Online Identity and Trust

VeriSign Shares Strong Authentication Development Tools with Mobile Developers in the Fast Lane

2009-04-21T16:21:23Z

We announced our new "Mobile Developer Test Drive" program today at the 2009 RSA Conference. By leveraging the VIP Access for Mobile SDKs, developers can easily and quickly create a pilot version to transform personal mobile devices into two-factor authentication credentials.

The pilot allows developers to test the functionality of the mobile application to see how simply they can integrate strong authentication with any J2ME and iPhone applications. Developers of mobile payment, mobile banking, m-Commerce and mobile social networking can also easily incorporate VIP open standards two-factor authentication into their applications and protect their users with extra layer security that goes beyond standard secure log-ins.

To find out more about our new VIP mobile developer test drive, please visit vipdeveloper.verisign.com. Please also send us your success story and feedback. We'd love to hear from you!

VeriSign Identity Protection for Mobile Expanded to Leading Mobile Phones

2009-04-20T16:12:52Z

With the success of VIP Access for iPhone, we are adding many leading phone models into our mobile credential family. In addition to iPhone, VIP Access for Mobile now supports more than 90 popular mobile phone models including all the popular BlackBerry models as well as the Motorola, Nokia and Sony Ericsson.

VIP Access for Mobile is an easy-to-install application that transforms leading mobile phones into strong authentication credentials. To discover the benefits of the easy-to-use and cost-effective VIP Access for Mobile, download VIP Access for Mobile from m.verisign.com.

We continue adding popular feature phones into our phone family each month. If there is a popular phone model you do not see on our current official supported phone list that you would like to be considered, please let us know!

VIP Access for iPhone Downloads Reach Record High

2009-04-16T19:55:30Z

We are very excited to share that our VIP Access for iPhone downloads has reached a record high. Downloads grew three times more than our previous record high this week.

We appreciated all the constructive feedback from our VIP users. Many users also wish more online banks, gaming and social network sites would sign up with VIP Network, so they can use one VIP Access credential anytime anywhere to secure their online accounts and online identity.

We also have had many iPod touch users ask to be notified when we include support for the iPod Touch. Although in our first release, we leverage SMS as part of activation process, we are reviewing other alternatives to enable iPod Touch users in the near future. Stay tuned.

If you have any suggestions, please email to vipmobile@verisign.com. We love to hear from our users.

VIP for iPhone is HOT at the App Store!

2009-04-15T00:01:26Z

What are the hottest applications you can get for your iPhone this week?

Check out Apple's App Store "What's HOT" category. You will see "VIP Access" for iPhone recommended for iPhone users. This is the only security application to receive the coveted endorsement from the App Store - What's HOT category this week.

This great mobile application turns your iPhone into your personal security device and adds an extra layer security for your online accounts at the 40+ members of the VIP Network - including eBay, PayPal, AOL, and GEICO.

Check out VIP Access on your iPhone and tell us what you think.

VeriSign App for iPhone lets you Protect Your Identity

2009-03-31T14:11:57Z

Starting today, millions of iPhone users can now protect their online identities with VIP Access! A free download from the Apple app store, VIP Access turns your iPhone into a VIP credential, which adds an extra layer of security to your online accounts at the 40+ members of the VIP Network - including eBay, PayPal, AOL, and GEICO.

+ Read the New York Times Article

+ Read our press release

Download the app using iTunes or your iPhone here.

---Updated April 3, 2009---

Here is the latest coverage:

4/2/2009: Two-factor authentication using an iPhone: Killer security app? – Andrew Patrick

4/2/2009: How to turn your iPhone into unbreakable security token – TG Daily

4/2/2009: VeriSign release iPhone VIP Access security app – Geek.com

4/1/2009: VeriSign App Turns iPhone into Security Device – Mac Evangelism

4/1/2009: Move Over Token! My iPhone Can do The Trick – Celent Banking Blog

4/1/2009: VeriSign VIP Access for iPhone Provides Additional Authentication Security - Mobile Content Today

4/1/2009: VeriSign ships OTP generator iPhone app – Finextra.com

4/1/2009: New VeriSign app offers better online security – TECH.BLORGE

4/1/2009: VeriSign releases online security application for iPhone – The Paypers

4/1/2009: New iPhone App Reduces ID Theft by Unique Password - InfoPackets

4/1/2009: VeriSign Offers Two-Factor Authentication for iPhone – IT Business Edge

