Online Identity and Trust

Han Dong, Sr. Product Marketing Manager, User Authentication

Getting noticed is a hard thing. But when you do get recognized by adoring fans, it's like living the life of a beauty queen.

And just look at who noticed us: CrackBerry.com and BlackBerry Cool

So you ask, what's the news?
We all know that VeriSign Identity Protection (VIP) Access for mobile has already been available for free on Blackberry® smartphones and downloadable from the BlackBerry App World and the VeriSign Identity Protection Mobile Center sites for some time now.

What is new (or what you may have not noticed until now) is that with the VIP Access 3.0 release of September 2009, users can easily copy-n-paste the security code and credential ID into a mobile browser to complete VIP Access registration. Two-factor authentication has never been easier for the 'power' mobile-user.

So where can you use VIP Access for two-factor authentication to websites?
Simple. Register and use your VIP Access credential at participating VIP network member sites, such as eBay, PayPal, AOL, GEICO, or any participating VIP network site.

Posted by Han Dong at 9:33 AM | Permalink | Comments (0)

Han Dong, Sr. Product Marketing Manager, User Authentication

Greetings VIP Blog fans,

In the way of introductions, I'm a new member of the Product Marketing organization at VeriSign. Seems like I'm already an old vet (time spent in the technology industry always seems to be measured in "dog years"). To give you some additional background on my IT curriculum vitae, 5 years of UNIX systems sales; 2 years of business development in Linux and Wireless; and 10 years in product marketing and management in Data Storage, Linux, and Networking. So as a long time marketer, I'm excited about the opportunity to share my experiences through 'new' social media vehicles, like this blog site.

I'm here at the 2009 Gartner Identity & Access Management (IAM) Summit. While this is my 1st Gartner IAM event, it certainly is not my 1st analyst or technology industry event. Having seen the ups and downs of the tech industry for the last 17 years, and having attended similar events like IDC Forums, CES, SNW, LinuxWorld Expos, Oracle OpenWorlds - you name it, I've been there.

The day started off with a keynote presented by Earl Perkins, one of the lead Gartner analysts who explained how much IAM has evolved over the years - highlighting the fact that there are several IAM lifecycle elements (Planning, Process, and Problems) to consider and several key business drivers (improving security, reducing risk, and meeting regulatory requirements) in deploying an IAM solution. And at the end of the day, four of the analysts presented as a panel and reviewed the 2009 "Magic Quadrant" (classic Gartner MQ) trends and developments for each of the IAM disciplines in User Provisioning, Web Access Management, Enterprise Single Sign-On (SSO), and Authentication.

One mid-day session titled "Google Case Study: Lessons From Google's IAM Initiatives For Cloud-Based Applications," presented by Eric Sachs, Google Product Manager, was particularly interesting. Eric's presentation covered essentially two topics: Federated login as a Service (or Cloud-based SSO) and Strong Authentication beyond passwords. Eric explained that the challenge of provisioning user accounts, managing multiple logins and passwords, and ensuring strong security and reliability is driving the movement towards a Federated login structure, built on open standards (OAuth and OpenID) and hosted in the cloud to support a host of Software as a Service (SaaS) applications.

With the heavy interest in cloud-computing and hosted applications, both IT vendors and consumers are seeking ways to reduce costs of deployment, speed implementation, and do more with fewer resources at hand. Google, Amazon, Salesforce, and Microsoft are just a handful of the many vendors vying to be the cloud-based app provider of choice. But in the hype, it seems that few vendors have discussed the new breed of security concerns that cloud-based services yield.

Eric's presentation touched on these very security concerns in the new SaaS world. And most importantly, Eric brought up the idea of leveraging "stronger forms of authentication" to mitigate the weak security of simple username and password. "One Time Password (OTP) is the answer!" Two-factor Authentication and OTP are not new technologies. Enterprises have long been using OTP tokens to authenticate users' access to internal networks (via VPN) for years now. But traditionally, OTP credentialed VPNs have been too costly or too resource consuming to manage and deploy. That is, until now - Eric also demonstrated a low-cost OTP credential in the form of a mobile phone software generated OTP. And the iPhone screen-shot Eric displayed on his slide was the VeriSign Identity Protection (VIP) Access for Mobile credential. Eric pointed out a unique feature of the VIP Access for Mobile software was that the key generator resides locally on the mobile phone itself, thus requiring NO network connection as some other products require in order for an OTP key to be sent via SMS or voice.

Here is Eric on stage:(image added 11/11)

What Eric did not mention during his session, is that behind the VIP Access for Mobile OTP credential lays a trusted VeriSign Identity Protection service entirely hosted by VeriSign. VeriSign allows enterprises to quickly and cost-effectively implement and integrate scalable Strong Authentication services (for VPN or partner and customer communications) for validating user credentials via Web Services APIs that connect to the VIP hosted network.

So what does this mean for the mass of new cloud-based computing enterprises? It means that enterprises can rest assured that not only can they migrate IT apps to the cloud, but they can also secure user access by leveraging a cloud-based Security as a Service with the VeriSign Identity Protection service.

Witnessing a 3rd party (not to mention the fact that we're talking about Google) extol the virtues of YOUR product, unpaid and unsponsored, was really an exciting surprise. And this really was a true coincidence - just by attending the Google breakout session at the Gartner IAM Summit, I saw VeriSign's own Two-factor authentication product in action and being explained by one of the premier thought leaders in the industry. This certainly bodes well for a plethora of future opportunities for Security in the cloud. And I can't wait to watch this all unfold.

