
January 6, 2009

Phishing is not just for email anymore: Twitter under attack

I always find it interesting how old scams are redressed for new and emerging channels.


That was the case during the last few days when Twitter users and employees found themselves under attack by phishers and hackers: follow these links to find a good account of the former and the latter.


Today I'll talk about the phishing attack, which consisted of luring people into giving away their Twitter passwords to a fake site. The novel aspect is that it used Twitter-generated messages (Direct Messages) to propagate to your list of contacts (Followers).


This is all pretty similar to what we have seen with phishing via e-mail, but with two key differences:


- The first one is that e-mail phishing is a "mature product", where phishers are one cog in the big underground economy of stolen bank/e-commerce passwords and credit card numbers, whereas this Twitter phishing looked like a "prototype". The good news is that apparently no big harm was done and the Twitter team reacted quickly to reset accounts. The bad news is that the Twitter phishing prototype worked, and the bad guys will come up with ideas on how to use it more effectively.


- The second aspect, which I find more disturbing, is that Twitter as a medium is more time-sensitive than e-mail, capable of reaching a lot of people in very little time. That is why I think there is potential for much greater damage if you combine Twitter phishing with events that receive intensive Twitter coverage, such as the Mumbai attacks.


A short-term measure that Twitter could take to beef up its defenses would be to upgrade its SSL certificate to an EV cert and tell its users to check the green bar when they log in.


In the meantime, my Twitter guru Bob Angus tells me that some of the buzz in the twittersphere is that these attacks confirm Twitter's arrival as a relevant medium.


These past attacks suggest that at least the bad guys agree with that.

November 24, 2008

PayPal: New "Key" on the Block

Today PayPal launched mobile access for its Security Key. This means that along with the traditional token and credit card form factors, PayPal Security Key users can now get their one-time password (OTP) texted to their mobile phone. This is very cool, especially if you're one of those people who use their cell phone for everything: phone, email, text, Internet, GPS, camera... and now you can use it to protect your accounts online.


The new SMS OTP for the PayPal Security Key is available to customers in the U.S., Australia, Austria, Canada and Germany. PayPal does not charge for the OTPs texted to mobile devices. To use the service, customers need a mobile device and wireless service set up to receive SMS text messages. It's that simple.


The PayPal Security Key is part of the VeriSign Identity Protection (VIP) Network. As part of this network, consumers can use the OTPs to protect their accounts on a variety of financial services and e-commerce Web sites such as eBay, AOL, Geico, the U.S. Department of Education, the American Bankers Association, and many others. To activate your PayPal Security Key SMS functionality, go to https://www.paypal.com/securitykey .

October 21, 2008

Don't let this happen to your bank account...

You may have read the news over the weekend that cyber thieves raided Sarkozy's bank account and began stealing small amounts of money frequently. This marks the second high-profile online account break-in in recent weeks where an e-criminal got in through the username-and-password login (the Palin email hack was the other). Consumers need to take full responsibility and control of their online accounts by securing them with an added layer of security beyond a username and password. With more and more consumers putting their identities online, this type of account break-in will continue as long as we keep using simple usernames and passwords. One way to strongly secure an online account is the use of one-time passwords, a form of two-factor authentication. Some banks have already started rolling out such measures to their customers. The recent news about Sarkozy's account being raided serves as yet another example of why consumers should sign up for two-factor authentication for their accounts, or ask their financial institutions to offer it.


~Vijai Shankar
Sr. Product Marketing Manager, VeriSign Identity Protection Services

June 19, 2008

Consumer Security Goes Green at VeriSign

Posted by Fran Rosch, VP of VeriSign Identity and Authentication Solutions


Living in California, I have tried to become as environmentally conscious as possible given the grim reports on climate change and rising sea levels. The major steps I have taken along with my family include installing brand new energy efficient appliances and significantly more insulation as part of our home remodel. We also implement smaller initiatives such as maximum recycling, eating organic and locally grown products and composting as much as possible. I have even given up coffee and my favorite Irish oatmeal because of the carbon required to ship these products such long distances. We also try (but usually fail) to restrict ourselves to bicycle-only transportation on weekends.


I know there is lots of disagreement on whether these small actions actually make an impact, but they do make us feel better. I also travel extensively for business, which blows my personal carbon footprint sky-high regardless.


But I have been thinking about how VeriSign's VIP Consumer Authentication solution stacks up against the competition in terms of being green. Traditional strong authentication products sold by companies such as RSA and Vasco are on-premise software solutions built on proprietary technology, whereas VeriSign Identity Protection ("VIP") is a network-based service driven by open standards.

For the software-based solutions sold by our competition, an enterprise must purchase, install and manage a server infrastructure to validate the consumer's OTP (one-time password). A significant amount of energy is used to manufacture these servers, ship them halfway across the world and then power them 24x7, never mind the energy used to produce the raw materials for the components. In contrast, VIP requires no infrastructure at the enterprise and uses a shared infrastructure installed in VeriSign's data centers. There is an immediate environmental saving in using shared infrastructure rather than everyone operating their own. Using VIP is like taking an electric high-speed train with hundreds of other happy passengers instead of each person getting into their own car by themselves and crawling along crowded highways.


Then I felt bad about all of those pesky plastic tokens that have been the staple of the traditional authentication solution market. Our competitors have manufactured and shipped over a hundred million of these devices, which will eventually find their way to landfills across the globe. By using open standards and encouraging a diverse and creative ecosystem of credential providers, we can imagine strong authentication without any plastic tokens. By embedding an OTP generator into a device that a consumer already carries, such as a credit card, mobile phone or PC, the industry can stop manufacturing security-only plastic tokens.


However, until all this innovation is fully ready for production, VIP has another environmental benefit in that it allows the sharing of one credential across multiple websites. With traditional consumer authentication solutions, a consumer must have a separate token for each website, requiring more materials, more manufacturing, more shipping and, eventually, more trash. This is commonly referred to as the "token necklace". With VeriSign, one device can be the key to many websites, meaning the consumer will use it more and keep it longer, resulting in less basura.


Finally, I wondered what other environmental benefits VeriSign could encourage with our VIP product. Well, according to the survey results published by our friends in the analyst community, there are still millions of consumers who are too concerned about Internet fraud and security to use the Web for banking, shopping, healthcare, etc. If VIP can help enterprises encourage these consumers to use the Internet for more of these activities and reduce their number of trips to the mall, that is a good thing for the environment.
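As an added example (not code from VeriSign, from the VIP service, or from any of these posts), the Python below models the one-time-password second factor recommended in the October post together with the architecture described in this one: a shared validation service holding each credential's secret, and one credential accepted by several web sites that never see that secret. The OTP generator follows RFC 4226 (OATH HOTP), a published open standard; whether VIP used that exact algorithm is not stated on this page. The service class, the relying-party login flow, the credential id, the look-ahead window size and the sample accounts are assumptions for illustration; the key is the RFC 4226 test vector.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class Token:
    """The consumer's credential (plastic token, phone, card): holds the secret and its own counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class ValidationService:
    """Hypothetical shared validation service: besides the token, the only party that knows the secret.

    Relying web sites submit (credential_id, otp) and receive a yes/no answer; they never store the secret.
    """

    def __init__(self, look_ahead: int = 5):
        self._creds = {}  # credential_id -> {"secret": bytes, "counter": int}
        self.look_ahead = look_ahead

    def register(self, credential_id: str, secret: bytes) -> None:
        self._creds[credential_id] = {"secret": secret, "counter": 0}

    def validate(self, credential_id: str, otp: str) -> bool:
        cred = self._creds.get(credential_id)
        if cred is None:
            return False
        # Accept the next few unused counter values (the token may have been pressed without a
        # login), then move the server counter past the accepted one so a code is never accepted twice.
        for step in range(self.look_ahead + 1):
            candidate = cred["counter"] + step
            if hmac.compare_digest(hotp(cred["secret"], candidate), otp):
                cred["counter"] = candidate + 1
                return True
        return False


class RelyingParty:
    """A web site in the network: checks its own password, then asks the shared service about the OTP."""

    def __init__(self, name: str, service: ValidationService, accounts: dict):
        self.name = name
        self.service = service
        self.accounts = accounts  # username -> {"password": str, "credential_id": str}

    def login(self, username: str, password: str, otp: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return False
        return self.service.validate(acct["credential_id"], otp)


def demo() -> dict:
    """Constructed scenario: one credential at two sites; a stolen password alone and a replayed OTP both fail."""
    secret = b"12345678901234567890"  # RFC 4226 test key, used here as a constructed sample
    service = ValidationService()
    service.register("CRED-PLACEHOLDER-1", secret)  # credential id is a made-up placeholder
    token = Token(secret)

    bank = RelyingParty("bank", service, {"alice": {"password": "pw-bank", "credential_id": "CRED-PLACEHOLDER-1"}})
    shop = RelyingParty("shop", service, {"alice": {"password": "pw-shop", "credential_id": "CRED-PLACEHOLDER-1"}})

    first = token.press()   # "755224" for counter 0
    second = token.press()  # "287082" for counter 1
    return {
        "bank_ok": bank.login("alice", "pw-bank", first),
        "shop_same_credential_ok": shop.login("alice", "pw-shop", second),
        "stolen_password_only": bank.login("alice", "pw-bank", "000000"),
        "replayed_otp": shop.login("alice", "pw-shop", first),
    }


if __name__ == "__main__":
    print(demo())
```

The two sites accept the same token because they both defer to the one service that holds the counter; a password captured on its own fails, and a code that already logged the user in at the bank is rejected at the shop because the service's counter has moved past it. The look-ahead window is what keeps a few idle button presses from locking the user out.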



April 2, 2008

Here's another incentive: 5,000 FREE CREDENTIALS to Join the VIP Network

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

I posted earlier today about the difficulty of remembering passwords, security questions, our daily tasks, etc., and urged consumers to ask organizations to introduce secure yet painless authentication methods. Here's another incentive for organizations to make life easy yet secure for consumers at a lower cost. VeriSign is now offering up to 5,000 FREE CREDENTIALS to each organization joining the VeriSign Identity Protection Network by Sept 30, 2008. This is a great incentive for organizations looking to deploy strong or two-factor authentication and be part of a network that enables consumers to use a single credential across multiple sites. The timing is opportune. With quite a few folks from the security industry at the RSA Conference next week in San Francisco, if you want more information, stop by the VeriSign Booth # 1316 at the conference and we can help.

~Vijai

