
October 8, 2009

RSA and VeriSign team up on Cloud-based, Two-Factor Authentication offering


Today, we are pleased to announce that our customers' options have been broadened by our technical and sales partnership with RSA, another "Best-in-Class" Authentication Provider. The agreement will provide organizations with the mutual benefit of an expanded VIP Authentication Service through the availability of RSA SecurID® two-factor authentication technology for more choice in one-time password (OTP) authentication.


Organizations in search of strong authentication solutions will benefit from being able to use VIP in combination with RSA SecurID hardware tokens and the convenience of a single platform.


This technical and sales partnership signals a new chapter in the longstanding relationship between RSA and VeriSign, both of which were recently rated Best-in-Class for Multi-Channel Authentication Technology by Javelin Strategy & Research. The two companies are teaming up to address the market segment for managed, shared authentication services, offering organizations the convenience of a single platform. Read the press release.


Updated on October 9:
Read what Burton Group's Senior Analyst Mark Diodati has to say about our partnership with RSA.


October 6, 2009

Email Phishing Scheme Takeaway: More than Just the High & Flighty Need Stronger Security

CNET reported this morning that fraudsters phished thousands of email account passwords from multiple email providers.


You don't have to be a government official, political figure or celebrity to be the target of the phishing and password-reset hack. This latest incident demonstrates that hackers have moved beyond just the high and flighty to target ordinary people. With each security breach, the shortcomings of weak passwords and the need for stronger authentication solutions become more and more evident. One-time passwords via two-factor authentication provide a critical layer of security to counter such threats. If you're an organization that has been on the fence on rolling out two-factor authentication, you're in luck. VeriSign is offering a 90 Day free trial of the VeriSign Identity Protection Service -- see more details at 90 Day Trial.

August 17, 2009

Why Cloud Security is only as Strong as Your Weakest Password (and what you can do about it)

Posted by Fran Rosch, SVP of User Authentication, VeriSign


This article was also published in SC Magazine.


All too frequently, reports surface of high-profile hacks victimizing individuals using weak password protection. But, unlike the inconsequential account break-ins hitting Britney Spears, Ashton Kutcher or Sarah Palin, the consequences of some compromised accounts raise serious implications for cloud services security.


Your personal and professional security is only as strong as your weakest password. And for IT managers, the security of an organization's cloud-based resources is only as strong as your most careless employee's weakest password.


Personal information can be harvested many ways - and the viability of traditional usernames and passwords is undermined by the "forgot your password" processes employed by many sites today. Many hacks have been successful because harvested information was used to break the confidence of such "reset" measures, after which the accounts were scoured for professional account login information.


The industry must move to stronger authentication technologies. After all, the strength of a password is meaningless if someone can reset your password. The primary mechanism for secure access to web services is embarrassingly inadequate. In fact, the migration of IT to the cloud may mark the death of the traditional username and password and drive the adoption of stronger internet security measures.


Stronger authentication is available in the form of two-factor authentication, such as one-time password solutions. These solutions can -- literally -- put stronger security in the hands of every individual: plastic tokens, USB drives, SMS-enabled devices or software running on mobile devices.


Such solutions have been available for years for enterprise implementations, but cost issues tied to scaling these solutions to large numbers of users have been prohibitive.


By delivering two-factor authentication through a managed service, however, the expensive infrastructure investments of on-premise models may not present as intimidating a barrier. Such a service can dramatically reduce fixed and operating costs of ownership. And a mobile device can dramatically simplify deployment.


Ironically, or not so ironically, Authentication-as-a-Service (AaaS) - strong authentication delivered through the cloud - could be a major solution for the cloud paradigm's most obvious security challenge.


Reckless human behavior is something you can influence but can't ultimately control. Additionally, people live their digital lives across personal and private online accounts. But two factor authentication can be implemented across professional and personal accounts - from the free email account to the cloud-based ERP account - to ensure that password vulnerabilities are a thing of the past and that cloud-based services are secure in the future.

