Online Identity and Trust

Today, we are pleased to announce that our customers' options have been broadened by our technical and sales partnership with RSA, another "Best-in-Class" Authentication Provider. The agreement will provide organizations with the mutual benefit of an expanded VIP Authentication Service through the availability of RSA SecurID® two-factor authentication technology for more choice in one-time password (OTP) authentication.

Organizations in search of strong authentication solutions will benefit from being able to use VIP in combination with RSA SecurID hardware tokens and the convenience of a single platform.

This technical and sales partnership between RSA and VeriSign signals a new chapter in the longstanding relationship between RSA and VeriSign, both of whom were recently rated Best-in-Class for Multi-Channel Authentication Technology by Javelin Strategy & Research, are teaming up to address the market segment for managed, shared authentication services, offering organizations the convenience of a single platform. Read the press release.

Updated on October 9:
Read what Burton Group's Senior Analyst Mark Diodati has to say about our partnership with RSA.

Posted by Karen Snyder at 11:44 AM | Permalink | Comments (0)

It's about time Hollywood produces a blockbuster about identity management.

No, I'm kidding. No producer would never even read a script which includes the term "identity management" in its title (except, perhaps, "Harry Potter and the Identity Management Prince"). But there is a new Bruce Willis movie that deals with the issue of identities, among other things, and, well, that's a start.

The movie is called "Surrogates" (watch trailer), and it tells the story of a futuristic world in which humans live in isolation while only communicating with their fellow man through robots that serve as social surrogates and are better-looking versions of their human counterparts.

Now isn't that kind of what happens today in our own world? When we go to the web we have a virtual identity through which we communicate with our fellow man, fellow banks, fellow stores: we send our virtual identity (user name) to the bank, it "shakes hands" with the web embodiment of the bank (using a password), and then starts communicating with it. Our online identity may not be a better-looking version of us, but it still gets the job done.

In "Surrogates" Bruce Willis is an FBI agent who enlists the aid of his own surrogate to investigate the murder of a genius college student. As the case grows more complicated, however, Willis's surrogate is destroyed and he discovers that in order to actually catch the killer he will have to venture outside the safety of his own home for the first time in many years.

Sadly enough, in our real world, our online identity "surrogate" can also be destroyed. If a deadly killer (a nerdy hacker in our case) takes over our identity, we have a problem: the surrogate still looks like us, other web surrogates still know him and trust him, but it is really, well, misbehaving. Our one chance to stop it is to identify that it is not acting like we usually do, and that's why we find behavioral analysis systems at banks, stores and (recently) social networks. If we miss that chance, our identity must be terminated - close accounts, cancel cards, change email address.

As it happens in many Hollywood movies, there is a happy ending to "Surrogates". Willis solves the mysteries, kills the bad guys, and even ends up with the girl (yes, there is a girl in this flick!). In real life, however, this rarely happens: even when we solve the mystery ("The attacker came from a proxy server in Finland, and used a zero day IE6 exploit! Yeah!"), catching the bad guys is slow and expensive, and new "killers" are born every day.
And I'm not even talking about getting the girl.

Still, what we can do (considering we don't have the budget to hire Mr. Willis) is to carefully watch our online identities: Let them communicate with the world only behind firewalls. Dress them with an anti-malware shield. Don't let them go to places you wouldn't visit in the real world. And if you're a security company, look for changes in their behavior, they may have been taken over by a vicious nerd.

Posted by Yohai Einav at 5:28 AM | Permalink | Comments (0)

We announced our new "Mobile Developer Test Drive" program today at the 2009 RSA Conference. By leveraging the VIP Access for Mobile SDKs, developers can easily and quickly create a pilot version to transform personal mobile devices into two-factor authentication credentials.

The pilot allows developers to test the functionality of the mobile application to see how simply they can integrate strong authentication with any J2ME and iPhone applications. Developers of mobile payment, mobile banking, m-Commerce and mobile social networking can also easily incorporate VIP open standards two-factor authentication into their applications and protect their users with extra layer security that goes beyond standard secure log-ins.

To find out more about our new VIP mobile developer test drive, please visit vipdeveloper.verisign.com. Please also send us your success story and feedback. We'd love to hear from you!

