I have six friends that serve me true
Their names are Why and What and When
and How and Where and Who.
-- Rudyard Kipling
Why quote Kipling in an online identity blog? According to all his biographies, Kipling was never a victim of identity theft, nor did he ever write a blog.
But Kipling knew something about the 6 W's, something that we, in the security industry, often forget: starting with the "Why."
Have you noticed the phenomenon: every discussion about identity theft, security and online fraud - starts with the How and What questions:
"How do fraudsters attack banks?"
"What technologies are fraudsters using?"
"What is the damage to customers?"
"What can we do to protect ourselves?"
All good questions. But, the first thing we should ask is "why?"
"Why am I being attacked?"
"Why am I a target?"
And, of course, "why isn't my competitor a target?!"
When you think of it, all banks are good sources for money (yes, they really are!), but, for some reason, not all banks are attacked by fraudsters. As I see it, not all fraud targets are born equal: there are the preferred and the less preferred. Where do you want to be?
A good example for the "Why" is Phishing:
Phishing is a huge, worldwide phenomenon. Millions of phishing emails are sent every year and thousands of new phishing sites are created every month. But the list of entities being attacked is quite constant. And you usually see a trend of bursts of phishing attacks against a specific target.
Why?
A true story: one of the largest US banks saw a surge in phishing attacks against it a few years ago - from separate attacks here and there to hundreds of attacks a day. Why did this happen? The bank asked itself the same question, and began looking for security hacks. Finally, the bank discovered that it allowed users to change their PIN through an automated answering service using "easy to get" credentials. The bank disabled this 'feature', and the phishing surge stopped. The bank was no longer a preferred target.
Asking "how do the fraudsters conduct their attack?" or "what is the attack's origin" misses the point. Asking the accurate "why" question can help avoiding the How's and What's. Understand why you're a target, then take the measures to make yourself a non-target.
Even Kipling knew it, and he lived in the days where dial-up connection was a dream. Imagine that.
Welcome to the VIP Developer Test Drive!
Today we announced that we're making the API to the VIP Authentication Service freely available to developers to try out on their own. No salespeople to call, new servers to install, or paperwork - just fill out a simple web form and download. We'll give you the API documentation, SOAP WSDL, and access to your own little corner of our pilot web service.
Why are we doing this? Well, because almost every time we meet with a company's technical team, they start out skeptical -- integrating the VIP Authentication Service can't be as easy as we say it is. So we send them the API, they check it out, and then reply back, "You're right, it really is that easy." Now we're cutting out the middleman and letting you download it on your own.
We're also looking to see what ideas the developer community has for this technology. Through our experience with OATH, we've been amazed at the innovation that can happen when technology building blocks are just put out there available for anyone to use. So let us know what you think!
Now let me be clear: the Test Drive is designed for developers. There's no point and click GUI or fancy installer - it's a SOAP web services API. If you've ever written a web services client, it should be very straightforward. If you haven't, that's cool too -- we've got sample code for Java (using Apache Axis 1.4) and C# (using .NET 2.0) to get you started.
Check it out at http://vipdeveloper.verisign.com. Comments or questions? Comment below or email us at vipdeveloper@verisign.com.
I posted earlier today about the difficulty in remembering passwords, security questions, our daily tasks etc. and mentioning consumers to ask organizations to introduce secure, yet painless authentication methods. Here's another incentive for organizations to make life easy yet secure for consumers at a lower cost. VeriSign is now offering up to 5,000 FREE CREDENTIALS to each organization joining the VeriSign Identity Protection Network by Sept 30, 2008. This is a great incentive for organizations looking to deploy strong or two-factor authentication and be a part of a Network enables consumers to use a single credential across multiple site. The timing is opportune. With quite a few folks from the security industry at the RSA Conference next week in San Francisco, if you want to know more information stop by the VeriSign Booth # 1316 at the conference and we can help.
~Vijai
We are seeing more and more articles about the difficulty remembering username and passwords. To add to the list along with our other stuff to remember i.e. household chores, birthdays etc., we now have to remember the new trend of security questions along with username and passwords. I was having a problem logging into one of my student loan accounts, which not only had a username and password but a set of security questions in a PARTICULAR order. Phew, needless to say I was locked out and had to call in, listen to some crazy call center music and after 15 minutes of waiting, spoke to an agent to unlock my account.
