Symantec Connect - Security - Blog Entries

How to Defeat the Two-factor Authentication-Killing Malware

Marty Jost — Thu, 05 Apr 2012 16:18:43 +0000

A recent BBC article has shed further light on the fact that not all online security companies or products are created equal. According to the article, hackers have found a way around some banks’ two-factor authentication security devices and have gained access to customer accounts.

The article describes these attacks as “Man-in-the-Browser” attacks, where malware resides in the web browser on a person’s device and gets between the user and the website, changing what is seen by the user and altering their account information and finances without their knowledge.

The types of malware that are used in these attacks are specifically designed to avoid signature-based detection mechanisms so that some virus protection software will find it. This situation is terrifying to both users and banks, especially considering their multi-factor authentication becomes basically null and void when this malware attacks. Suddenly the thick iron wall of protection becomes little more than a sheet of paper trying to stop an attacking malware tank.

So what are banks, or any other business that relies on multi-factor authentication to do? Can this kind of Man-in-the-Browser attack be prevented? We’re happy to say that yes, this type of attack can be prevented and stopped.

First, users should have up-to-date security on their PCs, smartphones and tablets. Having appropriate protection will help guard against viruses and malware latching on to a person’s device. Second, there are currently a number of products offered by Symantec that can protect against this attack, even if the malware has successfully penetrated a machine or browser. Symantec saw this kind of malware threat emerging years ago and worked to build in new advanced detection mechanisms like Insight and SONAR to specifically confront this type of targeted malware.

While getting users to purchase or download this security is out of the control of a bank or business, it should definitely be suggested for partners and employees. When users, partners and employees take an active role in the security of their information, much progress can be made in protecting that data.

Businesses and banks should use Symantec’s strong authentication solutions such as VIP or Managed PKI products with some kind of additional hardware-assisted technology to defend against attacks of this nature. Essentially, this approach additionally protects user credentials by shielding them from the rest of the system so the malware can’t see it. Using these products will help make sure that even if a user, partner or employee has failed to update their security, or install any at all, their information can be protected when they access it online.

Banks and businesses will be most effective at thwarting this and other attacks and threats by combining VIP and PKI products with fraud detection, behavior based authentication, two-factor authentication and Insight Anti-Malware Intelligence.

By putting into effect these security measures, banks and businesses can rest assured they won’t find themselves the center of the next article about a successful malware attack.

Symantec provides seamless certificate management for Apple iPADand iPhone users

Marty Jost — Fri, 24 Feb 2012 23:24:27 +0000

According to a recent iPass Mobile Enterprise Report, iPhones are now more popular in enterprises than Blackberry and Android phones. With the growing popularity of iPhones and iPads in the workplace, it’s important that these tools have high quality security and certificate management.

Enter Symantec Managed Public Key Infrastructure (PKI) Service v8.3. As part of a larger mobile strategy, Symantec’s new Managed PKI v8.3 provides certificate management enhancements for Apple iOS devices. These enhancements significantly simplify certificate lifecycle management for enterprises when securing user and device authentication, email, data encryption, and applications that digitally sign data for business transactions.

We prepared these service enhancements to leverage the built-in Simple Certificate Enrollment Protocol (SCEP) found in iOS v4 and later. The interface also takes advantage of certificate management usability features built into iOS, allowing it to tell the device how to automatically configure itself to use the certificate without any snags, or hiccups. This means certificates can be executed on these devices with fewer headaches for both the IT department teams and the users.

This updated Symantec Managed PKI Service provides numerous service features for enterprises using iOS devices, including:

Easy to use, pre-provisioned certificate formats for enterprise administrators and a point and click set of selections for user enrollment options and the creation of SCEP certificate configuration protocols.
A Real-time, SCEP web services interface for iOS which includes the ability to download and iOS certificate configuration profile so that iOS can automatically configure itself to use the certificate it receives.
A simple web services integration API so that certificate-enabled applications and other management platforms such as mobile device management servers can fully automate user enrollment procedures and the configuration of devices to use certificates.

