed after the account has been set up.  Usually a username and password, sometimes referred to as a 1st factor of authentication.</p>

<p>At sites such as online banking companies, the consumer might also be asked for a second factor of authentication such as a password which can only be used once generated from a token (i.e. PinSentry from Barclays in UK) or a password from a number grid (i.e. TAN system in Germany).</p>

<p>This second factor adds another layer of security which makes it very hard for a consumer to have his or her account taken over by a fraudster through techniques like "Phishing".</p>

<p>As the banks around the world have started to introduce second factor authentication the fraudsters have started to move towards other easier phishing targets like national tax revenue agencies, online gaming / gambling and even motorists associations!</p>

<p>This trend will continue as fraudsters go for the sites with the weakest security.</p>

<p>So given that, I think it is fair to say that almost any online site where there is a value to the fraudster in gaining access to an account will start to experience phishing.</p>

<p>This means that although the ID proofing element on each site may be different, the authentication methods used to access that account are starting to be a shared problem.</p>

<p>Now when we take ID proofing out of a federated online identity, we can start to see that the remaining authentication elements can actually be "federated".  </p>

<p>Look at Open ID.  This federates the first factor of authentication (user name and password) across any site a consumer interacts with.</p>

<p>Look at OATH (openauthentication.org) which federates the second factor of authentication across any site a consumer interacts with.</p>

<p>I usually sum the situation up in the following picture:<br />
<img alt="Diagram 4.jpg" src="http://blogs.verisign.com/identity-emea/Diagram%204.jpg" width="480" height="360" /><br />
I don't believe we will see a federated consumer online identity anytime in the near future, but like any problem, by breaking it down into smaller chunks we can start to see some major progress towards our goal of making it easy for a consumer to have secure online relationships which are easy for them to manage.<br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/04/why_we_dont_have_federated_con_1.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/04/why_we_dont_have_federated_con_1.php</guid>
         <category></category>
         <pubDate>Mon, 14 Apr 2008 09:28:03 +0000</pubDate>
      </item>
            <item>
         <title>1st day at the RSA 2008 show and HSBC lose customer data</title>
         <description><![CDATA[<p>I am over here in (currently) sunny San Francisco for the RSA Security show and the first thing I read in my inbox this morning is that HSBC have lost 370k customer records.</p>

<p><br />
<a href="http://news.bbc.co.uk/1/hi/business/7334249.stm">http://news.bbc.co.uk/1/hi/business/7334249.stm</a></p>

<p><br />
When you read the article it becomes clear that the data lost is not that significant and (as with the HMRC lost CDs) probably has not got into the hands of fraudsters.  It is also very clear that the loss has nothing to do with people's online accounts.</p>

<p><br />
But all the general public reads is "HSBC loses customers' data disc", and that again adds fuel to the fire for those consumers that don't want to do banking online.  </p>

<p><br />
Consumer online trust is being eroded by any adverse news such as this; unfortunately, I am guessing that this is a topic that I will be coming back to again and again on this blog.</p>

<p><br />
RSA really kicks off properly tomorrow, and I hope to post a couple of times this week on anything new that catches my eye.<br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/04/1st_day_at_the_rsa_2008_show_a.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/04/1st_day_at_the_rsa_2008_show_a.php</guid>
         <category></category>
         <pubDate>Mon, 07 Apr 2008 17:10:15 +0000</pubDate>
      </item>
            <item>
         <title>Social networking and fraud - Phoraging</title>
         <description><![CDATA[<p>About a year ago we coined this term and have only really been using it internally within VeriSign, but let me tell you a bit about Phoraging. </p>

<p><br />
Our definition: <br />
"Taking data from many different online sources to build up the identity of a consumer to commit identity theft".  </p>

<p><br />
You can compare it to someone in the real world going through your garbage to find banks statements and the like (called Dumpster Diving in the US).</p>

<p><br />
It has been becoming more and more relevant as social networking sites have exploded and internally, we use this slide picture to highlight it:</p>

<p><br />
<img alt="Diagram 3.jpg" src="http://blogs.verisign.com/identity-emea/Diagram%203.jpg" width="480" height="360" /></p>