I saw this article in The Wall Street Journal about the daunting task of managing passwords, a complicated system she came up with, aggravated by the added task to manage answers to security questions. Can't we make all this simpler and yet secure? How about a stronger authentication and painless authentication process like using a single device be it mobile phone, tokens, SMS etc. to generate unique codes eachtime at all my online sites? How about asking your organizations that you transact online with to join a trusted Network that enables you consumers to use a single credential across multiple sites thus offering secure yet painless authentication process? The answer is right here, the VeriSign Identity Protection Network. Now is a great time for your organizations to join and be a part of a Network that will drive consumer adoption across the globe.
~Vijai
I drove my 13-year-old and his friends to one of their activities recently (yes, I have a minivan) and their conversation was really interesting and eye opening. I quickly called my gal pals in Erie, PA to find out if they were hearing the same and got the affirmative so this is not just a 'valley' phenomena. All of our kids are online and many are using various email, IM and social networking applications. Did you know that they all know each other's usernames and passwords? If they don't know the password part, they can very quickly guess (I chimed in at one point and asked them if they knew anything about 'strong passwords'-- most of them replied that they just use 'password'!). They didn't really think protecting the information was important.
It's probably harmless to sign in as your friend on IM and send one of the girls in your class a provocative message, but couldn't that be the tip of the iceberg? What about online harassment when pranks become more than just kid fun? Our kids are revealing more and more of themselves on the public internet everyday through these applications and many of us have done the right parental things in response. We know to put the computer in a more public spot in our house; we know to ask what they're doing online and periodically check over their shoulders. But did you know how easily kids can "become" each other online? By logging in their email, IM and social networking sites with their guessable usernames and passwords, it's pretty easy to impersonate almost anyone they know. In addition to these guessable usernames and passwords, I'd like to see my teenager's accounts protected with something he physically has in his possession (enter a second-factor one-time password credential). Let's give our kids real, permanent control over what they want to communicate to the rest of the world.
Last week a news headline from across the pond proclaimed:
Turns out Abbey, a major retail bank in the UK, did a survey on strong authentication. Turns out that two-thirds of those surveyed did not want the "hassle" of two-factor authentication. Turns out those surveyed even poo-pooed challenge questions.
So Abbey decided to act on the survey results. They decided to do nothing. And they decided to shout it out for all (including the fraudsters) to hear!
I question which business schools their marketing folks graduated from.
I wonder too what context the survey questions were raised (perhaps a brief explanation of how two-factor authentication protects against phishing would have been in order!). I wonder if the mere 1000 users surveyed really represented the fraud concerns of their overall user population. I wonder if they bothered to survey any of their customers who were not using their e-banking services- perhaps because of fraud concerns. And most importantly I wonder if the one-third of respondents who wanted stronger protection against fraud will take their business elsewhere...
Now here is a different survey. It is one we did last summer of customers who were using our VeriSign Identity Protection (VIP) Network. Those who were actually using two-factor authentication to protect one or more of their online accounts. Of those surveyed 81% thought it was easy to use. And over half wanted to use their same token at their broker, healthcare provider and gaming site.
If I were a marketing person at an online outlet- I would figure out a way to leverage those statistics to attract customers away from the Abbey banks of the world who are not taking customer's fraud concerns seriously. "Hey- you with a PayPal Security Key- come use it over here".
At minimum- what Abbey should do is to offer strong authentication to the users who want it. Isn't it a much better strategy to offer security as an option versus risking losing customers to those who do?
If you live in the UK, the answer would be a little over twenty thousand dollars (at current exchange rates) for the average adult internet user, a nice bounty for phishers, bot herders, malware coders and other cyber-criminals to go after.
This is based on highlights of a recent YouGov survey that estimates European Internet users are risking up to 1.6 trillion dollars by sharing personal and financial data with sites that are not adequately protected, with UK Internet users responding for a 731 billion chunk of the total amount.
