Online Identity and Trust

Real People Talk to VeriSign about their Online Identity

2008-07-02T17:49:38Z

We asked people on the streets of San Francisco about what they do online, how many passwords they have, and whether they think their personal information is safe.

"Any bill that I pay, other than my rent, I pay online"
"There's probably a lot of sites out there that have my personal information."
"Sometimes even with secure sites, hackers get through"
"Every time I use a credit card, I hope that's the only place it gets used."

Find out how VeriSign can help keep your online identity safe.

Online fraud: Thinking "outside of the box"

2008-06-23T19:00:43Z

By Yohai Einav, VeriSign Senior Fraud Analyst

I was on my way to the airport, chatting with my cab driver. After I told him my overused joke about the peasant, the seigneur and the miraculous goat, he asked me for my profession. "Oh, fraud?", he said. "You know, I almost lost $7,000 to card fraud last year".

So the sanguine driver told me how his bank called him, warning him he had gone into overdraft. When he investigated this he found that his Visa card had recently been charged with $6,000. He called Visa, and they told him - "Sir, didn't you make two £1,500 transactions in London two weeks ago?"

No, he was never in London. No, he rarely uses the British Pound in Israel.

"Time out", I said. "Credit card issuers know that this could happen, and no way could these two transactions have passed without Visa noticing them". Firstly, the amounts were high, and secondly, the driver's card had a consistent pattern of transactions in only one country. "Didn't Visa call you??" I asked. "No", he said, "the transactions were made on Yom Kippur, the holiest of the Jewish holidays, and no one in Israel was able to answer their phone". "No problem", the driver concluded, "Visa refunded my money the next day. They actually told me that they had dozens of fraud transactions on that same holy day".

I loved that story for one reason - it shows how the bad-guys constantly think outside the box. They knew that such a large scale scam would be detected on any other regular day, so they found a day when it wouldn't. They know what's inside the box, and then plan ahead.

Here's another story - a few years back I was analyzing a fraudsters' product called CC2Bank, which was basically a management tool for stolen credit cards. Release 1.3 of the tool enabled the bad-guy to type in any credit card number and learn the type of card, name of the issuing bank, the bank's phone number or the country where the card was issued. Yet it also had included another feature - "list of busy phone lines", with a geographical distribution of the phone numbers. Why was that of interest for the fraudsters?

Again - it was the think-outside-the-box attitude: on e-commerce sites the user needs to provide a phone number. So if you're a bad-guy you probably don't want to provide your home phone number, but you still need to provide some number. You obviously cannot use a random number, because the credit company is going to call it. So what do you do? You find a number that [1] geographically makes sense, and [2] is always busy. When the transaction validation call is made and the ringing tone is always be busy, the credit company will have to make a decision - are we going to pass on this transaction or not?

In most cases, you can already guess, such transactions will be approved.

This is not a new tactic, but a regular fraudster's strategy. Bad guys must use think-outside-the-box ideas since security companies already cover what ever is inside-the-box. The lesson for us in the security industry should be emphasized: never rest on our laurels; always try to cover what's outside of the box; occasionally think like a bad-guy; and never ever tell jokes about miraculous goats.

Consumer Security Goes Green at VeriSign

2008-06-20T00:39:16Z

Posted by Fran Rosch, VP of VeriSign Identity and Authentication Solutions

Living in California, I have tried to become as environmentally conscious as possible given the grim reports on climate change and rising sea levels. The major steps I have taken along with my family include installing brand new energy efficient appliances and significantly more insulation as part of our home remodel. We also implement smaller initiatives such as maximum recycling, eating organic and locally grown products and composting as much as possible. I have even given up coffee and my favorite Irish oatmeal because of the carbon required to ship these products such long distances. We also try (but usually fail) to restrict ourselves to bicycle-only transportation on weekends.

I know there is lots disagreement on whether these small actions actually make an impact but they do make us feel better. I also travel extensively for business which blows my personal carbon foot print sky-high regardless.

But, I have been thinking how VeriSign's VIP Consumer Authentication solution stands up against the competition as green or not. Traditional strong authentication companies sold by companies such as RSA and Vasco are software in-premise solutions based on proprietary solutions as compared to VeriSign Identity Protection ("VIP") which is network-based service driven by open standards.

For the software based solutions sold by our competition, an enterprise must purchase, install and manage a server infrastructure to validate the consumer's OTP (one-time password). There is a significant amount of energy used to manufacture these servers, ship them half way across the world and then power them 24x7. Never mind the energy use to develop the raw materials for the components. In contrast, VIP requires no infrastructure at the enterprise and uses a shared infrastructure installed at VeriSign's data centers. There is an immediate environmental savings by using shared infrastructure versus everyone operating their own. Using the VIP is like taking an electric high-speed train with hundreds of other happy passengers instead of each person getting in their own car by themselves and crawling along crowded highways.

Then I felt bad about all of those pesky plastic tokens that have been the staple of the traditional authentication solution market. Our competitors have manufactured and shipped over a hundred million of these devices which will eventually find their way to landfills across the globe. By using open standards and encouraging a diverse and creative ecosystem of credential providers, we can imagine strong authentication without any plastic tokens. By embedding an OTP generating into a device that a consumer already carries such as a credit card, mobile phone or PC, the industry can stop manufacturing security-only plastic tokens.

However, until all this innovation is fully ready for production, the VIP has another environmental benefit in that it allows the sharing of one credential across multiple websites. With traditional consumer authentication solutions, a consumer must have a separate token for each website requiring more materials, more manufacturing, more shipping and more eventual trash. This is commonly referred to as the "token necklace". With VeriSign, one device can be the key to many websites meaning the consumer will use it more and keep it longer resulting in less basura.

