Online Identity and Trust

Today, we are pleased to announce that our customers' options have been broadened by our technical and sales partnership with RSA, another "Best-in-Class" Authentication Provider. The agreement will provide organizations with the mutual benefit of an expanded VIP Authentication Service through the availability of RSA SecurID® two-factor authentication technology for more choice in one-time password (OTP) authentication.

Organizations in search of strong authentication solutions will benefit from being able to use VIP in combination with RSA SecurID hardware tokens and the convenience of a single platform.

This technical and sales partnership between RSA and VeriSign signals a new chapter in the longstanding relationship between RSA and VeriSign, both of whom were recently rated Best-in-Class for Multi-Channel Authentication Technology by Javelin Strategy & Research, are teaming up to address the market segment for managed, shared authentication services, offering organizations the convenience of a single platform. Read the press release.

Updated on October 9:
Read what Burton Group's Senior Analyst Mark Diodati has to say about our partnership with RSA.

Posted by Karen Snyder at 11:44 AM | Permalink | Comments (0)

CNET reported this morning that fraudsters phished thousands of email account passwords from multiple email providers.

You don't have to be a government official, political figure or celebrity to be the target of the phishing and password-reset hack. This latest incident demonstrates that hackers have moved beyond just the high and flighty to target ordinary people. With each security breach, the shortcomings of weak passwords and the need for stronger authentication solutions become more and more evident. One-time passwords via two factor authentication provides a critical layer of security to counter such threats. If you're an organization that has been on the fence on rolling out two-factor authentication, you're in luck. VeriSign is offering a 90 Day free trial of the VeriSign Identity Protection Service -- see more details at 90 Day Trial.

Posted by Jeff Burstein at 10:51 AM | Permalink | Comments (0)

It's about time Hollywood produces a blockbuster about identity management.

No, I'm kidding. No producer would never even read a script which includes the term "identity management" in its title (except, perhaps, "Harry Potter and the Identity Management Prince"). But there is a new Bruce Willis movie that deals with the issue of identities, among other things, and, well, that's a start.

The movie is called "Surrogates" (watch trailer), and it tells the story of a futuristic world in which humans live in isolation while only communicating with their fellow man through robots that serve as social surrogates and are better-looking versions of their human counterparts.

Now isn't that kind of what happens today in our own world? When we go to the web we have a virtual identity through which we communicate with our fellow man, fellow banks, fellow stores: we send our virtual identity (user name) to the bank, it "shakes hands" with the web embodiment of the bank (using a password), and then starts communicating with it. Our online identity may not be a better-looking version of us, but it still gets the job done.

In "Surrogates" Bruce Willis is an FBI agent who enlists the aid of his own surrogate to investigate the murder of a genius college student. As the case grows more complicated, however, Willis's surrogate is destroyed and he discovers that in order to actually catch the killer he will have to venture outside the safety of his own home for the first time in many years.

Sadly enough, in our real world, our online identity "surrogate" can also be destroyed. If a deadly killer (a nerdy hacker in our case) takes over our identity, we have a problem: the surrogate still looks like us, other web surrogates still know him and trust him, but it is really, well, misbehaving. Our one chance to stop it is to identify that it is not acting like we usually do, and that's why we find behavioral analysis systems at banks, stores and (recently) social networks. If we miss that chance, our identity must be terminated - close accounts, cancel cards, change email address.

As it happens in many Hollywood movies, there is a happy ending to "Surrogates". Willis solves the mysteries, kills the bad guys, and even ends up with the girl (yes, there is a girl in this flick!). In real life, however, this rarely happens: even when we solve the mystery ("The attacker came from a proxy server in Finland, and used a zero day IE6 exploit! Yeah!"), catching the bad guys is slow and expensive, and new "killers" are born every day.
And I'm not even talking about getting the girl.

Still, what we can do (considering we don't have the budget to hire Mr. Willis) is to carefully watch our online identities: Let them communicate with the world only behind firewalls. Dress them with an anti-malware shield. Don't let them go to places you wouldn't visit in the real world. And if you're a security company, look for changes in their behavior, they may have been taken over by a vicious nerd.

