<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
    <title>Mike Davies: Online Identity and Trust in EMEA</title>
    <link rel="alternate" type="text/html" href="http://blogs.verisign.com/identity-emea/" />
    
   <id>tag:blogs.verisign.com,2009:/identity-emea//18</id>
    <link rel="service.post" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18" title="Mike Davies: Online Identity and Trust in EMEA" />
    <updated>2009-01-29T16:45:44Z</updated>
    <subtitle>Consumer Authentication in Europe</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.21-en</generator>
 

<link rel="self" href="http://feeds.feedburner.com/VeriSign-Identity-Trust-EMEA" type="application/atom+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry>
    <title>PayPal UK Launch Security Key - Guest Posting from PayPal</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/vv0qT_LAMw0/paypal_uk_launch_security_key.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1509" title="PayPal UK Launch Security Key - Guest Posting from PayPal" />
    <id>tag:blogs.verisign.com,2009:/identity-emea//18.1509</id>
    
    <published>2009-01-29T16:34:11Z</published>
    <updated>2009-01-29T16:45:44Z</updated>
    
    <summary>I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal Customers will be able to use their token at other sites who join the VIP network.  PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world so you can expect to see more places where you can use your token in the UK appearing shortly.</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
        <category term="Authentication" />
    
        <category term="Consumer Authentication" />
    
        <category term="Passwords" />
    
        <category term="Phishing" />
    
        <category term="Second factor Authentication" />
    
        <category term="Two factor Authentication" />
    
        <category term="User Name and password" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;&lt;br /&gt;
&lt;span class="mt-enclosure mt-enclosure-image" style="display: inline;"&gt;&lt;img alt="PayPal Security Key.png" src="http://blogs.verisign.com/identity-emea/PayPal%20Security%20Key.png" width="340" height="170" class="mt-image-none" style="" /&gt;&lt;/span&gt;&lt;br /&gt;
Great news today for anyone who uses PayPal in the UK.  &lt;/p&gt;


&lt;p&gt;They have announced that they are offering consumers an added layer of security when they log in.  The UK rollout follows the successful implementations in Australia, Germany and the US, letting consumers either purchase a "PayPal Security Key" token for £3 (a small token that generates a One Time Password or OTP) or alternatively register their mobile phone with PayPal  and receive an OTP through an SMS every time they log in for free.&lt;/p&gt;


&lt;p&gt;&lt;br /&gt;
I am happy to say they are using VeriSign Identity Protection to deliver this, which means that PayPal Customers will be able to use their token at other sites who join the VIP network.  PayPal are the first UK members of the network, but there are around 30 other members in different countries around the world so you can expect to see more places where you can use your token in the UK appearing shortly.&lt;/p&gt;


&lt;p&gt;I thought it best if you heard it straight from PayPal on why they are doing it and what consumers can expect.  So here is a guest posting from the guy who led the UK roll out...over to you Garreth!&lt;/p&gt;


&lt;p&gt;&lt;br /&gt;
"I am Garreth Griffith and I lead the Risk Management team at PayPal in the UK.  At PayPal our main concern is for the security of all the buyers and sellers who use our product.  &lt;/p&gt;


&lt;p&gt;We work very hard in the background to stop fraud, and whilst our results show we are successful, we wanted to offer consumers the opportunity to adopt an additional layer of security to protect their PayPal account should they desire further reassurance. &lt;/p&gt;


&lt;p&gt;&lt;br /&gt;
And that is an important point, this product is not mandatory for any of our customers. It is up to the consumer to adopt this additional layer or not.&lt;/p&gt;


&lt;p&gt;&lt;br /&gt;
The constant challenge with any movement of money over the Internet is striking the right balance between security, convenience and ease of use. Unlike other clunky options available to us, we believe the PayPal Security Key provides the perfect balance, particularly the SMS version which works directly with your current mobile phone.&lt;/p&gt;


&lt;p&gt;In a nutshell, the way it works is that any PayPal customer can go to &lt;a href="http://www.paypal.co.uk/securitykey"&gt;www.paypal.co.uk/securitykey&lt;/a&gt; and either purchase a PayPal Security Key (a small key fob sized token) which generates a one time password from us, or alternatively register your mobile phone number with us.&lt;/p&gt;


&lt;p&gt;&lt;br /&gt;
If you select the PayPal Security Key, we post you the key and when you receive it, you simply log in as normal, adding the 6 digit one time password when prompted.&lt;/p&gt;


&lt;p&gt;&lt;br /&gt;
If you select the PayPal SMS Security Key, at the point of logging in we send you an SMS message with a one time password which you enter to access your account.&lt;/p&gt;


&lt;p&gt;&lt;br /&gt;
We believe the security key will appeal to a significant group of our customers and based on its successful rollout in other countries, we expect the same success in the UK."&lt;/p&gt;


&lt;p&gt;&lt;br /&gt;
Thanks Garreth, I am sure I will be posting more on this over the coming weeks and months.....&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2009/01/paypal_uk_launch_security_key.php</feedburner:origLink></entry>

<entry>
    <title>Facebook scam - Part 2</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/NIQd-_sBmpA/facebook_scam_-_part_2.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1456" title="Facebook scam - Part 2" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.1456</id>
    
    <published>2008-12-10T09:18:26Z</published>
    <updated>2008-12-10T09:33:59Z</updated>
    
    <summary>This just in from the BBC web site, Symantec have identified a virus that steals user names and passwords, nothing new there.  But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and delivers malware which can then steal user names / passwords and also keylog credit card info.
</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
        <category term="Consumer Authentication" />
    