· Currently available integrated partner solutions for Mobile Device Management from FiberLink, Zenprise, Mobile Iron and soon Symantec Mobile Management.

Symantec’s Managed PKI comes with many benefits for both the enterprise as a whole, and the individual users of the service. Managed PKI is fast and easy to deploy, has a lower cost of ownership compared to a self-managed infrastructure, provides a High Availability (HA) service with 24/7 support and binding SLAs for 99.95 percent uptime and has had its operations and policy independently audited and accredited by KPMG, WebTrust and the U.S. Department of Defense.

The new benefits available through Symantec Managed PKI v8.3 include: Improved certificate management capabilities for Apple iOS devices, seamless integration with Symantec Mobile Management and 3rd party Mobile Device Management and a fully automated user experience for the acquisition and use of a certificate.

These benefits, along with the new features available through Symantec Managed PKI v8.3, will allow enterprises and users greater ease and less stress while using iPhones and iPads in the workplace. To learn more about how this announcement supports Symantec’s mobile strategy, go here.

Stronger Authentication Means Fewer Headaches in 2012

Marty Jost — Thu, 09 Feb 2012 17:55:51 +0000

This past year provided many important lessons in online security and protection. Based on these lessons and because of the numerous cyberattacks and threats in 2011, many organizations and businesses are currently revamping their online security guidelines and systems in an effort to improve authentication compliance and abide by authentication best practices.

In January, the Federal Financial Institutions Examination Council (FFIEC) recent updates to its Authentication Guidelines went into effect, requiring up-to-date and strong authentication compliance for financial institutions. The purpose of the guidelines is to “provide a risk management framework for financial institutions offering Internet-based products and services to their customers. Institutions should use effective methods to authenticate the identity of customers and that the techniques employed should be commensurate with the risks associated with the products and services offered and the protection of sensitive customer information” (See BankInfoSecurity for more information).

The Department of Defense (DoD) has also made updates to its authentication program, the Joint Personnel Adjudication System (JPAS). JPAS is a centralized security program that helps protect against unauthorized access to its networks and applications, comply with data protection regulations and enforce security best practices. As of January 21, 2012, non-DoD individuals in the JPAS program must use a digital certificate stored on a USB token or smartcard that has been issued by a DoD-approved External Certificate Authority (ECA).

Both the FFIEC and the DoD took note of the cyberthreat and attack lessons learned in 2011. In order for corporations to follow suit, they must implement authentication best practices that will more effectively keep their data and customer data secure. One of the most important solutions of identity authentication available to corporations today is two-factor authentication or risk-based authentication. Two-factor authentication helps corporations better protect themselves against hackers by requiring two methods of identity verification: a password (something the user knows) and an authentication token (something the user has). Risk-based authentication profiles a user’s device and their behavior to assess the risk associated with their activity and invoke secondary authentication when that activity appears to be unusual.

The popularity of smartphones and tablet devices represents a security opportunity for organizations – more users already have a device that could function as an authentication token to provide a stronger assertion of their identity to a wide variety of parties. Unlike traditional two-factor authentication token solutions, approaches that enable re-use of existing mobile devices are faster and easier to deploy, and more cost-effective to maintain. And, unlike traditional hardware tokens, users are far less likely to forget their mobile device at home. And using risk-based authentication mechanisms that profile a user’s device and behavior can provide similar protection, without any impact to a legitimate user’s experience.

Like this last year, 2012 will be full of cyberthreats and attacks. We can expect hackers will only increase the number and intensity of their attacks. Among the current threats to users of financial institutions is the Zeus Trojan, which the FBI is calling “Gameover” because once the hackers get a user’s financial information, it’s game over. In fact, so far in 2012 Symantec has seen over 200,000 attacks each day from criminals using the Zeus tool kit. The Zeus Trojan, as well as the recent DreamHost attack, prove the urgency corporations should feel about stronger authentication.

