
October 29, 2008

Welcome to our newest "VIPs" on VeriSign's Identity Protection Network


Organizations around the world are deploying VeriSign® Identity Protection (VIP) services to stop fraudsters from tricking consumers into revealing sensitive private information. VeriSign Identity Protection service's one-time-passwords (OTP) are one element of a layered security approach. Other layers include Web site security brought by an Extended Validation (EV) SSL Certificate, fraud detection services to monitor anomalies on the back end, and consumer education.

The VeriSign Identity Protection Network allows consumers to use a single security device to authenticate themselves across any VIP-enabled Web site. So it's easier for all of us to stay safe online by integrating two-factor authentication into our online routine.


Our Newest "VIP" Members:
+ American Bankers Association (U.S.)
+ AWA Credit Union Ltd (Australia)
+ Central Murray Credit Union (Australia)
+ DocLocker (Australia)
+ Indusval Multistock (Brazil)
+ Joyo Bank (Japan)
+ Maitland Mutual Building Society (Australia)
+ Morgan Street Document Systems (U.S.)
+ South West Credit Union (Australia)
+ U.S. Department of Education (U.S.)
+ VietUnion (Vietnam)
+ Water ISAC (U.S.)


Extending the Reach of VeriSign Identity Protection With Global Partnerships
Enhancements to VeriSign's sales and delivery channel for VIP have also extended the network's market presence worldwide. VeriSign recently added to its channel and strategic partner ranks:
+ Blitz IT Consultants Pte Ltd in Vietnam
+ Senior Solutions in Brazil
+ Scitum and Netrix in Mexico
+ Bharti Airtel in India
+ iTrusChina in China
+ MSCTrustgate in Malaysia
And in the Europe, Middle East and Africa (EMEA) region, we launched a new program aimed at recruiting at least one anchor partner for the UK, Germany, France, Spain and Italy. We're working to ensure that VIP is represented via a robust and far-reaching ecosystem, particularly within the financial, retail, social networking and gaming markets.


Let's Give People What they Want
Here's a quote from a user of the Security Key who sells sports memorabilia on eBay:

"Before I started using my token, someone was breaking into my account every four to six weeks...I previously had to change my password constantly to keep others out of my account, but since I started using the PayPal Security Key, I haven't had to change it once."
At the eBay Live! event this past June, we surveyed 689 attendees about their experiences with the PayPal Security Key (a VIP token).
• A third of respondents said they use the PayPal Security Key.
• Nearly three-quarters of users said that their PayPal key is easy to use.
Most respondents said they wanted to enjoy VIP protection with a variety of services - including online banking, shopping, gaming and stock trading - while nearly half hoped to use their token to access health care services. We're hoping we can help make those requests a reality.


October 21, 2008

Don't let this happen to your bank account....

You may have read the news over the weekend that cyber thieves raided Sarkozy's bank account and began stealing small amounts of money frequently. This marks the second high-profile online account break-in in recent weeks where an e-criminal broke in through the user name and password security function (the Palin email hack was the other). Consumers need to take full responsibility and control of their online accounts by securing them with an added layer of security, beyond a username and password. With more and more consumers putting their identities online, this type of account break-in will continue if we continue to use simple usernames and passwords. One such way to strongly secure an online account is the use of one-time passwords, also referred to as two-factor authentication. Some banks have already started rolling out such measures to their customers. The recent news about Sarkozy's account being raided serves as yet another example of why consumers should sign up or ask their financial institutions to offer two-factor authentication for their accounts.


~Vijai Shankar
Sr. Product Marketing Manager, VeriSign Identity Protection Services

October 20, 2008

Who's minding the Identity store?

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service
Greg Pierson of iovation recently wrote an interesting blog post about the idea that the more places your identity information resides, the greater the chance of your identity actually getting stolen. It reminded me of an incident that happened to me recently. I live in a condo and our neighbor's sprinkler system had gone off. There was so much water that it seeped through the walls and ceiling and flooded one of our rooms, which happened to be carpeted. Our landlord, along with the condo association, arranged to have the carpet replaced. When the workers arrived, they insisted on taking my wife's credit card number even though they weren't going to charge us. They took an impression of the card, and then insisted on writing down the CVV2 number (the three-digit number on the back of the card, often called a "security code"), not to charge anything, but because it was policy or they couldn't start the work. Of course, recording both numbers is totally unnecessary. It's actually pretty dumb, and most likely against the rules that merchants have to sign up to in order to be able to take credit cards as payment.

Credit card transactions can be "card present" transactions, when the card is physically present, like at a gas station or when you are physically at the store, or "card not present" (CNP), when the card is not present, like when you make a transaction online or over the phone. The presence of the card is usually established by reading the magnetic strip or by taking an impression of the card. Clearly, the risk of fraud is greater for CNP transactions because all a fraudster may need is the card number (something you know). Card companies started to combat this by using CVV2 to validate CNP transactions, so you, in theory, need to physically have the card or else you wouldn't be able to turn it over to read those three extra digits. Of course, those three digits are just something else you know, and can easily be compromised along with your card number, especially when written down by unscrupulous or clueless merchants. In practice, it does provide a little more security because those extra digits aren't supposed to be stored with your card number. Of course, when the carpet guys are holding your new carpet hostage and they insist on writing both pieces of information on the same piece of paper, that extra security goes out the window. To make matters worse for me, these particular carpet guys spoke with Russian accents. I don't want to launch a discussion about the merits of profiling cyber-criminals, but it didn't do much to ease my suspicion.

