
November 10, 2009

Meditations in an Analyst Summit

Han Dong, Sr. Product Marketing Manager, User Authentication

Greetings VIP Blog fans,


In the way of introductions, I'm a new member of the Product Marketing organization at VeriSign. It seems like I'm already an old vet (time spent in the technology industry always seems to be measured in "dog years"). To give you some additional background on my IT curriculum vitae: 5 years of UNIX systems sales; 2 years of business development in Linux and Wireless; and 10 years in product marketing and management in Data Storage, Linux, and Networking. So as a long-time marketer, I'm excited about the opportunity to share my experiences through 'new' social media vehicles like this blog site.


I'm here at the 2009 Gartner Identity & Access Management (IAM) Summit. While this is my 1st Gartner IAM event, it certainly is not my 1st analyst or technology industry event. Having seen the ups and downs of the tech industry for the last 17 years, and having attended similar events like IDC Forums, CES, SNW, LinuxWorld Expos, Oracle OpenWorlds - you name it, I've been there.


The day started off with a keynote presented by Earl Perkins, one of the lead Gartner analysts who explained how much IAM has evolved over the years - highlighting the fact that there are several IAM lifecycle elements (Planning, Process, and Problems) to consider and several key business drivers (improving security, reducing risk, and meeting regulatory requirements) in deploying an IAM solution. And at the end of the day, four of the analysts presented as a panel and reviewed the 2009 "Magic Quadrant" (classic Gartner MQ) trends and developments for each of the IAM disciplines in User Provisioning, Web Access Management, Enterprise Single Sign-On (SSO), and Authentication.


One mid-day session titled "Google Case Study: Lessons From Google's IAM Initiatives For Cloud-Based Applications," presented by Eric Sachs, Google Product Manager, was particularly interesting. Eric's presentation covered essentially two topics: Federated login as a Service (or Cloud-based SSO) and Strong Authentication beyond passwords. Eric explained that the challenge of provisioning user accounts, managing multiple logins and passwords, and ensuring strong security and reliability is driving the movement towards a Federated login structure, built on open standards (OAuth and OpenID) and hosted in the cloud to support a host of Software as a Service (SaaS) applications.


With the heavy interest in cloud-computing and hosted applications, both IT vendors and consumers are seeking ways to reduce costs of deployment, speed implementation, and do more with fewer resources at hand. Google, Amazon, Salesforce, and Microsoft are just a handful of the many vendors vying to be the cloud-based app provider of choice. But in the hype, it seems that few vendors have discussed the new breed of security concerns that cloud-based services yield.


Eric's presentation touched on these very security concerns in the new SaaS world. And most importantly, Eric brought up the idea of leveraging "stronger forms of authentication" to mitigate the weak security of a simple username and password. "One Time Password (OTP) is the answer!" Two-factor Authentication and OTP are not new technologies. Enterprises have long used OTP tokens to authenticate users' access to internal networks (via VPN). But traditionally, OTP-credentialed VPNs have been too costly or too resource-consuming to manage and deploy. That is, until now - Eric also demonstrated a low-cost OTP credential in the form of a mobile phone software-generated OTP. And the iPhone screen-shot Eric displayed on his slide was the VeriSign Identity Protection (VIP) Access for Mobile credential. Eric pointed out that a unique feature of the VIP Access for Mobile software is that the key generator resides locally on the mobile phone itself, so NO network connection is required, unlike some other products that need an OTP to be sent via SMS or voice.


Here is Eric on stage (image added 11/11):

[Image: Eric Stage_small.jpg]


What Eric did not mention during his session is that behind the VIP Access for Mobile OTP credential lies a trusted VeriSign Identity Protection service entirely hosted by VeriSign. VeriSign allows enterprises to quickly and cost-effectively implement and integrate scalable Strong Authentication services (for VPN or partner and customer communications) for validating user credentials via Web Services APIs that connect to the VIP hosted network.


So what does this mean for the mass of new cloud-based computing enterprises? It means that enterprises can rest assured that not only can they migrate IT apps to the cloud, but they can also secure user access by leveraging a cloud-based Security as a Service with the VeriSign Identity Protection service.


Witnessing a 3rd party (not to mention the fact that we're talking about Google) extol the virtues of YOUR product, unpaid and unsponsored, was really an exciting surprise. And this really was a true coincidence - just by attending the Google breakout session at the Gartner IAM Summit, I saw VeriSign's own Two-factor authentication product in action and being explained by one of the premier thought leaders in the industry. This certainly bodes well for a plethora of future opportunities for Security in the cloud. And I can't wait to watch this all unfold.

February 3, 2009

Watch out for the "Evil Twin" - Coming to a Hot Spot Near You

Imagine this scenario. You have a couple of hours to kill, so you log onto the free wireless access at an Internet cafe and check your personal email, maybe even make sure your latest check won't bounce by logging on to your banking site. (Whoops, that's just me).


What if a fraudster had set up that free WiFi you just logged into? How much of your personal information was just compromised? Well, this nightmare scenario is coming true. It's so widespread that it has even earned its own nickname: The "Evil Twin." Fraudsters can easily set up a fake hub and even name it to look legitimate, by using the name of a nearby store or cafe. Some people have noticed this in airports.


But don't lose hope: the "good guys" at the WiMAX Forum have defined a security model using two-way mutual authentication and they are creating standards that will protect us from this kind of scam. WiMAX is one of the standards for mobile broadband. It's not fully adopted anywhere yet, because only some providers have adopted it as a standard. But some of the big chip makers will be baking it into devices in the coming years so it will become more widespread.


Today we are announcing that the WiMAX Forum has chosen VeriSign as the Certificate Authority to secure the certificates that will go on WiMAX-enabled servers and devices.


Our PKI Product Manager, Charul Sadwelkar, took a few moments to answer some of my questions about VeriSign's role in the WiMAX ecosystem. Charul used to work in the mobile industry, so he knows all the jargon and he explained all the competing standards.


Question: "Are there any competing standards to WiMAX today?"
Answer: "There are competitive technologies that are in various stages of evolution. The one most commonly cited is the "Long Term Evolution" (LTE) roadmap, which is the path taken by the GSM and the GPRS service providers. But we believe that they are a little bit behind WiMAX which is spearheading the high-speed mobile Internet access revolution."


Question: "As part of VeriSign's PKI service for WiMAX, are we using any proprietary technologies?"
Answer: "VeriSign takes pride in the fact that we are a standards-based PKI provider. For the WiMAX ecosystem, we are not doing anything proprietary, these are very standard certificates with profiles as specified by the forum."


Question: "When will WiMAX be widespread?"
Answer: "It is in pilot roll-out in a couple of cities in the US and in some Asian countries where the landline infrastructure is not particularly strong. We expect that WiMAX will be widely available in a year or two from now."

Listen to the interview with Charul

Learn More:
White Paper: Helping to Secure the WiMAX World: VeriSign WiMAX PKI Service

Data Sheets: VeriSign WiMAX Public Key Infrastructure Service for Device Manufacturers, and VeriSign WiMAX Public Key Infrastructure Service for Service Providers

December 10, 2008

Putting order into things (Part I)

By Yohai Einav, Senior Fraud Analyst

A deserted street, night, a frightened old lady hops towards a policeman who just left the bar.
Old lady: "Please officer, this e-mail is trying to phish me!"
She shows a laptop to the Policeman.
Old lady: "My grandson gave it to me for my birthday, and he warned me of such things. Now it is trying to phish me!"
Policeman: "Let me see this".
The Policeman looks at the screen. He sees a phishing email.
Policeman: "Lady, do you have any idea what this is? This is identity theft! Wait a second; I must report this to my superiors right away!"

The policeman talks into his walkie-talkie:
Policeman: "Jim, I want to report an identity theft on 8th and Houston.... Yes, an old lady again.... Yes, her grandson... no, I didn't get the IP..."
The policeman leans toward the old lady.
Policeman: "You are lucky to still have your identity. Now go home and be sure to lock your firewalls."

The lady walks away. 2 minutes pass. Suddenly we see an old man running towards our policeman.

Old man: "It's a Trojan horse! He is coming for me!"

End of scene


(Taken from the new Harrison Ford movie, "Firewall 2: revenge of the firewall")


This scene (based on a true event) illustrates the pervasive confusion many of us suffer with all these security buzzwords flying around. This entry-level post will try to answer such questions as "what do these buzzwords mean?" and "how do they fit into a bigger picture?"

Let's start with the bigger picture.


Bad people want your money
When bad people want your money, they usually have a plan like this in mind:
1. Steal your personal credentials
2. Penetrate your online financial accounts using these credentials
3. Move money from your accounts to other accounts
4. Take the money and run


That's the very big picture. Now let's get down to point [1] - stealing your banking credentials. There are a few common buzzwords that fall under this category: phishing, identity theft, Trojans.


"Identity theft" is certainly a very scary term: who wants his own personal identity to be stolen? How can you function as a human being without your identity? Well, you can't function, but luckily, the problem is not with you, but with the term. It is not inherently possible to steal an identity, only to use it. "Identity theft" is a misnomer, which actually has the meaning of our point [1] - bad people want to steal and use your credentials. So, when you are "a victim of identity theft", all it means is that bad guys stole some of your credentials - login, password, SSN, driving license number, birthday, etc.


Now, how can bad people steal your credentials? Two of the most popular means are also two of the most popular buzzwords -

Phishing and Trojans.
Phishing and Trojans are two ways of stealing your credentials. Phishing does it mostly through social engineering, while Trojans use brute force and less social engineering. In a "phishing scam" (a.k.a. "phishing attack") you receive a fake email, navigate from it to a fake banking site, and there, typically if you are a naïve person, you give away your credentials to the bad guys. And that's it.


In a Trojan scam, your computer gets infected with a Trojan horse - a type of malicious software which makes your computer perform undisclosed malicious functions; one of these malicious functions is to send personal credentials that were found on your computer to the bad guys. The exact techniques of how this is done are out of scope here, but the important thing is that you, the victim, give away your credentials without knowing you're doing so.


So we have two very different techniques that achieve the same goal - stealing credentials ("identity theft"). Yet the ways to protect yourself from these vicious means are completely different. In order not to be a victim of phishing you simply need to be less naïve and more aware of the threats of phishing. You could use software tools that filter and warn about phishing, but if you fall for social engineering, they wouldn't help you.


Trojan protection doesn't require a personality change. You can remain naïve, but you must install anti-trojan/anti-virus software on your PC and keep it updated at all times. In 99% of the cases, this ensures that no behind-the-scenes malicious action is being performed on your computer.


So what should you do if an email tries to phish you in the middle of the night?

Exactly, call the cops.

November 24, 2008

PayPal: New "Key" on the Block

Today PayPal launched mobile access for its Security Key. This means that along with the traditional token and credit card form factor, PayPal Security Key users can now get their one time password (OTP) texted to their mobile phone. This is very cool, especially if you're one of those people who use your cell phone for everything--phone, email, text, Internet, GPS, camera...and now you can use it to protect your accounts online.


The new SMS OTP for the PayPal Security Key is available to customers in the U.S., Australia, Austria, Canada and Germany. PayPal does not charge for the OTPs texted to mobile devices. To use the service, customers need a mobile device and wireless service set up to receive SMS text messages. It's that simple.


The PayPal Security Key is part of the VeriSign Identity Protection (VIP) Network. As part of this network, consumers can use the OTPs to protect their accounts on a variety of financial services and e-commerce Web sites like eBay, AOL, Geico, U.S. Department of Education, American Bankers Association, and many others. To activate your PayPal Security Key SMS functionality, go to https://www.paypal.com/securitykey

November 12, 2008

Why "Red Flags" would work

By Yohai Einav, VeriSign Senior Fraud Researcher


The FTC announced last month that it is pushing back the deadline for the implementation of the "red-flag" requirements for another six months. Under the "red flags" rules, all financial institutions must develop and implement an "Identity Theft Prevention Program", which includes "reasonable policies and procedures for detecting, preventing and mitigating identity theft".


I'm pretty confident that somewhere in the world security chiefs are dancing in relief, and, on the other hand, so are many fraudsters (in their filthy underground caves).


FFIEC guidance and beyond
So why are fraudsters relieved? Because a well planned and implemented red flag program could actually slow the fraud business.


While the 2005 FFIEC regulations (or, "guidance") talked about using better locks to the gates of the castle (which is important, but castles tend to have windows and hidden entrances), the new requirements deal with fighting the enemy within the walls of the castle - inside the compromised accounts.


To put it in a less metaphorical way: today, most banks already implement some extra protective measures at their login page, but only a few measures inside their online banking system itself. And as it seems, better protection of the login - a stronger authentication - does not completely stop fraud, but forces fraudsters to look for the "hidden entrances".


(Don't get me wrong - the FFIEC guidance was the cornerstone for all anti online-fraud legislation and the tipping point which propelled anti-online-fraud into the spotlight)


Taking care of hidden entrances
As in many areas of life, the Pareto principle also applies to the fraud market: 80% of the fraud losses come from 20% of the scam patterns, and a well-thought-out red flags program will target exactly these 20% of the patterns. Here are a few of the required red flags:


  • "Flag an account with a material change in purchasing or spending". This is a strong indicator for financial fraud - someone who suddenly changes his spending behavior - yet today only a handful of financial institutions have applied the mechanisms to detect it;

  • "An account that has been inactive for a reasonably long period of time resumes usage". This is really a common sense red flag, yet only a handful of banks today have the system to detect it.

  • "A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or member, such as recent and significant increase in the volume of inquiries, or an unusual number of recently established credit relationships". If you learn the behavioral patterns of an account, you could easily be able to find the out-of-pattern activities, and prevent fraud.

Simple? Yes.
Effective? Yes, thank you.
Would the red-flags policy create a fraud-free environment? No, but it should significantly reduce fraud. Remember the Pareto.
And what would be of the fraudsters? It would drive them away from the castle - and back to their filthy underground caves.
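The three red flags quoted above can be written as plain rules over an account's own history, which is what makes them cheap to detect once the history is kept. The following is an added example, not VeriSign's Fraud Detection Service or any bank's implementation; the Txn record layout, the transaction records and the thresholds (a 3x jump in daily spend, 180 days of dormancy, more than three credit inquiries in 30 days) are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class Txn:
    """One account event (constructed layout): purchase, credit inquiry or new credit relationship."""
    day: date
    amount: float
    kind: str          # "purchase" | "inquiry" | "new_account"


def flag_spending_change(txns: List[Txn], as_of: date, baseline_days: int = 90,
                         recent_days: int = 7, ratio: float = 3.0) -> bool:
    """Red flag 1: material change in spending, measured against the account's OWN baseline."""
    purchases = [t for t in txns if t.kind == "purchase"]
    recent_start = as_of - timedelta(days=recent_days)
    base_start = as_of - timedelta(days=baseline_days)
    recent = sum(t.amount for t in purchases if recent_start < t.day <= as_of)
    base = sum(t.amount for t in purchases if base_start < t.day <= recent_start)
    recent_rate = recent / recent_days
    base_rate = base / (baseline_days - recent_days)
    return base_rate > 0 and recent_rate > ratio * base_rate


def flag_dormant_reactivation(txns: List[Txn], as_of: date, dormant_days: int = 180) -> bool:
    """Red flag 2: an account inactive for a long period resumes usage."""
    days = sorted(t.day for t in txns if t.day <= as_of)
    if len(days) < 2:
        return False
    last, previous = days[-1], days[-2]
    # Fresh activity (within the last week) that follows a gap longer than the dormancy threshold.
    return (as_of - last).days <= 7 and (last - previous).days > dormant_days


def flag_inquiry_spike(txns: List[Txn], as_of: date, window_days: int = 30,
                       max_inquiries: int = 3) -> bool:
    """Red flag 3: unusual volume of inquiries or newly established credit relationships."""
    start = as_of - timedelta(days=window_days)
    recent = [t for t in txns if t.kind in ("inquiry", "new_account") and start < t.day <= as_of]
    return len(recent) > max_inquiries


def evaluate(txns: List[Txn], as_of: date) -> Dict[str, bool]:
    """Run all three rules; a real program would feed any True result into case review."""
    return {
        "spending_change": flag_spending_change(txns, as_of),
        "dormant_reactivation": flag_dormant_reactivation(txns, as_of),
        "inquiry_spike": flag_inquiry_spike(txns, as_of),
    }


# --- constructed sample accounts -------------------------------------------------------
AS_OF = date(2008, 11, 12)


def _daily(start: date, days: int, amount: float) -> List[Txn]:
    return [Txn(start + timedelta(days=i), amount, "purchase") for i in range(days)]


# A: steady $20/day for weeks, then $300/day for the final week.
ACCOUNT_A = _daily(AS_OF - timedelta(days=88), 81, 20.0) + _daily(AS_OF - timedelta(days=6), 7, 300.0)
# B: two purchases almost a year ago, silence, then a purchase two days ago.
ACCOUNT_B = [Txn(AS_OF - timedelta(days=300), 40.0, "purchase"),
             Txn(AS_OF - timedelta(days=290), 35.0, "purchase"),
             Txn(AS_OF - timedelta(days=2), 50.0, "purchase")]
# C: normal $10/day spending, but five credit inquiries inside the last month.
ACCOUNT_C = _daily(AS_OF - timedelta(days=60), 61, 10.0) + [
    Txn(AS_OF - timedelta(days=k), 0.0, "inquiry") for k in (3, 8, 12, 20, 25)]

if __name__ == "__main__":
    for name, acct in (("A", ACCOUNT_A), ("B", ACCOUNT_B), ("C", ACCOUNT_C)):
        print(name, evaluate(acct, AS_OF))
```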


October 29, 2008

Welcome to our newest "VIPs" on VeriSign's Identity Protection Network


Organizations around the world are deploying VeriSign® Identity Protection (VIP) services to stop fraudsters from tricking consumers into revealing sensitive private information. VeriSign Identity Protection service's one-time-passwords (OTP) are one element of a layered security approach. Other layers include Web site security brought by an Extended Validation (EV) SSL Certificate, fraud detection services to monitor anomalies on the back end, and consumer education.

The VeriSign Identity Protection Network allows consumers to use a single security device to authenticate themselves across any VIP-enabled Web site. So it's easier for all of us to stay safe online by integrating two-factor authentication into our online routine.


Our Newest "VIP" Members:
+ American Bankers Association (U.S.)
+ AWA Credit Union Ltd (Australia)
+ Central Murray Credit Union (Australia)
+ DocLocker (Australia)
+ Indusval Multistock (Brazil)
+ Joyo Bank (Japan)
+ Maitland Mutual Building Society (Australia)
+ Morgan Street Document Systems (U.S.)
+ South West Credit Union (Australia)
+ U.S. Department of Education (U.S.)
+ VietUnion (Vietnam)
+ Water ISAC (U.S.)


Extending the Reach of VeriSign Identity Protection With Global Partnerships
Enhancements to VeriSign's sales and delivery channel for VIP have also extended the network's market presence worldwide. VeriSign recently added to its channel and strategic partner ranks:
+ Blitz IT Consultants Pte Ltd in Vietnam
+ Senior Solutions in Brazil
+ Scitum and Netrix in Mexico
+ Bharti Airtel in India
+ iTrusChina in China
+ MSCTrustgate in Malaysia
And in the Europe, Middle East and Africa (EMEA) region, we launched a new program aimed at recruiting at least one anchor partner for the UK, Germany, France, Spain and Italy. We're working to ensure that VIP is represented via a robust and far-reaching ecosystem, particularly within the financial, retail, social networking and gaming markets.


Let's Give People What they Want
Here's a quote from a user of the Security Key who sells sports memorabilia on eBay:

"Before I started using my token, someone was breaking into my account every four to six weeks...I previously had to change my password constantly to keep others out of my account, but since I started using the PayPal Security Key, I haven't had to change it once."
At the eBay Live! event this past June, we surveyed 689 attendees about their experiences with the PayPal Security Key (a VIP token).
• A third of respondents said they use the PayPal Security Key
• Nearly three-quarters of users said that their PayPal key is easy to use.
Most respondents said they wanted to enjoy VIP protection with a variety of services - including online banking, shopping, gaming and stock trading - while nearly half hoped to use their token to access health care services. We're hoping we can help make those requests a reality.


September 9, 2008

Welcome to the VeriSign Identity Protection Network, ABA!

Today we announced that the American Bankers Association will be joining the VIP Network. We are very excited about this on many levels. Getting VIP credentials into the hands of 350 member banks creates a huge opportunity for VeriSign and makes this much more convenient for their users. ABA Members will have first hand experience with strong authentication on tools they use every day. And as this protection rolls out, ABA member banks will witness how easily they can deploy strong, two-factor authentication, and how convenient it is for their customers. We look forward to working with the ABA. Welcome to the network!

August 12, 2008

We Got Another One!

Network Products Guide just announced we won the Reader Trust Award for Best in Multi- and Second-Factor Security. We're putting it in our trophy case right next to the Product Innovation Award in the Consumer Application or Service category. This is great for companies making decisions about two-factor authentication for their customers -- they might want to know the industry thinks highly of VIP. It's also great for the team here at VeriSign working on VIP to see all their efforts to create a great product pay off with an award like this. So thank you, Network Products Guide, from the team at VeriSign. Here is the press release.

August 6, 2008

Just assume your identity has already been stolen

by Perry Tancredi, Senior Product Manager, VeriSign Fraud Detection Service


I'm Perry Tancredi, and I manage the VeriSign VIP Fraud Detection Service product. A lot of times when I explain what I do to my friends and family, especially when I talk about some of the latest attacks we see, the conversation turns to whether or not it's too risky to do anything online at all. People want to know if I think banking and shopping online is safe, what virus program I use at home and what they should be doing to protect themselves.


I had already been writing this post when the news broke about the largest case of identity theft in America (BBC, Washington Post), so it seems more relevant now. There's been a lot of coverage last night and this morning, but I happened to be available when the BBC story was being written, and got the chance to talk to and be quoted by the BBC. I'm a long-time NPR and BBC listener, so I do have to say that it was quite a kick to hear Maggie Shiels say my name on the radio last night.


I told the BBC what I typically tell anyone else who asks: while for the most part the Internet is secure, the most important thing anyone can do is just assume that their accounts are going to be compromised. Credit card and personal data are stolen every day using all kinds of methods, and it's not all Internet related. Most people are most concerned about the security at the point of sale, but don't think about what happens with the information later. When you assume that your accounts will be compromised one way or another, you have to start doing what you should have been doing anyway: reading your credit card statements and monitoring your credit reports. It's not fun, but it's easy to spot suspicious transactions when you look at statements every month. If you see something suspicious, call your bank or credit card company. Likewise, if you see something strange on your credit report, follow up on it.


The VeriSign Fraud Detection Service (FDS) works on the same principle. Protect the front door, but stay on the alert after you've let someone in. Out of the box, the FDS allows our customers to look for suspicious logins, but it was built to be modular and allow the analysis of any kind of transaction, and it really reaches its full potential when it looks at post-logon transactions. We already have customers who have written their own modules using it to protect wire transfers online. Soon we'll release our first module to look at a specific kind of post-logon fraud, and that will be just the first module of many.


With more and more organizations looking beyond login, consumers will be safer, and the combination of users and organizations being more vigilant will move the bar that much higher for the fraudsters.

July 2, 2008

Real People Talk to VeriSign about their Online Identity

We asked people on the streets of San Francisco about what they do online, how many passwords they have, and whether they think their personal information is safe.


"Any bill that I pay, other than my rent, I pay online"
"There's probably a lot of sites out there that have my personal information."
"Sometimes even with secure sites, hackers get through"

"Every time I use a credit card, I hope that's the only place it gets used."

Find out how VeriSign can help keep your online identity safe.



Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.