Posted by Yohai Einav at 5:28 AM | Permalink | Comments (0)

Posted by Fran Rosch, SVP of User Authentication, VeriSign

This article was also published in SC Magazine.

All too frequently, reports surface of high-profile hacks victimizing individuals using weak password protection. But, unlike the inconsequential account break-ins hitting Britney Spears, Ashton Kutcher or Sarah Palin, the consequences of some compromised accounts raises serious implications for cloud services security.

Your personal and professional security is only as strong as your weakest password. And for IT managers, the security of an organization's cloud-based resources is only as strong as your most careless employee's weakest password.

Personal information can be harvested many ways - and the viability of traditional usernames and passwords are undermined by the "forgot your password" processes employed by many sites today. Many hacks have been successful because of harvested information used to break the confidence of such "reset" measures and then scouring accounts for professional account login information.

The industry must move to stronger authentication technologies. After all, the strength of a password is meaningless if someone can reset your password. The primary mechanism for secure access to web services is embarrassingly inadequate. In fact, the migration of IT to the cloud may mark the death of the traditional username and password and drive the adoption of stronger internet security measures.

Stronger authentication is available in the form of two-factor authentication, such as one-time password solutions. These solutions can - literally -- put stronger security in the hands of every individual: Plastic tokens, USB drives, SMS-enabled devices or software running on mobile devices.

Such solutions have been available for years for enterprise implementations, but cost issues tied to scaling these solutions to large numbers of users have been prohibitive.

By delivering two-factor authentication through a managed service, however, the expensive infrastructure investments of on-premise models may not present as intimidating a barrier. Such a service can dramatically reduce fixed and operating costs of ownership. And a mobile device can dramatically simplify deployment.

Ironically, or not so ironically, Authentication-as-a-Service (AaaS) - strong authentication delivered through the cloud - could be a major solution for the cloud paradigm's most obvious security challenge.

Reckless human behavior is something you can influence but can't ultimately control. Additionally, people live their digital lives across personal and private online accounts. But two factor authentication can be implemented across professional and personal accounts - from the free email account to the cloud-based ERP account - to ensure that password vulnerabilities are a thing of the past and that cloud-based services are secure in the future.

Posted by Fran Rosch at 11:04 AM | Permalink | Comments (0)

We announced our new "Mobile Developer Test Drive" program today at the 2009 RSA Conference. By leveraging the VIP Access for Mobile SDKs, developers can easily and quickly create a pilot version to transform personal mobile devices into two-factor authentication credentials.

The pilot allows developers to test the functionality of the mobile application to see how simply they can integrate strong authentication with any J2ME and iPhone applications. Developers of mobile payment, mobile banking, m-Commerce and mobile social networking can also easily incorporate VIP open standards two-factor authentication into their applications and protect their users with extra layer security that goes beyond standard secure log-ins.

To find out more about our new VIP mobile developer test drive, please visit vipdeveloper.verisign.com. Please also send us your success story and feedback. We'd love to hear from you!

Posted by Erica Huang at 8:21 AM | Permalink | Comments (1)

With the success of VIP Access for iPhone, we are adding many leading phone models into our mobile credential family. In addition to iPhone, VIP Access for Mobile now supports more than 90 popular mobile phone models including all the popular BlackBerry models as well as the Motorola, Nokia and Sony Ericsson.

VIP Access for Mobile is an easy-to-install application that transforms leading mobile phones into strong authentication credentials. To discover the benefits of the easy-to-use and cost-effective VIP Access for Mobile, download VIP Access for Mobile from m.verisign.com.

We continue adding popular feature phones into our phone family each month. If there is a popular phone model you do not see on our current official supported phone list that you would like to be considered, please let us know!

Posted by Erica Huang at 8:12 AM | Permalink | Comments (0)

We are very excited to share that our VIP Access for iPhone downloads has reached a record high. Downloads grew three times more than our previous record high this week.

We appreciated all the constructive feedback from our VIP users. Many users also wish more online banks, gaming and social network sites would sign up with VIP Network, so they can use one VIP Access credential anytime anywhere to secure their online accounts and online identity.

 
We also have had many iPod touch users ask to be notified when we include support for the iPod Touch. Although in our first release, we leverage SMS as part of activation process, we are reviewing other alternatives to enable iPod Touch users in the near future. Stay tuned.