Posted by Erica Huang at 8:21 AM | Permalink | Comments (1)

With the success of VIP Access for iPhone, we are adding many leading phone models into our mobile credential family. In addition to iPhone, VIP Access for Mobile now supports more than 90 popular mobile phone models including all the popular BlackBerry models as well as the Motorola, Nokia and Sony Ericsson.

VIP Access for Mobile is an easy-to-install application that transforms leading mobile phones into strong authentication credentials. To discover the benefits of the easy-to-use and cost-effective VIP Access for Mobile, download VIP Access for Mobile from m.verisign.com.

We continue adding popular feature phones into our phone family each month. If there is a popular phone model you do not see on our current official supported phone list that you would like to be considered, please let us know!

Posted by Erica Huang at 8:12 AM | Permalink | Comments (0)

I always find it interesting the way old scams are redressed for new and emerging channels.

That was the case during the last few days when Twitter users and employees found themselves under attack by phishers and hackers: follow these links to find a good account of the former and the latter.

Today I'll talk about the phishing attack, which consisted in luring people to give away their twitter passwords to a fake site, the novel aspect is that it used twitter-generated messages (Direct Messages) to propagate to your list of contacts (Followers).

This is all pretty similar to what we have seen with phishing via e-mail, but with two key differences:

- The first one is that e-mail phishing is a "mature product" where phishers are one cog in the big underground economy of stolen bank/e-commerce passwords and credit card numbers, whereas this twitter phishing looked like a "prototype". The good news is that apparently no big harm was done and the Twitter team reacted quickly to reset accounts. The bad news is that the twitter phishing prototype worked, and the bad guys will come up with ideas on how to use it more effectively.

- The second aspect, which I find more disturbing, is that the Twitter media is more time-sensitive than e-mail, capable of reaching a lot of people in very little time. That is why I think there is potential for much greater damage if you combine twitter phishing with events with intensive twitter coverage such as the Mumbai attacks.

A short-term measure that Tweeter could take to beef up its defenses would be to upgrade their SSL certificate to an EV cert and tell their users to check the green bar when they login.

In the meantime, my twitter guru Bob Angus tells me that some of the buzz in the twittershpere is that these attacks confirm Twitter's arrival as a relevant media.

These past attacks seem to confirm that at least the bad guys seem to agree with that.

Posted by Vicente Silveira at 4:39 PM | Permalink | Comments (0)

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service
Greg Pierson of iovation recently wrote an interesting blog postabout the idea that the more places your identity information resides, the greater the chance of your identity actually getting stolen. It reminded me of an incident that happened to me recently. I live in a condo and our neighbor's sprinkler system had gone off. There was so much water that it seeped through the walls and ceiling and flooded one of our rooms, which happened to be carpeted. Our landlord, along with the condo association, arranged to have the carpet replaced. When the workers arrived, they insisted on taking my wife's credit card number even though they weren't going to charge us. They took an impression of the card, and then insisted on writing down the CVV2 number (the three digit number on the back of the card, often called a "security code"), not to charge anything, but because it was policy or they couldn't start the work. Of course, recording both numbers is totally unnecessary. It's actually pretty dumb, and most likely against the rules that merchants have to sign up to to be able to take credit cards as payment.

Credit card transactions can be "card present" transactions, when the card is physically present, like at a gas station or when you are physically at the store, or "card not present" (CNP), when the card is not present like when you make a transaction online or over the phone. The presence of the card is usually established by reading the magnetic strip or by taking an impression of the card. Clearly, the risk of fraud is greater for CNP transactions because all a fraudster may need is the card number (something you know). Card companies started to combat this by using CVV2 to validate CNP transactions, so you, in theory need to physically have the card or else you wouldn't be able to turn it over to read those three extra digits. Of course, those three digits are just something else you know, and can easily be compromised along with your card number, especially when written down by unscrupulous or clueless merchants. In practice, it does provide a little more security because those extra digits aren't supposed to be stored with your card number. Of course, when the carpet guys are holding your new carpet hostage and they insist on writing both pieces of information on the same piece of paper, that extra security goes out the window. To make matters worse for me, these particular carpet guys spoke with Russian accents. I don't want to launch a discussion about the merits of profiling cyber-criminals, but it didn't do much to ease my suspicion.

