Online Identity and Trust

Han Dong, Senior Product Marketing Manager, User Authentication

One great thing about blogging for a company like VeriSign, which happens to have so many cool tools in its bag, is that it's so easy to find several blogs on the net that mention you. And in this case I'm referring to a Wall Street Journal blog: "Under Surveillance: Big Brother Stocks", by James Altucher. In this blog, Altucher talks about all of the various measures (and money spent - to the tune of $200 billion in the U.S.) taken to automate the monitoring and protection of your banking transactions, checking in at the airport, and even your simple ATM cash withdrawal.

Here Altucher mentions VeriSign and our VIP Fraud Detection Service for risk-based authentication and detection of unscrupulous user activity. Fraud detection is the key to enabling risk-based authentication, where an enterprise can deploy authentication based on the commensurate risk of a given transaction. The VIP Fraud Detection Service provides an "invisible means" of delivering proactive protection to consumers. Using advanced anomaly detection technology, the service detects fraudulent logins and transactions in real-time without affecting legitimate user's web experience. The solution also takes a self-learning approach to fraud detection, adapting to customer usage habits unique to that individual. Using policies and pattern recognition technology, the service can flag potentially fraudulent activities based on known types of fraud and behaviors not associated with the user. Because the service is self-learning, it can adapt to changing criminal behavior without manual intervention. This non-intrusive approach does not require any change to a Web site and remains invisible to the consumer until a fraud is detected.

And this whole scenario is completely customizable by VIP Fraud Detection Service customers. By using the provided rules or rules you set up, and by comparing current user transaction behavior to historical and live data, the system rates fraudulent transactions and alerts you to possible risks. Once alerted, you can investigate these fraudulent transactions as cases within the Fraud Detection Service Investigation Console. As the system logs a number of transactions for each user, it can learn user behaviors to better assess subsequent transactions for fraud, and it can use feedback from rules to build lists of fraudulent and legitimate transaction information.

Going back to Altucher's article, to clarify, there is one specific optional module known as the ATM Module. This is the additional component to the VIP Fraud Detection Service that evaluates and analyzes thousands of transactions per second to detect compromised cards and ATM locations used for fraudulent activity. When the risk score generated at the time of the transaction exceeds your threshold, an instant alert notifies your fraud team. Then fraud investigation and management tools provide sophisticated analysis to efficiently resolve scams. And banks can even choose to block an activity in real time.


Rest assured, VeriSign is watching your assets...

Posted by Han Dong at 4:09 PM | Permalink | Comments (0)

Han Dong, Senior Product Marketing Manager, User Authentication

It's a good thing that people much smarter than me are thinking about the future of the internet, cloud computing, and ensuring I'm properly indoctrinated on the right social networking sites du jour. More importantly, these same smart people are constantly thinking about really critical things, like 'standards', 'interoperability', and 'security'. Guys like Tim Berners-Lee, the inventor of the Web and HTML, Paul Mockapetris, the inventor of DNS, and Vinton Cerf, the father of the internet and co-designer of TCP/IP, are constantly analyzing what's happening today and thinking about what's coming in the future. These people are part of the founding fathers of the web, the internet, and how all the intricate pieces work together seamlessly - just so you can download your tunes, update your tweet/blog, and get the latest NFL scores.

Whew, I'm glad these guys are on top of things.

Of course, anytime a paradigm shift occurs in the world of computing, there's bound to be an outgrowth of new issues and problems. And some of these new issues related to cloud computing, are exactly what Vinton Cerf has been thinking about. Mamoon Yunus' article "Vint Cerf and Multi-Cloud Mayhem of cloud Computing" and Paul Krill's InfoWorld article "Cerf urges standards for cloud computing", both cover a number of issues Cerf sees that are created by the "cloud" and how the situation is very similar to the way things were in the wild west days of early computer networks.

One issue in particular is in the area of cloud security and authentication. "Strong authentication will be a critical element in the securing of clouds," said Cerf. Multi-tenant cloud environments and ensuring that the properly authorized user is permitted to access the right services, creates a critical need for strong authentication in the cloud. Now I bring this issue to your attention because this is precisely an area that VeriSign has given a great deal of thought and attention to in delivering our goal of providing trust on the internet and in the cloud.

From Extended Validation SSL, to VeriSign Identity Protection for Two-factor authentication and Fraud Detection Services, to PKI Digital Certificates for authentication, every weapon in VeriSign's arsenal is designed to deliver a secure, trusted experience in the cloud and on the net. And just as I discussed in my last post, VeriSign knows just how to deliver a multi-layered security strategy for anyone who's moving to the cloud.

Whew, I'm glad Vinton Cerf (and VeriSign) has got your back.

Posted by Han Dong at 3:13 PM | Permalink | Comments (0)

Han Dong, Senior Product Marketing Manager, User Authentication

Some thoughts on a couple of recent articles, one from Gartner Research: Where Strong Authentication Fails and What You Can Do About It, by Avivah Litan and a similar article by Jaikumar Vijayan in Computerworld, which also references Ms. Litan's article.

The basic idea presented in these two articles is that "one-time passwords...are no longer enough to protect online banking transactions against fraud." These one-time password (OTP) token-based two-factor authentication methods may be compromised by man-in-the-browser malware that overwrites the user transactions to steal their assets. So the general recommendation from Avivah Litan is "A layered fraud prevention approach that includes server-based fraud detection and out-of-band transaction verification that precludes call forwarding to illegitimate user phone numbers can and has mitigated these threats."