If you have any suggestions, please email to vipmobile@verisign.com. We love to hear from our users.

Posted by Erica Huang at 11:55 AM | Permalink | Comments (0)

What are the hottest applications you can get for your iPhone this week?

Check out Apple's App Store "What's HOT" category. You will see "VIP Access" for iPhone recommended for iPhone users. This is the only security application to receive the coveted endorsement from the App Store - What's HOT category this week.

This great mobile application turns your iPhone into your personal security device and adds an extra layer security for your online accounts at the 40+ members of the VIP Network - including eBay, PayPal, AOL, and GEICO.

Check out VIP Access on your iPhone and tell us what you think.

Posted by Erica Huang at 4:01 PM | Permalink | Comments (0)

Starting today, millions of iPhone users can now protect their online identities with VIP Access! A free download from the Apple app store, VIP Access turns your iPhone into a VIP credential, which adds an extra layer of security to your online accounts at the 40+ members of the VIP Network - including eBay, PayPal, AOL, and GEICO.

+ Read the New York Times Article

+ Read our press release

Download the app using iTunes or your iPhone here.

---Updated April 3, 2009---

Here is the latest coverage:

4/2/2009: Two-factor authentication using an iPhone: Killer security app? – Andrew Patrick

4/2/2009: How to turn your iPhone into unbreakable security token – TG Daily

4/2/2009: VeriSign release iPhone VIP Access security app – Geek.com

4/1/2009: VeriSign App Turns iPhone into Security Device – Mac Evangelism

4/1/2009: Move Over Token! My iPhone Can do The Trick – Celent Banking Blog

4/1/2009: VeriSign VIP Access for iPhone Provides Additional Authentication Security - Mobile Content Today

4/1/2009: VeriSign ships OTP generator iPhone app – Finextra.com

4/1/2009: New VeriSign app offers better online security – TECH.BLORGE

4/1/2009: VeriSign releases online security application for iPhone – The Paypers

4/1/2009: New iPhone App Reduces ID Theft by Unique Password - InfoPackets

4/1/2009: VeriSign Offers Two-Factor Authentication for iPhone – IT Business Edge

4/1/2009: VeriSign app turns iPhone into security device - MacWorld

4/1/2009: VeriSign Powers iPhone Two-Factor Authentication - InternetNews

4/1/2009: VeriSign's free iPhone app secures passwords - InfoWorld

3/31/2009: An iPhone App for Security - BusinessWeek

3/31/2009: VeriSign Brings Authentication Tokens to iPhone - TidBits

3/31/2009: A safer iPhone – SiliconBeat

3/31/2009: What’s the Password? Only Your iPhone Knows– The New York Times Technology Bits Blog

3/31/2009: VeriSign Launches Online Authentication App For iPhone- WebGuild

3/31/2009: VeriSign password generator app for Apple iPhone- RSS For Gadgets

3/31/2009: Verisign launches secure password app: VIP Access - Textually.org

3/30/2009: VIP Access - iGoApps

---Updated April 21, 2009---

Additional News Coverage of VeriSign's new iPhone App

Posted by Jeff Burstein at 6:11 AM | Permalink | Comments (3)

A quick update on the Broken Trust: when a criminal becomes your friend on Facebook story I posted a few days ago: as it turns out, it sounds like there are more victims of this scam other than my friend Beny and his friend Bryan. As you can see from this WPIX report Eileen Rodriguez also had her facebook account broken into and her friend Shaila lost $650 when she wired money to someone that she thought was her distressed friend.

Interesting to note that scam details were similar and the destination account was in the UK in both cases, which hints at the possibility that both scams were perpetrated by the same people. More troublesome was that Beny's case happened in Jan whereas Eileen's, according to WPIX, happened on Feb 8th which may show that Facebook was not able to block the attackers even after they got notice of the first incident.

The public tally so far is: 2 Facebook identities stolen, 2 friends scammed and $1793 stolen. I suspect there could be more, leave a comment here if you know of anyone else that may have been victimized by this scam.

Posted by Vicente Silveira at 2:13 PM | Permalink | Comments (0)