As corporations and organizations implement these and other authentication best practices, they’ll not only be keeping theirs and user data more secure, but they’ll also be better equipped to avoid finding themselves the subject of the latest hacked corporation news headline.

The Virtualization of Security and the Rise of Security as a Service

nicolas_popp — Mon, 06 Feb 2012 03:54:52 +0000

In the same way, the cloud emerged from software virtualization, cloud security can only emerge from the process of virtualizing security itself. As virtualization separated software from hardware, allowing enterprise software to freely move first across servers and eventually to external cloud infrastructures, security must now be separated from enterprise applications so themselves can be replaced with new cloud applications and eventually move to specialized clouds. Enterprises worldwide are already embracing the cloud for email, CRM, file sharing, collaboration, HR and other functional business applications. To properly manage cloud risk and compliance, IT needs a consistent way to inject its own security policy across cloud applications. Since these applications are operated by different cloud providers with different security capabilities, distinct security frameworks and diverse APIs, the security needs to be implemented outside these cloud applications.

That separation or virtualization of application security is the raison d'etre ofSymantec O3: the creation of a security control point outside the application and under the governance of IT. The cloud security gateway integrates with the legacy security infrastructure that it fully leverages to externalize application security. In doing so, the cloud security gateway separates the security infrastructure from the application infrastructure. The application software is then free to move to the cloud. The complex security infrastructure does not need to follow it. All IT security controls remain in place. This approach of security virtualization can be applied to any type of application, internal or external, whether it is running on a private or a public infrastructure. This allows CIOs to morph their cloud strategy overtime. An enterprise can start with SaaS and virtualized application running on a private corporate cloud. These private clouds can then transform into semi-private clouds (virtual private clouds or hybrid clouds). Eventually the whole IT infrastructure for application can be replaced with public clouds such as IaaS or PaaS. The security infrastructure, on the other hand can persist. The same security policies can be enforced. There lies the true benefit of cloud security virtualization: a single security infrastructure independent of the cloud providers.

What happens next? As CIOs become increasingly comfortable with not running the infrastructure, the complex security infrastructure must also go to the cloud. Security becomes its own cloud. The cloud transformation is complete. First the cloud security gateway, then security infrastructure as a service. Like virtualization was the catalyst for infrastructure as a service, the application security gateway becomes the catalyst for security as a service.

Can it mean that security companies must become specialized security infrastructure providers? Is their fate to become exclusive arm dealers to enterprise cloud builders, instead? Interestingly, security may well be the only viable answer to the infrastructure commoditization strategy embraced by the likes of Amazon and Google. This fact alone will make it worthwhile watching the enterprise security and infrastructure markets. So let us stay tuned. The security revolution is being televised. In fact, it appears that it will be streamed straight from the cloud.

Cybercrime and Mobile Finance: Like Flies to Honey

Brendon Wilson — Tue, 13 Dec 2011 17:40:20 +0000

Mobile wallet technology has once again become a hot topic in recent days, particularly around the potential security considerations related to these apps. The unavoidable truth is that whenever money is involved, mischief is sure to follow. I would guess this has been true since the dawn of currency.

Symantec recently published a paper detailing our stance that the widespread adoption of mobile payment-type technology will likely trigger a surge of mobile malware and in turn mobile cybercrime. The reason is that these applications rely on devices to transmit financial information – such as mobile banking credentials – backed by real monetary funds. If we’ve learned anything from the PC cybercrime realm, it’s just how lucrative the exploitation and sale of this kind of information can be for enterprising cyber criminals.

Despite all this, the business case and user benefits of technology that transforms mobile devices into financial tools, perhaps what we can call mFinance, cannot and should not be ignored, either. This goes beyond mobile wallet apps and includes mobile banking, online purchases performed via mobile devices and a handful of other mobile activities that involve digital or hard currency.

