
June 23, 2008

Online fraud: Thinking "outside of the box"

By Yohai Einav, VeriSign Senior Fraud Analyst


I was on my way to the airport, chatting with my cab driver. After I told him my overused joke about the peasant, the seigneur and the miraculous goat, he asked me for my profession. "Oh, fraud?", he said. "You know, I almost lost $7,000 to card fraud last year".


So the sanguine driver told me how his bank called him, warning him he had gone into overdraft. When he investigated this he found that his Visa card had recently been charged with $6,000. He called Visa, and they told him - "Sir, didn't you make two £1,500 transactions in London two weeks ago?"


No, he was never in London. No, he rarely uses the British Pound in Israel.


"Time out", I said. "Credit card issuers know that this could happen, and there is no way these two transactions could have passed without Visa noticing them". Firstly, the amounts were high, and secondly, the driver's card had a consistent pattern of transactions in only one country. "Didn't Visa call you?" I asked. "No", he said, "the transactions were made on Yom Kippur, the holiest of the Jewish holidays, and no one in Israel was able to answer their phone". "No problem", the driver concluded, "Visa refunded my money the next day. They actually told me that they had dozens of fraud transactions on that same holy day".


I loved that story for one reason - it shows how the bad-guys constantly think outside the box. They knew that such a large scale scam would be detected on any other regular day, so they found a day when it wouldn't. They know what's inside the box, and then plan ahead.


Here's another story - a few years back I was analyzing a fraudsters' product called CC2Bank, which was basically a management tool for stolen credit cards. Release 1.3 of the tool enabled the bad-guy to type in any credit card number and learn the type of card, the name of the issuing bank, the bank's phone number and the country where the card was issued. Yet it also included another feature - a "list of busy phone lines", with a geographical distribution of the phone numbers. Why was that of interest to the fraudsters?


Again - it was the think-outside-the-box attitude: on e-commerce sites the user needs to provide a phone number. So if you're a bad-guy you probably don't want to provide your home phone number, but you still need to provide some number. You obviously cannot use a random number, because the credit company is going to call it. So what do you do? You find a number that [1] geographically makes sense, and [2] is always busy. When the transaction validation call is made and the line is always busy, the credit company will have to make a decision - are we going to pass on this transaction or not?


In most cases, as you can already guess, such transactions will be approved.


This is not a new tactic, but a regular fraudster's strategy. Bad guys must use think-outside-the-box ideas since security companies already cover whatever is inside the box. The lesson for us in the security industry should be emphasized: never rest on our laurels; always try to cover what's outside of the box; occasionally think like a bad-guy; and never ever tell jokes about miraculous goats.
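As an added illustration of the issuer-side gap both stories expose (this is constructed example code, not part of the original post or any VeriSign product): a small risk check over made-up card history that flags high-value charges from a country and currency the card has never seen, and a decision rule in which a verification call that cannot be completed (nobody answering on a holiday, or a permanently busy line) is treated as unverified and held, never as approved. The card number, amounts, dates and conversion are all constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Txn:
    card: str
    amount_home: float   # amount converted to the card's home currency (constructed)
    currency: str        # currency the merchant charged in
    country: str         # ISO country of the merchant
    when: date


# Constructed history: a card used only in Israel, in shekels, for small amounts.
HISTORY = [
    Txn("card-0001", 180.0, "ILS", "IL", date(2007, 9, 1)),
    Txn("card-0001", 95.0, "ILS", "IL", date(2007, 9, 12)),
    Txn("card-0001", 240.0, "ILS", "IL", date(2007, 9, 20)),
]


def risk_flags(history, txn, amount_factor=5.0):
    """Return the ways a transaction departs from the card's established pattern."""
    past = [t for t in history if t.card == txn.card]
    flags = []
    if past:
        if txn.country not in {t.country for t in past}:
            flags.append("new_country")
        if txn.currency not in {t.currency for t in past}:
            flags.append("new_currency")
        typical = max(t.amount_home for t in past)
        if txn.amount_home > amount_factor * typical:
            flags.append("amount_out_of_pattern")
    return flags


def decide(history, txn, verify_call):
    """verify_call() returns True (cardholder confirmed), False (denied)
    or None (no answer, line busy, call centre closed).
    The lesson of the stories: 'could not verify' must not become 'approved'."""
    if not risk_flags(history, txn):
        return "approve"
    outcome = verify_call()
    if outcome is True:
        return "approve"
    if outcome is False:
        return "decline"
    return "hold"   # unverifiable: hold for review, never auto-approve


# The London charge from the story (GBP, converted to home currency, constructed).
LONDON = Txn("card-0001", 12000.0, "GBP", "GB", date(2007, 9, 22))
```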

June 19, 2008

Consumer Security Goes Green at VeriSign

Posted by Fran Rosch, VP of VeriSign Identity and Authentication Solutions


Living in California, I have tried to become as environmentally conscious as possible given the grim reports on climate change and rising sea levels. The major steps I have taken along with my family include installing brand new energy efficient appliances and significantly more insulation as part of our home remodel. We also implement smaller initiatives such as maximum recycling, eating organic and locally grown products and composting as much as possible. I have even given up coffee and my favorite Irish oatmeal because of the carbon required to ship these products such long distances. We also try (but usually fail) to restrict ourselves to bicycle-only transportation on weekends.


I know there is lots of disagreement on whether these small actions actually make an impact, but they do make us feel better. I also travel extensively for business, which blows my personal carbon footprint sky-high regardless.


But I have been thinking about how VeriSign's VIP Consumer Authentication solution stands up against the competition in terms of being green. Traditional strong authentication products sold by companies such as RSA and Vasco are on-premise software solutions built on proprietary technology, as compared to VeriSign Identity Protection ("VIP"), which is a network-based service driven by open standards.

For the software-based solutions sold by our competition, an enterprise must purchase, install and manage a server infrastructure to validate the consumer's OTP (one-time password). There is a significant amount of energy used to manufacture these servers, ship them halfway across the world and then power them 24x7. Never mind the energy used to produce the raw materials for the components. In contrast, VIP requires no infrastructure at the enterprise and uses a shared infrastructure installed at VeriSign's data centers. There is an immediate environmental saving in using shared infrastructure versus everyone operating their own. Using the VIP is like taking an electric high-speed train with hundreds of other happy passengers instead of each person getting in their own car by themselves and crawling along crowded highways.


Then I felt bad about all of those pesky plastic tokens that have been the staple of the traditional authentication solution market. Our competitors have manufactured and shipped over a hundred million of these devices, which will eventually find their way to landfills across the globe. By using open standards and encouraging a diverse and creative ecosystem of credential providers, we can imagine strong authentication without any plastic tokens. By embedding an OTP generator into a device that a consumer already carries, such as a credit card, mobile phone or PC, the industry can stop manufacturing security-only plastic tokens.


However, until all this innovation is fully ready for production, the VIP has another environmental benefit in that it allows the sharing of one credential across multiple websites. With traditional consumer authentication solutions, a consumer must have a separate token for each website, requiring more materials, more manufacturing, more shipping and more eventual trash. This is commonly referred to as the "token necklace". With VeriSign, one device can be the key to many websites, meaning the consumer will use it more and keep it longer, resulting in less basura.


Finally, I thought about what other environmental benefits VeriSign could encourage with our VIP product. Well, according to the survey results published by our friends in the analyst community, there are still millions of consumers who are too concerned with Internet fraud and security to use the Web for banking, shopping, healthcare, etc. If the VIP can help enterprises encourage these consumers to use the Internet for more of these activities and reduce their number of trips to the mall, that is a good thing for the environment.



June 10, 2008

VIP Developer Test Drive Update

It's now been about two months since we announced the VIP Developer Test Drive, and it's been a great success! Nearly 200 developers have downloaded the API, and many have already gone on to integrate it into their own applications. Over at Sun, Jeff Bounds has blogged about his integration of VIP with Sun Java System Access Manager/OpenSSO, and even posted step-by-step instructions on the Sun Wiki.

So, have you downloaded the API yet?