Posted by Han Dong at 4:01 PM | Permalink | Comments (0)

By Yohai Einav, VeriSign Senior Fraud Analyst

I was on my way to the airport, chatting with my cab driver. After I told him my overused joke about the peasant, the seigneur and the miraculous goat, he asked me for my profession. "Oh, fraud?", he said. "You know, I almost lost $7,000 to card fraud last year".

So the sanguine driver told me how his bank called him, warning him he had gone into overdraft. When he investigated this he found that his Visa card had recently been charged with $6,000. He called Visa, and they told him - "Sir, didn't you make two £1,500 transactions in London two weeks ago?"

No, he was never in London. No, he rarely uses the British Pound in Israel.

"Time out", I said. "Credit card issuers know that this could happen, and no way could these two transactions have passed without Visa noticing them". Firstly, the amounts were high, and secondly, the driver's card had a consistent pattern of transactions in only one country. "Didn't Visa call you??" I asked. "No", he said, "the transactions were made on Yom Kippur, the holiest of the Jewish holidays, and no one in Israel was able to answer their phone". "No problem", the driver concluded, "Visa refunded my money the next day. They actually told me that they had dozens of fraud transactions on that same holy day".

I loved that story for one reason - it shows how the bad-guys constantly think outside the box. They knew that such a large scale scam would be detected on any other regular day, so they found a day when it wouldn't. They know what's inside the box, and then plan ahead.

Here's another story - a few years back I was analyzing a fraudsters' product called CC2Bank, which was basically a management tool for stolen credit cards. Release 1.3 of the tool enabled the bad-guy to type in any credit card number and learn the type of card, name of the issuing bank, the bank's phone number or the country where the card was issued. Yet it also had included another feature - "list of busy phone lines", with a geographical distribution of the phone numbers. Why was that of interest for the fraudsters?

Again - it was the think-outside-the-box attitude: on e-commerce sites the user needs to provide a phone number. So if you're a bad-guy you probably don't want to provide your home phone number, but you still need to provide some number. You obviously cannot use a random number, because the credit company is going to call it. So what do you do? You find a number that [1] geographically makes sense, and [2] is always busy. When the transaction validation call is made and the ringing tone is always be busy, the credit company will have to make a decision - are we going to pass on this transaction or not?

In most cases, you can already guess, such transactions will be approved.

This is not a new tactic, but a regular fraudster's strategy. Bad guys must use think-outside-the-box ideas since security companies already cover what ever is inside-the-box. The lesson for us in the security industry should be emphasized: never rest on our laurels; always try to cover what's outside of the box; occasionally think like a bad-guy; and never ever tell jokes about miraculous goats.

Posted by VeriSign Identity Protection Blogger at 11:00 AM | Permalink | Comments (0)

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

I posted earlier today about the difficulty in remembering passwords, security questions, our daily tasks etc. and mentioning consumers to ask organizations to introduce secure, yet painless authentication methods. Here's another incentive for organizations to make life easy yet secure for consumers at a lower cost. VeriSign is now offering up to 5,000 FREE CREDENTIALS to each organization joining the VeriSign Identity Protection Network by Sept 30, 2008. This is a great incentive for organizations looking to deploy strong or two-factor authentication and be a part of a Network enables consumers to use a single credential across multiple site. The timing is opportune. With quite a few folks from the security industry at the RSA Conference next week in San Francisco, if you want to know more information stop by the VeriSign Booth # 1316 at the conference and we can help.

~Vijai

Posted by Vijai Shankar at 2:32 PM | Permalink | Comments (0)

Hi! My name is Kerry Loftus and I have product marketing and management ownership for our consumer authentication product offerings. By day, I'm a dedicated VeriSign employee focusing for the last 8 years on security technologies that are valuable to our customers in helping them better secure their online interactions with customers, business partners and employees. Few would also suspect, outside of my career, I'm a dedicated wife and mother to 4 kids (two boys and two girls, ages 1 - 13 years). Yikes! By keeping my toes in both professional and day-to-day worlds, I hope to bring real-world perspective to a space that is highly technical, potentially complicated, but incredibly essential in our still emerging digital world.

We found an awesome video on YouTube: the "MiniGeek" gets his PayPal security key in the mail, and shows us as he sets it up in less than two minutes. It's child's play! (this video has been removed.)

Posted by Kerry Loftus at 10:47 AM | Permalink | Comments (0)

Welcome to the Online Identity and Trust blog here at VeriSign. Here we hope to share some interesting news about the VeriSign Identity Protection team as well as in the world of identity protection. Since we are all about identity protection, I might as well give a blurb of who I truly am so that my identity and role is clear within this team. I am the new product marketing manager for VIP and I focus on outbound marketing for our solutions.

Reading the developments in the area of identity protection, we see a lot of interesting news these days. Some of us may think that it is only to protect our online financial transactions but with the growth in Internet and the flat world, we must increasingly adapt to newer threats posed to identity theft and fraud. For example, there has been some recent news about how fraudsters are targeting Facebook. Heck ya, I too am on Facebook and on reading this Wired article: Fraudsters Target Facebook With Phishing Scam, I figure that I will be a lot more careful with my Facebook transactions or any online transactions for that matter.

In this blog, the VIP team will share our thoughts on the future of identity protection.

- Vijai Shankar

Posted by VeriSign Identity Protection Blogger at 8:28 PM | Permalink | Comments (0)