The fact of the matter is that the trend of using mobile devices as financial tools isn’t going anywhere but upwards. According to a research report by Berg Insight, the worldwide number of mobile banking users is expected to reach 894 million by 2015. And the Yankee Group is expecting to see one trillion mobile payments by 2015.

Thus, what the industry must do is figure out a better way to make sure that mFinance activities remain secure. There are many complexities involved in properly safeguarding devices against threats targeting mobile financial transactions. Once the transactions themselves are secured with proper encryption technology, mobile antimalware is a good next step. After all, malware is usually the backbone of the cybercrime arsenal. However, there is more that can be done.

One approach that can be taken to improve both the security and usability of mobile apps that access sensitive financial information is embedding strong authentication directly into the apps. An example of this is what one of our customers – a large financial institution – did with their mobile banking app.

By embedding Symantec authentication technology – Symantec Validation and ID Protection Service (VIP) – directly into their app, the financial institution’s mobile banking customers’ devices become a second form of authentication. Each time a user attempts to login to their account via the mobile app, a one-time passcode is automatically generated and validated on the authentication service’s backend. All this is accomplished without the user having to do anything but enter a four digit PIN. Thus, this technology’s ability to eliminate the need for users to enter in cumbersome user names and complex passwords every time they want to access their accounts thereby improves the user experience in addition to the bolstering the security of users’ account.

The widespread adoption of mFinance creates tremendous benefits and opportunities for end users, financial institutions, retail operators, carriers and third-party app developers. However, the industry needs to think outside the box in terms of security to make it a success. The same concept employed by the Symantec customer highlighted above can be implemented in a variety of different uses cases and serves as just one example of the unique strategies available to make mFinance secure and user friendly.

From Windows to the Cloud: "Nothing is created, nothing is destroyed, everything transforms."

nicolas_popp — Tue, 12 Jul 2011 16:23:38 +0000

Every so often in technology, new trends emerge to drive large changes to society by transforming our established computing paradigms. Cloud as a computing pattern is certainly not dissimilar. The cloud carries in itself all the genes of disruption that the PC, client-server and Web revolutions embodied before it. For many, cloud computing is the logical evolution of information technology towards the utility model. From an economic standpoint, it signals the great commoditization of IT.

When large technology shifts occur, opportunities arise for new and innovative companies to displace the large and sleepy incumbents within their core markets. To understand the cloud tectonic shift, and the potential losers and winners, I devised a simple visual representation that captures the competitive landscape of cloud computing. If one thinks of the traditional computing world as the "primordial Pangea", the old world appears as a highly coupled stack with devices on top, infrastructure at the bottom and applications and development platforms snugged in-between the two dominant businesses. Although simplistic, this representations has the merit to capture the market significance of companies such as Microsoft/Intel, Oracle, SAP, HP, IBM, Cisco and EMC (the device and infrastructure incumbents).

When the shift to the cloud happens, the old continents spread apart, and the original Pangea morphs into a "cloudscape". New major classes of devices platforms appear (mobile platforms in particular). The old core platforms have transformed and taken new names (SAAS, PAAS and IAAS). The four strongholds drift apart creating "seas" of opportunities for new intermediaries (the cloud brokers). who can integrate, secure and harmonize these new heterogeneous environments. Many of these new markets are still up for grab, but a few enlightened companies have already moved in a an attempt to capitalize on explosive growth as old budget money shifts towards the new models.

The four strongholds

The cloudscape shows the four old strongholds as four new distinct and decoupled markets. Furthermore, a new generation of cloud-enabled device platforms have emerged (IOS, Android...). SAAS are rapidly replacing traditional applications in the eyes of corporate users and consumers. For developers, PAAS are becoming the environment of choice for custom web service development and deployment. At the bottom, infrastructure is becoming a commoditized utility service. The four strongholds are still differentiated markets. No real consolidation has occurred yet, as the new players are too busy battling for supremacy within their own market. Each of the four platforms appear to present a significant business model with large ecosystems acting as powerful "moats" or barrier to entry.