What the research also suggests is that the ubiquity of social networking and other data sharing sites has increased dramatically the quantity and sensitivity of the information available on the web, with users volunteering more and more details in order to complete their profiles, make more friends or establish new connections. Many consumers are giving away their date of birth (75%), their home address (70%) and even their mother's maiden name (68%). People sharing such data may not realize that it is not too hard to aggregate all this information and use it to compromise internet banking accounts and other sensitive online applications.
That is why consumer education plays a key role in making sure users understand what is appropriate to share and where to share it. And believe it or not some of it is working, as the YouGov research shows that consumers are becoming more aware of security symbols such as the padlock (69 percent) or a security mark like the VeriSign® Secured Seal (41 percent).
Moving forward, tools such as Microsoft IE7 and EV certificates will ease the learning curve, but at the end of the day good old common sense continues to be key when deciding whether to share sensitive data online.
I have a confession to make. I was almost a victim of fraud.
It involved Craig's List, the selling of a refrigerator, a random check for $3000 over the amount being sent for payment, the panic of the buyer for overpaying and them begging me to 'Western Union' them the erroneous overpayment once I cashed the check. I was even 'offered' $200 of the overpayment for my troubles.
I am embarrassed to admit- I got all the way to the bank. I actually deposited the check- then in a last minute of "this doesn't seem right" had them run the check and low and behold...
Truth is I was taken off guard, in the middle of a move, not really paying attention-- just happy to have the refrigerator out of my garage.
What is mortifying is that I have been working in security sector of high tech for the last 20 years. The fact I didn't immediately rip up the check shows how even the most security minded of consumers can fall prey.
Last week there was a phishing report by California Berkeley Law School researcher Chris Hoofnagle. The report shows the increase volumes of reported identity theft and highlighted the most frequently phished sites -- the numbers were incredible. The chatter around the report in the press and on other blogs put the stress on consumer awareness. I would argue (from experience!) that is not the answer.
The answer lies in fool proofing websites. Making it so that even if someone did get a hold of your userID and password- they cannot gain access to your accounts. A layered approach including second factor authentication is indeed the answer.
Ironically- many financial institutions that we talk to about two-factor authentication often take the stance that "their customers don't want it". Conversely every member of our VIP network who is providing opt-in second factor authentication has exceeded expectation of the amount of users who indeed opt-in.
Hoofnagle advocates that identity theft information be made available so consumers can make educated decisions on whom to bank with based on security risk. If consumers took his advice banks and ecommerce sites might actually be forced to take action.
I will look forward to the day that my bank protects me should my guard ever drop again.
Our team develops products that help businesses and individuals transact securely on the internet. Needless to say we have a lot of work to do.
I just spent some time in Europe talking to financial institutions and comparing notes on fraud trends here and there. One of the quick conclusions is that online criminals are sharing tools and methods on a global basis and on a scale that we haven't seen before.
One example is a modern variation of an old stock touting technique known as "Pump and Dump" , where fraudsters use e-mail spam to falsely promote a thinly traded instrument (such as a penny stock) hoping that enough people will buy it and drive the price up. The way they make money is by buying the penny stock before sending the spam and selling when the stock goes up (and before it crashes down).
Now if one feels like following investment tips from an e-mail with an anonymous robotic voice that is one thing. A different thing altogether is when criminals take "Pump & Dump" to the next level and steal your username and password, hijack your online brokerage account, sell all your blue chip stocks and use the proceeds to buy the penny stock, leaving you with some worthless equity in a tiny and obscure company. Play the video below for a CNBC report on Pump & Dump aired last year.
Over the last two years, the SEC has filed charges against several individuals in the US and abroad that used this enhanced technique to defraud online brokerage users. Since 2007 the same technique started to show up in Europe and China, as fraudsters realize they can repeat the scam throughout the globe.
While the authorities are arresting some of the suspects, the sustainable solution is for brokerages to continue monitoring suspicious trading behavior and investing in better authentication credentials.
Vicente Silveira
I am constantly evaluating our offerings and other technology solutions, asking: will this really play in my hometown of Erie, PA? The challenge for security vendors has always been there but have we delivered solutions that provide a broad spectrum of security for our customers depending on their needs, risks and users? Two years ago, when the FFIEC guidance around multifactor authentication came out, our customers told us we hadn't. Companies like VeriSign quickly innovated to find that right balance between security, usability, and convenience. Device IDs, images, networked authentication and a whole host of convenient 2-factor credentials emerged and the race is on to find that next game- changing security solution.