April 21, 2009

VeriSign Shares Strong Authentication Development Tools with Mobile Developers in the Fast Lane

We announced our new "Mobile Developer Test Drive" program today at the 2009 RSA Conference. By leveraging the VIP Access for Mobile SDKs, developers can easily and quickly create a pilot version to transform personal mobile devices into two-factor authentication credentials.

The pilot allows developers to test the functionality of the mobile application to see how simply they can integrate strong authentication with any J2ME and iPhone applications. Developers of mobile payment, mobile banking, m-Commerce and mobile social networking applications can also easily incorporate VIP open standards two-factor authentication into their applications and protect their users with an extra layer of security that goes beyond standard secure log-ins.


To find out more about our new VIP mobile developer test drive, please visit vipdeveloper.verisign.com. Please also send us your success story and feedback. We'd love to hear from you!


April 20, 2009

VeriSign Identity Protection for Mobile Expanded to Leading Mobile Phones

With the success of VIP Access for iPhone, we are adding many leading phone models into our mobile credential family. In addition to iPhone, VIP Access for Mobile now supports more than 90 popular mobile phone models including all the popular BlackBerry models as well as Motorola, Nokia and Sony Ericsson models.

VIP Access for Mobile is an easy-to-install application that transforms leading mobile phones into strong authentication credentials. To discover the benefits of the easy-to-use and cost-effective VIP Access for Mobile, download VIP Access for Mobile from m.verisign.com.


We continue adding popular feature phones into our phone family each month. If there is a popular phone model you do not see on our current official supported phone list that you would like to be considered, please let us know!


April 14, 2009

VIP for iPhone is HOT at the App Store!

What are the hottest applications you can get for your iPhone this week?


Check out Apple's App Store "What's HOT" category. You will see "VIP Access" for iPhone recommended for iPhone users. This is the only security application to receive the coveted endorsement from the App Store - What's HOT category this week.


This great mobile application turns your iPhone into your personal security device and adds an extra layer of security for your online accounts at the 40+ members of the VIP Network - including eBay, PayPal, AOL, and GEICO.

Check out VIP Access on your iPhone and tell us what you think.



March 31, 2009

VeriSign App for iPhone lets you Protect Your Identity

Starting today, millions of iPhone users can now protect their online identities with VIP Access! A free download from the Apple app store, VIP Access turns your iPhone into a VIP credential, which adds an extra layer of security to your online accounts at the 40+ members of the VIP Network - including eBay, PayPal, AOL, and GEICO.


+ Read the New York Times Article

+ Read our press release


Download the app using iTunes or your iPhone here.


---Updated April 3, 2009---

Here is the latest coverage:

4/2/2009: Two-factor authentication using an iPhone: Killer security app? – Andrew Patrick

4/2/2009: How to turn your iPhone into unbreakable security token – TG Daily

4/2/2009: VeriSign release iPhone VIP Access security app – Geek.com

4/1/2009: VeriSign App Turns iPhone into Security Device – Mac Evangelism

4/1/2009: Move Over Token! My iPhone Can do The Trick – Celent Banking Blog

4/1/2009: VeriSign VIP Access for iPhone Provides Additional Authentication Security - Mobile Content Today

4/1/2009: VeriSign ships OTP generator iPhone app – Finextra.com

4/1/2009: New VeriSign app offers better online security – TECH.BLORGE

4/1/2009: VeriSign releases online security application for iPhone – The Paypers

4/1/2009: New iPhone App Reduces ID Theft by Unique Password - InfoPackets

4/1/2009: VeriSign Offers Two-Factor Authentication for iPhone – IT Business Edge

4/1/2009: VeriSign app turns iPhone into security device - MacWorld

4/1/2009: VeriSign Powers iPhone Two-Factor Authentication - InternetNews

4/1/2009: VeriSign's free iPhone app secures passwords - InfoWorld

3/31/2009: An iPhone App for Security - BusinessWeek

3/31/2009: VeriSign Brings Authentication Tokens to iPhone - TidBits

3/31/2009: A safer iPhone – SiliconBeat

3/31/2009: What’s the Password? Only Your iPhone Knows– The New York Times Technology Bits Blog