IAAS and the commoditization of I.T. infrastructures

The most powerful stronghold may prove the IAAS since the business model is based on very large economy of scale with razor thin margins and high volumes that cannot be realized by new entrants who may lack the CAPEX muscle or the home-grown commodity technology to enter. The IAAS vendors are rapidly commoditizing the compute and storage stack. They are now walking up the stack to subsume middleware such as RDBMS (database.com, BigTable and the No SQL movement). The next target is the network infrastructure. Large virtual private clouds soon emerge that allow enterprises to create complex segmented networks without having to buy expensive networking gear. Corporate networks are built using virtual switches. They are secured by commoditized software appliance (virtual firewall, virtual IDS and virtual IPS) sold on a usage basis. As the IAAS market consolidates around Amazon, Google, a few large global Telcos, the old IT power houses (Cisco, HP, IBM) may still be able to carve out some land for themselves. Unfortunately, some of them have lost their strategic compass lured by the temporary gold rush of the so-called private cloud market, a desperate attempt to re-invent yesterday's "build-it-yourself" model of information technology.

The battle for Development as a Service (DAAS)

The cloudscape identifies and positions the main platforms tenants and their strongholds. For example, Amazon has a strong position in infrastructure as a service (IAAS), while Salesforce is a dominant SAAS vendor. Like OS vendors before them, both are vying to leverage their strength position to become the application development platform of choice. Amazon is betting on infrastructure for their unfair advantage. Salesforce is betting on corporate business data such as customer info and collaboration artifacts. Google's bet is on becoming "Office" for the cloud, thus owning corporate unstructured data. For new businesses like Zynga, infrastructure is king. For enterprises who need to build mission-critical business applications, data is queen. Google+ is more innovative than Chatter but Google needs to become enterprise-friendly (new DNA and a large M&A likely required).

The cloud brokers and the rise of the middle-man

Nevertheless, in between these giants, there is still ample room for trusted cloud brokers who can integrate business data across multiple cloud sources and provide business intelligence across all SAAS services. In fact, the map identifies very large intermediary opportunities. Cloud brokers can become significant disintermediation businesses. The distant and heterogeneous nature of the four large cloud markets creates a real opportunity for cloud middle-men to reduce the complexity of integrating, securing and brokering the capabilities of the new cloud platforms through a unified management interface. The "device management as a service" layer (e.g. VDI in the cloud) or user and SAAS management (e.g. SAAS marketplaces and SAAS data integration as a service) are examples of these new intermediaries seeking to capitalize on the plurality of devices and SAAS platforms.

Security as a fundamental ingredient (says the wishfully-thinking security guy)

Interestingly, Security emerges as a fundamental enabler. If one considers availability as a form of security, security is in actually relevant to all forms of cloud brokering. This leads us to believe that security companies could benefit from the new world balance if they can establish partnerships with the strongholds who are about to significantly impact the distribution of security services. Moreover, security assets provide a natural beachhead for security companies to extend into cloud brokering opportunities. Conversely, security M&As could become increasingly important to cloud platform vendors or cloud platforms wannabes in search of differentiation and higher margins.

Eventually, what the cloudscape demonstrates is that in the long run, information technology is not immune to the fundamental laws of physics. Cloud computing is undeniably disruptive technology. But, in the end, the four core business strongholds still exist, granted, under new names, forms and shapes. Under the tectonic shift of cloud computing, the whole industry landscape of information technology is about to radically transform under our eyes, reminding us once again of what an old French chemist taught us a few centuries ago: "Nothing is created, nothing is destroyed, everything transforms." -Lavoisier

Switching Authentication Providers: Three Key Questions

Brendon Wilson — Mon, 04 Jul 2011 21:26:12 +0000

Last week, the Australian online edition of CIO magazine published a great set of questions your CEO should be asking IT staff about replacing their existing strong authentication solution. Three key questions in the article are particularly interesting in wake of the recent news from RSA:

How much is distributing new tokens going to cost the organization?
When will we receive the replacements? Six months? Twelve months?
Are there any alternative two-factor authentication offerings that are lower cost and more convenient that would save the organization operating expenses without compromising security?