        <category term="Passwords" />
    
        <category term="Phishing" />
    
        <category term="User Name and password" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;This just in from the BBC web site, Symantec have identified a virus that steals user names and passwords, nothing new there.  But, if I understand this right, it is delivered through a Facebook invitation from someone you don't know and delivers malware which can then steal user names / passwords and also keylog credit card info.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;a href="http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm"&gt;http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Now, I realise that Facebook et al are trying their best to educate their users not to accept invitations from people they don't know, but as per my earlier post about stealing log on details for a mail account / social network, what if the fraudster had the Facebook user name and password of someone who had a load of Facebook friends?  They could then send out the malware to all their contacts.  This would result in a much increased success rate for the fraudster as the receiver would be much more likely to trust them, not knowing it was really a fraudster at work.&lt;/p&gt;

&lt;p&gt;I really don't think that the social networking sites understand the value of the trust that a connection between users engenders, and the associated risk when their accounts are compromised.&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/12/facebook_scam_-_part_2.php</feedburner:origLink></entry>

<entry>
    <title>Survey finds passwords are not secure - well d'uh!</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/NwbfjAFsEMc/survey_finds_passwords_are_not.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1447" title="Survey finds passwords are not secure - well d'uh!" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.1447</id>
    
    <published>2008-12-02T13:44:32Z</published>
    <updated>2008-12-02T14:44:13Z</updated>
    
    <summary>I don't think the vendor community has been crying wolf about the problems that stronger authentication solves, more like highlighting that this problem is here and growing.  Well the discussions I have had recently with many different organisations across many different industries are now resulting in more and more consumer projects in this area</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
        <category term="Consumer Authentication" />
    
        <category term="Passwords" />
    
        <category term="Phishing" />
    
        <category term="Second factor Authentication" />
    
        <category term="Two factor Authentication" />
    
        <category term="User Name and password" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;This article covers two main points:&lt;/p&gt;

&lt;p&gt;1) Passwords are not changed regularly&lt;/p&gt;

&lt;p&gt;2) People give out too much personal information online&lt;/p&gt;

&lt;p&gt;&lt;a href="http://www.finextra.com/fullstory.asp?id=19374"&gt;http://www.finextra.com/fullstory.asp?id=19374&lt;/a&gt;&lt;/p&gt;


&lt;p&gt;Let's look at the first point....&lt;/p&gt;

&lt;p&gt;We see these kinds of articles related to password surveys about 3 times a year, and I am pretty sure VeriSign, my employer, have done our fair share!&lt;/p&gt;

&lt;p&gt;The reason we see them is twofold.  Firstly Passwords on their own are no longer secure enough.  I think people are getting that. &lt;/p&gt;

&lt;p&gt;The second reason, if you are feeling cynical, is that vendors want to sell more secure solutions.&lt;/p&gt;

&lt;p&gt;Let's face it, both points are true but I am seeing a sea change in attitude recently.&lt;/p&gt;

&lt;p&gt;Why?  Well I do not think it is because Vendors have honed their selling skills to the point where they are selling snake oil successfully.  The reason is that the problem itself has grown to a point where the business case for adopting stronger authentication is here.  This has been because of the increase in fraud, sure, but also due to new solutions and business models which make it significantly cheaper.&lt;/p&gt;

&lt;p&gt;Let's take PayPal.  They charge for two factor authentication to consumers.  Now I doubt that they are making money out of the solution by charging $5 for a token but I do know that they are reducing fraud considerably whilst proving that consumers will pay for this.  Not all consumers of course, but those that do want better security are prepared, some of them even very happy to pay for additional security.  And a happy customer is less likely to take their business elsewhere.&lt;/p&gt;

&lt;p&gt;Now let's look at the second point made in the article...&lt;/p&gt;

&lt;p&gt;This talks about publishing personal information online and how social networking site users are accepting invitations to connect with people they have never heard of before.  By doing this they give the person they connected to access to the more sensitive information that they have published.&lt;/p&gt;

&lt;p&gt;As a security vendor I wish I could provide a silver bullet that would help here.  I can't, but I can say that companies like mine are talking to the social networking organisations looking for long term solutions.  &lt;/p&gt;

&lt;p&gt;But one thing that can work in the short term is education.  I am sure the guys from the social networking sites are doing this but it is a continual process.  They must keep reminding their customers not to accept invitations or publish anything in their public profile that is sensitive.&lt;/p&gt;

&lt;p&gt;Not a silver bullet, but sometimes you have to keep making a noise about a problem until people start listening.  Did I mention that passwords are not strong enough anymore?&lt;br /&gt;
&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/12/survey_finds_passwords_are_not.php</feedburner:origLink></entry>

<entry>
    <title>Facebook Scam (aka Social Phishing)</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/9BdKMYTR5nY/facebook_scam_aka_social_phish.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1432" title="Facebook Scam (aka Social Phishing)" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.1432</id>
    
    <published>2008-11-14T13:53:01Z</published>
    <updated>2008-11-14T15:36:44Z</updated>
    
    <summary>This new scam in Australia takes the same principles and applies it to Facebook but is a little more feasible....Social phishing

</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
        <category term="Consumer Authentication" />
    
        <category term="Passwords" />
    
        <category term="Phishing" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;A couple of months back I posted on a scam that had surfaced in Mexico where fraudsters managed to get hold of people's email User Name and Password, access the account and email the whole address book asking for money to be sent to a bank account to help them raise bail as they were in Jail.&lt;/p&gt;

&lt;p&gt;Obviously the overwhelming majority of people would not expect anyone they knew to wind up in jail and ignored the email.&lt;/p&gt;