<p><br />
To explain:</p>

<p><br />
Anything to the left of the "Privacy line" - Things that you post on public sites that you are happy to share with anyone.  The problem that sites like Facebook give us is that the privacy line (i.e. things that you are happy to share with people) is moving to the right.  </p>

<p><br />
Anything to the right of the privacy line and left of the security line - Things you might share when you register for an event or ask for a brochure from a web site.  If a fraudster has a key logger on your machine or has set up a fake site to capture these details, they can get even more data on you.</p>

<p><br />
Anything to the right of the Security line - things that you would be unwilling to share with anyone.</p>

<p><br />
What the diagram shows is that as the "Phorager" builds up more information about you he or she is more able to get past the "Security Line" potentially stealing your identity.</p>

<p><br />
Started as a bit of fun really, but I did notice that there are now three pages of sites if you Google "Phoraging" :-)</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/04/social_networking_and_fraud_ph.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/04/social_networking_and_fraud_ph.php</guid>
         <category></category>
         <pubDate>Mon, 07 Apr 2008 09:22:12 +0000</pubDate>
      </item>
            <item>
         <title>Good article about the proliferation of passwords</title>
         <description><![CDATA[<p>This article makes the case for Open ID without even mentioning it.  The journo is having a valid moan about the proliferation of passwords in her life and talks through a number of tools and policies she uses to protect them.</p>

<p>A great example of a "consumer's view" of the problem, and should help the techie community take a step back to understand the real problems consumers face.</p>

<p>Of course what we know, and she doesn't, is that if she had an Open ID (and it was widely accepted), problem would be solved!</p>

<p>http://online.wsj.com/article/SB120587753685946459.html?mod=googlenews_wsj</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/04/good_article_about_the_prolife.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/04/good_article_about_the_prolife.php</guid>
         <category></category>
         <pubDate>Thu, 03 Apr 2008 10:51:05 +0000</pubDate>
      </item>
            <item>
         <title>Look out for Black Swans</title>
         <description><![CDATA[<p>I must recommend a book.  But as I do I feel like I am recommending a course of medication which will make you feel queasy first but will ultimately be worth it.</p>

<p><br />
In other words, it's not an easy read.  </p>

<p><br />
Sure there are enough amusing stories to keep you involved, but at times it goes a bit heavy on the statistics and technicalities of his argument.  If I was being over critical I would also say the author uses it as a platform to have a pop at some of his critics.</p>

<p><br />
But given the above caveat I would strongly recommend "the Black Swan" by Nassim Nicholas Taleb.</p>

<p><br />
Someone sent me a Haiku (a minimalist form of Japanese poetry) the other day, and after a couple of glasses of wine on a flight I thought I would sum up the book in Haiku form, it seemed to work at 30,000ft:</p>

<p><br />
Our world is random <br />
Expect and prepare for change<br />
But do not predict</p>

<p><br />
A Black Swan, as Taleb defines it, is a large-impact, hard-to-predict, and rare event beyond the realm of normal expectations which has a major effect on things we do.</p>

<p><br />
Here is some more info from Wikipedia: http://en.wikipedia.org/wiki/Black_swan_theory</p>

<p><br />
Some general examples:<br />
	- The birth and growth of the internet<br />
	- September 11th 2001<br />
	- 1995 Kyoto earthquake in Japan (knocked out 1/3 of Japan's export capacity)</p>

<p><br />
So what has this to do with Consumer Authentication and trust on the internet?  Well it might help if I outline a few examples which I would class as Black Swans that are relevant:	</p>

<p>	- HMRC data breach in UK (25 million consumer records missing)<br />
	- T. J. Maxx in US (having 46 million credit card records stolen)<br />
	- Estonia's internet sites overwhelmed in cyber terrorist attacks</p>

<p><br />
Why are these Black Swans in our world?  Well firstly, no-one saw them coming.  </p>

<p><br />
Secondly, they had a profound and deep effect on consumer trust on the internet.</p>

<p><br />
I don't think anyone could have predicted any one of those particular "Black Swans" but I am pretty sure I can make a prediction which will hold up over time (and I do so without contradicting the Black swan theory).  </p>