We agree that OTP is not the end-all, be-all of security for the internet. In fact, VeriSign was recently recognized as a "best in class authentication technology solution" by Javelin Strategy & Research, primarily because VeriSign espouses a layered security approach to our customers for protecting online transactions. This approach includes Extended Validation SSL to authenticate the website to a user, with an easily identifiable green address bar. Plus the VeriSign Identity Protection Fraud Detection Service, which delivers risk-based authentication to monitor particular user behavior and trigger authentication when abnormal patterns or behavior are noted. And additionally, the VeriSign Identity Protection Service, one-time password (OTP) authentication to mitigate account takeover and require an additional factor the user must present, in addition to username and password for accessing critical accounts. OTP in and of itself is not a panacea, but it is part of a multi-layered security approach that anyone conducting business online should consider to protect its customers and business.

Fraud may be on the rise, so whom do you turn to for trust in the online world?
Easy, look for the check.

Posted by Han Dong at 12:53 PM | Permalink | Comments (0)

I always find it interesting the way old scams are redressed for new and emerging channels.

That was the case during the last few days when Twitter users and employees found themselves under attack by phishers and hackers: follow these links to find a good account of the former and the latter.

Today I'll talk about the phishing attack, which consisted in luring people to give away their twitter passwords to a fake site, the novel aspect is that it used twitter-generated messages (Direct Messages) to propagate to your list of contacts (Followers).

This is all pretty similar to what we have seen with phishing via e-mail, but with two key differences:

- The first one is that e-mail phishing is a "mature product" where phishers are one cog in the big underground economy of stolen bank/e-commerce passwords and credit card numbers, whereas this twitter phishing looked like a "prototype". The good news is that apparently no big harm was done and the Twitter team reacted quickly to reset accounts. The bad news is that the twitter phishing prototype worked, and the bad guys will come up with ideas on how to use it more effectively.

- The second aspect, which I find more disturbing, is that the Twitter media is more time-sensitive than e-mail, capable of reaching a lot of people in very little time. That is why I think there is potential for much greater damage if you combine twitter phishing with events with intensive twitter coverage such as the Mumbai attacks.

A short-term measure that Tweeter could take to beef up its defenses would be to upgrade their SSL certificate to an EV cert and tell their users to check the green bar when they login.

In the meantime, my twitter guru Bob Angus tells me that some of the buzz in the twittershpere is that these attacks confirm Twitter's arrival as a relevant media.

These past attacks seem to confirm that at least the bad guys seem to agree with that.

Posted by Vicente Silveira at 4:39 PM | Permalink | Comments (0)

The recent news about how Vice Presidential candidate Sarah Palin's Yahoo email account was hacked makes it clear as day that we need better security for web based email, and we need to close the giant loophole of "password reset". Web email often gets lumped into the bucket of "low value" accounts, so system designers pay little attention to the security of its authentication systems, but it often contains our most personal details. How many more high-profile account takeovers are we going to see before people take account security seriously? Come on folks, usernames and passwords just don't cut it anymore, and the problem isn't just limited to financial sites.

This incident also makes it abundantly clear that system designers need to take a holistic, layered approach to security. Palin's Yahoo account was compromised not because the hacker guessed her password, but because the "password reset" function was easy to get through. There's no sense in locking down the front door tight if you're going to leave the side door open, and that's what you get when you use simplistic "secret questions" as a password reset mechanism. So-called "secret" questions are never secret -- and even if you're not a national public figure, it's pretty likely that more than a few people know your dog's name, your birthday, or where you went to high school.

If you're a user stuck with a site that uses one of these bad "secret" question schemes, Veracode and Lifehacker have some good tips on what to do (besides threatening to take your business elsewhere if the site doesn't implement real security). If you're a system designer, you should use true two-factor authentication for the front door, and an out-of-band scheme for credential recovery.

Posted by Jeff Burstein at 5:47 PM | Permalink | Comments (1)

Today we announced that the American Bankers Association will be joining the VIP Network. We are very excited about this on many levels. Getting VIP credentials into the hands of 350 member banks creates a huge opportunity for VeriSign and makes this much more convenient for their users. ABA Members will have first hand experience with strong authentication on tools they use every day. And as this protection rolls out, ABA member banks will witness how easily they can deploy strong, two-factor authentication, and how convenient it is for their customers. We look forward to working with the ABA. Welcome to the network!

Posted by Fran Rosch at 10:06 AM | Permalink | Comments (0)

My name is Fran Rosch and I manage the group that writes this blog and develops VeriSign's identity and authentication solutions.

I just got back from a 2-week trip to India, Israel and London talking to customers, prospects, and VeriSign team members. I spent much of the time talking about how customers should deploy solutions that are very "risk based." When consumers access lots of critical data or financial assets on their website, a user name and password is probably not enough. But how much is enough? Does one solution fit all? How much should we change user experience? How much should we spend on security and authentication?

As I traveled through the airports in San Francisco, Frankfurt, Bangalore, Delhi, Mumbai, Amman, Tel Aviv and Heathrow, I was struck by the very different security policies and I realized that they also deploy "risk-based" approaches just as we recommend on our customer's Web sites. Here were some different approaches I noticed:

* The BA flight leaving from Tel Aviv to London was the highest risk with the maximum security. As you would expect, the security in Tel Aviv was very tight with about 5 layers of screening including in-depth personal interviews, bag checks that open every compartment, dogs, etc.

* However, the security for the flight from Bangalore to Delhi was not high because internal country flights are not as sensitive.

* The flight from London to SFO had tighter security...you couldn't take liquids even though that is OK at other airports.

This reminds me of the point that we make to our customers - use layers of security to catch different types of fraud, security that maps to different types of risk. And here are examples in the off-line world where it already works!!

Posted by Fran Rosch at 1:20 PM | Permalink | Comments (0)