&lt;p&gt;Well this new one in Australia takes the same principles and applies it to Facebook but is a little more feasible.&lt;/p&gt;

&lt;p&gt;This time, the individual masquerading as your Facebook contact "needs $500 for a plane ticket".&lt;/p&gt;

&lt;p&gt;If phishing in its more traditional form has proved anything, it is that there is always someone who will fall for it.&lt;/p&gt;

&lt;p&gt;This "Social Phishing", i.e. taking over an email or social networking account and preying on the trusted relationships the account holder has, is much more targeted (i.e. not millions of emails aimed scattergun, but a smaller number preying on friends' trusted relationships) but I would guess is much more likely to succeed.&lt;/p&gt;

&lt;p&gt;&lt;a href="http://www.finextra.com/fullstory.asp?id=19269"&gt;Another example of passwords just not being enough anymore....&lt;/a&gt;&lt;/p&gt;

        
    </content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/11/facebook_scam_aka_social_phish.php</feedburner:origLink></entry>

<entry>
    <title>What have Sarkozy, Clarkson and Palin got in common?</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/Sn7KOdwziGo/what_have_sarkozy_clarkson_and.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1406" title="What have Sarkozy, Clarkson and Palin got in common?" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.1406</id>
    
    <published>2008-10-22T08:24:47Z</published>
    <updated>2008-10-22T08:54:52Z</updated>
    
    <summary>For clarification, I should mention that I mean Nicolas Sarkozy, Jeremy Clarkson, and Sarah Palin, but the question remains what have they got in common? The answer is they have all had high profile identity theft issues in the past...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;For clarification, I should mention that I mean Nicolas Sarkozy, Jeremy Clarkson, and Sarah Palin, but the question remains what have they got in common?&lt;/p&gt;

&lt;p&gt;The answer is they have all had high profile identity theft issues in the past 6 months.  &lt;/p&gt;

&lt;p&gt;Now granted, Jeremy Clarkson (a British TV presenter and Journalist) deserved it.  He deliberately published in a UK national newspaper personal information to prove that the whole identity theft problem was overhyped.&lt;/p&gt;

&lt;p&gt;Having briefly met Clarkson, a man who in the two minutes I chatted to him used more swear words than I normally use in a year, I can only imagine that his wife had to put her hands over her children's ears when he found out someone had used the information he published to transfer £500 from his bank account to a charity, proving how dumb he had been.&lt;/p&gt;

&lt;p&gt;Sarah Palin had her Yahoo email account compromised.  This was more a cantankerous prank than malicious fraud but it proved how easy it can be if you know some information about the account holder.  The fraudster got in by guessing correctly (or more accurately researching Sarah Palin on Wikipedia and Google) the password reset questions.&lt;/p&gt;

&lt;p&gt;And finally Sarkozy.  A man who I can only presume given his position as President of one of the leading world economies is an intelligent man, fell for a phishing scam.&lt;/p&gt;

&lt;p&gt;http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9117548&amp;source=rss_topic17&lt;/p&gt;

&lt;p&gt;Each one of these could have been prevented with some form of stronger authentication:&lt;/p&gt;

&lt;p&gt;1) Clarkson: With stronger authentication the reader would not have been able to transfer money.&lt;/p&gt;

&lt;p&gt;2) Palin: Password reset functionality would not result in a compromise if the account was protected by some kind of token.&lt;/p&gt;

&lt;p&gt;3) Sarkozy: If his account had been protected by Stronger Authentication, even if he had responded to a phishing email, it would be unlikely (but not impossible) for the fraudster to have completed a real time attack.&lt;/p&gt;

&lt;p&gt;There are some positives to take out of this:&lt;/p&gt;

&lt;p&gt;1) The general consumer becomes more wary of publishing data or phishing&lt;/p&gt;

&lt;p&gt;2) The more these things happen, the more likely we will adopt stronger authentication technologies to help protect online accounts.  This is not just because a high profile person such as Sarkozy says so, more that the general population will demand better security the more they realise they are under threat.&lt;/p&gt;

&lt;p&gt;3) Jeremy Clarkson got scammed for £500.  &lt;/p&gt;

&lt;p&gt;I know the last one sounds a bit malicious but I really didn't like him when I met him...&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/10/what_have_sarkozy_clarkson_and.php</feedburner:origLink></entry>

<entry>
    <title>How is security affected by the credit crunch - Post 3 (of many)</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/4ZIDs7H_CHo/how_is_security_affected_by_th_2.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1400" title="How is security affected by the credit crunch - Post 3 (of many)" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.1400</id>
    
    <published>2008-10-20T11:51:48Z</published>
    <updated>2008-10-20T12:05:12Z</updated>
    
    <summary>In the first post in this series I mentioned I would touch on some of the more obvious effects of the credit crunch...no surprises but the fraudsters have changed their tactics to try and exploit the uncertainty. Even if you...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;In the first post in this series I mentioned I would touch on some of the more obvious effects of the credit crunch...no surprises but the fraudsters have changed their tactics to try and exploit the uncertainty.  Even if you are not based in the UK, I am sure you will have seen the main banks who have been affected by this are RBS, LloydsTSB and HBOS.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
http://www.timesonline.co.uk/tol/money/consumer_affairs/article4965394.ece&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Well it seems that the malicious people who are determined to get your money have started sending out phishing emails hoping they snare a few of their customers.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
It amazes me that Phishing must still be working after so much consumer education about the problem through news stories such as this, but I guess they wouldn't be doing it if there was not money to be made.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
I remember being told 3 years ago that Phishing had peaked and since then the quantity and variety of attacks has continued to rise, and my guess is this trend will continue.  &lt;br /&gt;
&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/10/how_is_security_affected_by_th_2.php</feedburner:origLink></entry>

