December 10, 2008

Facebook scam - Part 2

This just in from the BBC web site: Symantec have identified a virus that steals user names and passwords, nothing new there. But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and drops malware which can then steal user names and passwords and also keylog credit card details.


http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm


Now, I realise that Facebook et al are trying their best to educate their users not to accept invitations from people they don't know, but as per my earlier post about stealing logon details for a mail account / social network, what if the fraudster had the Facebook user name and password of someone who had a load of Facebook friends? They could then send out the malware to all of that person's contacts. This would give the fraudster a much higher success rate, as the receiver would be far more likely to trust the invitation, not knowing it was really a fraudster at work.

I really don't think that the social networking sites understand the value of the trust that a connection between users engenders, and the associated risk when their accounts are compromised.

December 2, 2008

Survey finds passwords are not secure - well d'uh!

This article covers two main points:

1) Passwords are not changed regularly

2) People give out too much personal information online

http://www.finextra.com/fullstory.asp?id=19374

Let's look at the first point....

We see these kinds of articles about password surveys roughly three times a year, and I am pretty sure VeriSign, my employer, has done its fair share of them!

The reason we see them is twofold. Firstly, passwords on their own are no longer secure enough. I think people are getting that.

The second reason, if you are feeling cynical, is that vendors want to sell more secure solutions.

Let's face it, both points are true, but I am seeing a sea change in attitude recently.

Why? Well, I do not think it is because vendors have honed their selling skills to the point where they are selling snake oil successfully. The reason is that the problem itself has grown to a point where the business case for adopting stronger authentication is here. This has been partly because of the increase in fraud, sure, but also due to new solutions and business models which make stronger authentication significantly cheaper.

Let's take PayPal. They charge consumers for two-factor authentication. Now I doubt that they are making money out of the solution by charging $5 for a token, but I do know that they are reducing fraud considerably whilst proving that consumers will pay for this. Not all consumers of course, but those that do want better security are prepared, some of them even very happy, to pay for additional security. And a happy customer is less likely to take their business elsewhere.

Now let's look at the second point made in the article...

This talks about publishing personal information online and how social networking site users are accepting invitations to connect with people they have never heard of before. By doing this they give the person they connected to access to the more sensitive information they have published.

As a security vendor I wish I could provide a silver bullet that would help here. I can't, but I can say that companies like mine are talking to the social networking organisations looking for long term solutions.

But one thing that can work in the short term is education. I am sure the guys from the social networking sites are doing this, but it is a continual process. They must keep reminding their customers not to accept invitations from people they don't know, and not to publish anything sensitive in their public profile.

Not a silver bullet, but sometimes you have to keep making a noise about a problem until people start listening. Did I mention that passwords are not strong enough anymore?

November 14, 2008

Facebook Scam (aka Social Phishing)

A couple of months back I posted on a scam that had surfaced in Mexico where fraudsters managed to get hold of people's email user name and password, access the account, and email the whole address book asking for money to be sent to a bank account to help them raise bail as they were in jail.

Obviously the overwhelming majority of people would not expect anyone they knew to wind up in jail and ignored the email.

Well, this new one in Australia takes the same principles and applies them to Facebook, but is a little more plausible.

This time, the individual masquerading as your Facebook contact "needs $500 for a plane ticket".

If phishing in its more traditional form has proved anything, it is that there is always someone who will fall for it.

This "Social Phishing", i.e. taking over an email or social networking account and preying on the trusted relationships the account holder has, is much more targeted (not millions of emails sent scattergun, but a smaller number preying on friends' trusted relationships), and I would guess it is much more likely to succeed.

Another example of passwords just not being enough anymore....