
January 6, 2009

Phishing is not just for email anymore: Twitter under attack

I always find it interesting the way old scams are redressed for new and emerging channels.


That was the case during the last few days when Twitter users and employees found themselves under attack by phishers and hackers: follow these links to find a good account of the former and the latter.


Today I'll talk about the phishing attack, which consisted in luring people to give away their Twitter passwords to a fake site. The novel aspect is that it used Twitter-generated messages (Direct Messages) to propagate to your list of contacts (Followers).


This is all pretty similar to what we have seen with phishing via e-mail, but with two key differences:


- The first one is that e-mail phishing is a "mature product" where phishers are one cog in the big underground economy of stolen bank/e-commerce passwords and credit card numbers, whereas this twitter phishing looked like a "prototype". The good news is that apparently no big harm was done and the Twitter team reacted quickly to reset accounts. The bad news is that the twitter phishing prototype worked, and the bad guys will come up with ideas on how to use it more effectively.


- The second aspect, which I find more disturbing, is that the Twitter media is more time-sensitive than e-mail, capable of reaching a lot of people in very little time. That is why I think there is potential for much greater damage if you combine twitter phishing with events with intensive twitter coverage such as the Mumbai attacks.


A short-term measure that Twitter could take to beef up its defenses would be to upgrade their SSL certificate to an EV cert and tell their users to check the green bar when they log in.


In the meantime, my Twitter guru Bob Angus tells me that some of the buzz in the twittersphere is that these attacks confirm Twitter's arrival as a relevant medium.


These past attacks seem to confirm that at least the bad guys seem to agree with that.

September 19, 2008

The Palin Email Hack

The recent news about how Vice Presidential candidate Sarah Palin's Yahoo email account was hacked makes it clear as day that we need better security for web-based email, and we need to close the giant loophole of "password reset". Web email often gets lumped into the bucket of "low value" accounts, so system designers pay little attention to the security of its authentication systems, but it often contains our most personal details. How many more high-profile account takeovers are we going to see before people take account security seriously? Come on folks, usernames and passwords just don't cut it anymore, and the problem isn't limited to financial sites.


This incident also makes it abundantly clear that system designers need to take a holistic, layered approach to security. Palin's Yahoo account was compromised not because the hacker guessed her password, but because the "password reset" function was easy to get through. There's no sense in locking down the front door tight if you're going to leave the side door open, and that's what you get when you use simplistic "secret questions" as a password reset mechanism. So-called "secret" questions are never secret -- and even if you're not a national public figure, it's pretty likely that more than a few people know your dog's name, your birthday, or where you went to high school.


If you're a user stuck with a site that uses one of these bad "secret" question schemes, Veracode and Lifehacker have some good tips on what to do (besides threatening to take your business elsewhere if the site doesn't implement real security). If you're a system designer, you should use true two-factor authentication for the front door, and an out-of-band scheme for credential recovery.
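What an out-of-band recovery scheme looks like in practice, as an added example that is not part of the original post or of VeriSign's products: instead of asking a "secret" question whose answer many people know, the site mails or texts a random, single-use, short-lived code to a contact channel registered in advance, and the password is changed only after that code verifies. The 15-minute lifetime, the 5-attempt cap, the sample user directory and the stubbed `send` function are assumptions made for the example.

```python
"""Out-of-band password reset with single-use, expiring tokens.

Added example, not VeriSign's code: replaces a "secret question" reset
with a random token delivered over a channel the attacker does not
control (a registered phone number here), verified once, then discarded.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset code is only good for 15 minutes
MAX_ATTEMPTS = 5              # assumption: after this many wrong codes the pending reset is voided

# Constructed sample user directory: username -> registered out-of-band contact
USERS = {"alice": {"phone": "+1-555-0100"}}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RecoveryTokenStore:
    """Pending reset tokens keyed by username. Only the SHA-256 of each
    token is kept, so a copy of this store cannot be used to reset accounts."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> {"digest": str, "expires": float, "attempts": int}

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: guessing is infeasible
        self._pending[username] = {
            "digest": _digest(token),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token

    def redeem(self, username: str, presented: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]      # expired: void it
            return False
        entry["attempts"] += 1
        # constant-time comparison of digests, so timing does not leak matching prefixes
        if hmac.compare_digest(entry["digest"], _digest(presented)):
            del self._pending[username]      # single use: a code never verifies twice
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]      # too many wrong codes: start over
        return False


def request_reset(store: RecoveryTokenStore, username: str, send) -> str:
    """Step 1. `send(contact, message)` is the out-of-band delivery, supplied by
    the caller (SMS gateway, etc.). The response is identical whether or not the
    username exists, so the endpoint does not reveal which accounts exist."""
    user = USERS.get(username)
    if user is not None:
        token = store.issue(username)
        send(user["phone"], f"Your reset code: {token}")
    return "If the account exists, a reset code has been sent to the registered phone."


def complete_reset(store: RecoveryTokenStore, username: str, code: str,
                   new_password: str, passwords: dict) -> bool:
    """Step 2. The password changes only when the out-of-band code verifies."""
    if not store.redeem(username, code):
        return False
    passwords[username] = new_password   # assumption: a real system would hash this (bcrypt, etc.)
    return True


if __name__ == "__main__":
    outbox = []
    store = RecoveryTokenStore()
    print(request_reset(store, "alice", lambda contact, msg: outbox.append((contact, msg))))
    code = outbox[0][1].split(": ", 1)[1]
    print("reset ok:", complete_reset(store, "alice", code, "new-password", {}))
```

The pieces that matter for the side-door problem the post describes: the code is random rather than derived from facts about the user, it only reaches a channel the account owner registered beforehand, it expires, it works once, and the store keeps only a hash of it.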

September 9, 2008

Welcome to the VeriSign Identity Protection Network, ABA!

Today we announced that the American Bankers Association will be joining the VIP Network. We are very excited about this on many levels. Getting VIP credentials into the hands of 350 member banks creates a huge opportunity for VeriSign and makes this much more convenient for their users. ABA members will have first-hand experience with strong authentication on tools they use every day. And as this protection rolls out, ABA member banks will witness how easily they can deploy strong, two-factor authentication, and how convenient it is for their customers. We look forward to working with the ABA. Welcome to the network!

February 21, 2008

Layered Security Approach in the Real World

My name is Fran Rosch and I manage the group that writes this blog and develops VeriSign's identity and authentication solutions.

I just got back from a 2-week trip to India, Israel and London talking to customers, prospects, and VeriSign team members. I spent much of the time talking about how customers should deploy solutions that are very "risk based." When consumers access lots of critical data or financial assets on their website, a user name and password is probably not enough. But how much is enough? Does one solution fit all? How much should we change user experience? How much should we spend on security and authentication?

As I traveled through the airports in San Francisco, Frankfurt, Bangalore, Delhi, Mumbai, Amman, Tel Aviv and Heathrow, I was struck by the very different security policies and I realized that they also deploy "risk-based" approaches just as we recommend on our customers' Web sites. Here were some different approaches I noticed:


* The BA flight leaving from Tel Aviv to London was the highest risk with the maximum security. As you would expect, the security in Tel Aviv was very tight with about 5 layers of screening including in-depth personal interviews, bag checks that open every compartment, dogs, etc.


* However, the security for the flight from Bangalore to Delhi was not high because internal country flights are not as sensitive.


* The flight from London to SFO had tighter security...you couldn't take liquids even though that is OK at other airports.


This reminds me of the point that we make to our customers - use layers of security to catch different types of fraud, security that maps to different types of risk. And here are examples in the off-line world where it already works!!