<entry>
    <title>How is security affected by the Credit Crunch - Post 2 (of many)</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/YJbl92V_q90/how_is_security_affected_by_th_1.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1392" title="How is security affected by the Credit Crunch - Post 2 (of many)" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.1392</id>
    
    <published>2008-10-13T13:35:46Z</published>
    <updated>2008-10-13T13:49:16Z</updated>
    
    <summary>The markets are up today, that can only be good news, but it would be a fool that would say we have definitely turned the corner. There seems to be a pattern that you can follow when we have major...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;The markets are up today, that can only be good news, but it would be a fool that would say we have definitely turned the corner.&lt;/p&gt;

&lt;p&gt;There seems to be a pattern that you can follow when we have major incidents like this:&lt;/p&gt;

&lt;p&gt;1) Panic&lt;br /&gt;
2) Attempts at a solution (which, either individually or combined, eventually work)&lt;br /&gt;
3) Assessment of how things have changed and what we should be doing now&lt;/p&gt;

&lt;p&gt;I think we are edging towards number 3 now.&lt;/p&gt;

&lt;p&gt;And if that is the case, what has changed?  Well firstly consumer trust in banking has been badly knocked.  These great institutions don't quite seem as solid as they did 6 months ago.&lt;/p&gt;

&lt;p&gt;And it is wider than that, this article from Computer Weekly highlights how consumers and employees are not happy with the measures taken by big business when protecting their identity:&lt;/p&gt;

&lt;p&gt;http://www.computerweekly.com/Articles/2008/10/10/232612/fraud-survey-highlights-business-security-failures.htm&lt;/p&gt;

&lt;p&gt;As in banking, if you don't trust you don't do business. &lt;/p&gt;

&lt;p&gt;So what should banks be doing?  Well they need to regain the trust of their customers and one way of doing that is demonstrating they take their consumers' security seriously, especially in the online space where confidence is already low.&lt;/p&gt;

&lt;p&gt;I am not saying that this will cancel out all the mistrust that has been generated but building trust takes time and little steps can make a big difference.&lt;/p&gt;
        
    </content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/10/how_is_security_affected_by_th_1.php</feedburner:origLink></entry>

<entry>
    <title>How is security affected by the credit crunch - (Post 1 of many)</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/KioL2BqwRm4/how_is_security_affected_by_th.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1391" title="How is security affected by the credit crunch - (Post 1 of many)" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.1391</id>
    
    <published>2008-10-10T08:59:14Z</published>
    <updated>2008-10-09T09:01:04Z</updated>
    
    <summary>I think most of us are quite surprised about how deep the financial crisis is becoming. More and more of us are sitting here and wondering how it will affect us in our personal or business lives over the coming...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;I think most of us are quite surprised about how deep the financial crisis is becoming.&lt;/p&gt;

&lt;p&gt;More and more of us are sitting here  and wondering how it will affect us in our personal or business lives over the coming months, and I thought I would try and take a look at how it affects consumer authentication.&lt;/p&gt;

&lt;p&gt;I will cover the more obvious ones in later posts, like potentially smaller security budgets and the cost savings of using the internet as a channel, but a little gem from the BBC website really caught my eye.&lt;/p&gt;

&lt;p&gt;The upshot is that all of a sudden banks aren't lending as much money as they used to.  Ok so how does that affect fraudsters?  Well obviously less money available to lend manifests as tighter controls on the acceptance of applications for new credit agreements, which are falling rapidly.  So with an overall decrease in credit applications then naturally that means an overall decrease in the number of fraudulent claims that get through the system.  With the notable exception of Whaling, targeting high wealth individuals for nefarious gains, if you are stealing an identity you are less likely to get an application fraud accepted because the individual is less likely to be credit worthy.&lt;/p&gt;

&lt;p&gt;So as a fraudster what do I do?  I need to make my money, so I target those people who already have an established relationship with the organisation.  In other words I target the people with an existing account.  This is where consumer authentication really becomes important.&lt;/p&gt;

&lt;p&gt;The more I follow fraudsters, the more I get back to the idea of "the rational man".  This is one of those stating-the-obvious theories hidden behind psychobabble, which means that if it makes financial sense everyone will do it.&lt;/p&gt;

&lt;p&gt;According to this article, which I believe, fraudsters will switch their focus to account based relationships and away from application fraud, as they are unable to make money through that channel.  &lt;/p&gt;

&lt;p&gt;But what is most interesting here is that the UK banking industry looked like it was winning the account takeover war.  Fraud in this area had reduced from £33m to £22m from 2006 to 2007.  This was mainly due to better Risk based Authentication being conducted in the back office as consumers (and yes fraudsters) try to access accounts.&lt;/p&gt;

&lt;p&gt;And then in the first half year of 2008, APACS released fraud figures showing that account takeover fraud is increasing again.  &lt;/p&gt;

&lt;p&gt;Some questions, with my opinion as answers:&lt;/p&gt;

&lt;p&gt;1) Is the rise in account takeover fraud a direct result of the credit crunch and the associated switch to account takeover from application fraud? I doubt it; the credit crunch hadn't really bitten by the release of these figures.&lt;/p&gt;