3/31/2009: VeriSign Launches Online Authentication App For iPhone- WebGuild

3/31/2009: VeriSign password generator app for Apple iPhone- RSS For Gadgets

3/31/2009: Verisign launches secure password app: VIP Access - Textually.org

3/30/2009: VIP Access - iGoApps


---Updated April 21, 2009---

Additional News Coverage of VeriSign's new iPhone App

January 28, 2009

Welcome Name.com!

Lately I seem to be posting notices about hacks and identity theft - like Monday's Monster.com news. Today's entry has a happier note - I'm proud to welcome Name.com to the VIP Network. Check out the press release and some of the reaction in the blogosphere.

January 26, 2009

A Monster Problem

It seems like every day there's another headline about a major site being hacked with stolen usernames and passwords. Today it's Monster.com, which has compromised the passwords and personal details of thousands of recruiters and job seekers.


How many more of these breaches will it take for people to realize that just plain passwords aren't good enough?

January 6, 2009

Phishing is not just for email anymore: Twitter under attack

I always find it interesting the way old scams are redressed for new and emerging channels.


That was the case during the last few days when Twitter users and employees found themselves under attack by phishers and hackers: follow these links to find a good account of the former and the latter.


Today I'll talk about the phishing attack, which consisted of luring people into giving away their Twitter passwords to a fake site. The novel aspect is that it used Twitter-generated messages (Direct Messages) to propagate to your list of contacts (Followers).


This is all pretty similar to what we have seen with phishing via e-mail, but with two key differences:


- The first one is that e-mail phishing is a "mature product" where phishers are one cog in the big underground economy of stolen bank/e-commerce passwords and credit card numbers, whereas this twitter phishing looked like a "prototype". The good news is that apparently no big harm was done and the Twitter team reacted quickly to reset accounts. The bad news is that the twitter phishing prototype worked, and the bad guys will come up with ideas on how to use it more effectively.


- The second aspect, which I find more disturbing, is that the Twitter media is more time-sensitive than e-mail, capable of reaching a lot of people in very little time. That is why I think there is potential for much greater damage if you combine twitter phishing with events with intensive twitter coverage such as the Mumbai attacks.


A short-term measure that Twitter could take to beef up its defenses would be to upgrade their SSL certificate to an EV cert and tell their users to check the green bar when they log in.


In the meantime, my twitter guru Bob Angus tells me that some of the buzz in the twittersphere is that these attacks confirm Twitter's arrival as a relevant media.


These past attacks seem to confirm that at least the bad guys seem to agree with that.

December 5, 2008

CheckFree Hijacked Due to Poor Domain Registrar Authentication

This just in from the Washington Post: CheckFree, a major online bill payment site with over 24 million customers, had their domain hijacked and redirected to a site that tried to install malicious software on users' computers. This all happened because criminals stole the username and password for CheckFree's domain management account at Network Solutions.

Clearly the criminals who perpetrated this attack should be caught and prosecuted, but isn't it sad that such valuable assets are protected by just a simple username and password? If you run a website, your domain registrar has the keys to your online castle -- how could this not be protected by strong two-factor authentication?

November 24, 2008

PayPal: New "Key" on the Block

Today PayPal launched mobile access for its Security Key. This means that along with the traditional token and credit card form factor, PayPal Security Key users can now get their one time password (OTP) texted to their mobile phone. This is very cool, especially if you're one of those people who use your cell phone for everything--phone, email, text, Internet, GPS, camera...and now you can use it to protect your accounts online.


The new SMS OTP for the PayPal Security Key is available to customers in the U.S., Australia, Austria, Canada and Germany. PayPal does not charge for the OTPs texted to mobile devices. To use the service, customers need a mobile device and wireless service set up to receive SMS text messages. It's that simple.