<p><br />
"I predict that before the end of 2008 there will be a "scandal" of a similar size to the aforementioned that is related to Identity, trust or consumer authentication within Europe."</p>

<p><br />
Doesn't take a rocket scientist to make that kind of prediction, but what I am trying to say is that as these rare but ultimately game changing events come about in the online world, consumer trust will continue to be eroded.</p>

<p><br />
I am not a doomsayer, I don't believe that the online commerce world is broken, I just think that as more and more of these things happen many consumers will shy away from using the internet to its maximum potential.  </p>

<p><br />
We should be preparing for Black Swans in our own little world of online consumer authentication as each time an event comes along, consumers leave the building.</p>

<p><br />
But as I say, read the book!<br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/04/look_out_for_black_swans.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/04/look_out_for_black_swans.php</guid>
         <category></category>
         <pubDate>Wed, 02 Apr 2008 09:15:45 +0000</pubDate>
      </item>
            <item>
         <title>Abbey customers don&apos;t want Chip and PIN</title>
         <description><![CDATA[<p>Abbey (a major UK retail bank) have just published the results from a study which says that 68% of their customers don't want Chip and PIN:</p>

<p>http://www.finextra.com/fullstory.asp?id=18250</p>

<p>I think this is for two main reasons:</p>

<p><strong>1) Some people just don't want additional security</strong><br />
I totally understand that not every customer wants additional security from the hassle point of view but I really think Abbey (and other organisations) are missing a major point.  </p>

<p>If 32% of your customers want something is that not reason enough to offer it to them?</p>

<p>Leave the other 68% without any 2nd factor for the time being and see what happens.  I bet that a significant proportion of them will move over time to want more security, especially if they themselves have fraud issues on their Abbey or other online accounts.</p>

<p><br />
<strong>2) The form factor they were offered was the Chip and PIN reader</strong></p>

<p>I am not surprised that when shown the Chip and PIN style device people do not want it; people just don't want to carry around another device with them.  There are however other devices, such as credit card style tokens with an LCD which generate an OTP, which are much more user friendly.  There are even ones with Challenge and Response functionality available, totally replacing the need for a separate Chip and PIN reader.</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/03/abbey_customers_dont_want_chip_1.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/03/abbey_customers_dont_want_chip_1.php</guid>
         <category></category>
         <pubDate>Wed, 26 Mar 2008 10:28:48 +0000</pubDate>
      </item>
            <item>
         <title>Consumer authentication - An online organisation&apos;s view vs their customer&apos;s view</title>
         <description><![CDATA[<p>So this post is aimed at pointing out something that affects every online organisation that has account based relationships.  I believe there is a disconnect between what the sites think their consumers want and what they actually want...anyway, here goes...</p>

<p><br />
When looking at consumer authentication for online accounts there are three things an organisation usually considers:</p>

<p><br />
Security:  How much security should I apply to protect that account?</p>

<p>Cost: How much can I afford to spend to prevent accounts being taken over?</p>

<p>Usability: How can I minimise the impact on the consumer?</p>

<p><br />
This diagram summarises the debate from an online organisation's point of view:<br />
<img alt="Diagram 1.jpg" src="http://blogs.verisign.com/identity-emea/Diagram%201.jpg" width="480" height="360" /><br />
As you can see the online bank might take security as the primary consideration.  I am not saying they would not be concerned about cost or usability, just that they would likely put security first.</p>

<p><br />
An online social networking site might look at it differently.  The account is unlikely to be targeted by a fraudster so security is not the biggest concern, instead because their business model means they are effectively giving the service away for free the social networking site will probably be more worried about cost.</p>

<p><br />
Similarly, the online retailer would probably worry most about usability for the consumer, reasoning that the more "clicks" that a consumer has to make the more unlikely they are to make it to the checkout basket.</p>

<p><br />
These are generalisations and as such are generally true but not every consumer thinks the way an online organisation does.  </p>

<p>Some consumers who go to online social networking sites are worried about security.  </p>

<p><br />
Some online banking customers are more worried about the usability than the security.</p>

<p><br />
Some online retailing customers are happy to sacrifice an element of usability for more security...you get the picture.  </p>