&lt;p&gt;2) Didn't the security implementations of EMV CAP (i.e. PINSentry et al) mean that Account Takeover fraud was decreasing?  Well I am sure that these initiatives had a positive impact on fraud but what I guess has happened is that those who have implemented stronger authentication are experiencing less fraud but those that haven't are seeing exponential growth in fraud in this area.  And this fraud is only going to get worse as fraudsters follow the rational man hypothesis and go for the easiest money route, account takeover at those banks who have not implemented more secure authentication.&lt;/p&gt;

&lt;p&gt;3) So should all banks follow the EMV CAP model?  I don't think so, I love the security benefits of PINSentry et al but hate the usability issues which are well documented (just google PINsentry and you will see what I mean), but there are other more consumer friendly devices that can achieve similar results to EMV CAP, especially when combined with Risk Based Authentication and I believe that they will become more prevalent.&lt;/p&gt;

&lt;p&gt;&lt;span class="mt-enclosure mt-enclosure-file" style="display: inline;"&gt;&lt;a href="http://blogs.verisign.com/identity-emea/vipcard.tif"&gt;vipcard.tif&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;4) Will fraudsters following the rational man model keep targeting the account based relationships in the banking sector?  Yes, increasingly so.  Do nothing and your fraud will rise.  Tell me I am wrong.&lt;/p&gt;

&lt;p&gt;5) If application fraud decreases and account takeover fraud increases will that only be in the financial sector?  Absolutely not.  Any account based relationship is a potential money spinner for a fraudster...see earlier post about Mexican bail bonds.&lt;/p&gt;

&lt;p&gt;So, here are a few questions which I will leave for you to answer:&lt;/p&gt;

&lt;p&gt;1) As a bank do you believe that you should be doing more to stop account takeover fraud, given that the overall fraud is rising but competitor organisations have already implemented technology to reduce fraud making you the easier target?&lt;/p&gt;

&lt;p&gt;2) As a non financial sector organisation do you believe that fraudsters are not looking at you as potential targets as online banking gets more secure?&lt;/p&gt;

&lt;p&gt;3) Do you not think as fraud rises and confidence amongst your consumers is falling, threatening the cost effective internet channels you want to grow, that your business does not need to consider stronger authentication?&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
In my opinion, account takeover fraud will continue to rise, with or without the credit crunch, but perhaps this crisis and the associated fraud losses incurred will be a catalyst for organisations to act.&lt;br /&gt;
&lt;/p&gt;
        
    &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?a=KioL2BqwRm4:goNob45hf5w:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/VeriSign-Identity-Trust-EMEA/~4/KioL2BqwRm4" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/10/how_is_security_affected_by_th.php</feedburner:origLink></entry>

<entry>
    <title>Mexican bail bonds</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/yc28bw_c_Zg/mexican_bail_bonds.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1390" title="Mexican bail bonds" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.1390</id>
    
    <published>2008-10-09T08:58:07Z</published>
    <updated>2008-10-09T08:58:59Z</updated>
    
    <summary> This is priceless. No really, this is a new fraud I had never heard about (OK the principles are nothing new, but the implementation is). According to the Guadalajara reporter, I presume a respected voice in the land of...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;&lt;br /&gt;
This is priceless.  No really, this is a new fraud I had never heard about (OK the principles are nothing new, but the implementation is).&lt;/p&gt;

&lt;p&gt;According to the Guadalajara reporter, I presume a respected voice in the land of Tequila, fraudsters have come up with an innovative way to defraud Joe Public and it goes something like this.&lt;/p&gt;

&lt;p&gt;Step 1 - Fraudster gains control of an individual's personal email account&lt;br /&gt;
Guess you are not surprised by this so far, it could have been Phishing, a Trojan delivering a key logger or guessing password reset questions.&lt;/p&gt;

&lt;p&gt;Step 2 - Fraudster emails all personal contacts stored in the address book of taken over account&lt;br /&gt;
OK still nothing new...what happened next?&lt;/p&gt;

&lt;p&gt;Step 3 - Email contains an appeal for funds, as the owner of the stolen account is in jail and needs money for bail&lt;br /&gt;
So I guess you have got this by now, but to explain fully just in case, perhaps the email looks like this:&lt;/p&gt;

&lt;p&gt;"Hi friends, I need your help.  Unfortunately I am in jail (again), of course I didn't do it but try persuading the Guadalajara police that.  I need your help to post bail, please send whatever you can (at least 1000 pesos) to the following bank account as soon as possible XXXX XXXX XXXX XXXX.  Thanks.  Jose."&lt;/p&gt;

&lt;p&gt;You might think that you would never have friends that would ask you for a contribution to help them out of jail and would dismiss it as a scam, so how can this be relevant to me?&lt;/p&gt;

&lt;p&gt;Well let's substitute the "bail" request for something closer to home, remember, this is an email you receive from someone you know and probably receive emails from regularly:&lt;/p&gt;

&lt;p&gt;"Hi friends, I need your help.  I am running the London Marathon this year and I promised to raise £1000, so far I am only at £300  If I don't get the full £1000 there are going to be a lot more homeless children so please donate (at least £10 ) to the following bank account as soon as possible XXXX XXXX XXXX XXXX.  Thanks.  John."&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Sounds more feasible?  &lt;/p&gt;

&lt;p&gt;How many times do you ignore spam from people you have never interacted with before? Probably always, you don't trust the sender, you don't trust the content.&lt;/p&gt;

&lt;p&gt;How many times do you ignore an email from a trusted friend?  You may be wary of opening a file supposedly sent from a friend, but would the above call for help go equally ignored?&lt;/p&gt;