4/1/2009: VeriSign app turns iPhone into security device - MacWorld

4/1/2009: VeriSign Powers iPhone Two-Factor Authentication - InternetNews

4/1/2009: VeriSign's free iPhone app secures passwords - InfoWorld

3/31/2009: An iPhone App for Security - BusinessWeek

3/31/2009: VeriSign Brings Authentication Tokens to iPhone - TidBits

3/31/2009: A safer iPhone – SiliconBeat

3/31/2009: What’s the Password? Only Your iPhone Knows– The New York Times Technology Bits Blog

3/31/2009: VeriSign Launches Online Authentication App For iPhone- WebGuild

3/31/2009: VeriSign password generator app for Apple iPhone- RSS For Gadgets

3/31/2009: Verisign launches secure password app: VIP Access - Textually.org

3/30/2009: VIP Access - iGoApps

---Updated April 21, 2009---

Additional News Coverage of VeriSign's new iPhone App

Broken Trust II: another victim on Facebook

2009-02-25T22:13:42Z

A quick update on the Broken Trust: when a criminal becomes your friend on Facebook story I posted a few days ago: as it turns out, it sounds like there are more victims of this scam other than my friend Beny and his friend Bryan. As you can see from this WPIX report Eileen Rodriguez also had her facebook account broken into and her friend Shaila lost $650 when she wired money to someone that she thought was her distressed friend.

Interesting to note that scam details were similar and the destination account was in the UK in both cases, which hints at the possibility that both scams were perpetrated by the same people. More troublesome was that Beny's case happened in Jan whereas Eileen's, according to WPIX, happened on Feb 8th which may show that Facebook was not able to block the attackers even after they got notice of the first incident.

The public tally so far is: 2 Facebook identities stolen, 2 friends scammed and $1793 stolen. I suspect there could be more, leave a comment here if you know of anyone else that may have been victimized by this scam.

Broken trust: when a criminal becomes your friend on Facebook

2009-02-21T00:29:55Z

Can you get scammed and lose money when you rely on social network sites to connect with friends ? Unfortunately the answer is yes.

A few weeks ago, my friend Beny stepped up to help one of his friends, Bryan, who was robbed at gunpoint in a foreign country.

We've all heard about friends getting in trouble during a trip, but what was new here was the fact that the distress call and help request came via Facebook status updates and instant messages.

As it turns out, the distress call was fraudulent and my friend ended up wiring a total of $1,143 to some fraudster account in England.

How could this happen ? Somehow, a fraudster got a hold of Bryan's Facebook username and password, studied his profile and started to reach out to his friends with the harrowing news and the request for help. The fraudsters were able to sound legitimate when instant messaging to Beny as they casually dropped bits and pieces of personal information that only Brian would know. Or, shall we say, only anyone with access to Brian's account would know. They went so far as leaving voice messages on Beny's phone asking for more money for Brian. After that, all that was left between the fraudsters and the money was Beny's good heart and a wire transfer.

Why are we seeing an increase in these types of attacks against non-financial sites (see also Twitter and Yahoo) ? Well, the answer is that fraudsters and criminals are always looking for the weakest link that can help them get access to your wallet.

Over the last 3 years, banks have stepped up their online banking security with measures such as second factor and risk based authentication. The bad guys did take note of that and are now trying to use the same tools they used against the banks to get access to your email, social network or work applications. There they can find information that can help them get access to your money without having to face the bank's security systems.

What is interesting about social networks is that it doesn't matter that you protect your own passwords, use the latest and greatest anti-virus or only transact with well authenticated EV sites. If any of your social network friends make a mistake and lose their Facebook or MySpace password, now your private information is exposed to a stranger or maybe even a criminal.

All that said, I'm a strong believer in the value of social networks and the hundreds of millions of people accessing them cannot be wrong: the power of sharing information online is really here to stay and we have only seen the beginning of this social fabric that we are building on top of the Internet.

What social network providers need to realize is that the growth and eventual monetization of these networks will depend on how well the user's data, identity and privacy is protected.

