Online Identity and Trust

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

I posted earlier today about the difficulty in remembering passwords, security questions, our daily tasks etc. and mentioning consumers to ask organizations to introduce secure, yet painless authentication methods. Here's another incentive for organizations to make life easy yet secure for consumers at a lower cost. VeriSign is now offering up to 5,000 FREE CREDENTIALS to each organization joining the VeriSign Identity Protection Network by Sept 30, 2008. This is a great incentive for organizations looking to deploy strong or two-factor authentication and be a part of a Network enables consumers to use a single credential across multiple site. The timing is opportune. With quite a few folks from the security industry at the RSA Conference next week in San Francisco, if you want to know more information stop by the VeriSign Booth # 1316 at the conference and we can help.

~Vijai

Posted by Vijai Shankar at 02:32 PM | Permalink | Comments (0)

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

We are seeing more and more articles about the difficulty remembering username and passwords. To add to the list along with our other stuff to remember i.e. household chores, birthdays etc., we now have to remember the new trend of security questions along with username and passwords. I was having a problem logging into one of my student loan accounts, which not only had a username and password but a set of security questions in a PARTICULAR order. Phew, needless to say I was locked out and had to call in, listen to some crazy call center music and after 15 minutes of waiting, spoke to an agent to unlock my account.

I saw this article in The Wall Street Journal about the daunting task of managing passwords, a complicated system she came up with, aggravated by the added task to manage answers to security questions. Can't we make all this simpler and yet secure? How about a stronger authentication and painless authentication process like using a single device be it mobile phone, tokens, SMS etc. to generate unique codes eachtime at all my online sites? How about asking your organizations that you transact online with to join a trusted Network that enables you consumers to use a single credential across multiple sites thus offering secure yet painless authentication process? The answer is right here, the VeriSign Identity Protection Network. Now is a great time for your organizations to join and be a part of a Network that will drive consumer adoption across the globe.

~Vijai

Posted by Vijai Shankar at 08:50 AM | Permalink | Comments (0) | TrackBacks (0)

Posted by Kerry Loftus

I drove my 13-year-old and his friends to one of their activities recently (yes, I have a minivan) and their conversation was really interesting and eye opening. I quickly called my gal pals in Erie, PA to find out if they were hearing the same and got the affirmative so this is not just a 'valley' phenomena. All of our kids are online and many are using various email, IM and social networking applications. Did you know that they all know each other's usernames and passwords? If they don't know the password part, they can very quickly guess (I chimed in at one point and asked them if they knew anything about 'strong passwords'-- most of them replied that they just use 'password'!). They didn't really think protecting the information was important.

It's probably harmless to sign in as your friend on IM and send one of the girls in your class a provocative message, but couldn't that be the tip of the iceberg? What about online harassment when pranks become more than just kid fun? Our kids are revealing more and more of themselves on the public internet everyday through these applications and many of us have done the right parental things in response. We know to put the computer in a more public spot in our house; we know to ask what they're doing online and periodically check over their shoulders. But did you know how easily kids can "become" each other online? By logging in their email, IM and social networking sites with their guessable usernames and passwords, it's pretty easy to impersonate almost anyone they know. In addition to these guessable usernames and passwords, I'd like to see my teenager's accounts protected with something he physically has in his possession (enter a second-factor one-time password credential). Let's give our kids real, permanent control over what they want to communicate to the rest of the world.

Posted by Kerry Loftus at 01:38 PM | Permalink | Comments (0) | TrackBacks (0)

Posted by Kerry Loftus, Vice President of Consumer Authentication

I am constantly evaluating our offerings and other technology solutions, asking: will this really play in my hometown of Erie, PA? The challenge for security vendors has always been there but have we delivered solutions that provide a broad spectrum of security for our customers depending on their needs, risks and users? Two years ago, when the FFIEC guidance around multifactor authentication came out, our customers told us we hadn't. Companies like VeriSign quickly innovated to find that right balance between security, usability, and convenience. Device IDs, images, networked authentication and a whole host of convenient 2-factor credentials emerged and the race is on to find that next game- changing security solution.

We at VeriSign believe there are two critical pieces to this moving forward:

1. Open standards. In other words: two-factor authentication solutions from multiple vendors allowing customers to mix and match and price shop depending on their risks and user profiles. Meet OATH, openauthentication.org. Created in 2003, OATH came together to publish specifications that a whole host of vendors can innovate around.

2. Convenience and lower costs. 75 members in OATH later, we have SMS OTP, flash drives with OTP capability, mobile phone applications that can generate authentication credentials, credit card sized devices, etc.

No one can dispute that consumers spend more money at places they trust. Convenient, low-cost security solutions will play in Erie, PA. If your security vendor can't show you that they comply with open standards and deliver cost effective, convenient solutions its probably time to move on.

Read more: "OATH: One Token To Rule Them All" by Avi Baumstein of InformationWeek

Posted by Kerry Loftus at 01:45 PM | Permalink | Comments (0) | TrackBacks (0)

My name is Jen Gilburg and I am the Director of Business Development for the Identity and Authentication Solutions team here at VeriSign.

Google's announcement of the launch of a new program that allows users to post their medical records online caught my attention. While there are obvious benefits to having a centralized store of historical health information, medications, test results, etc., my first inclination was to be concerned about the security of such personal information.

Naturally I am inclined to believe that everything should have strong authentication. However, not wanting to be overly paranoid, I thought I would investigate just what the exposure is should one gain access to my medical records. I mean -- just how much damage could be done should someone discover that I have hay fever and a rather bizarre allergic reaction to arugula? Is there value in gaining access to my epi-pen prescription?

So I did some simple research. I first went to my insurer who has a portal for which I had previously registered for an online account. Once I logged in with what I will admit was a weak userID and password, I was actually surprised to see the ability to view my name, Group ID # and Member # -all in clear text! I could review my benefits, and should I have entered them previously- my online medical records. Additionally I could order online prescriptions, check claim status, and file pre-authorization forms for any medical procedure covered by my plan.

My paranoia was starting to feel justified.

I then went to my healthcare provider which is a regional medical foundation and also has an online portal. I was able to request appointments, book labs, renew prescriptions and see test results all by gaining access via a weak user name and password.

Alright so access is easy- a little more information than I care to admit is readily available- but what really is the risk of personal damage?

According to 2006 National Health Interview Study- 14.8% or 43.6 million Americans are without health insurance. That was a 2.2M increase over the prior year and this number no doubt is even higher once 2007 reports. With that there has been an increase in medical insurance fraud. It would be relatively easy to hijack an account, make appointments, order tests, and see the results all online using someone else's insurance and identity. Beyond the initial visit when asked to provide the insurance card, have you ever been asked for any validation of identity when visiting your doctor or for that matter when picking up a prescription?

Continue reading "Security of Online Medical Records?" »

Posted by Jen Gilburg at 03:14 PM | Permalink | Comments (1) | TrackBacks (0)