The PayPal Security Key is part of the VeriSign Identity Protection (VIP) Network. As part of this network, consumers can use the OTPs to protect their accounts on a variety of financial services and e-commerce Web sites like eBay, AOL, Geico, U.S. Department of Education, American Bankers Association, and many others. To activate your PayPal Security Key SMS functionality, go to https://www.paypal.com/securitykey

October 21, 2008

Don't let this happen to your bank account....

You may have read the news over the weekend that cyber thieves raided Sarkozy's bank account and began stealing small amounts of money frequently. This marks the second high-profile online account break-in in recent weeks where an e-criminal broke in through the user name and password security function (the Palin email hack was the other). Consumers need to take full responsibility and control of their online accounts by securing them with an added layer of security, beyond a username and password. With more and more consumers putting their identities online, this type of account break-in will continue if we continue to use simple usernames and passwords. One such way to strongly secure an online account is the use of one-time passwords, also referred to as two-factor authentication. Some banks have already started rolling out such measures to their customers. The recent news about Sarkozy's account being raided serves as yet another example of why consumers should sign up or ask their financial institutions to offer two-factor authentication for their accounts.


~Vijai Shankar
Sr. Product Marketing Manager, VeriSign Identity Protection Services

September 19, 2008

The Palin Email Hack

The recent news about how Vice Presidential candidate Sarah Palin's Yahoo email account was hacked makes it clear as day that we need better security for web based email, and we need to close the giant loophole of "password reset". Web email often gets lumped into the bucket of "low value" accounts, so system designers pay little attention to the security of its authentication systems, but it often contains our most personal details. How many more high-profile account takeovers are we going to see before people take account security seriously? Come on folks, usernames and passwords just don't cut it anymore, and the problem isn't just limited to financial sites.


This incident also makes it abundantly clear that system designers need to take a holistic, layered approach to security. Palin's Yahoo account was compromised not because the hacker guessed her password, but because the "password reset" function was easy to get through. There's no sense in locking down the front door tight if you're going to leave the side door open, and that's what you get when you use simplistic "secret questions" as a password reset mechanism. So-called "secret" questions are never secret -- and even if you're not a national public figure, it's pretty likely that more than a few people know your dog's name, your birthday, or where you went to high school.


If you're a user stuck with a site that uses one of these bad "secret" question schemes, Veracode and Lifehacker have some good tips on what to do (besides threatening to take your business elsewhere if the site doesn't implement real security). If you're a system designer, you should use true two-factor authentication for the front door, and an out-of-band scheme for credential recovery.

September 9, 2008

Welcome to the VeriSign Identity Protection Network, ABA!

Today we announced that the American Bankers Association will be joining the VIP Network. We are very excited about this on many levels. Getting VIP credentials into the hands of 350 member banks creates a huge opportunity for VeriSign and makes this much more convenient for their users. ABA Members will have first hand experience with strong authentication on tools they use every day. And as this protection rolls out, ABA member banks will witness how easily they can deploy strong, two-factor authentication, and how convenient it is for their customers. We look forward to working with the ABA. Welcome to the network!

August 12, 2008

We Got Another One!

Network Products Guide just announced we won the Reader Trust Award for Best in Multi- and Second-Factor Security. We're putting it in our trophy case right next to the Product Innovation Award in the Consumer Application or Service category. This is great for companies making decisions about two-factor authentication for their customers -- they might want to know the industry thinks highly of VIP. It's also great for the team here at VeriSign working on VIP to see all their efforts to create a great product pay off with an award like this. So thank you, Network Products Guide, from the team at VeriSign. Here is the press release.

July 2, 2008

Real People Talk to VeriSign about their Online Identity

We asked people on the streets of San Francisco about what they do online, how many passwords they have, and whether they think their personal information is safe.


"Any bill that I pay, other than my rent, I pay online"
"There's probably a lot of sites out there that have my personal information."
"Sometimes even with secure sites, hackers get through"

"Every time I use a credit card, I hope that's the only place it gets used."