Beny will soon forget the $1000 or so that he lost, but I bet he won't recover his trust on social networks for a long time to come.

For more details on Beny and Bryan's case check the following video:

Watch out for the "Evil Twin" - Coming to a Hot Spot Near You

2009-02-03T13:53:53Z

Imagine this scenario. You have a couple of hours to kill, so you log onto the free wireless access at an Internet cafe and check your personal email, maybe even make sure your latest check won't bounce by logging on to your banking site. (Whoops, that's just me).

What if a fraudster had set up that free WiFi you just logged into? How much of your personal information was just compromised? Well, this nightmare scenario is coming true. It's so widespread that it has even earned its own nickname: The "Evil Twin." Fraudsters can easily set up a fake hub and even name it to look legitimate, by using the name of a nearby store or cafe. Some people have noticed this in airports.

But don't lose hope: the "good guys" at the WiMAX Forum have defined a security model using two-way mutual authentication and they are creating standards that will protect us from this kind of scam. WiMAX is one of the standards for mobile broadband. It's not fully adopted anywhere yet, because only some providers have adopted it as a standard. But some of the big chip makers will be baking it into devices in the coming years so it will become more widespread.

Today we are announcing that the WiMAX Forum has chosen VeriSign as the Certificate Authority to secure the certificates that will go on WiMAX-enabled servers and devices.

Our PKI Product Manager, Charul Sadwelkar took a few moments to answer some of my questions about VeriSign's role in the WiMAX ecosystem. Charul used to work in the mobile industry so he knows all the jargon and he explained all the competing standards.

Question: "Are there any competing standards to WiMAX today?"
Answer: "There are competitive technologies that are in various stages of evolution. The one most commonly cited is the "Long Term Evolution" (LTE) roadmap, which is the path taken by the GSM and the GPRS service providers. But we believe that they are a little bit behind WiMAX which is spearheading the high-speed mobile Internet access revolution."

Question: "As part of VeriSign's PKI service for WiMAX, are we using any proprietary technologies?"
Answer: "VeriSign takes pride in the fact that we are a standards-based PKI provider. For the WiMAX ecosystem, we are not doing anything proprietary, these are very standard certificates with profiles as specified by the forum."

Question: "When will WiMAX be widespread?"
Answer: "It is in pilot roll-out in a couple cities in the US and in some Asian countries where the landline infrastructure is not particularly strong. We expect that WiMAX will be available in a widespread in a year or two from now."

Listen to the interview with Charul

Learn More:
White Paper: Helping to Secure the WiMAX World: VeriSign WiMAX PKI
Service
Data Sheets: VeriSign WiMAX Public Key Infrastructure Service for Device
Manufacturers, and VeriSign WiMAX Public Key Infrastructure Service for Service
Providers

Welcome Name.com!

2009-01-29T00:18:53Z

Lately I seem to be posting notices about hacks and identity theft - like Monday's Monster.com news. Today's entry has a happier note - I'm proud to welcome Name.com to the VIP Network. Check out the press release and some of the reaction in the blogosphere.

A Monster Problem

2009-01-26T21:29:14Z

It seems like every day there's another headline about a major site being hacked with stolen usernames and passwords. Today it's Monster.com, which has compromised the passwords and personal details of thousands of recruiters and job seekers.

How many more of these breaches will it take for people to realize that just plain passwords aren't good enough?

Phishing is not just for email anymore: Twitter under attack

2009-01-07T00:39:45Z

I always find it interesting the way old scams are redressed for new and emerging channels.

That was the case during the last few days when Twitter users and employees found themselves under attack by phishers and hackers: follow these links to find a good account of the former and the latter.

Today I'll talk about the phishing attack, which consisted in luring people to give away their twitter passwords to a fake site, the novel aspect is that it used twitter-generated messages (Direct Messages) to propagate to your list of contacts (Followers).

This is all pretty similar to what we have seen with phishing via e-mail, but with two key differences:

- The first one is that e-mail phishing is a "mature product" where phishers are one cog in the big underground economy of stolen bank/e-commerce passwords and credit card numbers, whereas this twitter phishing looked like a "prototype". The good news is that apparently no big harm was done and the Twitter team reacted quickly to reset accounts. The bad news is that the twitter phishing prototype worked, and the bad guys will come up with ideas on how to use it more effectively.