Most organizations seeking to mitigate the potential risk to their sensitive networks posed by the RSA breach have been distracted by the first question; however, many are now realizing that the replacement costs aren’t limited to the hardware tokens. In fact, as analyst firm Gartner has pointed out, there are numerous other incremental costs associated with replacement that may exceed the cost of the tokens, such as:

Administrative costs to receive, configure, and provision new tokens
Mailing costs to deploy tokens to remote users
Incremental licensing costs above and beyond the costs of the token hardware

Even if you’re one of the lucky few organizations for whom cost is not an issue, you may still face the challenge of getting replacement tokens in a timely fashion. For these organizations, the prospect of waiting six to eight months for replacement tokens is simply unacceptable. Which means the only viable option for most organizations is to replace their current solution with a secure alternative.

Symantec knows your organization can’t afford the time and money required to fix your current two-factor authentication solution. That’s why we're offering $5 (credited toward a 3-year subscription) to new customers for every SecurID they trade in for Symantec's VIP Authentication Service, a two-factor authentication service you can deploy in a matter of hours.

With VIP, your organization can use our free trial to start using the technology immediately to replace your strong authentication solution. And with VIP Access for Mobile, your users can turn their iPhone, Android, BlackBerry, or Windows phone (or any of the 800 other supported models) into a software token in seconds, eliminating the delay and cost of procuring and deploying hardware tokens.

Learn more about the VIP Authentication Service and how Symantec can help you deliver answers to the tough questions on the fastest, easiest, most cost-effective way to replace your two-factor authentication solution.

Announcing the Symantec Credential Exchange Program

Brendon Wilson — Thu, 09 Jun 2011 03:07:17 +0000

Given the events of the past 3 months, many of our customers have consulted us regarding mitigating the impact to their environment of the RSA SecurID breach. With the revelation that a breach at a major US defense contractor was perpetrated as a direct result of the attack on RSA, this question has become even more critical to answer. Time is of the essence for many organizations to protect their sensitive networks and applications from the fallout.

Symantec’s VIP Authentication Service is uniquely designed to address the concerns of customers impacted by the RSA SecurID breach, delivering:

A broad spectrum of authentication capabilities
Customers can deploy traditional two-factor authentication, out-of-band authentication leveraging mobile devices, and risk based authentication from a single vendor
Flexibility to deliver authentication capabilities tailored for any enterprise’s risk profile in today’s threat environment
Independently audited Symantec-hosted infrastructure with a proven security track record
15 years protecting critical Internet infrastructure from attack including DNS root servers and security root keys for the internet
Built on open standards
Transparent and vetted by top security experts as best in class
Unimpacted by recent RSA breach

To assist our customers and prospects in mitigating the impact, Symantec is currently offering an Symantec Credential Exchange Program (initially in North and South America):

Symantec will rebate $5 for every RSA token or credential replaced with Symantec’s VIP Authentication Service
This rebate will be credited towards a 3-year subscription and available from now until September 30, 2011 for customers looking for authentication solutions to replace RSA SecurID
Symantec offers FREE software based credentials for desktops and mobile handsets that enables customers to download and replace existing RSA SecurID tokens without the cost, delay, and effort of mailing replacement tokens

The total cost of ownership for Symantec’s solution is as much as 60% lower than the cost of RSA SecurID. With Symantec’s VIP Authentication Service, customers get a lower cost alternative they can deploy immediately to address any concerns they have regarding the security of their environment.

