
May 27, 2008

Looking Beyond the Obvious

Whenever anyone talks about typical authentication use cases, they inevitably use a financial institution as an example. "The user logs into his bank to perform a transaction." or "The bank issues the user a credential to protect his account." We use financial institutions as an example because it's an easy situation to explain -- you have a place with a lot of money, criminals like money, so we protect the money from the criminals. Simple, right?


But we should look beyond the "obvious" places where additional security is needed. If someone breaks into your online bank account and steals your money, it's almost certain that your bank will eventually cover your losses. It may be a giant headache for you, take a ton of time and effort, and it probably reduces your faith in online banking, but you will most likely be made "whole." But now what if someone breaks into your online health record? Or your email account? Or your social networking profile? Or your blog? Who's going to make you "whole"? Is that even possible?


Last week there was a great anecdote being discussed on a C|Net blog about how someone's instant messenger account had been breached by password-stealing malware. The attacker got the victim's IM username and password, then logged in as the victim. The attacker then tried social engineering everyone on the victim's buddy list, pretending to be the victim caught in some dire financial/legal predicament who needed money wired immediately. None of the targets took the bait, but what would have happened if they had? Nobody is going to refund the money they send off to some scam artist -- their bank is just following their legitimate wire transfer instructions, and the instant messaging provider is providing a free service and disclaims all liability. Yet these people are just as much victims of a weak username and password as our typical bank example.


Who thinks these people are going to continue to trust IM as a communications medium? Shouldn't we be protecting our most private conversations, and our actual online identity with something better than an easily phished username and password?


Money can be refunded, but trust and privacy can't.

May 16, 2008

5 Winning Strategies to reduce cost of Consumer Authentication from a Winner in Consumer Authentication

Posted by Vijai Shankar, Sr. Product Marketing Manager


Consumer Authentication has been around for over 10 years in other countries, but here in the USA, adoption has been slow due to a myriad of reasons... the main one seems to be the perceived high cost. As you've probably gathered by now, we don't think it has to be that costly, so we developed a new whitepaper on "5 strategies to reduce the cost of consumer authentication". I know you're thinking this has to be pure marketing fluff, but I think you'll find some nuggets of info in there that are worth exploring. After all, we must be doing something right, we just won the Network Products Guide 2008 Product Innovation Award.

Don't forget: if you want to test drive VeriSign Identity Protection Authentication Service and see how easy consumer authentication can be, download the APIs for free and check it out. You can join the growing team of test drivers, which has now exceeded 100 within a few weeks of its inception.

~Vijai

May 5, 2008

Online Fraud: Start with the "Why"

By Yohai Einav, Senior Fraud Analyst


I have six friends that serve me true
Their names are Why and What and When
and How and Where and Who.
-- Rudyard Kipling


Why quote Kipling in an online identity blog? According to all his biographies, Kipling was never a victim of identity theft, nor did he ever write a blog.

But Kipling knew something about the 6 W's, something that we, in the security industry, often forget: starting with the "Why."


Have you noticed the phenomenon? Every discussion about identity theft, security and online fraud starts with the How and What questions:


"How do fraudsters attack banks?"
"What technologies are fraudsters using?"
"What is the damage to customers?"
"What can we do to protect ourselves?"


All good questions. But, the first thing we should ask is "why?"


"Why am I being attacked?"
"Why am I a target?"
And, of course, "why isn't my competitor a target?!"


When you think of it, all banks are good sources for money (yes, they really are!), but, for some reason, not all banks are attacked by fraudsters. As I see it, not all fraud targets are born equal: there are the preferred and the less preferred. Where do you want to be?


A good example for the "Why" is Phishing:
Phishing is a huge, worldwide phenomenon. Millions of phishing emails are sent every year and thousands of new phishing sites are created every month. But the list of entities being attacked is quite constant, and attacks against a specific target usually arrive in bursts.


Why?

Well, fraudsters constantly look for new hacks in banks' security, and once they find one they attack with full force (by the way, when I say "hack" I don't necessarily mean a technological hack, but a "hack" in the bank's security procedures). This means that if you see a sudden increase in phishing attacks against your bank, start looking for the loophole in the bank's security procedures and controls that is making the stolen credentials newly worth stealing.


A true story: one of the largest US banks saw a surge in phishing attacks against it a few years ago - from separate attacks here and there to hundreds of attacks a day. Why did this happen? The bank asked itself the same question, and began looking for security hacks. Finally, the bank discovered that it allowed users to change their PIN through an automated answering service using "easy to get" credentials. The bank disabled this 'feature', and the phishing surge stopped. The bank was no longer a preferred target.
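The surge the post describes is something a fraud team can watch for mechanically. The following is an added example, not code from the original post or from VeriSign: it flags, per target, the days on which reported phishing sites jump well above the trailing baseline. The daily counts are constructed for illustration; in practice they would come from a takedown vendor feed, an abuse mailbox, or a phishing-site tracker.

```python
"""Flag a sudden burst of phishing reports against one target.

Added example, not code from the original post. The daily counts in
SAMPLE are constructed for illustration.
"""
from statistics import median
from typing import Dict, List


def burst_days(counts: List[int], window: int = 7, factor: float = 3.0,
               min_delta: int = 10) -> List[int]:
    """Return indices of days whose count is a burst relative to the
    preceding `window` days.

    A day is a burst when its count exceeds both `factor` times the median
    of the previous `window` days and that median plus `min_delta`. The
    median (rather than the mean) keeps one earlier spike from inflating
    the baseline; `min_delta` stops a move from 1 to 4 reports from being
    called a surge.
    """
    flagged = []
    for i in range(window, len(counts)):
        baseline = median(counts[i - window:i])
        if counts[i] > max(baseline * factor, baseline + min_delta):
            flagged.append(i)
    return flagged


def targets_under_attack(series: Dict[str, List[int]],
                         **kwargs) -> Dict[str, List[int]]:
    """Apply burst_days to every target and keep only those with a burst."""
    result = {}
    for name, counts in series.items():
        days = burst_days(counts, **kwargs)
        if days:
            result[name] = days
    return result


# Constructed sample: phishing sites reported per day, two weeks per target.
SAMPLE = {
    "bank_a": [3, 5, 4, 6, 3, 5, 4, 5, 4, 6, 3, 5, 4, 5],      # steady background
    "bank_b": [2, 3, 2, 4, 3, 2, 3, 2, 3, 40, 55, 62, 58, 70],  # surge from day 9
    "bank_c": [0, 1, 0, 0, 2, 1, 0, 0, 1, 0, 4, 0, 1, 0],      # noise, not a burst
}

if __name__ == "__main__":
    for name, days in targets_under_attack(SAMPLE).items():
        print(f"{name}: burst on days {days} -> look for a newly exploitable procedure")
```

On the sample, only bank_b is flagged, on days 9 through 12. Day 13 is not flagged even though it is the highest count, because by then the surge itself dominates the trailing window and becomes the baseline: a detector like this catches the onset of a campaign, which is exactly when the "why" question should be asked, but a sustained campaign needs a longer or fixed reference period to stay visible.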


Asking "how do the fraudsters conduct their attack?" or "what is the attack's origin?" misses the point. Asking the right "why" question can spare you many of the How's and What's. Understand why you're a target, then take the measures to make yourself a non-target.


Even Kipling knew it, and he lived in days when a dial-up connection was a dream. Imagine that.

May 2, 2008

How VIP Helps George

We had a little fun with a whiteboard, magnets, some goofy voices and a video camera. Take a look at the premiere of "How VeriSign Identity Protection Keeps George Happy and Safe Online".


Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