After my wife told me what happened, I considered canceling our credit cards, but then we would be faced with the hassle of updating every subscription and service that has our card stored somewhere for auto-renewal. On the one hand, that's not such a bad idea. Who knows what auto-renewals we'd forgotten about and didn't need anymore. On the other hand, who wants to deal with all that, especially when your liability for any fraudulent charges is capped at $50? The real fear wasn't the charges themselves but of someone establishing a new credit line in one of our names using the credit card. Ultimately, we decided just to keep an even more vigilant eye on our statements and rely on our Equifax Credit Watch to alert us of any suspicious behavior.

Continue reading "Who's minding the Identity store?" »

Posted by VeriSign Identity Protection Blogger at 4:00 AM | Permalink | Comments (0)

Today we announced that the American Bankers Association will be joining the VIP Network. We are very excited about this on many levels. Getting VIP credentials into the hands of 350 member banks creates a huge opportunity for VeriSign and makes this much more convenient for their users. ABA Members will have first hand experience with strong authentication on tools they use every day. And as this protection rolls out, ABA member banks will witness how easily they can deploy strong, two-factor authentication, and how convenient it is for their customers. We look forward to working with the ABA. Welcome to the network!

Posted by Fran Rosch at 10:06 AM | Permalink | Comments (0)

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service

I'm Perry Tancredi, and I manage the VeriSign VIP Fraud Detection Service product. A lot of times when I explain what I do to my friends and family, especially when I talk about some of the latest attacks we see, the conversation turns to whether or not it's too risky to do anything online at all. People want to know if I think banking and shopping online is safe, what virus program I use at home and what they should be doing to protect themselves.

I had already been writing this post when the news about the largest case of identity theft in America (BBC, Washington Post), it seems more relevant now. There's been a lot of coverage last night and this morning, but I happened to be available when the story BBC story was being written,and got the chance to talk to and be quoted by the BBC. I'm a long time NPR and BBC listener, so I do have to say that it was quite a kick to hear Maggie Shiels say my name on the radio last night.

I told the BBC what I typically tell anyone else who asks, that while for the most part, the Internet is secure, but the most important thing anyone can do is just assume that their accounts are going to be compromised. Credit card and personal data are stolen every day using all kinds of methods, and it's not all Internet related. Most people are most concerned about the security at the point of sale, but don't think about what happens with the information later. When you assume that your accounts will be compromised one way or another, you have to start doing what you should have been doing anyway: reading your credit card statements and monitoring your credit reports. It's not fun, but it's easy to spot suspicious transactions when you look at statements every month. If you see something suspicious, call your bank or credit card company. Likewise, if you see something strange on your credit report, follow up on it.

The VeriSIgn Fraud Detection Service (FDS) works on the same pricipal. Protect the front door, but stay on the alert after you've let someone in. Out of the box, the FDS allows our customers to look for suspicious logins, but it was built to be modular and allow the analysis of any kind of transaction, and really reaches its full potential when it looks at post-logon transactions. We already have customers who have written their own modules using it to protect wire transfers online. Soon we'll release our first module to look at a specific kind of post-logon fraud, and that will be just the first module of many.

With more and more organizations looking beyond login, consumers will be safer, and the combination of users and organizations being more vigilant will move the bar that much higher for the fraudsters.

Posted by VeriSign Identity Protection Blogger at 4:18 PM | Permalink | Comments (0)

We asked people on the streets of San Francisco about what they do online, how many passwords they have, and whether they think their personal information is safe.

"Any bill that I pay, other than my rent, I pay online"
"There's probably a lot of sites out there that have my personal information."
"Sometimes even with secure sites, hackers get through"
"Every time I use a credit card, I hope that's the only place it gets used."

Find out how VeriSign can help keep your online identity safe.

Posted by VeriSign Identity Protection Blogger at 9:49 AM | Permalink | Comments (0)

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

We are seeing more and more articles about the difficulty remembering username and passwords. To add to the list along with our other stuff to remember i.e. household chores, birthdays etc., we now have to remember the new trend of security questions along with username and passwords. I was having a problem logging into one of my student loan accounts, which not only had a username and password but a set of security questions in a PARTICULAR order. Phew, needless to say I was locked out and had to call in, listen to some crazy call center music and after 15 minutes of waiting, spoke to an agent to unlock my account.