<p><br />
So how do consumers actually think? Well this diagram summarises the debate from a consumer's point of view:<br />
<img alt="Diagram 2.jpg" src="http://blogs.verisign.com/identity-emea/Diagram%202.jpg" width="480" height="360" /><br />
If online organisations approach their consumer relationships from their own viewpoint they are not servicing all their customer needs.  By offering security to those that want it, and not mandating it for everyone, they will be making their online relationships stronger and more profitable.</p>

<p><br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/03/consumer_authentication_an_onl.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/03/consumer_authentication_an_onl.php</guid>
         <category>Consumer Authentication</category>
         <pubDate>Tue, 25 Mar 2008 13:32:55 +0000</pubDate>
      </item>
            <item>
         <title>My take on OpenID</title>
         <description><![CDATA[<p>You may have seen the news recently about Open ID and how companies such as VeriSign (along with Google, Yahoo, IBM and Microsoft) have all expressed support for this emerging standard, well here is my take.... </p>

<p><br />
Open ID has been around now for a couple of years and, as with any jump in technology, we shouldn't expect adoption by large commercial organisations immediately, so the fact that Yahoo have gone for it is a sign that this technology is reaching an early level of maturity.  Other large US based online consumer organisations are expected to follow over time.</p>

<p><br />
It is great to see Yahoo taking the plunge on this and I am fully supportive as this will mean the consumer nightmare of having to remember a different user name and password for every site will disappear.</p>

<p><br />
The challenge for the Open ID community is getting more traditional and risk-averse  businesses like the banking community on board.</p>

<p><br />
The reason for this is that banks will be worried that if a consumer's Open ID is compromised at another site then their banking relationship will be compromised.  A fair point I must say.</p>

<p><br />
The solution to this?  Well, 2nd factor authentication, which the banks are rolling out in the UK and is already established in many markets, means that the banks retain control of the customer relationship, even if the Open ID account is compromised.</p>

<p><br />
For those of you that don't know about 2nd factor authentication, it is usually achieved with a small token (such as this one) which provides a unique one time password for every time a consumer logs into the site.</p>

<p><br />
<img alt="token.jpg" src="http://blogs.verisign.com/identity-emea/images/token.jpg" width="300" height="150" /></p>

<p> <br />
Bottom line is that Open ID will be adopted by many other businesses and their consumers, but it will only be adopted by the banks in conjunction with 2nd factor authentication.<br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/03/my_take_on_openid.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/03/my_take_on_openid.php</guid>
         <category>OpenID</category>
         <pubDate>Mon, 24 Mar 2008 21:33:19 +0000</pubDate>
      </item>
            <item>
         <title>My 7 rules as I start this Blog</title>
         <description><![CDATA[<p>So, after some arm twisting over a few beers I have decided to start a blog.  I work for VeriSign but I have made it clear to the powers that be that this should express my own personal views rather than the corporate line...and guess what, they agreed.  As I start this I have set myself some guidelines which anyone reading this should set me straight on if I go off course:</p>

<p><br />
<strong>This Blog will...</strong></p>

<p>1)   ...highlight activities related to Online Identities and Trust for consumers, and businesses which interact with consumers online in Europe</p>

<p>2)      ...be my opinion NOT my employer's at VeriSign and will shy away from any post which I feel looks like shameless publicity.  Any posts that do, I will highlight clearly as such</p>

<p>3)      ...focus on European issues, but highlight related issues on other continents</p>

<p>4)      ...not become a "General Security" blog, there are enough of them already</p>

<p>5)      ...not get too technical, I want to highlight trends in consumer and business experience in this area rather than get weighed down in technical details</p>

<p>6)      ...be updated no less than once a week </p>

<p>7)      ...attempt to entertain as well as inform</p>

<p>Mike<br />
</p>]]></description>
         <link>http://blogs.verisign.com/identity-emea/2008/03/my_7_rules_as_i_start_this_blo_1.php</link>
         <guid>http://blogs.verisign.com/identity-emea/2008/03/my_7_rules_as_i_start_this_blo_1.php</guid>
         <category>blogging</category>
         <pubDate>Fri, 21 Mar 2008 11:04:51 +0000</pubDate>
      </item>
      
   </channel>
</rss>