Can’t wait to replace your RSA SecurID solution? You can deploy the VIP Authentication Service immediately with our free 30-day trial.

RIP to SecurID

Christina Rohall — Wed, 08 Jun 2011 00:42:30 +0000

...on behalf of Kerry Loftus, senior director of product management, User Authentication.

RSA SecurID has a long history and the recent events have been shocking for anyone in the security industry. While the details of the RSA breach have still not been made public, the fact that its effect led directly to an attack on a defense contractor infer that the breach was serious and widespread. For security professionals working with smaller budgets to protect their infrastructure from increasingly more sophisticated attacks this presents an interesting question – ok, now what? There used to be a saying, “You’ll never get fired buying SecurID.” Now its quite the opposite.

So who’s on the shortlist? Lots of authentication companies are chiming in and speed is of the essence. But its critical that as customers are evaluating alternatives, they keep in mind a couple of basic tenets:

Security is more than a point solution. Authentication requirements vary by application, by data set and by end user. Point authentication solutions will offer a patch for now but the needs of the enterprise are broader.
Flexibility is key. Given varying needs across applications, data and users, having the flexibility to address these varying risk profiles in a single solution is critical.
The cloud makes you nimble. Authentication techniques have evolved greatly in 15 years—in fact, some may argue this was RSA’s general Achilles heal. There was little innovation and change in a solution that was at the forefront of protecting critical enterprise infrastructure and IP. Cloud solutions deliver this agility—they can ebb and morph based on relevant megatrends such as mobility as well as threat landscapes that may be driven from international espionage. Plug into a cloud solution that is centralized and can be adjusted to the here and now.
Vet the vendor. Who do you want to partner with in protecting your most critical infrastructure? Who will have the resources to ensure that the authentication solution you buy is relevant and will be relevant for years to come.

At Symantec, we have been working with customers in delivering the VIP Service designed to address the needs of today’s enterprises in protecting their most critical assets. Our VIP Service distinguishes itself from the rest:

Broad spectrum of authentication capabilities: From traditional two factor to out of band leveraging mobile devices to risk based authentication; Applicable authentication capabilities for any enterprise’s risk profile in today’s threat environment
Centralized in Symantec hosted infrastructure, protected by tried and true security: 15 years protecting critical internet infrastructure from attack including DNS root servers and security root keys for the internet
Built on open standards: Transparent and vetted by top security experts as best in class; Unimpacted by recent RSA breach

….All delivered by a proven vendor with a holistic approach to security. Be sure to check out a free trial of the VIP Service at http://www.verisign.com/authentication/two-factor-authentication/free-trial-vip-authentication/index.html

Latest News Headlines Further Highlight the Laxness of a Simple User Name and Password

Christina Rohall — Fri, 03 Jun 2011 01:19:44 +0000

Numerous headlines about a massive spear phishing attack on top U.S. officials’ Gmail accounts hit earlier today alongside articles covering the ensuing Weinergate “ordeal,” leaving many to wonder, “Could this happen to me?” If you use a standard user name and password to access your online accounts, the answer is, “Yes, it could.”

While nobody is immune to online security threats-- after all, there are no silver bullets -- people can arm themselves with information and technologies that will minimize the chance they will fall victim.

One such technology that became available this year for Gmail and Facebook users is 2-step verification, also known as 2-factor authentication, which businesses have been providing to employees for many years to prevent account takeover.

While the technology has been around for many years, two-factor authentication has become much easier to deploy and maintain, especially within the enterprise, thanks to cloud computing. One good example is our VIP Authentication Service. [We just announced yesterday that e-prescribing leader, DrFirst, will be using VIP to authenticate providers and enable e-prescribing of controlled substances.]

Adding an extra layer of security to personal accounts like webmail and social networking is a good idea, just like it’s a good idea to add another layer of security to access controlled substances. It’s tough to put a price on reputation and privacy. So if a site you frequent offers it, then enable it. As the old saying goes, use it or lose it.