&lt;p&gt;There is a level of trust you have established with your contacts which can be so easily abused by fraudsters.  Why?  Well, a user name and password are so easily stolen.  We need stronger authentication in the consumer space, but unfortunately it will require scams like this to occur before some businesses and consumers realise that.&lt;/p&gt;
        
    &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?a=yc28bw_c_Zg:9Zop4u2xz7c:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/VeriSign-Identity-Trust-EMEA/~4/yc28bw_c_Zg" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/10/mexican_bail_bonds.php</feedburner:origLink></entry>

<entry>
    <title>I'm Back!</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/xhItqQFUXic/im_back.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=1389" title="I'm Back!" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.1389</id>
    
    <published>2008-10-09T08:54:27Z</published>
    <updated>2008-10-09T08:57:16Z</updated>
    
    <summary>I'm Back Sorry for not posting, but I'm back now It's been a really busy summer for me, here is the reason..... I am very happy to say that I am now a father, a beautiful baby girl and things...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
        <category term="Consumer Authentication" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;I'm Back&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Sorry for not posting, but I'm back now&lt;/p&gt;

&lt;p&gt;It's been a really busy summer for me, here is the reason.....&lt;/p&gt;

&lt;p&gt;&lt;/p&gt;

&lt;p&gt;&lt;span class="mt-enclosure mt-enclosure-image" style="display: inline;"&gt;&lt;img alt="IMG_4447.JPG" src="http://blogs.verisign.com/identity-emea/IMG_4447.JPG" width="600" height="450" class="mt-image-none" style="" /&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
I am very happy to say that I am now a father, a beautiful baby girl and things have settled down well enough now for me to start blogging again, regularly.&lt;/p&gt;

&lt;p&gt;She also blogs herself, and I am afraid I won't be sharing a link to her blog or her name as you would probably be able to find the blog if you knew my surname and her first name.  Why don't I want you to find her blog? Well when my wife set up the blog she asked what she should or shouldn't publish, from a security perspective.  &lt;/p&gt;

&lt;p&gt;We defined a policy for the new person's blog as such:&lt;br /&gt;
- Only first names&lt;br /&gt;
- No surnames&lt;br /&gt;
- No details of where we live&lt;br /&gt;
- No plans for holidays&lt;/p&gt;

&lt;p&gt;Maybe I am being paranoid, but I know that it is part of my duty as a father to prepare her for life, online or offline.  &lt;/p&gt;

&lt;p&gt;If I made public her full name, the day she was born, the town we live in and other personal details like her mother's and father's names, I am already setting her up for an online fall.  The amount of information that is being published by people on Facebook and other similar sites is manna from heaven for fraudsters.  If you analyse what you need to take over a consumer's identity, the above information is a significant part.   &lt;/p&gt;

&lt;p&gt;And what about if we published when we were going on holiday?  It would only take a bad guy a little time to find out where we live, and know when is the best time to pay me a visit to relieve me of my treasured possessions.&lt;/p&gt;

&lt;p&gt;Just put it down to new parent paranoia...&lt;/p&gt;
        
    &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?a=xhItqQFUXic:XXV0kqRPBwc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/VeriSign-Identity-Trust-EMEA/~4/xhItqQFUXic" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/10/im_back.php</feedburner:origLink></entry>

<entry>
    <title>OAUTH and OATH - confusing?</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/wKOFq0R8XmQ/oauth_and_oath_confusing_1.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=990" title="OAUTH and OATH - confusing?" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.990</id>
    
    <published>2008-07-30T11:43:44Z</published>
    <updated>2008-07-30T12:38:33Z</updated>
    
    <summary>Just read an excellent post about the difference between OAUTH and OPEN ID. http://mashable.com/2008/07/28/openid-and-oauth/ The reason for this post is that I wanted to make sure that there is no confusion between OAUTH and another standard called OATH which broadly...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;Just read an excellent post about the difference between &lt;strong&gt;OAUTH &lt;/strong&gt;and &lt;strong&gt;OPEN ID&lt;/strong&gt;.  &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
http://mashable.com/2008/07/28/openid-and-oauth/&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
The reason for this post is that I wanted to make sure that there is no confusion between &lt;strong&gt;OAUTH &lt;/strong&gt;and another standard called &lt;strong&gt;OATH &lt;/strong&gt;which broadly fits in the same space.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Here is my understanding of &lt;strong&gt;OAUTH &lt;/strong&gt;with an example shamelessly taken from their web site to explain:&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;strong&gt;OAUTH &lt;/strong&gt;is a way for you to move from one site to a second site and grant temporary access there, so that the resources on the second site can be accessed from the first site.  Here is a good real life example:&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
"When a user wants to print a photo stored on another site, the interaction goes something like this: the user signs into the printer website and place an order for prints. The printer website asks which photos to print and the user chooses the name of the site where her photos are stored (from the list of sites supported by the printer). The printer website sends the user to the photo site to grant access. At the photo site the user signs into her account and is asked if she really wants to share her photos with the printer. If she agrees, she is sent back to the printer site which can now access the photos. At no point did the user share her username and password with the printer site."&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;strong&gt;OATH &lt;/strong&gt;on the other hand is a standard for sharing a second factor authentication token.  &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Imagine that you have 10 online relationships which are potentially interesting to a fraudster or contain sensitive personal information (such as Banking, Healthcare, Retail, Gaming, gambling, insurance etc.).&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
If each site provided you with a two factor authentication device (like a Vasco token or VIP Card) then you would need 10 tokens for your online relationships, obviously impractical and expensive at the consumer level.  &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;strong&gt;OATH &lt;/strong&gt;sets a standard where the consumer uses the same token across multiple sites.  &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
The first factor of authentication (i.e. user name and password) would likely be different at each site and is not part of the &lt;strong&gt;OATH &lt;/strong&gt;standards, and in fact hey guess what, this is where OPEN ID fits in.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
A real live example of &lt;strong&gt;OATH &lt;/strong&gt;working is the VeriSign &lt;strong&gt;VIP network &lt;/strong&gt;(enough plugging already, if you want to read more go to the VeriSign Site).&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
I have blogged before about my personal view on &lt;strong&gt;OPEN ID&lt;/strong&gt; and &lt;strong&gt;OATH&lt;/strong&gt;, but here is a simple diagram explaining that relationship.  &lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;img alt="ONLINEFEDID.jpg" src="http://blogs.verisign.com/identity-emea/ONLINEFEDID.jpg" width="480" height="360" /&gt;&lt;/p&gt;

