Online Identity and Trust

Posted by Jen Gilburg

Last week a news headline from across the pond proclaimed:

"Abbey wary of two-factor authentication. Bank decides against password verification devices because customers consider them a hassle."

Turns out Abbey, a major retail bank in the UK, did a survey on strong authentication. Turns out that two-thirds of those surveyed did not want the "hassle" of two-factor authentication. Turns out those surveyed even poo-pooed challenge questions.

So Abbey decided to act on the survey results. They decided to do nothing. And they decided to shout it out for all (including the fraudsters) to hear!

I question which business schools their marketing folks graduated from.

I wonder too what context the survey questions were raised (perhaps a brief explanation of how two-factor authentication protects against phishing would have been in order!). I wonder if the mere 1000 users surveyed really represented the fraud concerns of their overall user population. I wonder if they bothered to survey any of their customers who were not using their e-banking services- perhaps because of fraud concerns. And most importantly I wonder if the one-third of respondents who wanted stronger protection against fraud will take their business elsewhere...

Now here is a different survey. It is one we did last summer of customers who were using our VeriSign Identity Protection (VIP) Network. Those who were actually using two-factor authentication to protect one or more of their online accounts. Of those surveyed 81% thought it was easy to use. And over half wanted to use their same token at their broker, healthcare provider and gaming site.

If I were a marketing person at an online outlet- I would figure out a way to leverage those statistics to attract customers away from the Abbey banks of the world who are not taking customer's fraud concerns seriously. "Hey- you with a PayPal Security Key- come use it over here".

At minimum- what Abbey should do is to offer strong authentication to the users who want it. Isn't it a much better strategy to offer security as an option versus risking losing customers to those who do?

Posted by Jen Gilburg at 03:48 PM | Permalink | Comments (0) | TrackBacks (0)

Posted by Vicente Silveira, Sr. Product Manager for VIP Fraud Detection Service

The never ending parade of consumer data leakage and the inevitable fraud that follows added another participant this week with the Hannaford incident. This time, the damage amounts to 4.2 million credit and debit cards being compromised. It is early to tell all the ramifications of this incident, but the unraveling already started with the first salvo of class-action lawsuits against Hannaford.

When I see something like this happen, I'm always left to wonder: what is the true cost of a fraud incident ?

Looking back to some of the high-water mark incidents of the past we can have some hints of what the direct cost involved may look like. Take TJ Maxx for example: back in January 2007 TJ reported a 45 million (or 94 million) card compromise, which was followed by an estimated $68 million to $83 million in fraud losses on Visa cards alone. All this damage led to legal action and a settlement last September with TJ reserving more than $120 million to cover for it. Fast forward to the beginning of this week, and TJ is still in the news with a massive notification campaign that has been kicked off with mailings, magazine and newspaper adds to try to reach customers that may have had their cards compromised.

Based on all of this, it shouldn't be unreasonable to think that the direct costs associated with this fraud incident are north of $100 million dollars, specially when you include legal costs, advertising and G&A overhead to manage all the mess. All the urgent security assessments, patching and fixing shouldn't have come cheap either.

The indirect costs are harder to access but in my view even more dramatic: one can only imagine the amount of brand damage when you have to engage tens of millions of your customers repeatedly over more than one year, reminding them you didn't manage to keep their sensitive data safe. The cost goes up and is shared with all of us with the broader backlash against e-commerce and online businesses in general, where consumer confidence is melting away faster than I can say Global Warming. We are already seeing that in the polls: according to a recent YouGov survey in the UK almost half of the women in Great Britain would be ready to stop shopping and banking online in order to reduce their risk of ID fraud.

It got to a point where even corrective and preventive measures are becoming vectors for data leakage, such as this bank's attempt to notify one customer about a fraud issue in his account ending up compromising information on other people's accounts.

Sooner or later we will have to implement pro-active, stronger security measures for the broader online infrastructure, the only question is how much organizations and consumers will have to pay until that day arrives.

Posted by Vicente Silveira at 02:12 PM | Permalink | Comments (1) | TrackBacks (0)

Posted by Vicente Silveira, Sr. Product Manager for VIP Fraud Detection Service

If you live in the UK, the answer would be a little over twenty thousand dollars (at current exchange rates) for the average adult internet user, a nice bounty for phishers, bot herders, malware coders and other cyber-criminals to go after.

This is based on highlights of a recent YouGov survey that estimates European Internet users are risking up to 1.6 trillion dollars by sharing personal and financial data with sites that are not adequately protected, with UK Internet users responding for a 731 billion chunk of the total amount.