- The second aspect, which I find more disturbing, is that the Twitter media is more time-sensitive than e-mail, capable of reaching a lot of people in very little time. That is why I think there is potential for much greater damage if you combine twitter phishing with events with intensive twitter coverage such as the Mumbai attacks.

A short-term measure that Tweeter could take to beef up its defenses would be to upgrade their SSL certificate to an EV cert and tell their users to check the green bar when they login.

In the meantime, my twitter guru Bob Angus tells me that some of the buzz in the twittershpere is that these attacks confirm Twitter's arrival as a relevant media.

These past attacks seem to confirm that at least the bad guys seem to agree with that.

Putting order into things (Part I)

2008-12-10T21:00:59Z

By Yohai Einav, Senior Fraud Analyst

A deserted street, night, a frightened old lady hops towards a policeman who just left the bar.
Old lady: "Please officer, this e-mail is trying to phish me!"
She shows a laptop to the Policeman.
Old lady: "My grandson gave it to me for my birthday, and he warned me of such things. Now it is trying to phish me!"
Policeman: "Let me see this".
The Policeman looks at the screen. He sees a phishing email.
Policeman: "Lady, do you have any idea what this is? This is identity theft! Wait a second; I must report this to my superiors right away!"

The policeman talks into his walkie-talkie:
Policeman: "Jim, I want to report an identity theft on 8th and Houston.... Yes, an old lady again.... Yes, her grandson... no, I didn't get the IP..."
The policeman leans toward the old lady.
Policeman: "You are lucky to still have your identity. Now go home and be sure to lock your firewalls."

The lady walks away. 2 minutes pass. Suddenly we see an old man running towards our policeman.

Old man: "It's a Trojan horse! He is coming for me!"

End of scene

(Taken from the new Harrison Ford movie, "Firewall 2: revenge of the firewall")

This scene (based on a true event), illustrates the pervasive confusion many of us suffer with all these security buzzwords flying around. This entry level post will try to answer such questions as "what do these buzzwords mean", and "how do they fit into a bigger picture".

Let's start with the bigger picture.

Bad people want your money
When bad people want your money they usually have such a plan in mind:
1. Steal your personal credentials
2. Penetrate your online financial accounts using these credentials
3. Move money from your accounts to other accounts
4. Take the money and run

That's the very big picture. Now let's get down to point [1] - steal your banking credentials. There are few common buzzwords that fall under this category: phishing, identity theft, Trojans.

"Identity theft" is certainly a very scary term: who wants his own personal identity to be stolen? How can you function as a human being without your identity? Well, you can't function, but luckily, the problem is not with you, but with the term. It is not inherently possible to steal an identity, only to use it. "Identity theft" is a misnomer, which actually has the meaning of our point [1] - bad people want to steal and use your credentials. So, when you are "a victim of identity theft", all it means is that bad guys stole some of your credentials - login, password, SSN, driving license number, birthday, etc.

Now, how can bad people steal your credentials? Two of the most popular means are also two of the most popular buzzwords -

Phishing and Trojans.
Phishing and Trojans are two ways of stealing your credentials. Phishing does it using mostly social engineering, while Trojans uses brutal force, and less social engineering. In a "phishing scam" (a.k.a "phishing attack") you receive a fake email, navigate from it to a fake banking site, and there, typically if you are a naïve person, you give away your credentials to the bad guys. And that's it.

In a Trojan scam, your computer gets infected with a Trojan horse - a type of malicious software which makes your computer perform undisclosed malicious functions; one of these malicious functions is to send personal credentials that were found on your computer to the bad guys. The exact techniques of how this is done are out of scope here, but the important thing is that you, the victim, give away your credentials without knowing you're doing so.

So we have two very different techniques that achieve the same goal - stealing credentials ("identity theft"). Yet the ways to protect yourself from these vicious means are completely different. In order not to be a victim of phishing you simply need to be less naïve and more aware of the threats of phishing. You could use software tools that filter and warn about phishing, but if you fall to social engineering, this wouldn't help you.