After my wife told me what happened, I considered canceling our credit cards, but then we would be faced with the hassle of updating every subscription and service that has our card stored somewhere for auto-renewal. On the one hand, that's not such a bad idea. Who knows what auto-renewals we'd forgotten about and didn't need anymore. On the other hand, who wants to deal with all that, especially when your liability for any fraudulent charges is capped at $50? The real fear wasn't the charges themselves but of someone establishing a new credit line in one of our names using the credit card. Ultimately, we decided just to keep an even more vigilant eye on our statements and rely on our Equifax Credit Watch to alert us of any suspicious behavior.

We had gotten a year free of the credit watch because of a SNAFU by a holder of my own personal information, and I've committed to calling the credit bureaus and freezing our credit once it expires. I've heard that's an easy way to make sure no one is opening credit lines you don't know about, and the bureaus have to do it for free. We'll see how easy they make it.

Even though we had decided to not cancel the card, I wanted to do something. I naively thought I would go on a little crusade and let the credit card company know that one of their merchants was being so careless about sensitive data and almost certainly breaking some rule in their agreement. When I called Visa, they pretended to be interested but referred me to the issuing bank, who of course didn't have any interest in whether the merchant was breaking Visa's rules and only wanted to know if I wanted a new card. The banks and credit card companies don't ultimately care if merchants are playing fast and loose with cardholders' information because actually doing something about it might mean fewer credit card transactions and less money in fees and interest. Instead, they place measures that appear to be helpful on the surface but don't wind up doing too much. A good case in point is the credit card industry's PCI guidelines, which I'm sure TJX, Office Max, Barnes and Noble, etc. were all in compliance with when the news broke about the largest identity theft case in history (actually, it sounds like the largest loss of credit card numbers in history, but identity theft makes a better headline).

Just a few months later, I lost my wallet on a business trip, so the card got canceled anyway. It was a good exercise in really understanding where our cards were being used and what you need to do after something like that happens. I had to cancel and reissue everything that was in my wallet, and some things could not be recovered (like my Caltrain monthly pass) and are still causing problems. It means having to go beyond just looking at statements now to having to order and look closely at my credit reports.

All of this, and Greg's post, makes me wonder about how closely the Bear Stearns and AIGs and WaMus of the world are guarding customer data during the various buyouts and takeovers that are happening. My guess is that protecting my personal information isn't as high on their list of priorities (not that it ever was) as staying in business so they can continue to loan us money to buy things we probably don't need. That's a post for a different blog, though; the moral for this one is, as usual, watch out for your own data because you can't be sure anyone else is.

October 1, 2008

How to entice older Australians into adopting Online Financial Services

by Francis Castello, Product Manager, Identity and Authentication Services - APAC Region


According to recent research conducted by Datamonitor, around 27 per cent of 2000 respondents would never arrange any financial product online (ref. Aussies fear online fin services). This percentage equates to around 4.2 million Australians.
The report noted that "Despite the introduction of more comprehensive security measures such as two factor authentication by the banks, there is still a significant proportion of consumers that does not use internet banking due to concerns about security." According to Datamonitor financial services analyst Petter Ingemarsson, the issue boils down to "perceived security" rather than the actual security safety nets in place.


One group that represents a particular challenge in converting to the new medium is the over 45 years-of-age category, where there is a major drop-off in the medium's acceptance. It's this older consumer contingent that I'd like to address in this blog post.


So what do banks need to do to address this particular challenge? Now, I don't purport to be a psychological expert, but it seems to me that if we revert to some simple problem resolution basics we're on our way to finding a solution. Without conducting any detailed analysis, I think it would be fair to attribute the resistance by older consumers in embracing the online medium to two key contributing factors. The first is a fear of new technology. In general, the older we get, the more resistant we seem to become in adopting new technologies. The second factor is a fear of the insecurity associated with the Internet. The constant attention the topic of 'online identity theft' enjoys in the media does a great job in propagating the message of insecurity associated with transacting online.


Faced with this challenge, one might also ask, 'why bother with the older consumer segment anyway?' That's what I thought originally, until my 65 year old mum approached me one day and asked me "Son, I want to get connected to this Internet thing; can you help me?". And we're talking here about someone who struggled with the unconventional new-age shape of her brand new bread toaster! Clearly the desire is there. Well, from that point I was convinced. Yes, even the over 45s will convert but the rate of success will depend upon the approach and solution. So how can we address this challenge?


In my opinion, the solution requires the following three key elements:

1. The security solution needs to offer something tangible for the consumer (something the consumer can see, touch, etc.);
2. The security solution must be simple and bullet-proof; and
3. The security solution needs to be offered via a targeted marketing campaign.


In my mind, the first two key elements above can be addressed via the new technology available in the form of a One Time Password generating card form-factor. Traditionally, tokens have offered this functionality but let's face it, these would appear as a foreign object to most of the older consumer generation. On the contrary, cards have been in widespread use for decades (e.g. Pensioner Card, Medicare Card, Driver's Licenses, Credit/Debit Cards). Most importantly, the card form-factor generates the OTP code on demand (thereby offering the simplest two-factor authentication experience). This is in stark contrast to alternative out-of-band solutions such as SMS, wherein network delays in delivering the access passcode (which in the worst-case scenario never arrives) can lead to a very disconcerting experience for anyone, let alone the older consumer generation.




This leaves us with the last key element for success, which involves a targeted marketing campaign. And clearly any campaign intended to draw consumers into the online realm needs to commence in the physical realm. One option here is via a physical mail-out campaign. A flyer which illustrates and describes the security benefits of an OTP card would offer an excellent draw card to the online medium.


To conclude, I don't believe banks should be abandoning any ambitions to drive the older consumer generation towards the online banking medium. Let's not write them off just yet. I belong to that consumer segment; I'm actually 45!

VeriSign Identity Protection


Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