What the research also suggests is that the ubiquity of social networking and other data sharing sites has increased dramatically the quantity and sensitivity of the information available on the web, with users volunteering more and more details in order to complete their profiles, make more friends or establish new connections. Many consumers are giving away their date of birth (75%), their home address (70%) and even their mother's maiden name (68%). People sharing such data may not realize that it is not too hard to aggregate all this information and use it to compromise internet banking accounts and other sensitive online applications.

That is why consumer education plays a key role in making sure users understand what is appropriate to share and where to share it. And believe it or not some of it is working, as the YouGov research shows that consumers are becoming more aware of security symbols such as the padlock (69 percent) or a security mark like the VeriSign® Secured Seal (41 percent).

Moving forward, tools such as Microsoft IE7 and EV certificates will ease the learning curve, but at the end of the day good old common sense continues to be key when deciding whether to share sensitive data online.

Posted by Vicente Silveira at 02:15 PM | Permalink | Comments (0) | TrackBacks (0)

Posted by Jen Gilburg, Director of Business Development for Identity and Authentication Solutions

I have a confession to make. I was almost a victim of fraud.

It involved Craig's List, the selling of a refrigerator, a random check for $3000 over the amount being sent for payment, the panic of the buyer for overpaying and them begging me to 'Western Union' them the erroneous overpayment once I cashed the check. I was even 'offered' $200 of the overpayment for my troubles.

I am embarrassed to admit- I got all the way to the bank. I actually deposited the check- then in a last minute of "this doesn't seem right" had them run the check and low and behold...

Truth is I was taken off guard, in the middle of a move, not really paying attention-- just happy to have the refrigerator out of my garage.

What is mortifying is that I have been working in security sector of high tech for the last 20 years. The fact I didn't immediately rip up the check shows how even the most security minded of consumers can fall prey.

Last week there was a phishing report by California Berkeley Law School researcher Chris Hoofnagle. The report shows the increase volumes of reported identity theft and highlighted the most frequently phished sites -- the numbers were incredible. The chatter around the report in the press and on other blogs put the stress on consumer awareness. I would argue (from experience!) that is not the answer.

The answer lies in fool proofing websites. Making it so that even if someone did get a hold of your userID and password- they cannot gain access to your accounts. A layered approach including second factor authentication is indeed the answer.

Ironically- many financial institutions that we talk to about two-factor authentication often take the stance that "their customers don't want it". Conversely every member of our VIP network who is providing opt-in second factor authentication has exceeded expectation of the amount of users who indeed opt-in.

Hoofnagle advocates that identity theft information be made available so consumers can make educated decisions on whom to bank with based on security risk. If consumers took his advice banks and ecommerce sites might actually be forced to take action.

I will look forward to the day that my bank protects me should my guard ever drop again.

Posted by Jen Gilburg at 12:27 PM | Permalink | Comments (0) | TrackBacks (0)

Hi there! My name is Vicente Silveira and I'm responsible for the VIP Fraud Detection Service , or as we call it, VIP FDS, product at VeriSign.

Our team develops products that help businesses and individuals transact securely on the internet. Needless to say we have a lot of work to do.

I just spent some time in Europe talking to financial institutions and comparing notes on fraud trends here and there. One of the quick conclusions is that online criminals are sharing tools and methods on a global basis and on a scale that we haven't seen before.

One example is a modern variation of an old stock touting technique known as "Pump and Dump" , where fraudsters use e-mail spam to falsely promote a thinly traded instrument (such as a penny stock) hoping that enough people will buy it and drive the price up. The way they make money is by buying the penny stock before sending the spam and selling when the stock goes up (and before it crashes down).

Now if one feels like following investment tips from an e-mail with an anonymous robotic voice that is one thing. A different thing altogether is when criminals take "Pump & Dump" to the next level and steal your username and password, hijack your online brokerage account, sell all your blue chip stocks and use the proceeds to buy the penny stock, leaving you with some worthless equity in a tiny and obscure company. Play the video below for a CNBC report on Pump & Dump aired last year.

Over the last two years, the SEC has filed charges against several individuals in the US and abroad that used this enhanced technique to defraud online brokerage users. Since 2007 the same technique started to show up in Europe and China, as fraudsters realize they can repeat the scam throughout the globe.

While the authorities are arresting some of the suspects, the sustainable solution is for brokerages to continue monitoring suspicious trading behavior and investing in better authentication credentials.

Vicente Silveira

Hacker Pump and Dump Stock Scam www.IDTheftSecurity.com

Posted by Vicente Silveira at 07:09 AM | Permalink | Comments (0) | TrackBacks (0)