Trojan protection doesn't require a personality change. You can remain naïve, but you must install an anti-trojan/anti-virus software on your PC, and keep it updated at all times. In 99% of the cases, this ensures that no behind-the-scenes malicious function action is being performed on your computer.

So what should you do if an email tries to phish you in the middle of the night?

Exactly, call the cops.

CheckFree Hijacked Due to Poor Domain Registrar Authentication

2008-12-05T20:44:04Z

This just in from the Washington Post: CheckFree, a major online bill payment site with over 24 million customers, had their domain hijacked and redirected to a site that tried to install malicious software on users computers. This all happened because criminals stole the username and password for CheckFree's domain management account at Network Solutions.

Clearly the criminals who perpetrated this attack should be caught and prosecuted, but isn't it sad that such valuable assets are protected by just a simple username and password? If you run a website, your domain registrar has the keys to your online castle -- how could this not be protected by strong two-factor authentication?

PayPal: New "Key" on the Block

2008-11-24T19:48:24Z

Today PayPal launched mobile access for its Security Key. This means that along with the traditional token and credit card form factor, PayPal Security Key users can now get their one time password (OTP) texted to their mobile phone. This is very cool, especially if you're one of those people who use your cell phone for everything--phone, email, text, Internet, GPS, camera...and now you can use it to protect your accounts online.

The new SMS OTP for the PayPal Security Key is available to customers in the U.S., Australia, Austria, Canada and Germany. PayPal does not charge for the OTPs texted to mobile devices. To use the service, customers need a mobile device and wireless service set up to receive SMS text messages. It's that simple.

The PayPal Security Key is part of the VeriSign Identity Protection (VIP) Network. As part of this network, consumers can use the OTPs to protect their accounts on a variety of financial services and e-commerce Web sites like eBay, AOL, Geico, U.S. Department of Education, American Bankers Association, and many others. To activate your PayPal Security Key SMS functionality, go to https://www.paypal.com/securitykey

Why "Red Flags" would work

2008-11-12T16:52:57Z

By Yohai Einav, VeriSign Senior Fraud Researcher

The FTC announced last month that is pushing back the deadline for the implementation of the "red-flag" requirements for another six months. Under the "red flags" all financial institutions must develop and implement an "Identity Theft Prevention Program", which includes "reasonable policies and procedures for detecting, preventing and mitigating identity theft".

I'm pretty confident that somewhere in the world security chiefs are dancing in relief, and, on the other hand, so are many fraudsters (in their filthy underground caves).

FFIEC guidance and beyond
So why are fraudsters relieved? Because a well planned and implemented red flag program could actually slow the fraud business.

While the 2005 FFIEC regulations (or, "guidance") talked about using better locks to the gates of the castle (which is important, but castles tend to have windows and hidden entrances), the new requirements deal with fighting the enemy within the walls of the castle - inside the compromised accounts.

To put it in a less metaphorical way: today, most banks already implement some extra protectional measures at their login page, but only a few measures inside their online banking system itself. And as it seems, better protection of the login - a stronger authentication - does not completely stop fraud, but forces fraudsters to look for the "hidden entrances".

(Don't get me wrong - the FFIEC guidance was the cornerstone for all anti online-fraud legislation and the tipping point which propelled anti-online-fraud into the spotlight)

Taking care of hidden entrances
As it applies to many areas of life, the Pareto principle applies also to the fraud market: 80% of the fraud losses come from 20% of the scam patterns, and a well-thought red flags program will target exactly these 20% of the patterns. Here are a few required red-flags:

"Flag an account with a material change in purchasing or spending". This is a strong indicator for financial fraud - someone who suddenly changes his spending behavior - yet today only a handful of financial institutions have applied the mechanisms to detect it;

"An account that has been inactive for a reasonably long period of time resumes usage". This is really a common sense red flag, yet only a handful of banks today have the system to detect it.

"A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or member, such as recent and significant increase in the volume of inquiries, or an unusual number of recently established credit relationships". If you learn the behavioral patterns of an account, you could easily be able to find the out-of-pattern activities, and prevent fraud.

Simple? Yes.
Effective? Yes, thank you.
Would the red-flags policy create a fraud-free environment? No, but it should significantly reduce fraud. Remember the Pareto.
And what would be of the fraudsters? It would drive them away from the castle - and back to their filthy underground caves.