Online Identity and Trust

Network Products Guide just announced we won the Reader Trust Award for Best in Multi- and Second-Factor Security. We're putting it in our trophy case right next to the Product Innovation Award in the Consumer Application or Service category. This is great for companies making decisions about two-factor authentication for their customers -- they might want to know the industry thinks highly of VIP.  It's also great for the team here at VeriSign working on VIP to see all their efforts to create a great product payoff with an award like this. So thank you, Network Products Guide, from the team at VeriSign. Here is the press release.

Posted by Jeff Burstein at 4:29 PM | Permalink | Comments (0)

By Yohai Einav, VeriSign Senior Fraud Analyst

What happened to good ol' fraud?

There's a new trend in online fraud today - it is getting more brutal.

A few years ago, when a fraudster wanted to get your online banking credentials, he would send you a phishing email, asking you kindly to send him your bank's login and password; today, he would simply infect your PC with malware, then take your details by force.

Fraudsters not believing in the goodness of mankind and taking things by force?! Yes - we live in crazy times.

The brutal trend doesn't end with phishing. The same evolution happens today in the online brokerage world with the "Pump and Dump" scam.

Pump and Dump 1.0
The classic Pump and Dump scam is one of the oldest tricks in the book. Its guiding principle is simple: if you can buy a worthless stock for a very low price (typically micro-cap companies), then sell it quickly for a much higher price, you can become rich (you probably haven't heard this principle before).

So, how do you turn something worthless into something valuable in a short period of time?

The answer, until recently, was - "persuade enough dupes to buy the stock, and make the market price to go up". How do you persuade enough people? Well, 200 years ago (when the Internet was still a secret known to few) you would spread false rumors about "a swell stock" in tea parties, or in a horse cart on the way to work. Today you would simply send a professional-looking spam email to millions, giving an expert recommendation on the stock.

Pump and Dump 2.0
But that classic, mainstream scam has changed. The "Brutal Pump and Dump" of the day is not about persuading people; it is about taking command over their trading accounts.

How does a brutal Pump and Dump work?
First, the fraudster buys shares of a penny stock through his personal account. At this point the share price is very low. The fraudster then logs into multiple compromised trading accounts in one or more brokerage firms. Once there, he liquidates the stock portfolio in these accounts and uses the free money to purchase shares of "his" penny stock. The rest of the process is quite obvious: the share price of the penny stock goes up (usually by 10's or 100's of percent), and it's time for the fraudster to capitalize on his investment.

Return on investment of 100%-200% for one hour of work? Not a bad deal.

One person's gain
We all know the old saying - "one person's gain is another person's loss"; but what can we do when it's "many persons' loss to one person's gain"? Can we stop this loss from happening? Is there a magical defense against these dark arts?

Well, defense exists, although it is not fully magical. It mainly consists of special rules, configurations, comparators and behavioral engines. And it can block most of the brutal Pump and Dump. Get further details about VeriSign's solution. If you still feel you need a magical addition to your Pump and Dump defense, kindly contact JK Rowling.

Posted by VeriSign Identity Protection Blogger at 5:35 AM | Permalink | Comments (0)

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service

I'm Perry Tancredi, and I manage the VeriSign VIP Fraud Detection Service product. A lot of times when I explain what I do to my friends and family, especially when I talk about some of the latest attacks we see, the conversation turns to whether or not it's too risky to do anything online at all. People want to know if I think banking and shopping online is safe, what virus program I use at home and what they should be doing to protect themselves.

I had already been writing this post when the news about the largest case of identity theft in America (BBC, Washington Post), it seems more relevant now. There's been a lot of coverage last night and this morning, but I happened to be available when the story BBC story was being written,and got the chance to talk to and be quoted by the BBC. I'm a long time NPR and BBC listener, so I do have to say that it was quite a kick to hear Maggie Shiels say my name on the radio last night.

I told the BBC what I typically tell anyone else who asks, that while for the most part, the Internet is secure, but the most important thing anyone can do is just assume that their accounts are going to be compromised. Credit card and personal data are stolen every day using all kinds of methods, and it's not all Internet related. Most people are most concerned about the security at the point of sale, but don't think about what happens with the information later. When you assume that your accounts will be compromised one way or another, you have to start doing what you should have been doing anyway: reading your credit card statements and monitoring your credit reports. It's not fun, but it's easy to spot suspicious transactions when you look at statements every month. If you see something suspicious, call your bank or credit card company. Likewise, if you see something strange on your credit report, follow up on it.

The VeriSIgn Fraud Detection Service (FDS) works on the same pricipal. Protect the front door, but stay on the alert after you've let someone in. Out of the box, the FDS allows our customers to look for suspicious logins, but it was built to be modular and allow the analysis of any kind of transaction, and really reaches its full potential when it looks at post-logon transactions. We already have customers who have written their own modules using it to protect wire transfers online. Soon we'll release our first module to look at a specific kind of post-logon fraud, and that will be just the first module of many.

With more and more organizations looking beyond login, consumers will be safer, and the combination of users and organizations being more vigilant will move the bar that much higher for the fraudsters.

Posted by VeriSign Identity Protection Blogger at 4:18 PM | Permalink | Comments (0)