Main

October 8, 2009

RSA and VeriSign team up on Cloud-based, Two-Factor Authentication offering


Today, we are pleased to announce that our customers' options have been broadened by our technical and sales partnership with RSA, another "Best-in-Class" Authentication Provider. The agreement will provide organizations with the mutual benefit of an expanded VIP Authentication Service through the availability of RSA SecurID® two-factor authentication technology for more choice in one-time password (OTP) authentication.


Organizations in search of strong authentication solutions will benefit from being able to use VIP in combination with RSA SecurID hardware tokens and the convenience of a single platform.


This technical and sales partnership signals a new chapter in the longstanding relationship between RSA and VeriSign. Both companies, which were recently rated Best-in-Class for Multi-Channel Authentication Technology by Javelin Strategy & Research, are teaming up to address the market segment for managed, shared authentication services, offering organizations the convenience of a single platform. Read the press release.


Updated on October 9:
Read what Burton Group's Senior Analyst Mark Diodati has to say about our partnership with RSA.


September 15, 2009

The next Hollywood blockbuster?


It's about time Hollywood produces a blockbuster about identity management.


No, I'm kidding. No producer would ever even read a script which includes the term "identity management" in its title (except, perhaps, "Harry Potter and the Identity Management Prince"). But there is a new Bruce Willis movie that deals with the issue of identities, among other things, and, well, that's a start.


The movie is called "Surrogates" (watch trailer), and it tells the story of a futuristic world in which humans live in isolation while only communicating with their fellow man through robots that serve as social surrogates and are better-looking versions of their human counterparts.


Now isn't that kind of what happens today in our own world? When we go to the web we have a virtual identity through which we communicate with our fellow man, fellow banks, fellow stores: we send our virtual identity (user name) to the bank, it "shakes hands" with the web embodiment of the bank (using a password), and then starts communicating with it. Our online identity may not be a better-looking version of us, but it still gets the job done.


In "Surrogates" Bruce Willis is an FBI agent who enlists the aid of his own surrogate to investigate the murder of a genius college student. As the case grows more complicated, however, Willis's surrogate is destroyed and he discovers that in order to actually catch the killer he will have to venture outside the safety of his own home for the first time in many years.


Sadly enough, in our real world, our online identity "surrogate" can also be destroyed. If a deadly killer (a nerdy hacker in our case) takes over our identity, we have a problem: the surrogate still looks like us, other web surrogates still know him and trust him, but it is really, well, misbehaving. Our one chance to stop it is to identify that it is not acting like we usually do, and that's why we find behavioral analysis systems at banks, stores and (recently) social networks. If we miss that chance, our identity must be terminated - close accounts, cancel cards, change email address.


As it happens in many Hollywood movies, there is a happy ending to "Surrogates". Willis solves the mysteries, kills the bad guys, and even ends up with the girl (yes, there is a girl in this flick!). In real life, however, this rarely happens: even when we solve the mystery ("The attacker came from a proxy server in Finland, and used a zero day IE6 exploit! Yeah!"), catching the bad guys is slow and expensive, and new "killers" are born every day.
And I'm not even talking about getting the girl.


Still, what we can do (considering we don't have the budget to hire Mr. Willis) is to carefully watch our online identities: Let them communicate with the world only behind firewalls. Dress them with an anti-malware shield. Don't let them go to places you wouldn't visit in the real world. And if you're a security company, look for changes in their behavior: they may have been taken over by a vicious nerd.

August 17, 2009

Why Cloud Security is only as Strong as Your Weakest Password (and what you can do about it)

Posted by Fran Rosch, SVP of User Authentication, VeriSign


This article was also published in SC Magazine.


All too frequently, reports surface of high-profile hacks victimizing individuals using weak password protection. But, unlike the inconsequential account break-ins hitting Britney Spears, Ashton Kutcher or Sarah Palin, the consequences of some compromised accounts raise serious implications for cloud services security.


Your personal and professional security is only as strong as your weakest password. And for IT managers, the security of an organization's cloud-based resources is only as strong as your most careless employee's weakest password.


Personal information can be harvested in many ways, and the viability of traditional usernames and passwords is undermined by the "forgot your password" processes employed by many sites today. Many hacks have succeeded by using harvested information to defeat such "reset" measures and then scouring the compromised accounts for professional login information.


The industry must move to stronger authentication technologies. After all, the strength of a password is meaningless if someone can reset your password. The primary mechanism for secure access to web services is embarrassingly inadequate. In fact, the migration of IT to the cloud may mark the death of the traditional username and password and drive the adoption of stronger internet security measures.


Stronger authentication is available in the form of two-factor authentication, such as one-time password solutions. These solutions can literally put stronger security in the hands of every individual: plastic tokens, USB drives, SMS-enabled devices or software running on mobile devices.


Such solutions have been available for years for enterprise implementations, but cost issues tied to scaling these solutions to large numbers of users have been prohibitive.


By delivering two-factor authentication through a managed service, however, the expensive infrastructure investments of on-premise models may not present as intimidating a barrier. Such a service can dramatically reduce fixed and operating costs of ownership. And a mobile device can dramatically simplify deployment.


Ironically, or not so ironically, Authentication-as-a-Service (AaaS) - strong authentication delivered through the cloud - could be a major solution for the cloud paradigm's most obvious security challenge.


Reckless human behavior is something you can influence but can't ultimately control. Additionally, people live their digital lives across personal and private online accounts. But two factor authentication can be implemented across professional and personal accounts - from the free email account to the cloud-based ERP account - to ensure that password vulnerabilities are a thing of the past and that cloud-based services are secure in the future.

April 21, 2009

VeriSign Shares Strong Authentication Development Tools with Mobile Developers in the Fast Lane

We announced our new "Mobile Developer Test Drive" program today at the 2009 RSA Conference. By leveraging the VIP Access for Mobile SDKs, developers can easily and quickly create a pilot version to transform personal mobile devices into two-factor authentication credentials.

The pilot allows developers to test the functionality of the mobile application to see how simply they can integrate strong authentication with any J2ME and iPhone applications. Developers of mobile payment, mobile banking, m-Commerce and mobile social networking can also easily incorporate VIP open standards two-factor authentication into their applications and protect their users with an extra layer of security that goes beyond standard secure log-ins.


To find out more about our new VIP mobile developer test drive, please visit vipdeveloper.verisign.com. Please also send us your success story and feedback. We'd love to hear from you!


April 20, 2009

VeriSign Identity Protection for Mobile Expanded to Leading Mobile Phones

With the success of VIP Access for iPhone, we are adding many leading phone models into our mobile credential family. In addition to iPhone, VIP Access for Mobile now supports more than 90 popular mobile phone models, including all the popular BlackBerry models as well as Motorola, Nokia and Sony Ericsson models.

VIP Access for Mobile is an easy-to-install application that transforms leading mobile phones into strong authentication credentials. To discover the benefits of the easy-to-use and cost-effective VIP Access for Mobile, download VIP Access for Mobile from m.verisign.com.


We continue adding popular feature phones into our phone family each month. If there is a popular phone model you do not see on our current official supported phone list that you would like to be considered, please let us know!

VIP Access for Mobile home page

April 16, 2009

VIP Access for iPhone Downloads Reach Record High

We are very excited to share that our VIP Access for iPhone downloads have reached a record high. This week's downloads were three times our previous record high.


We appreciated all the constructive feedback from our VIP users. Many users also wish more online banks, gaming and social network sites would sign up with VIP Network, so they can use one VIP Access credential anytime anywhere to secure their online accounts and online identity.

 
We also have had many iPod touch users ask to be notified when we include support for the iPod Touch. Although in our first release we leverage SMS as part of the activation process, we are reviewing other alternatives to enable iPod Touch users in the near future. Stay tuned.


If you have any suggestions, please email vipmobile@verisign.com. We love to hear from our users.

April 14, 2009

VIP for iPhone is HOT at the App Store!

What are the hottest applications you can get for your iPhone this week?


Check out Apple's App Store "What's HOT" category. You will see "VIP Access" for iPhone recommended for iPhone users. This is the only security application to receive the App Store's coveted "What's HOT" endorsement this week.


This great mobile application turns your iPhone into your personal security device and adds an extra layer of security for your online accounts at the 40+ members of the VIP Network - including eBay, PayPal, AOL, and GEICO.

Check out VIP Access on your iPhone and tell us what you think.



February 3, 2009

Watch out for the "Evil Twin" - Coming to a Hot Spot Near You

Imagine this scenario. You have a couple of hours to kill, so you log onto the free wireless access at an Internet cafe and check your personal email, maybe even make sure your latest check won't bounce by logging on to your banking site. (Whoops, that's just me).


What if a fraudster had set up that free WiFi you just logged into? How much of your personal information was just compromised? Well, this nightmare scenario is coming true. It's so widespread that it has even earned its own nickname: The "Evil Twin." Fraudsters can easily set up a fake hub and even name it to look legitimate, by using the name of a nearby store or cafe. Some people have noticed this in airports.


But don't lose hope: the "good guys" at the WiMAX Forum have defined a security model using two-way mutual authentication and they are creating standards that will protect us from this kind of scam. WiMAX is one of the standards for mobile broadband. It's not fully adopted anywhere yet, because only some providers have adopted it as a standard. But some of the big chip makers will be baking it into devices in the coming years so it will become more widespread.


Today we are announcing that the WiMAX Forum has chosen VeriSign as the Certificate Authority to secure the certificates that will go on WiMAX-enabled servers and devices.


Our PKI Product Manager, Charul Sadwelkar took a few moments to answer some of my questions about VeriSign's role in the WiMAX ecosystem. Charul used to work in the mobile industry so he knows all the jargon and he explained all the competing standards.


Question: "Are there any competing standards to WiMAX today?"
Answer: "There are competitive technologies that are in various stages of evolution. The one most commonly cited is the "Long Term Evolution" (LTE) roadmap, which is the path taken by the GSM and the GPRS service providers. But we believe that they are a little bit behind WiMAX which is spearheading the high-speed mobile Internet access revolution."


Question: "As part of VeriSign's PKI service for WiMAX, are we using any proprietary technologies?"
Answer: "VeriSign takes pride in the fact that we are a standards-based PKI provider. For the WiMAX ecosystem, we are not doing anything proprietary, these are very standard certificates with profiles as specified by the forum."


Question: "When will WiMAX be widespread?"
Answer: "It is in pilot roll-out in a couple cities in the US and in some Asian countries where the landline infrastructure is not particularly strong. We expect that WiMAX will be widely available in a year or two from now."

Listen to the interview with Charul

Learn More:
White Paper: Helping to Secure the WiMAX World: VeriSign WiMAX PKI Service

Data Sheets: VeriSign WiMAX Public Key Infrastructure Service for Device Manufacturers, and VeriSign WiMAX Public Key Infrastructure Service for Service Providers

December 10, 2008

Putting order into things (Part I)

By Yohai Einav, Senior Fraud Analyst

A deserted street, night, a frightened old lady hops towards a policeman who just left the bar.
Old lady: "Please officer, this e-mail is trying to phish me!"
She shows a laptop to the Policeman.
Old lady: "My grandson gave it to me for my birthday, and he warned me of such things. Now it is trying to phish me!"
Policeman: "Let me see this".
The Policeman looks at the screen. He sees a phishing email.
Policeman: "Lady, do you have any idea what this is? This is identity theft! Wait a second; I must report this to my superiors right away!"

The policeman talks into his walkie-talkie:
Policeman: "Jim, I want to report an identity theft on 8th and Houston.... Yes, an old lady again.... Yes, her grandson... no, I didn't get the IP..."
The policeman leans toward the old lady.
Policeman: "You are lucky to still have your identity. Now go home and be sure to lock your firewalls."

The lady walks away. Two minutes pass. Suddenly we see an old man running towards our policeman.

Old man: "It's a Trojan horse! He is coming for me!"

End of scene


(Taken from the new Harrison Ford movie, "Firewall 2: revenge of the firewall")


This scene (based on a true event) illustrates the pervasive confusion many of us suffer with all these security buzzwords flying around. This entry-level post will try to answer such questions as "what do these buzzwords mean" and "how do they fit into a bigger picture".

Let's start with the bigger picture.


Bad people want your money
When bad people want your money they usually have such a plan in mind:
1. Steal your personal credentials
2. Penetrate your online financial accounts using these credentials
3. Move money from your accounts to other accounts
4. Take the money and run


That's the very big picture. Now let's get down to point [1] - stealing your banking credentials. There are a few common buzzwords that fall under this category: phishing, identity theft, Trojans.


"Identity theft" is certainly a very scary term: who wants his own personal identity to be stolen? How can you function as a human being without your identity? Well, you can't function, but luckily, the problem is not with you, but with the term. It is not inherently possible to steal an identity, only to use it. "Identity theft" is a misnomer, which actually has the meaning of our point [1] - bad people want to steal and use your credentials. So, when you are "a victim of identity theft", all it means is that bad guys stole some of your credentials - login, password, SSN, driving license number, birthday, etc.


Now, how can bad people steal your credentials? Two of the most popular means are also two of the most popular buzzwords -

Phishing and Trojans.
Phishing and Trojans are two ways of stealing your credentials. Phishing does it using mostly social engineering, while Trojans use brute force and less social engineering. In a "phishing scam" (a.k.a. "phishing attack") you receive a fake email, navigate from it to a fake banking site, and there, typically if you are a naïve person, you give away your credentials to the bad guys. And that's it.


In a Trojan scam, your computer gets infected with a Trojan horse - a type of malicious software which makes your computer perform undisclosed malicious functions; one of these malicious functions is to send personal credentials that were found on your computer to the bad guys. The exact techniques of how this is done are out of scope here, but the important thing is that you, the victim, give away your credentials without knowing you're doing so.


So we have two very different techniques that achieve the same goal - stealing credentials ("identity theft"). Yet the ways to protect yourself from these vicious means are completely different. In order not to be a victim of phishing you simply need to be less naïve and more aware of the threats of phishing. You could use software tools that filter and warn about phishing, but if you fall to social engineering, this wouldn't help you.


Trojan protection doesn't require a personality change. You can remain naïve, but you must install anti-Trojan/anti-virus software on your PC and keep it updated at all times. In 99% of cases, this ensures that no behind-the-scenes malicious action is being performed on your computer.


So what should you do if an email tries to phish you in the middle of the night?

Exactly, call the cops.

December 5, 2008

CheckFree Hijacked Due to Poor Domain Registrar Authentication

This just in from the Washington Post: CheckFree, a major online bill payment site with over 24 million customers, had their domain hijacked and redirected to a site that tried to install malicious software on users' computers. This all happened because criminals stole the username and password for CheckFree's domain management account at Network Solutions.

Clearly the criminals who perpetrated this attack should be caught and prosecuted, but isn't it sad that such valuable assets are protected by just a simple username and password? If you run a website, your domain registrar has the keys to your online castle -- how could this not be protected by strong two-factor authentication?

November 24, 2008

PayPal: New "Key" on the Block

Today PayPal launched mobile access for its Security Key. This means that along with the traditional token and credit card form factor, PayPal Security Key users can now get their one-time password (OTP) texted to their mobile phone. This is very cool, especially if you're one of those people who use your cell phone for everything--phone, email, text, Internet, GPS, camera...and now you can use it to protect your accounts online.


The new SMS OTP for the PayPal Security Key is available to customers in the U.S., Australia, Austria, Canada and Germany. PayPal does not charge for the OTPs texted to mobile devices. To use the service, customers need a mobile device and wireless service set up to receive SMS text messages. It's that simple.


The PayPal Security Key is part of the VeriSign Identity Protection (VIP) Network. As part of this network, consumers can use the OTPs to protect their accounts on a variety of financial services and e-commerce Web sites like eBay, AOL, Geico, U.S. Department of Education, American Bankers Association, and many others. To activate your PayPal Security Key SMS functionality, go to https://www.paypal.com/securitykey

October 29, 2008

Welcome to our newest "VIPs" on VeriSign's Identity Protection Network


Organizations around the world are deploying VeriSign® Identity Protection (VIP) services to stop fraudsters from tricking consumers into revealing sensitive private information. VeriSign Identity Protection service's one-time passwords (OTPs) are one element of a layered security approach. Other layers include Web site security brought by an Extended Validation (EV) SSL Certificate, fraud detection services to monitor anomalies on the back end, and consumer education.

The VeriSign Identity Protection Network allows consumers to use a single security device to authenticate themselves across any VIP-enabled Web site. So it's easier for all of us to stay safe online by integrating two-factor authentication into our online routine.


Our Newest "VIP" Members:
+ American Bankers Association (U.S.)
+ AWA Credit Union Ltd (Australia)
+ Central Murray Credit Union (Australia)
+ DocLocker (Australia)
+ Indusval Multistock (Brazil)
+ Joyo Bank (Japan)
+ Maitland Mutual Building Society (Australia)
+ Morgan Street Document Systems (U.S.)
+ South West Credit Union (Australia)
+ U.S. Department of Education (U.S.)
+ VietUnion (Vietnam)
+ Water ISAC (U.S.)


Extending the Reach of VeriSign Identity Protection With Global Partnerships
Enhancements to VeriSign's sales and delivery channel for VIP have also extended the network's market presence worldwide. VeriSign recently added to its channel and strategic partner ranks:
+ Blitz IT Consultants Pte Ltd in Vietnam
+ Senior Solutions in Brazil
+ Scitum and Netrix in Mexico
+ Bharti Airtel in India
+ iTrusChina in China
+ MSCTrustgate in Malaysia
And in the Europe, Middle East and Africa (EMEA) region, we launched a new program aimed at recruiting at least one anchor partner for the UK, Germany, France, Spain and Italy. We're working to ensure that VIP is represented via a robust and far-reaching ecosystem, particularly within the financial, retail, social networking and gaming markets.


Let's Give People What they Want
Here's a quote from a user of the Security Key who sells sports memorabilia on eBay:

"Before I started using my token, someone was breaking into my account every four to six weeks...I previously had to change my password constantly to keep others out of my account, but since I started using the PayPal Security Key, I haven't had to change it once."
At the eBay Live! event this past June, we surveyed 689 attendees about their experiences with the PayPal Security Key (a VIP token).
• A third of respondents said they use the PayPal Security Key
• Nearly three-quarters of users said that their PayPal key is easy to use.
Most respondents said they wanted to enjoy VIP protection with a variety of services - including online banking, shopping, gaming and stock trading - while nearly half hoped to use their token to access health care services. We're hoping we can help make those requests a reality.


October 21, 2008

Don't let this happen to your bank account....

You may have read the news over the weekend that cyber thieves raided Sarkozy's bank account and began stealing small amounts of money frequently. This marks the second high-profile online account break-in in recent weeks where an e-criminal broke in through the user name and password security function (the Palin email hack was the other). Consumers need to take full responsibility and control of their online accounts by securing them with an added layer of security, beyond a username and password. With more and more consumers putting their identities online, this type of account break-in will continue if we continue to use simple usernames and passwords. One such way to strongly secure an online account is the use of one-time passwords, also referred to as two-factor authentication. Some banks have already started rolling out such measures to their customers. The recent news about Sarkozy's account being raided serves as yet another example of why consumers should sign up for two-factor authentication, or ask their financial institutions to offer it, for their accounts.


~Vijai Shankar
Sr. Product Marketing Manager, VeriSign Identity Protection Services

October 1, 2008

How to entice older Australians into adopting Online Financial Services

by Francis Castello, Product Manager, Identity and Authentication Services - APAC Region


According to recent research conducted by Datamonitor, around 27 per cent of 2000 respondents would never arrange any financial product online (ref. Aussies fear online fin services). This percentage equates to around 4.2 million Australians.
The report noted that "Despite the introduction of more comprehensive security measures such as two factor authentication by the banks, there is still a significant proportion of consumers that does not use internet banking due to concerns about security." According to Datamonitor financial services analyst Petter Ingemarsson, the issue boils down to "perceived security" rather than the actual security safety nets in place.


One group that represents a particular challenge in converting to the new medium is the over 45 years-of-age category, where there is a major drop-off in the medium's acceptance. It's this older consumer contingent that I'd like to address in this blog post.


So what do banks need to do to address this particular challenge? Now, I don't purport to be a psychological expert, but it seems to me that if we revert to some simple problem resolution basics we're on our way to finding a solution. Without conducting any detailed analysis, I think it would be fair to attribute the resistance by older consumers in embracing the online medium to two key contributing factors. The first is a fear of new technology. In general, the older we get, the more resistant we seem to become in adopting new technologies. The second factor is a fear of the insecurity associated with the Internet. The constant attention the topic of 'online identity theft' enjoys in the media does a great job in propagating the message of insecurity associated with transacting online.


Faced with this challenge, one might also ask, 'why bother with the older consumer segment anyway?' That's what I thought originally, until my 65 year old mum approached me one day and asked me "Son, I want to get connected to this Internet thing; can you help me?". And we're talking here about someone who struggled with the unconventional new-age shape of her brand new bread toaster! Clearly the desire is there. Well, from that point I was convinced. Yes, even the over 45s will convert but the rate of success will depend upon the approach and solution. So how can we address this challenge?


In my opinion, the solution requires the following three key elements:

1. The security solution needs to offer something tangible for the consumer (something the consumer can see, touch, etc.);
2. The security solution must be simple and bullet-proof; and
3. The security solution needs to be offered via a targeted marketing campaign.


In my mind, the first two key elements above can be addressed via the new technology available in the form of a One Time Password generating card form-factor. Traditionally, tokens have offered this functionality but, let's face it, these would appear as a foreign object to most of the older consumer generation. On the contrary, cards have been in widespread use for decades (e.g. Pensioner Card, Medicare Card, Driver's Licenses, Credit/Debit Cards). Most importantly, the card form-factor generates the OTP code on demand (thereby offering the simplest two-factor authentication experience). This is in stark contrast to the alternative out-of-band solution such as SMS, wherein network delays in delivering the access passcode (which in the worst case never arrives) can lead to a very disconcerting experience for anyone, let alone the older consumer generation.




This leaves us with the last key element for success, which involves a targeted marketing campaign. And clearly any campaign intended to draw consumers into the online realm needs to commence in the physical realm. One option here is via a physical mail-out campaign. A flyer which illustrates and describes the security benefits of an OTP card would offer an excellent draw card to the online medium.


To conclude, I don't believe banks should be abandoning any ambitions to drive the older consumer generation towards the online banking medium. Let's not write them off just yet. I belong to that consumer segment; I'm actually 45!

September 19, 2008

The Palin Email Hack

The recent news about how Vice Presidential candidate Sarah Palin's Yahoo email account was hacked makes it clear as day that we need better security for web based email, and we need to close the giant loophole of "password reset". Web email often gets lumped into the bucket of "low value" accounts, so system designers pay little attention to the security of its authentication systems, but it often contains our most personal details. How many more high-profile account takeovers are we going to see before people take account security seriously? Come on folks, usernames and passwords just don't cut it anymore, and the problem isn't just limited to financial sites.


This incident also makes it abundantly clear that system designers need to take a holistic, layered approach to security. Palin's Yahoo account was compromised not because the hacker guessed her password, but because the "password reset" function was easy to get through. There's no sense in locking down the front door tight if you're going to leave the side door open, and that's what you get when you use simplistic "secret questions" as a password reset mechanism. So-called "secret" questions are never secret -- and even if you're not a national public figure, it's pretty likely that more than a few people know your dog's name, your birthday, or where you went to high school.


If you're a user stuck with a site that uses one of these bad "secret" question schemes, Veracode and Lifehacker have some good tips on what to do (besides threatening to take your business elsewhere if the site doesn't implement real security). If you're a system designer, you should use true two-factor authentication for the front door, and an out-of-band scheme for credential recovery.
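The "side door" this post describes, and the "forgot your password" loophole the cloud security post above points at, are both easiest to see side by side in code. The following is an added example written for this page, not VeriSign's or Yahoo's code: a reset gated by one guessable "secret" answer next to an out-of-band recovery flow that issues a random, hashed, short-lived, single-use code to a contact registered at enrolment. The usernames, the dog's name and the phone number are constructed.

```python
import hashlib
import hmac
import secrets
import time

# --- The weak side door: a "secret" question answered with public information ---
# Constructed example: the answer is exactly the kind of fact the post says is never secret.
SECRET_QUESTION_ANSWER = "rex"   # the dog's name, known to friends, neighbours and social media


def secret_question_reset(answer: str) -> bool:
    """Grants a password reset to anyone who knows (or looks up) one guessable fact."""
    return answer.strip().lower() == SECRET_QUESTION_ANSWER


# --- Out-of-band recovery: random, short-lived, single-use code sent to a pre-registered channel ---
class RecoveryService:
    TOKEN_TTL_SECONDS = 15 * 60   # codes expire quickly
    MAX_ATTEMPTS = 3              # a guessed code gets very few tries before it is burned

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be demonstrated deterministically
        self._contacts = {}            # username -> phone/email verified at enrolment time
        self._pending = {}             # username -> {"hash", "expires", "attempts"}
        self.outbox = []               # constructed stand-in for the SMS/email gateway

    def register(self, username: str, contact: str) -> None:
        """The recovery channel is fixed at enrolment, never supplied during recovery."""
        self._contacts[username] = contact

    def request_reset(self, username: str) -> str:
        """Issue a code. The reply is identical for unknown users so accounts cannot be enumerated."""
        contact = self._contacts.get(username)
        if contact is not None:
            code = secrets.token_urlsafe(24)            # ~192 bits of randomness; nothing to "know"
            self._pending[username] = {
                "hash": self._hash(code),               # store only a hash, as with passwords
                "expires": self._clock() + self.TOKEN_TTL_SECONDS,
                "attempts": 0,
            }
            self.outbox.append((contact, code))         # delivered out of band, never echoed back
        return "If that account exists, a recovery code has been sent."

    def redeem(self, username: str, code: str) -> bool:
        """Accept the code once, within its lifetime, and within the attempt budget."""
        record = self._pending.get(username)
        if record is None:
            return False
        if self._clock() > record["expires"]:
            del self._pending[username]
            return False
        record["attempts"] += 1
        if hmac.compare_digest(record["hash"], self._hash(code)):
            del self._pending[username]                 # single use
            return True
        if record["attempts"] >= self.MAX_ATTEMPTS:
            del self._pending[username]                 # burn it rather than allow guessing
        return False

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()


def demo() -> dict:
    """Walk both doors with a constructed clock so expiry can be shown deterministically."""
    now = [1_000_000.0]
    svc = RecoveryService(clock=lambda: now[0])
    svc.register("governor", "+1-555-0100 (constructed number)")

    svc.request_reset("governor")
    _contact, real_code = svc.outbox[-1]                # only the phone's owner sees this

    results = {
        # Anyone who knows the dog's name walks through the side door.
        "secret_question_bypass": secret_question_reset("Rex"),
        # Knowing a public fact does nothing against a random code.
        "guess_rejected": svc.redeem("governor", "rex"),
        "real_code_accepted": svc.redeem("governor", real_code),
        "reuse_rejected": svc.redeem("governor", real_code),
    }

    # A fresh code left unused past its lifetime is also rejected.
    svc.request_reset("governor")
    _contact, stale_code = svc.outbox[-1]
    now[0] += RecoveryService.TOKEN_TTL_SECONDS + 1
    results["expired_rejected"] = svc.redeem("governor", stale_code)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The recovery code stands in for the out-of-band step; in a real deployment the front door would additionally require the second factor the post recommends.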

July 2, 2008

Real People Talk to VeriSign about their Online Identity

We asked people on the streets of San Francisco about what they do online, how many passwords they have, and whether they think their personal information is safe.


"Any bill that I pay, other than my rent, I pay online"
"There's probably a lot of sites out there that have my personal information."
"Sometimes even with secure sites, hackers get through"

"Every time I use a credit card, I hope that's the only place it gets used."

Find out how VeriSign can help keep your online identity safe.


June 23, 2008

Online fraud: Thinking "outside of the box"

By Yohai Einav, VeriSign Senior Fraud Analyst


I was on my way to the airport, chatting with my cab driver. After I told him my overused joke about the peasant, the seigneur and the miraculous goat, he asked me for my profession. "Oh, fraud?", he said. "You know, I almost lost $7,000 to card fraud last year".


So the sanguine driver told me how his bank called him, warning him he had gone into overdraft. When he investigated this he found that his Visa card had recently been charged with $6,000. He called Visa, and they told him - "Sir, didn't you make two £1,500 transactions in London two weeks ago?"


No, he was never in London. No, he rarely uses the British Pound in Israel.


"Time out", I said. "Credit card issuers know that this could happen, and no way could these two transactions have passed without Visa noticing them". Firstly, the amounts were high, and secondly, the driver's card had a consistent pattern of transactions in only one country. "Didn't Visa call you?" I asked. "No", he said, "the transactions were made on Yom Kippur, the holiest of the Jewish holidays, and no one in Israel was able to answer their phone". "No problem", the driver concluded, "Visa refunded my money the next day. They actually told me that they had dozens of fraud transactions on that same holy day".


I loved that story for one reason - it shows how the bad-guys constantly think outside the box. They knew that such a large scale scam would be detected on any other regular day, so they found a day when it wouldn't. They know what's inside the box, and then plan ahead.


Here's another story - a few years back I was analyzing a fraudsters' product called CC2Bank, which was basically a management tool for stolen credit cards. Release 1.3 of the tool enabled the bad guy to type in any credit card number and learn the type of card, the name of the issuing bank, the bank's phone number or the country where the card was issued. It also included another feature - a "list of busy phone lines", with a geographical distribution of the phone numbers. Why was that of interest to the fraudsters?


Again - it was the think-outside-the-box attitude: on e-commerce sites the user needs to provide a phone number. So if you're a bad guy you probably don't want to provide your home phone number, but you still need to provide some number. You obviously cannot use a random number, because the card company is going to call it. So what do you do? You find a number that [1] geographically makes sense, and [2] is always busy. When the transaction validation call is made and the line is always busy, the card company has to make a decision: do we approve this transaction or not?


In most cases, you can already guess, such transactions will be approved.


This is not a new tactic, but a regular fraudster's strategy. Bad guys have to think outside the box, since security companies already cover whatever is inside it. The lesson for us in the security industry bears emphasizing: never rest on our laurels; always try to cover what's outside the box; occasionally think like a bad guy; and never, ever tell jokes about miraculous goats.
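Both stories in this post come down to the same design question: what does the fraud system do when it has flagged a transaction but cannot reach the cardholder? The following added example (written for this page, not code from the original post or from any issuer's real system) screens a constructed transaction history for the two signals the cab-driver story turns on, an amount far above the card's norm and a country the card has never been used in, and shows the fail-closed decision beside the fail-open one that the holiday timing and the "always busy" phone numbers exploit. The Txn records, thresholds and reach_cardholder hook are all assumptions made for the example.

```python
"""Added example, not code from the original post: a rule-based screen over a
card's transaction history that captures the two signals the cab-driver story
hinges on (an amount far above the card's norm, and a country the card has never
been used in) and that fails closed when the cardholder cannot be reached, which
is the gap both the holiday fraud and the "always busy" phone number exploit.
The Txn records, thresholds and reach_cardholder hook are constructed for this
example; they are not taken from any issuer's real system."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    amount: int        # in the cardholder's home currency
    country: str       # ISO 3166-1 alpha-2 where the card was presented
    merchant: str


APPROVE, DECLINE, HOLD = "approve", "decline", "hold"


def risk_flags(history, txn, amount_ratio=5):
    """Reasons `txn` looks unlike the card's past use (empty list = looks normal)."""
    if not history:
        return ["no history for this card"]
    flags = []
    typical = median(t.amount for t in history)
    if txn.amount > amount_ratio * typical:
        flags.append(f"amount {txn.amount} is more than {amount_ratio}x the median {typical}")
    seen = sorted({t.country for t in history})
    if txn.country not in seen:
        flags.append(f"first use in {txn.country}; card previously used only in {seen}")
    return flags


def screen(history, txn, reach_cardholder, fail_open=False):
    """Decide on `txn`.  `reach_cardholder(txn)` returns True (cardholder
    confirmed), False (cardholder denied) or None (no answer: busy line,
    holiday, nobody home).  With fail_open=False, 'no answer' holds the
    transaction; fail_open=True is the behaviour the fraudsters were counting on."""
    flags = risk_flags(history, txn)
    if not flags:
        return APPROVE, flags
    answer = reach_cardholder(txn)
    if answer is True:
        return APPROVE, flags
    if answer is False:
        return DECLINE, flags + ["cardholder denied the transaction"]
    if fail_open:
        return APPROVE, flags + ["cardholder unreachable; approved anyway (unsafe)"]
    return HOLD, flags + ["cardholder unreachable; failing closed"]


# Constructed sample: a card used only in Israel, then a large charge in London.
HISTORY = [Txn(120, "IL", "grocer"), Txn(300, "IL", "fuel"), Txn(90, "IL", "cafe"),
           Txn(450, "IL", "garage"), Txn(200, "IL", "grocer")]
LONDON = Txn(6000, "GB", "electronics")

if __name__ == "__main__":
    nobody_answers = lambda txn: None
    print(screen(HISTORY, LONDON, nobody_answers))                   # hold
    print(screen(HISTORY, LONDON, nobody_answers, fail_open=True))   # approve (the bug)
    print(screen(HISTORY, Txn(150, "IL", "cafe"), nobody_answers))  # approve, no flags
```

A held transaction costs the issuer a phone call the next business day; an approved one on a day nobody answers costs it dozens of refunds. The rules themselves are deliberately simple; the design point is that an unreachable verification channel is itself a signal, not a pass.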

June 19, 2008

Consumer Security Goes Green at VeriSign

Posted by Fran Rosch, VP of VeriSign Identity and Authentication Solutions


Living in California, I have tried to become as environmentally conscious as possible given the grim reports on climate change and rising sea levels. The major steps I have taken along with my family include installing brand new energy efficient appliances and significantly more insulation as part of our home remodel. We also implement smaller initiatives such as maximum recycling, eating organic and locally grown products and composting as much as possible. I have even given up coffee and my favorite Irish oatmeal because of the carbon required to ship these products such long distances. We also try (but usually fail) to restrict ourselves to bicycle-only transportation on weekends.


I know there is lots of disagreement on whether these small actions actually make an impact, but they do make us feel better. I also travel extensively for business, which blows my personal carbon footprint sky-high regardless.


But I have been thinking about how VeriSign's VIP Consumer Authentication solution stands up against the competition in terms of being green. Traditional strong authentication products sold by companies such as RSA and Vasco are on-premise software solutions built on proprietary technology, as compared to VeriSign Identity Protection ("VIP"), which is a network-based service driven by open standards.

For the software-based solutions sold by our competition, an enterprise must purchase, install and manage a server infrastructure to validate the consumer's OTP (one-time password). A significant amount of energy goes into manufacturing these servers, shipping them halfway across the world and then powering them 24x7, never mind the energy used to extract and process the raw materials for the components. In contrast, VIP requires no infrastructure at the enterprise and uses a shared infrastructure installed at VeriSign's data centers. There is an immediate environmental saving in using shared infrastructure rather than everyone operating their own. Using VIP is like taking an electric high-speed train with hundreds of other happy passengers instead of each person getting in their own car by themselves and crawling along crowded highways.


Then I felt bad about all of those pesky plastic tokens that have been the staple of the traditional authentication market. Our competitors have manufactured and shipped over a hundred million of these devices, which will eventually find their way to landfills across the globe. By using open standards and encouraging a diverse and creative ecosystem of credential providers, we can imagine strong authentication without any plastic tokens. By embedding an OTP generator into a device the consumer already carries, such as a credit card, mobile phone or PC, the industry can stop manufacturing security-only plastic tokens.


However, until all this innovation is fully ready for production, VIP has another environmental benefit in that it allows the sharing of one credential across multiple websites. With traditional consumer authentication solutions, a consumer must have a separate token for each website, requiring more materials, more manufacturing, more shipping and more eventual trash. This is commonly referred to as the "token necklace". With VeriSign, one device can be the key to many websites, meaning the consumer will use it more and keep it longer, resulting in less waste.


Finally, I thought about what other environmental benefits VeriSign could encourage with our VIP product. Well, according to survey results published by our friends in the analyst community, there are still millions of consumers who are too concerned about Internet fraud and security to use the Web for banking, shopping, healthcare, etc. If VIP can help enterprises encourage these consumers to use the Internet for more of these activities and reduce their number of trips to the mall, that is a good thing for the environment.



June 10, 2008

VIP Developer Test Drive Update

It's now been about two months since we announced the VIP Developer Test Drive, and it's been a great success! Nearly 200 developers have downloaded the API, and many have already gone on to integrate it into their own applications. Over at Sun, Jeff Bounds has blogged about his integration of VIP with Sun Java System Access Manager/OpenSSO, and even posted step-by-step instructions on the Sun Wiki.

So, have you downloaded the API yet?

May 27, 2008

Looking Beyond the Obvious

Whenever anyone talks about typical authentication use cases, they inevitably use a financial institution as an example. "The user logs into his bank to perform a transaction." or "The bank issues the user a credential to protect his account." We use financial institutions as an example because it's an easy situation to explain -- you have a place with a lot of money, criminals like money, so we protect the money from the criminals. Simple, right?


But we should look beyond the "obvious" places where additional security is needed. If someone breaks into your online bank account and steals your money, it's almost certain that your bank will eventually cover your losses. It may be a giant headache for you, take a ton of time and effort, and it probably reduces your faith in online banking, but you will most likely be made "whole." But now what if someone breaks into your online health record? Or your email account? Or your social networking profile? Or your blog? Who's going to make you "whole"? Is that even possible?


Last week there was a great anecdote being discussed on a C|Net blog about how someone's instant messenger account had been breached by a password stealing piece of malware. The attacker got the victim's IM username and password, then logged in as the victim. The attacker then tried social engineering all of the people on the victim's buddy list, pretending to be the victim who was in some dire financial/legal predicament and needed money wired immediately. While none of the targets took the bait, what would have happened if they did? Nobody's going to refund the money they send off to some scam artist -- their bank is just following their legitimate wire transfer instructions, the instant messaging provider is providing a free service and disclaims all liability. But these people are just as much a victim of a weak username and password as our typical bank example.


Who thinks these people are going to continue to trust IM as a communications medium? Shouldn't we be protecting our most private conversations, and our actual online identity with something better than an easily phished username and password?


Money can be refunded, but trust and privacy can't.

April 2, 2008

Here's another incentive: 5,000 FREE CREDENTIALS to Join the VIP Network

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

I posted earlier today about the difficulty of remembering passwords, security questions, our daily tasks etc., and urged consumers to ask organizations to introduce secure yet painless authentication methods. Here's another incentive for organizations to make life easy yet secure for consumers at a lower cost. VeriSign is now offering up to 5,000 FREE CREDENTIALS to each organization joining the VeriSign Identity Protection Network by Sept 30, 2008. This is a great incentive for organizations looking to deploy strong or two-factor authentication and be part of a Network that enables consumers to use a single credential across multiple sites. The timing is opportune. With quite a few folks from the security industry at the RSA Conference next week in San Francisco, if you want more information, stop by the VeriSign Booth # 1316 at the conference and we can help.

~Vijai

We all need an easy and secure login access

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

We are seeing more and more articles about the difficulty of remembering usernames and passwords. On top of all the other things we have to remember (household chores, birthdays, etc.), we now have to remember the new trend of security questions along with usernames and passwords. I was having a problem logging into one of my student loan accounts, which had not only a username and password but a set of security questions in a PARTICULAR order. Phew, needless to say I was locked out and had to call in, listen to some crazy call center music and, after 15 minutes of waiting, speak to an agent to unlock my account.


I saw this article in The Wall Street Journal about the daunting task of managing passwords, the complicated system its author came up with, and the added burden of managing answers to security questions. Can't we make all this simpler and yet secure? How about a stronger, painless authentication process, using a single device, be it a mobile phone, a token, SMS etc., to generate unique codes each time at all my online sites? How about asking the organizations you transact with online to join a trusted Network that enables consumers to use a single credential across multiple sites, offering a secure yet painless authentication process? The answer is right here, the VeriSign Identity Protection Network. Now is a great time for your organizations to join and be part of a Network that will drive consumer adoption across the globe.


~Vijai

April 1, 2008

Security is for Teenagers, Too

Posted by Kerry Loftus


I drove my 13-year-old and his friends to one of their activities recently (yes, I have a minivan) and their conversation was really interesting and eye opening. I quickly called my gal pals in Erie, PA to find out if they were hearing the same and got the affirmative, so this is not just a 'valley' phenomenon. All of our kids are online and many are using various email, IM and social networking applications. Did you know that they all know each other's usernames and passwords? If they don't know the password part, they can very quickly guess it (I chimed in at one point and asked them if they knew anything about 'strong passwords' -- most of them replied that they just use 'password'!). They didn't really think protecting the information was important.


It's probably harmless to sign in as your friend on IM and send one of the girls in your class a provocative message, but couldn't that be the tip of the iceberg? What about online harassment, when pranks become more than just kid fun? Our kids are revealing more and more of themselves on the public internet every day through these applications, and many of us have done the right parental things in response. We know to put the computer in a more public spot in our house; we know to ask what they're doing online and periodically check over their shoulders. But did you know how easily kids can "become" each other online? By logging in to their email, IM and social networking sites with their guessable usernames and passwords, it's pretty easy to impersonate almost anyone they know. In addition to these guessable usernames and passwords, I'd like to see my teenager's accounts protected with something he physically has in his possession (enter a second-factor one-time password credential). Let's give our kids real, permanent control over what they want to communicate to the rest of the world.

February 28, 2008

Will this play in Erie, PA?

Posted by Kerry Loftus, Vice President of Consumer Authentication


I am constantly evaluating our offerings and other technology solutions, asking: will this really play in my hometown of Erie, PA? The challenge for security vendors has always been there, but have we delivered solutions that provide a broad spectrum of security for our customers depending on their needs, risks and users? Two years ago, when the FFIEC guidance around multifactor authentication came out, our customers told us we hadn't. Companies like VeriSign quickly innovated to find the right balance between security, usability and convenience. Device IDs, images, networked authentication and a whole host of convenient two-factor credentials emerged, and the race is on to find that next game-changing security solution.


We at VeriSign believe there are two critical pieces to this moving forward:

1. Open standards. In other words: two-factor authentication solutions from multiple vendors allowing customers to mix and match and price shop depending on their risks and user profiles. Meet OATH, openauthentication.org. Created in 2003, OATH came together to publish specifications that a whole host of vendors can innovate around.


2. Convenience and lower costs. Seventy-five OATH members later, we have SMS OTP, flash drives with OTP capability, mobile phone applications that can generate authentication credentials, credit card sized devices, etc.


No one can dispute that consumers spend more money at places they trust. Convenient, low-cost security solutions will play in Erie, PA. If your security vendor can't show you that they comply with open standards and deliver cost-effective, convenient solutions, it's probably time to move on.
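What makes "mix and match" possible is that every OATH credential, whatever its form factor, computes the same function from the same kind of seed, and a validation server (the infrastructure the June 19 post above describes enterprises running, or VeriSign running for them) only has to implement that function once. The following added example (written for this page, not code from the original posts, from VeriSign or from OATH) implements the OATH HOTP algorithm of RFC 4226, its time-based variant from RFC 6238, and the two server-side behaviours a practitioner should look for: a look-ahead window for counter drift, and a counter that only advances so a captured code cannot be replayed. The Validator class and its in-memory token store are constructed for the example; the seed is the published RFC test vector.

```python
"""Added example, not code from the original post or from VeriSign/OATH: the OATH
HOTP algorithm (RFC 4226) that standards-based tokens share, the time-based
variant (RFC 6238) used by phone applications, and the server-side checks a
shared validation service performs: a look-ahead window so a token whose
counter has drifted still validates, and a counter that only moves forward so a
captured code cannot be replayed.  The Validator and its token store are
constructed for this example."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class Validator:
    """Server side.  Keeps each credential's seed and the last counter it
    accepted; seeds never leave this side, the user only ever sees codes."""

    def __init__(self, look_ahead: int = 10):
        self.look_ahead = look_ahead
        self.tokens = {}   # credential id -> {"secret": bytes, "counter": int}

    def enroll(self, cred_id: str, secret: bytes) -> None:
        self.tokens[cred_id] = {"secret": secret, "counter": 0}

    def validate(self, cred_id: str, code: str) -> bool:
        tok = self.tokens.get(cred_id)
        if tok is None:
            return False
        # Try the expected counter and a few ahead (button pressed without
        # logging in).  On a match, move past it so that code and every
        # earlier one are dead: replaying a captured OTP fails.
        for c in range(tok["counter"], tok["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(tok["secret"], c), code):
                tok["counter"] = c + 1
                return True
        return False


# RFC 4226 Appendix D test seed (ASCII "12345678901234567890").
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    v = Validator(look_ahead=5)
    v.enroll("token-1", RFC_SEED)
    print(hotp(RFC_SEED, 0))                # 755224
    print(v.validate("token-1", "755224"))  # True
    print(v.validate("token-1", "755224"))  # False: replay
```

Two practical notes. The look-ahead window is a usability/security trade-off: too small and a token that was pressed a few times in a pocket stops working, too large and an attacker gets more guesses per counter position, so production servers pair it with rate limiting on failed attempts. And because the seed is the whole secret, the value of an open standard is that it lets customers choose the token vendor without changing the server, not that it makes the seed any less sensitive.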


Read more: "OATH: One Token To Rule Them All" by Avi Baumstein of InformationWeek


February 26, 2008

Security of Online Medical Records?

My name is Jen Gilburg and I am the Director of Business Development for the Identity and Authentication Solutions team here at VeriSign.


Google's announcement of the launch of a new program that allows users to post their medical records online caught my attention. While there are obvious benefits to having a centralized store of historical health information, medications, test results, etc., my first inclination was to be concerned about the security of such personal information.


Naturally I am inclined to believe that everything should have strong authentication. However, not wanting to be overly paranoid, I thought I would investigate just what the exposure is should one gain access to my medical records. I mean -- just how much damage could be done should someone discover that I have hay fever and a rather bizarre allergic reaction to arugula? Is there value in gaining access to my epi-pen prescription?


So I did some simple research. I first went to my insurer, which has a portal for which I had previously registered an online account. Once I logged in with what I will admit was a weak userID and password, I was actually surprised to see my name, Group ID # and Member #, all in clear text! I could review my benefits and, had I entered them previously, my online medical records. Additionally I could order online prescriptions, check claim status, and file pre-authorization forms for any medical procedure covered by my plan.


My paranoia was starting to feel justified.


I then went to my healthcare provider which is a regional medical foundation and also has an online portal. I was able to request appointments, book labs, renew prescriptions and see test results all by gaining access via a weak user name and password.


Alright, so access is easy, and a little more information than I care to admit is readily available, but what really is the risk of personal damage?


According to the 2006 National Health Interview Survey, 14.8%, or 43.6 million Americans, are without health insurance. That was a 2.2M increase over the prior year, and this number is no doubt even higher once the 2007 figures are reported. With that there has been an increase in medical insurance fraud. It would be relatively easy to hijack an account, make appointments, order tests, and see the results all online using someone else's insurance and identity. Beyond the initial visit, when you are asked to provide the insurance card, have you ever been asked for any validation of identity when visiting your doctor, or for that matter when picking up a prescription?




Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