&lt;p&gt;&lt;/p&gt;

&lt;p&gt;If I was to try and fit &lt;strong&gt;OAUTH &lt;/strong&gt;into the diagram I guess it would kind of fit across both the SITE ID part and the 1st FACTOR part as it is establishing a standard where sites can ID themselves to each other and allow the consumer to use their first factor of authentication to enable the sites to share the resources.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
Anyway, I see &lt;strong&gt;OAUTH &lt;/strong&gt;and &lt;strong&gt;OATH &lt;/strong&gt;and &lt;strong&gt;OPEN ID &lt;/strong&gt;living side by side.&lt;br /&gt;
&lt;/p&gt;
        
    &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?a=wKOFq0R8XmQ:qxYvsX8Uj4c:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/VeriSign-Identity-Trust-EMEA/~4/wKOFq0R8XmQ" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/07/oauth_and_oath_confusing_1.php</feedburner:origLink></entry>

<entry>
    <title>Stopping Card Not Present Fraud</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/_NbR6kfRn5E/stopping_card_not_present_frau.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=948" title="Stopping Card Not Present Fraud" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.948</id>
    
    <published>2008-06-11T14:04:21Z</published>
    <updated>2008-06-11T17:16:47Z</updated>
    
    <summary>Interesting article on "The Register" about a new way around an existing security measure in place to prevent online shopping fraud (http://www.theregister.co.uk/2008/06/11/plastic_fraud/). To summarise, when you shop online (or place a mail or telephone order) this is known as a...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;Interesting article on "The Register" about a new way around an existing security measure in place to prevent online shopping fraud (http://www.theregister.co.uk/2008/06/11/plastic_fraud/).&lt;/p&gt;

&lt;p&gt;To summarise, when you shop online (or place a mail or telephone order) this is known as a Card Not Present transaction, in other words the card is not physically present at the merchant when the transaction takes place.&lt;/p&gt;

&lt;p&gt;This means that the clever stuff in your card which authenticates it to the electronic Point of Sale machine can't actually work, hence if a fraudster gets all the numbers on your credit card they can commit fraud.&lt;/p&gt;

&lt;p&gt;A number of years ago, the financial industry (led by Visa and MasterCard) introduced a couple of measures to stop fraudsters just stealing the credit card details of others.  One is CVV2 (the three digit Security Code on the back of the card); the other, AVS (Address Verification Service), looks at the numbers in the address the card is registered to and compares them to the mailing address for the goods.  If they are different it is more likely to be a fraudulent transaction (i.e. a fraudster using stolen credit card details to order and send goods to another address).&lt;/p&gt;

&lt;p&gt;The fraudsters worked out that the AVS only checks the numbers in an address, and so have got around this by looking for addresses they can send the fraudulent goods to which have the same numbers in them as the real address (i.e. a house number of 12 and a post code of W4 2QR would be the same as a house number of 12 and a post code of E4 2RT).  &lt;/p&gt;

&lt;p&gt;Obviously this is not a perfect "workaround" for the fraudster but the article mentions a number of occasions where this has worked.&lt;/p&gt;

&lt;p&gt;Solving the Card Not Present fraud problem is a major priority for banks and vendors alike and I hope to post something soon about how VeriSign plans to stop this type of fraud....sorry to be cryptic, we have a solution we are very sure will stop this and most other types of CNP fraud, but until we have done our due diligence I am unable to say more...&lt;br /&gt;
&lt;/p&gt;
        
    &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?a=_NbR6kfRn5E:zX0G0YnW5Tc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/VeriSign-Identity-Trust-EMEA/~4/_NbR6kfRn5E" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/06/stopping_card_not_present_frau.php</feedburner:origLink></entry>

<entry>
    <title>Market Segmentation of your consumers needs to include security</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/udrAD5HtSGw/market_segmentation_of_your_co.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=937" title="Market Segmentation of your consumers needs to include security" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.937</id>
    
    <published>2008-06-06T10:35:22Z</published>
    <updated>2008-06-06T10:45:10Z</updated>
    
    <summary>As a marketer and a security professional, I think I am well placed to make a comment on an area I think this blog will repeatedly come back to. Segmentation. Now in marketing terms segmentation refers to finding similarities between...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
        <category term="Consumer Authentication" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;As a marketer and a security professional, I think I am well placed to make a comment on an area I think this blog will repeatedly come back to.&lt;/p&gt;

&lt;p&gt;Segmentation.&lt;/p&gt;

&lt;p&gt;Now in marketing terms segmentation refers to finding similarities between members of your existing or targeted market and tailoring the offering to them to ensure you attract and retain the highest number of profitable customers possible.&lt;/p&gt;

&lt;p&gt;It seems that the fraudsters have been doing the same:&lt;/p&gt;