Find out how VeriSign can help keep your online identity safe.


June 19, 2008

Consumer Security Goes Green at VeriSign

Posted by Fran Rosch, VP of VeriSign Identity and Authentication Solutions


Living in California, I have tried to become as environmentally conscious as possible given the grim reports on climate change and rising sea levels. The major steps I have taken along with my family include installing brand new energy efficient appliances and significantly more insulation as part of our home remodel. We also implement smaller initiatives such as maximum recycling, eating organic and locally grown products and composting as much as possible. I have even given up coffee and my favorite Irish oatmeal because of the carbon required to ship these products such long distances. We also try (but usually fail) to restrict ourselves to bicycle-only transportation on weekends.


I know there is lots of disagreement on whether these small actions actually make an impact but they do make us feel better. I also travel extensively for business which blows my personal carbon footprint sky-high regardless.


But, I have been thinking how VeriSign's VIP Consumer Authentication solution stands up against the competition as green or not. Traditional strong authentication solutions sold by companies such as RSA and Vasco are software in-premise solutions based on proprietary solutions, as compared to VeriSign Identity Protection ("VIP"), which is a network-based service driven by open standards.

For the software based solutions sold by our competition, an enterprise must purchase, install and manage a server infrastructure to validate the consumer's OTP (one-time password). There is a significant amount of energy used to manufacture these servers, ship them half way across the world and then power them 24x7. Never mind the energy use to develop the raw materials for the components. In contrast, VIP requires no infrastructure at the enterprise and uses a shared infrastructure installed at VeriSign's data centers. There is an immediate environmental savings by using shared infrastructure versus everyone operating their own. Using the VIP is like taking an electric high-speed train with hundreds of other happy passengers instead of each person getting in their own car by themselves and crawling along crowded highways.


Then I felt bad about all of those pesky plastic tokens that have been the staple of the traditional authentication solution market. Our competitors have manufactured and shipped over a hundred million of these devices which will eventually find their way to landfills across the globe. By using open standards and encouraging a diverse and creative ecosystem of credential providers, we can imagine strong authentication without any plastic tokens. By embedding an OTP generator into a device that a consumer already carries such as a credit card, mobile phone or PC, the industry can stop manufacturing security-only plastic tokens.


However, until all this innovation is fully ready for production, the VIP has another environmental benefit in that it allows the sharing of one credential across multiple websites. With traditional consumer authentication solutions, a consumer must have a separate token for each website requiring more materials, more manufacturing, more shipping and more eventual trash. This is commonly referred to as the "token necklace". With VeriSign, one device can be the key to many websites meaning the consumer will use it more and keep it longer resulting in less basura.


Finally, I thought what other environmental benefits could VeriSign encourage with our VIP product? Well, according to the survey results published by our friends in the analyst community, there are still millions of consumers who are too concerned with Internet fraud and security to use the Web for banking, shopping, healthcare, etc. If the VIP can help enterprises encourage these consumers to use more of the Internet for more of these activities and reduce their number of trips to the mall, that is a good thing for the environment.



May 2, 2008

How VIP Helps George

We had a little fun with a whiteboard, magnets, some goofy voices and a video camera. Take a look at the premiere of "How VeriSign Identity Protection Keeps George Happy and Safe Online".

April 7, 2008

Calling all developers!

Say you've got a web application that you develop, and you want to provide your users a stronger form of authentication beyond a simple username and password. Or your users have been asking about two factor authentication, but actually implementing it never moves up on the priority list because your boss thinks it's too complicated, will require months of coding, and a giant new server farm to handle the extra authentication. Or you've got a PayPal Security Key or VIP Security Card and want to enable your own site to use it.


Welcome to the VIP Developer Test Drive!


Today we announced that we're making the API to the VIP Authentication Service freely available to developers to try out on their own. No salespeople to call, new servers to install, or paperwork - just fill out a simple web form and download. We'll give you the API documentation, SOAP WSDL, and access to your own little corner of our pilot web service.


