VeriSign Identity Protection Team Bloggers

The VeriSign Identity Protection team bloggers demonstrate their spelling skills.

"V" = Han Dong
"I" = Kerry Loftus
"P" = Jeff Burstein
"!" = Erica Huang

January 29, 2010

VeriSign has "got your back" on fraudulent ATM activity

Han Dong, Senior Product Marketing Manager, User Authentication

One great thing about blogging for a company like VeriSign, which happens to have so many cool tools in its bag, is that it's so easy to find several blogs on the net that mention you. In this case I'm referring to a Wall Street Journal blog: "Under Surveillance: Big Brother Stocks", by James Altucher. In this blog, Altucher talks about all of the various measures (and money spent - to the tune of $200 billion in the U.S.) taken to automate the monitoring and protection of your banking transactions, checking in at the airport, and even your simple ATM cash withdrawal.

Here Altucher mentions VeriSign and our VIP Fraud Detection Service for risk-based authentication and detection of unscrupulous user activity. Fraud detection is the key to enabling risk-based authentication, where an enterprise can deploy authentication commensurate with the risk of a given transaction. The VIP Fraud Detection Service provides an "invisible means" of delivering proactive protection to consumers. Using advanced anomaly detection technology, the service detects fraudulent logins and transactions in real time without affecting legitimate users' web experience. The solution also takes a self-learning approach to fraud detection, adapting to the usage habits unique to each individual customer. Using policies and pattern recognition technology, the service can flag potentially fraudulent activities based on known types of fraud and on behaviors not associated with the user. Because the service is self-learning, it can adapt to changing criminal behavior without manual intervention. This non-intrusive approach does not require any change to a Web site and remains invisible to the consumer until a fraud is detected.

And this whole scenario is completely customizable by VIP Fraud Detection Service customers. By using the provided rules or rules you set up, and by comparing current user transaction behavior to historical and live data, the system rates fraudulent transactions and alerts you to possible risks. Once alerted, you can investigate these fraudulent transactions as cases within the Fraud Detection Service Investigation Console. As the system logs a number of transactions for each user, it can learn user behaviors to better assess subsequent transactions for fraud, and it can use feedback from rules to build lists of fraudulent and legitimate transaction information.

Going back to Altucher's article, to clarify, there is one specific optional module known as the ATM Module. This is the additional component to the VIP Fraud Detection Service that evaluates and analyzes thousands of transactions per second to detect compromised cards and ATM locations used for fraudulent activity. When the risk score generated at the time of the transaction exceeds your threshold, an instant alert notifies your fraud team. Then fraud investigation and management tools provide sophisticated analysis to efficiently resolve scams. And banks can even choose to block an activity in real time.
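As an added illustration (not VeriSign's code), here is a small Python risk scorer that follows the flow the paragraphs above describe: provided rules plus the user's own history produce a risk score, a score above the threshold raises an alert for investigation, and the analyst's verdict feeds the lists of fraudulent and legitimate activity. The rule weights, the threshold and the transactions are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

ALERT_THRESHOLD = 60  # assumed tunable alert threshold, as the post describes

@dataclass
class Txn:
    user: str
    amount: float
    country: str
    device: str
    hour: int

class FraudDetector:
    def __init__(self):
        # per-user history the scorer learns from (the "self-learning" part)
        self.profiles = defaultdict(lambda: {"amounts": [], "countries": set(), "devices": set()})
        self.fraud_devices = set()    # built from confirmed-fraud feedback
        self.trusted_devices = set()  # built from confirmed-legitimate feedback

    def score(self, t):
        """Known-fraud rules plus deviation from the user's own baseline; returns (0-100, rule names)."""
        p, score, reasons = self.profiles[t.user], 0, []
        if t.device in self.fraud_devices:
            score += 100; reasons.append("device on fraud list")
        if p["countries"] and t.country not in p["countries"]:
            score += 40; reasons.append("new country")
        if p["devices"] and t.device not in p["devices"]:
            score += 30; reasons.append("new device")
        if len(p["amounts"]) >= 3 and t.amount > 5 * mean(p["amounts"]):
            score += 35; reasons.append("amount far above baseline")
        if t.hour < 5:
            score += 10; reasons.append("off-hours")
        if t.device in self.trusted_devices:
            score -= 30; reasons.append("trusted device")
        return max(0, min(score, 100)), reasons

    def process(self, t):
        """Score, decide, then learn; alerted transactions must not reshape the baseline unreviewed."""
        score, reasons = self.score(t)
        alert = score >= ALERT_THRESHOLD
        if not alert:
            self._learn(t)
        return {"score": score, "alert": alert, "reasons": reasons}

    def feedback(self, t, is_fraud):
        """Analyst verdict from the investigation console feeds the fraud/legitimate lists."""
        if is_fraud:
            self.fraud_devices.add(t.device)
        else:
            self.trusted_devices.add(t.device)
            self._learn(t)

    def _learn(self, t):
        p = self.profiles[t.user]
        p["amounts"].append(t.amount); p["countries"].add(t.country); p["devices"].add(t.device)

def demo():
    d = FraudDetector()
    for amount in (40, 55, 62, 48):  # constructed normal history for one user
        d.process(Txn("alice", amount, "US", "laptop-1", 12))
    odd = Txn("alice", 900, "RO", "phone-9", 3)
    first = d.process(odd)            # new country, device, amount and hour -> alert
    d.feedback(odd, is_fraud=False)   # analyst confirms Alice was travelling
    second = d.process(Txn("alice", 120, "RO", "phone-9", 3))
    return first, second
```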


Rest assured, VeriSign is watching your assets...


January 12, 2010

Cloud computing security standards - Vinton Cerf, father of the internet, has got your back

Han Dong, Senior Product Marketing Manager, User Authentication

It's a good thing that people much smarter than me are thinking about the future of the internet, cloud computing, and ensuring I'm properly indoctrinated on the right social networking sites du jour. More importantly, these same smart people are constantly thinking about really critical things, like 'standards', 'interoperability', and 'security'. Guys like Tim Berners-Lee, the inventor of the Web and HTML, Paul Mockapetris, the inventor of DNS, and Vinton Cerf, the father of the internet and co-designer of TCP/IP, are constantly analyzing what's happening today and thinking about what's coming in the future. These people are part of the founding fathers of the web, the internet, and how all the intricate pieces work together seamlessly - just so you can download your tunes, update your tweet/blog, and get the latest NFL scores.

Whew, I'm glad these guys are on top of things.

Of course, anytime a paradigm shift occurs in the world of computing, there's bound to be an outgrowth of new issues and problems. And some of these new issues related to cloud computing are exactly what Vinton Cerf has been thinking about. Mamoon Yunus' article "Vint Cerf and Multi-Cloud Mayhem of cloud Computing" and Paul Krill's InfoWorld article "Cerf urges standards for cloud computing" both cover a number of issues Cerf sees being created by the "cloud", and how the situation is very similar to the wild west days of early computer networks.

One issue in particular is in the area of cloud security and authentication. "Strong authentication will be a critical element in the securing of clouds," said Cerf. Multi-tenant cloud environments, and the need to ensure that only properly authorized users are permitted to access the right services, create a critical need for strong authentication in the cloud. Now I bring this issue to your attention because this is precisely an area that VeriSign has given a great deal of thought and attention to in delivering our goal of providing trust on the internet and in the cloud.

From Extended Validation SSL, to VeriSign Identity Protection for Two-factor authentication and Fraud Detection Services, to PKI Digital Certificates for authentication, every weapon in VeriSign's arsenal is designed to deliver a secure, trusted experience in the cloud and on the net. And just as I discussed in my last post, VeriSign knows just how to deliver a multi-layered security strategy for anyone who's moving to the cloud.

Whew, I'm glad Vinton Cerf (and VeriSign) has got your back.

December 15, 2009

Layered Security Strategy, the Key to Trust

Han Dong, Senior Product Marketing Manager, User Authentication

Some thoughts on a couple of recent articles, one from Gartner Research: Where Strong Authentication Fails and What You Can Do About It, by Avivah Litan and a similar article by Jaikumar Vijayan in Computerworld, which also references Ms. Litan's article.

The basic idea presented in these two articles is that "one-time passwords...are no longer enough to protect online banking transactions against fraud." These one-time password (OTP) token-based two-factor authentication methods may be compromised by man-in-the-browser malware that overwrites the user transactions to steal their assets. So the general recommendation from Avivah Litan is "A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers can and has mitigated these threats."

We agree that OTP is not the end-all, be-all of security for the internet. In fact, VeriSign was recently recognized as a "best in class authentication technology solution" by Javelin Strategy & Research, primarily because VeriSign espouses a layered security approach for protecting our customers' online transactions. This approach includes Extended Validation SSL, which authenticates the website to the user with an easily identifiable green address bar; the VeriSign Identity Protection Fraud Detection Service, which delivers risk-based authentication by monitoring each user's behavior and triggering additional authentication when abnormal patterns or behavior are noted; and the VeriSign Identity Protection Service, whose one-time password (OTP) authentication mitigates account takeover by requiring an additional factor, beyond username and password, for access to critical accounts. OTP in and of itself is not a panacea, but it is part of a multi-layered security approach that anyone conducting business online should consider to protect its customers and business.

Fraud may be on the rise, so whom do you turn to for trust in the online world? Easy, look for the check.

December 3, 2009

Password for my password

Han Dong, Senior Product Marketing Manager, User Authentication

I just read an article in CNET, by Jonathan Eunice, Character limitations in passwords considered harmful. And immediately after reading the story I thought to myself, Jonathan (may I call you Jonathan), we have the answer to your troubles. It's called VeriSign Identity Protection (VIP) Authentication Service and it's precisely what you need to address your goal to have strong authentication for your "4,000 web services."

Jonathan's article describes how various websites frequently restrict your ability to create 'stronger' passwords that use symbols (i.e. !@#$%^&), relegating the user to simple (and easy to steal) phrase or nickname passwords. So he is thwarted in his attempt to use a password like "Ga9i)t|Z" because the website in question does not allow special characters in passwords, and he's forced to use "easy-to-remember, easy-to-hack passwords." Not an ideal solution.

So here's where VIP comes in. VIP is an easy-to-implement two-factor authentication service that employs an open-standards-based one-time password credential to strengthen your existing userid and password. The VIP Authentication Service provides cloud-based second-factor authentication, integrated with your favorite web service via a Web Services-based API. The VIP credential is available as a small hardware token or as a client application on your mobile phone (always available, regardless of wireless network coverage). The credential generates a 6-digit code that changes every 30 seconds. The credential is registered with a relying-party web service, and every time you initiate a login session to that web service, in addition to entering your easy-to-remember userid and password, you also enter the 6-digit code from your credential as a "second" password.

Now Jonathan has essentially a password for his password. And better yet, that password for his password is uniquely generated (based on OATH standards) and constantly changing, every 30 seconds. Someone would have to physically steal Jonathan's mobile phone or VIP token IN ADDITION to stealing his userid and password to hack into his favorite websites. Jonathan can combine something he knows (userid & password) with something he has (VIP credential) to add strong password protection. Now he can log in, safely and securely.
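To make the "password for my password" concrete, here is an added Python example (not VeriSign's code) of the OATH TOTP algorithm (RFC 6238) behind a 6-digit, 30-second credential, together with the relying party's two-factor check, which allows a small clock-skew window and refuses a code that has already been used. The shared secret is the RFC 4226/6238 test key, used here as constructed sample data.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP = 30  # seconds per code, as the post describes

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // step)

class RelyingParty:
    """Site side: keeps each user's password and credential secret, verifies both factors."""
    def __init__(self):
        self.users = {}        # userid -> (password, credential secret); constructed store
        self.last_step = {}    # userid -> last accepted time step (replay guard)

    def register(self, userid: str, password: str, secret: bytes) -> None:
        self.users[userid] = (password, secret)

    def login(self, userid: str, password: str, code: str, now=None, window: int = 1) -> bool:
        """Something you know (password) plus something you have (current code). Accept
        +/-window steps of clock skew, but never a step at or before the last one used."""
        if userid not in self.users or self.users[userid][0] != password:
            return False
        secret = self.users[userid][1]
        now = int(time.time()) if now is None else now
        step = now // STEP
        for candidate in range(step - window, step + window + 1):
            if candidate <= self.last_step.get(userid, -1):
                continue  # already consumed: a captured code cannot be replayed
            if hmac.compare_digest(hotp(secret, candidate), code):
                self.last_step[userid] = candidate
                return True
        return False
```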

So Jonathan, feel free to use "goofdog" as your password - just be sure to add VIP Authentication and you're good to go.

December 1, 2009

Bourne Identity Protection

Han Dong, 'Blogger of Light'

Did you catch it on the tube last night?
Did you see the VeriSign Identity Protection Access for Mobile credential in action?


In case you missed it, check out the link on YouTube (0:21)

As for how this relates to you, me and your everyday secret agent, I think this fun video demonstrates the need for leveraging One-Time Passwords for strong authentication of your mobile applications. Yes, we have an "app" for that.

Kudos to our esteemed Product Manager, Erica Huang, and her efforts to have VeriSign included in the AT&T commercial.

November 17, 2009

Blogging about Blogs - VIP Access for Mobile getting noticed

Han Dong, Sr. Product Marketing Manager, User Authentication


Getting noticed is a hard thing. But when you do get recognized by adoring fans, it's like living the life of a beauty queen.


And just look at who noticed us: CrackBerry.com and BlackBerry Cool




So you ask, what's the news?
We all know that VeriSign Identity Protection (VIP) Access for mobile has already been available for free on Blackberry® smartphones and downloadable from the BlackBerry App World and the VeriSign Identity Protection Mobile Center sites for some time now.


What is new (or what you may have not noticed until now) is that with the VIP Access 3.0 release of September 2009, users can easily copy-n-paste the security code and credential ID into a mobile browser to complete VIP Access registration. Two-factor authentication has never been easier for the 'power' mobile-user.


So where can you use VIP Access for two-factor authentication to websites?
Simple. Register and use your VIP Access credential at participating VIP network member sites, such as eBay, PayPal, AOL, GEICO, or any participating VIP network site.

November 10, 2009

Meditations in an Analyst Summit

Han Dong, Sr. Product Marketing Manager, User Authentication

Greetings VIP Blog fans,


In the way of introductions, I'm a new member of the Product Marketing organization at VeriSign. Seems like I'm already an old vet (time spent in the technology industry always seems to be measured in "dog years"). To give you some additional background on my IT curriculum vitae: 5 years of UNIX systems sales; 2 years of business development in Linux and Wireless; and 10 years in product marketing and management in Data Storage, Linux, and Networking. So as a long time marketer, I'm excited about the opportunity to share my experiences through 'new' social media vehicles, like this blog site.


I'm here at the 2009 Gartner Identity & Access Management (IAM) Summit. While this is my 1st Gartner IAM event, it certainly is not my 1st analyst or technology industry event. Having seen the ups and downs of the tech industry for the last 17 years, and having attended similar events like IDC Forums, CES, SNW, LinuxWorld Expos, Oracle OpenWorlds - you name it, I've been there.


The day started off with a keynote presented by Earl Perkins, one of the lead Gartner analysts who explained how much IAM has evolved over the years - highlighting the fact that there are several IAM lifecycle elements (Planning, Process, and Problems) to consider and several key business drivers (improving security, reducing risk, and meeting regulatory requirements) in deploying an IAM solution. And at the end of the day, four of the analysts presented as a panel and reviewed the 2009 "Magic Quadrant" (classic Gartner MQ) trends and developments for each of the IAM disciplines in User Provisioning, Web Access Management, Enterprise Single Sign-On (SSO), and Authentication.


One mid-day session titled "Google Case Study: Lessons From Google's IAM Initiatives For Cloud-Based Applications," presented by Eric Sachs, Google Product Manager, was particularly interesting. Eric's presentation covered essentially two topics: Federated login as a Service (or Cloud-based SSO) and Strong Authentication beyond passwords. Eric explained that the challenge of provisioning user accounts, managing multiple logins and passwords, and ensuring strong security and reliability is driving the movement towards a Federated login structure, built on open standards (OAuth and OpenID) and hosted in the cloud to support a host of Software as a Service (SaaS) applications.


With the heavy interest in cloud-computing and hosted applications, both IT vendors and consumers are seeking ways to reduce costs of deployment, speed implementation, and do more with fewer resources at hand. Google, Amazon, Salesforce, and Microsoft are just a handful of the many vendors vying to be the cloud-based app provider of choice. But in the hype, it seems that few vendors have discussed the new breed of security concerns that cloud-based services yield.


Eric's presentation touched on these very security concerns in the new SaaS world. Most importantly, Eric brought up the idea of leveraging "stronger forms of authentication" to mitigate the weak security of a simple username and password. "One Time Password (OTP) is the answer!" Two-factor authentication and OTP are not new technologies; enterprises have used OTP tokens for years to authenticate users' access to internal networks via VPN. But traditionally, OTP-credentialed VPNs have been too costly or too resource-consuming to manage and deploy. That is, until now: Eric also demonstrated a low-cost OTP credential in the form of a software-generated OTP on a mobile phone. And the iPhone screenshot Eric displayed on his slide was the VeriSign Identity Protection (VIP) Access for Mobile credential. Eric pointed out that a unique feature of the VIP Access for Mobile software is that the key generator resides locally on the mobile phone itself, thus requiring NO network connection, unlike products that deliver an OTP via SMS or voice.


Here is Eric on stage (image added 11/11):



What Eric did not mention during his session is that behind the VIP Access for Mobile OTP credential lies a trusted VeriSign Identity Protection service entirely hosted by VeriSign. VeriSign allows enterprises to quickly and cost-effectively implement and integrate scalable Strong Authentication services (for VPN or partner and customer communications), validating user credentials via Web Services APIs that connect to the VIP hosted network.


So what does this mean for the mass of new cloud-based computing enterprises? It means that enterprises can rest assured that not only can they migrate IT apps to the cloud, but they can also secure user access by leveraging a cloud-based Security as a Service with the VeriSign Identity Protection service.


Witnessing a 3rd party (not to mention the fact that we're talking about Google) extol the virtues of YOUR product, unpaid and unsponsored, was really an exciting surprise. And this really was a true coincidence - just by attending the Google breakout session at the Gartner IAM Summit, I saw VeriSign's own Two-factor authentication product in action and being explained by one of the premier thought leaders in the industry. This certainly bodes well for a plethora of future opportunities for Security in the cloud. And I can't wait to watch this all unfold.

October 8, 2009

RSA and VeriSign team up on Cloud-based, Two-Factor Authentication offering


Today, we are pleased to announce that our customers' options have been broadened by our technical and sales partnership with RSA, another "Best-in-Class" Authentication Provider. The agreement will provide organizations with the mutual benefit of an expanded VIP Authentication Service through the availability of RSA SecurID® two-factor authentication technology for more choice in one-time password (OTP) authentication.


Organizations in search of strong authentication solutions will benefit from being able to use VIP in combination with RSA SecurID hardware tokens and the convenience of a single platform.


This technical and sales partnership signals a new chapter in the longstanding relationship between RSA and VeriSign. Both companies, recently rated Best-in-Class for Multi-Channel Authentication Technology by Javelin Strategy & Research, are teaming up to address the market segment for managed, shared authentication services, offering organizations the convenience of a single platform. Read the press release.


Updated on October 9:
Read what Burton Group's Senior Analyst Mark Diodati has to say about our partnership with RSA.


October 6, 2009

Email Phishing Scheme Takeaway: More than Just the High & Flighty Need Stronger Security

CNET reported this morning that fraudsters phished thousands of email account passwords from multiple email providers.


You don't have to be a government official, political figure or celebrity to be the target of the phishing and password-reset hack. This latest incident demonstrates that hackers have moved beyond just the high and flighty to target ordinary people. With each security breach, the shortcomings of weak passwords and the need for stronger authentication solutions become more and more evident. One-time passwords via two-factor authentication provide a critical layer of security to counter such threats. If you're an organization that has been on the fence about rolling out two-factor authentication, you're in luck. VeriSign is offering a 90 Day free trial of the VeriSign Identity Protection Service -- see more details at 90 Day Trial.

September 15, 2009

The next Hollywood blockbuster?


It's about time Hollywood produces a blockbuster about identity management.


No, I'm kidding. No producer would ever even read a script which includes the term "identity management" in its title (except, perhaps, "Harry Potter and the Identity Management Prince"). But there is a new Bruce Willis movie that deals with the issue of identities, among other things, and, well, that's a start.


The movie is called "Surrogates" (watch trailer), and it tells the story of a futuristic world in which humans live in isolation while only communicating with their fellow man through robots that serve as social surrogates and are better-looking versions of their human counterparts.


Now isn't that kind of what happens today in our own world? When we go to the web we have a virtual identity through which we communicate with our fellow man, fellow banks, fellow stores: we send our virtual identity (user name) to the bank, it "shakes hands" with the web embodiment of the bank (using a password), and then starts communicating with it. Our online identity may not be a better-looking version of us, but it still gets the job done.


In "Surrogates" Bruce Willis is an FBI agent who enlists the aid of his own surrogate to investigate the murder of a genius college student. As the case grows more complicated, however, Willis's surrogate is destroyed and he discovers that in order to actually catch the killer he will have to venture outside the safety of his own home for the first time in many years.


Sadly enough, in our real world, our online identity "surrogate" can also be destroyed. If a deadly killer (a nerdy hacker in our case) takes over our identity, we have a problem: the surrogate still looks like us, other web surrogates still know him and trust him, but it is really, well, misbehaving. Our one chance to stop it is to identify that it is not acting like we usually do, and that's why we find behavioral analysis systems at banks, stores and (recently) social networks. If we miss that chance, our identity must be terminated - close accounts, cancel cards, change email address.


As it happens in many Hollywood movies, there is a happy ending to "Surrogates". Willis solves the mysteries, kills the bad guys, and even ends up with the girl (yes, there is a girl in this flick!). In real life, however, this rarely happens: even when we solve the mystery ("The attacker came from a proxy server in Finland, and used a zero day IE6 exploit! Yeah!"), catching the bad guys is slow and expensive, and new "killers" are born every day.
And I'm not even talking about getting the girl.


Still, what we can do (considering we don't have the budget to hire Mr. Willis) is to carefully watch our online identities: Let them communicate with the world only behind firewalls. Dress them with an anti-malware shield. Don't let them go to places you wouldn't visit in the real world. And if you're a security company, look for changes in their behavior: they may have been taken over by a vicious nerd.