&lt;p&gt;http://www.theregister.co.uk/2008/05/28/id_fraud_trends/&lt;/p&gt;

&lt;p&gt;Now no-one will be surprised to see this of course, especially if you are a security professional.&lt;/p&gt;

&lt;p&gt;In fact you probably do "Segmentation" in a way when you assess the risk of fraud for particular systems or customer groups, tailoring the security to where the need is.&lt;/p&gt;

&lt;p&gt;So I would suggest if you are a security professional reading this to think about two things.&lt;/p&gt;

&lt;p&gt;1)	Who within my customer base NEEDS the most security when they are accessing their account?&lt;/p&gt;

&lt;p&gt;2)	Who within my customer base WANTS more security when they are accessing their account?&lt;/p&gt;

&lt;p&gt;The recent survey from Abbey (part of the Santander banking group) in the UK said that 67% of their customers don't want added security, so what about the other 33% that do WANT it?  They will be more loyal customers if you are giving them additional benefit.&lt;/p&gt;

&lt;p&gt;What percentage of those 100% are high net worth individuals who NEED additional security?&lt;br /&gt;
&lt;/p&gt;
        
    &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?a=udrAD5HtSGw:RdpTPrLniiw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/VeriSign-Identity-Trust-EMEA/~4/udrAD5HtSGw" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/06/market_segmentation_of_your_co.php</feedburner:origLink></entry>

<entry>
    <title>Faster Payments in the UK</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/rriPhw7i82Q/faster_payments_in_the_uk.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=939" title="Faster Payments in the UK" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.939</id>
    
    <published>2008-05-30T10:36:58Z</published>
    <updated>2008-05-30T10:37:52Z</updated>
    
    <summary>Lots of newsfeeds this week talking about the move to faster payments in the UK and the welcome news that consumers (and business) will not have to wait up to 3 days for money to transfer between accounts. The Issue...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
        <category term="Consumer Authentication" />
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;Lots of newsfeeds this week talking about the move to faster payments in the UK and the welcome news that consumers (and business) will not have to wait up to 3 days for money to transfer between accounts.&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
The issue this raises is that consumers' accounts that have been compromised and are in fact being used for fraudulent transactions have to be detected faster (i.e. before, they had 3 days for the transaction to complete).&lt;/p&gt;

&lt;p&gt;This gives the banks in the UK a big challenge to make extra sure that the consumer logging into the account is actually who they say they are.&lt;/p&gt;

&lt;p&gt;My take is that risk based authentication can help in this area, looking at the nature of the consumer's log in (i.e. have they logged in from this machine before, from this geolocation, is this their usual log in behaviour?) along with two factor authentication.&lt;/p&gt;

&lt;p&gt;The bottom line is the UK banks have put a lot of work into making sure fraud does not shoot up with faster payments, I just hope that they are successful!&lt;/p&gt;

&lt;p&gt;&lt;br /&gt;
&lt;/p&gt;
        
    &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?a=rriPhw7i82Q:ejMIbpiQ_1I:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/VeriSign-Identity-Trust-EMEA/~4/rriPhw7i82Q" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/05/faster_payments_in_the_uk.php</feedburner:origLink></entry>

<entry>
    <title>Societe Generale and biometrics</title>
    <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/VeriSign-Identity-Trust-EMEA/~3/vc_7NMeLJPk/societe_generale_and_biometric.php" />
    <link rel="service.edit" type="application/atom+xml" href="https://blogs.verisign.com/cgi/mt/mt-atom.cgi/weblog/blog_id=18/entry_id=843" title="Societe Generale and biometrics" />
    <id>tag:blogs.verisign.com,2008:/identity-emea//18.843</id>
    
    <published>2008-05-05T16:58:31Z</published>
    <updated>2008-05-05T17:00:17Z</updated>
    
    <summary>As a security professional I am never surprised when security breaches occur such as the recent Societe Generale incident when a rogue trader wiped out a large proportion of their profits. By that I mean that they aren't the first...</summary>
    <author>
        <name>Mike Davies</name>
        
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://blogs.verisign.com/identity-emea/">
        &lt;p&gt;As a security professional I am never surprised when security breaches occur such as the recent Societe Generale incident when a rogue trader wiped out a large proportion of their profits.  By that I mean that they aren't the first and they certainly won't be the last.&lt;/p&gt;

&lt;p&gt;I only mention them as I read a story the other day that after the incident they are now looking at implementing biometrics to protect internal procedures.&lt;/p&gt;

&lt;p&gt;I have followed the biometrics industry for many years and have heard many issues about usability.  I truly hope that the latest generation of technology is robust enough as the false negative rates before had seemed to be too big a barrier.&lt;/p&gt;

&lt;p&gt;I hope that their implementation is successful, they certainly have had enough problems to deal with.&lt;/p&gt;

&lt;p&gt;From a consumer authentication perspective, I think that biometrics still have a way to go.  &lt;/p&gt;

&lt;p&gt;Some biometrics are already creeping into consumer authentication (i.e. some sites monitor how fast you type your keystrokes or some companies have established voice biometrics for telephone banking).  But these are usually used in conjunction with other authentication methods and I can see that not changing for a long time.&lt;/p&gt;
        
    &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?a=vc_7NMeLJPk:k3dZx81LzA0:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/VeriSign-Identity-Trust-EMEA?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/VeriSign-Identity-Trust-EMEA/~4/vc_7NMeLJPk" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://blogs.verisign.com/identity-emea/2008/05/societe_generale_and_biometric.php</feedburner:origLink></entry>

</feed>