Why are we doing this? Well, because almost every time we meet with a company's technical team, they start out skeptical -- integrating the VIP Authentication Service can't be as easy as we say it is. So we send them the API, they check it out, and then reply back, "You're right, it really is that easy." Now we're cutting out the middleman and letting you download it on your own.


We're also looking to see what ideas the developer community has for this technology. Through our experience with OATH, we've been amazed at the innovation that can happen when technology building blocks are just put out there available for anyone to use. So let us know what you think!


Now let me be clear: the Test Drive is designed for developers. There's no point and click GUI or fancy installer - it's a SOAP web services API. If you've ever written a web services client, it should be very straightforward. If you haven't, that's cool too -- we've got sample code for Java (using Apache Axis 1.4) and C# (using .NET 2.0) to get you started.


Check it out at http://vipdeveloper.verisign.com. Comments or questions? Comment below or email us at vipdeveloper@verisign.com.

April 2, 2008

Here's another incentive: 5,000 FREE CREDENTIALS to Join the VIP Network

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

I posted earlier today about the difficulty in remembering passwords, security questions, our daily tasks etc., and mentioned that consumers should ask organizations to introduce secure, yet painless authentication methods. Here's another incentive for organizations to make life easy yet secure for consumers at a lower cost. VeriSign is now offering up to 5,000 FREE CREDENTIALS to each organization joining the VeriSign Identity Protection Network by Sept 30, 2008. This is a great incentive for organizations looking to deploy strong or two-factor authentication and be a part of a Network that enables consumers to use a single credential across multiple sites. The timing is opportune. With quite a few folks from the security industry at the RSA Conference next week in San Francisco, if you want to know more information stop by the VeriSign Booth # 1316 at the conference and we can help.

~Vijai

We all need an easy and secure login access

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

We are seeing more and more articles about the difficulty remembering username and passwords. To add to the list along with our other stuff to remember i.e. household chores, birthdays etc., we now have to remember the new trend of security questions along with username and passwords. I was having a problem logging into one of my student loan accounts, which not only had a username and password but a set of security questions in a PARTICULAR order. Phew, needless to say I was locked out and had to call in, listen to some crazy call center music and after 15 minutes of waiting, spoke to an agent to unlock my account.


I saw this article in The Wall Street Journal about the daunting task of managing passwords, a complicated system she came up with, aggravated by the added task to manage answers to security questions. Can't we make all this simpler and yet secure? How about a stronger and painless authentication process like using a single device, be it mobile phone, tokens, SMS etc., to generate unique codes each time at all my online sites? How about asking the organizations that you transact online with to join a trusted Network that enables you consumers to use a single credential across multiple sites, thus offering a secure yet painless authentication process? The answer is right here, the VeriSign Identity Protection Network. Now is a great time for your organizations to join and be a part of a Network that will drive consumer adoption across the globe.


~Vijai

April 1, 2008

Security is for Teenagers, Too

Posted by Kerry Loftus


I drove my 13-year-old and his friends to one of their activities recently (yes, I have a minivan) and their conversation was really interesting and eye opening. I quickly called my gal pals in Erie, PA to find out if they were hearing the same and got the affirmative so this is not just a 'valley' phenomenon. All of our kids are online and many are using various email, IM and social networking applications. Did you know that they all know each other's usernames and passwords? If they don't know the password part, they can very quickly guess (I chimed in at one point and asked them if they knew anything about 'strong passwords'-- most of them replied that they just use 'password'!). They didn't really think protecting the information was important.


It's probably harmless to sign in as your friend on IM and send one of the girls in your class a provocative message, but couldn't that be the tip of the iceberg? What about online harassment when pranks become more than just kid fun? Our kids are revealing more and more of themselves on the public internet every day through these applications and many of us have done the right parental things in response. We know to put the computer in a more public spot in our house; we know to ask what they're doing online and periodically check over their shoulders. But did you know how easily kids can "become" each other online? By logging in to their email, IM and social networking sites with their guessable usernames and passwords, it's pretty easy to impersonate almost anyone they know. In addition to these guessable usernames and passwords, I'd like to see my teenager's accounts protected with something he physically has in his possession (enter a second-factor one-time password credential). Let's give our kids real, permanent control over what they want to communicate to the rest of the world.