We at VeriSign believe there are two critical pieces to this moving forward:
1. Open standards. In other words: two-factor authentication solutions from multiple vendors allowing customers to mix and match and price shop depending on their risks and user profiles. Meet OATH, openauthentication.org. Created in 2003, OATH came together to publish specifications that a whole host of vendors can innovate around.
2. Convenience and lower costs. 75 members in OATH later, we have SMS OTP, flash drives with OTP capability, mobile phone applications that can generate authentication credentials, credit card sized devices, etc.
No one can dispute that consumers spend more money at places they trust. Convenient, low-cost security solutions will play in Erie, PA. If your security vendor can't show you that they comply with open standards and deliver cost effective, convenient solutions its probably time to move on.
Read more: "OATH: One Token To Rule Them All" by Avi Baumstein of InformationWeek
Google's announcement of the launch of a new program that allows users to post their medical records online caught my attention. While there are obvious benefits to having a centralized store of historical health information, medications, test results, etc., my first inclination was to be concerned about the security of such personal information.
Naturally I am inclined to believe that everything should have strong authentication. However, not wanting to be overly paranoid, I thought I would investigate just what the exposure is should one gain access to my medical records. I mean -- just how much damage could be done should someone discover that I have hay fever and a rather bizarre allergic reaction to arugula? Is there value in gaining access to my epi-pen prescription?
So I did some simple research. I first went to my insurer who has a portal for which I had previously registered for an online account. Once I logged in with what I will admit was a weak userID and password, I was actually surprised to see the ability to view my name, Group ID # and Member # -all in clear text! I could review my benefits, and should I have entered them previously- my online medical records. Additionally I could order online prescriptions, check claim status, and file pre-authorization forms for any medical procedure covered by my plan.
My paranoia was starting to feel justified.
I then went to my healthcare provider which is a regional medical foundation and also has an online portal. I was able to request appointments, book labs, renew prescriptions and see test results all by gaining access via a weak user name and password.
Alright so access is easy- a little more information than I care to admit is readily available- but what really is the risk of personal damage?
According to 2006 National Health Interview Study- 14.8% or 43.6 million Americans are without health insurance. That was a 2.2M increase over the prior year and this number no doubt is even higher once 2007 reports. With that there has been an increase in medical insurance fraud. It would be relatively easy to hijack an account, make appointments, order tests, and see the results all online using someone else's insurance and identity. Beyond the initial visit when asked to provide the insurance card, have you ever been asked for any validation of identity when visiting your doctor or for that matter when picking up a prescription?
My initial concern was justified. The importance of providing strong authentication for such online services to prevent hijacking is equal to the value such online access provides for better medical care. California has seen the risk strong enough to extend the landmark breach notification laws to include notification of any compromise of a medical record in its recently passed Assembly Bill 1295.
I hope that Google, Microsoft and other vendors who provide medical record storage will take the threat seriously and offer strong authentication. We have plenty of room for them in the VIP Authentication Services Network.
And to you patients out there...it is within your patient bill of rights to demand that extra layer of protection.
In good health,
Jen
* The BA flight leaving from Tel Aviv to London was the highest risk with the maximum security. As you would expect, the security in Tel Aviv was very tight with about 5 layers of screening including in-depth personal interviews, bag checks that open every compartment, dogs, etc.
* However, the security for the flight from Bangalore to Delhi was not high because internal country flights are not as sensitive.
* The flight from London to SFO had tighter security...you couldn't take liquids even though that is OK at other airports.
This reminds me of the point that we make to our customers - use layers of security to catch different types of fraud, security that maps to different types of risk. And here are examples in the off-line world where it already works!!
OpenID Gets Star Power By Kenneth Corbin of InternetNews.com
Tech heavyweights join OpenID Foundation board By Deborah Gage of The San Francisco Chronicle
OpenID gains support for online single sign-on By Shane Schick of ComputerWorld Canada