I saw this article in The Wall Street Journal about the daunting task of managing passwords, a complicated system she came up with, aggravated by the added task to manage answers to security questions. Can't we make all this simpler and yet secure? How about a stronger authentication and painless authentication process like using a single device be it mobile phone, tokens, SMS etc. to generate unique codes eachtime at all my online sites? How about asking your organizations that you transact online with to join a trusted Network that enables you consumers to use a single credential across multiple sites thus offering secure yet painless authentication process? The answer is right here, the VeriSign Identity Protection Network. Now is a great time for your organizations to join and be a part of a Network that will drive consumer adoption across the globe.

~Vijai

Posted by Vijai Shankar at 8:50 AM | Permalink | Comments (0)

Posted by Kerry Loftus

I drove my 13-year-old and his friends to one of their activities recently (yes, I have a minivan) and their conversation was really interesting and eye opening. I quickly called my gal pals in Erie, PA to find out if they were hearing the same and got the affirmative so this is not just a 'valley' phenomena. All of our kids are online and many are using various email, IM and social networking applications. Did you know that they all know each other's usernames and passwords? If they don't know the password part, they can very quickly guess (I chimed in at one point and asked them if they knew anything about 'strong passwords'-- most of them replied that they just use 'password'!). They didn't really think protecting the information was important.

It's probably harmless to sign in as your friend on IM and send one of the girls in your class a provocative message, but couldn't that be the tip of the iceberg? What about online harassment when pranks become more than just kid fun? Our kids are revealing more and more of themselves on the public internet everyday through these applications and many of us have done the right parental things in response. We know to put the computer in a more public spot in our house; we know to ask what they're doing online and periodically check over their shoulders. But did you know how easily kids can "become" each other online? By logging in their email, IM and social networking sites with their guessable usernames and passwords, it's pretty easy to impersonate almost anyone they know. In addition to these guessable usernames and passwords, I'd like to see my teenager's accounts protected with something he physically has in his possession (enter a second-factor one-time password credential). Let's give our kids real, permanent control over what they want to communicate to the rest of the world.

Posted by Kerry Loftus at 1:38 PM | Permalink | Comments (0)

But what happens when your entire online identity is consolidated into a single entity? It becomes a prime target for attack. In the pre-OpenID world, attackers need to steal your individual credentials for each and every site you visit; but if they're all replaced with a single OpenID, hacking just one account gives you the keys to the castle.

The need for strong account protection has never been greater, which is why we've integrated our VIP Authentication Service with the VeriSign Labs' Personal Identity Provider as a showcase for how strong authentication melds with user-centric identity. Our users agree - a significant percentage of PIP users already protect their OpenID with a PayPal Security Key or a VIP Security Card.

Once you add strong authentication to OpenID, you need a way for relying parties to request it, and for identity providers to answer those requests. This is where the PAPE standard comes in, providing a standardized language for OpenID sites to talk about the strength of their authentication.

In the OpenID world, we're encouraged to put all of our eggs into one basket. Just make sure you stick a good lock on it!

Posted by Jeff Burstein at 8:16 AM | Permalink | Comments (0)

Hi, I'm Jeff Burstein, a product manager on the VIP team.

Today is Super Tuesday, and as a California resident, I went to vote this morning in the primary election. Since this is a blog about identity and trust, let's examine what I needed today to prove my identity to vote: nothing. Do I really look that trustworthy?

I walked into my polling place, went up to the table and told the poll worker my name, which she dutifully looked up in the voter roll and crossed out. No identity check needed, no need to show my ID, check a signature, or any other form of authentication -- just the honor system. (And of course the threat of going to jail for voter fraud!)

For those of us who live and breathe identity and authentication every day this is just unnatural! Of course, there are all sorts of reasons for the lack of strong authentication for voting today, most having to do with budgets, voter turnout, the 24th amendment, and the potential for discrimination. So what can be done to strengthen voter authentication while still preserving equal access and maintaining the integrity of the secret ballot? Some ideas are coming out of the Caltech-MIT Voting Technology Project, who held a conference on this very topic in 2006. But considering the recent fiascoes with touchscreen voting machines, it may be hard to get the public to accept new technology solutions to voting problems.

-- Jeff

Posted by Jeff Burstein at 9:12 AM | Permalink | Comments (0)