March 31, 2008

I'd say old chap- you are reading your survey all wrong!

Posted by Jen Gilburg


Last week a news headline from across the pond proclaimed:

"Abbey wary of two-factor authentication. Bank decides against password verification devices because customers consider them a hassle."


Turns out Abbey, a major retail bank in the UK, did a survey on strong authentication. Turns out that two-thirds of those surveyed did not want the "hassle" of two-factor authentication. Turns out those surveyed even pooh-poohed challenge questions.


So Abbey decided to act on the survey results. They decided to do nothing. And they decided to shout it out for all (including the fraudsters) to hear!


I question which business schools their marketing folks graduated from.


I wonder too what context the survey questions were raised (perhaps a brief explanation of how two-factor authentication protects against phishing would have been in order!). I wonder if the mere 1000 users surveyed really represented the fraud concerns of their overall user population. I wonder if they bothered to survey any of their customers who were not using their e-banking services- perhaps because of fraud concerns. And most importantly I wonder if the one-third of respondents who wanted stronger protection against fraud will take their business elsewhere...


Now here is a different survey. It is one we did last summer of customers who were using our VeriSign Identity Protection (VIP) Network. Those who were actually using two-factor authentication to protect one or more of their online accounts. Of those surveyed 81% thought it was easy to use. And over half wanted to use their same token at their broker, healthcare provider and gaming site.


If I were a marketing person at an online outlet- I would figure out a way to leverage those statistics to attract customers away from the Abbey banks of the world who are not taking customers' fraud concerns seriously. "Hey- you with a PayPal Security Key- come use it over here".


At minimum- what Abbey should do is to offer strong authentication to the users who want it. Isn't it a much better strategy to offer security as an option versus risking losing customers to those who do?

March 10, 2008

It is not just your Grandmother who falls for Fraud

Posted by Jen Gilburg, Director of Business Development for Identity and Authentication Solutions


I have a confession to make. I was almost a victim of fraud.


It involved Craig's List, the selling of a refrigerator, a random check for $3000 over the amount being sent for payment, the panic of the buyer for overpaying and them begging me to 'Western Union' them the erroneous overpayment once I cashed the check. I was even 'offered' $200 of the overpayment for my troubles.


I am embarrassed to admit- I got all the way to the bank. I actually deposited the check- then in a last minute of "this doesn't seem right" had them run the check and lo and behold...


Truth is I was taken off guard, in the middle of a move, not really paying attention-- just happy to have the refrigerator out of my garage.


What is mortifying is that I have been working in the security sector of high tech for the last 20 years. The fact I didn't immediately rip up the check shows how even the most security minded of consumers can fall prey.


Last week there was a phishing report by California Berkeley Law School researcher Chris Hoofnagle. The report shows the increased volumes of reported identity theft and highlighted the most frequently phished sites -- the numbers were incredible. The chatter around the report in the press and on other blogs put the stress on consumer awareness. I would argue (from experience!) that is not the answer.


The answer lies in fool proofing websites. Making it so that even if someone did get a hold of your userID and password- they cannot gain access to your accounts. A layered approach including second factor authentication is indeed the answer.


Ironically- many financial institutions that we talk to about two-factor authentication often take the stance that "their customers don't want it". Conversely every member of our VIP network who is providing opt-in second factor authentication has exceeded expectation of the amount of users who indeed opt-in.


Hoofnagle advocates that identity theft information be made available so consumers can make educated decisions on whom to bank with based on security risk. If consumers took his advice banks and ecommerce sites might actually be forced to take action.


I will look forward to the day that my bank protects me should my guard ever drop again.

VeriSign Identity Protection


Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