Finally, I thought what other environmental benefits could VeriSign encourage with our VIP product? Well, according to the survey results published by our friends in the analyst community, there are still millions of consumers who are too concerned with Internet fraud and security to use the Web for banking, shopping, healthcare, etc. If the VIP can help enterprises encourage these consumers to use more of the Internet for more of these activities and reduce their number of trips to the mall, that is a good thing for the environment.

VIP Developer Test Drive Update

2008-06-11T06:37:24Z

It's now been about two months since we announced the VIP Developer Test Drive, and it's been a great success! Nearly 200 developers have downloaded the API, and many have already gone on to integrate it into their own applications. Over at Sun, Jeff Bounds has blogged about his integration of VIP with Sun Java System Access Manager/OpenSSO, and even posted step-by-step instructions on the Sun Wiki.

So, have you downloaded the API yet?

Looking Beyond the Obvious

2008-05-28T07:54:40Z

Whenever anyone talks about typical authentication use cases, they inevitably use a financial institution as an example. "The user logs into his bank to perform a transaction." or "The bank issues the user a credential to protect his account." We use financial institutions as an example because it's an easy situation to explain -- you have a place with a lot of money, criminals like money, so we protect the money from the criminals. Simple, right?

But we should look beyond the "obvious" places where additional security is needed. If someone breaks into your online bank account and steals your money, it's almost certain that your bank will eventually cover your losses. It may be a giant headache for you, take a ton of time and effort, and it probably reduces your faith in online banking, but you will most likely be made "whole." But now what if someone breaks into your online health record? Or your email account? Or your social networking profile? Or your blog? Who's going to make you "whole"? Is that even possible?

Last week there was a great anecdote being discussed on a C|Net blog about how someone's instant messenger account had been breached by a password stealing piece of malware. The attacker got the victim's IM username and password, then logged in as the victim. The attacker then tried social engineering all of the people on the victim's buddy list, pretending to be the victim who was in some dire financial/legal predicament and needed money wired immediately. While none of the targets took the bait, what would have happened if they did? Nobody's going to refund the money they send off to some scam artist -- their bank is just following their legitimate wire transfer instructions, the instant messaging provider is providing a free service and disclaims all liability. But these people are just as much a victim of a weak username and password as our typical bank example.

Who thinks these people are going to continue to trust IM as a communications medium? Shouldn't we be protecting our most private conversations, and our actual online identity with something better than an easily phished username and password?

Money can be refunded, but trust and privacy can't.

5 Winning Strategies to reduce cost of Consumer Authentication from a Winner in Consumer Authentication

2008-05-17T00:06:23Z

Posted by Vijai Shankar, Sr. Product Marketing Manager

Consumer Authentication has been around for over 10 years in other countries, but here in the USA, adoption has been slow due to a myriad of reasons... the main one seems to be the perceived high cost. As you've probably gathered by now, we don't think it has to be that costly, so we developed a new whitepaper on "5 strategies to reduce the cost of consumer authentication". I know you're thinking this has to be pure marketing fluff, but I think you'll find some nuggets of info in there that are worth exploring. After all, we must be doing something right, we just won the Network Products Guide 2008 Product Innovation Award.

Don't forget:, if you want to test drive VeriSign Identity Protection Authentication Service and see how easy consumer authentication can be, download the APIs for free and check it out. You can join the growing team of test drivers, which has now exceeded 100 within a few weeks of its inception.

~Vijai

Online Fraud: Start with the "Why"

2008-05-05T22:25:09Z

By Yohai Einav, Senior Fraud Analyst

I have six friends that serve me true
Their names are Why and What and When
and How and Where and Who.
-- Rudyard Kipling

Why quote Kipling in an online identity blog? According to all his biographies, Kipling was never a victim of identity theft, nor did he ever write a blog.

But Kipling knew something about the 6 W's, something that we, in the security industry, often forget: starting with the "Why."

Have you noticed the phenomenon: every discussion about identity theft, security and online fraud - starts with the How and What questions:

"How do fraudsters attack banks?"
"What technologies are fraudsters using?"
"What is the damage to customers?"
"What can we do to protect ourselves?"

All good questions. But, the first thing we should ask is "why?"

"Why am I being attacked?"
"Why am I a target?"
And, of course, "why isn't my competitor a target?!"

When you think of it, all banks are good sources for money (yes, they really are!), but, for some reason, not all banks are attacked by fraudsters. As I see it, not all fraud targets are born equal: there are the preferred and the less preferred. Where do you want to be?

A good example for the "Why" is Phishing:
Phishing is a huge, worldwide phenomenon. Millions of phishing emails are sent every year and thousands of new phishing sites are created every month. But the list of entities being attacked is quite constant. And you usually see a trend of bursts of phishing attacks against a specific target.

Why?

Well, fraudsters constantly look for new hacks in banks' security, and once they find one they attack with full force (by the way, when I say "hack" I don't necessarily mean technological hack, but a "hack" in the bank's security procedures). This means that if you see your bank has a sudden increase in phishing attacks - start looking for loopholes in the bank's perimeter security.

A true story: one of the largest US banks saw a surge in phishing attacks against it a few years ago - from separate attacks here and there to hundreds of attacks a day. Why did this happen? The bank asked itself the same question, and began looking for security hacks. Finally, the bank discovered that it allowed users to change their PIN through an automated answering service using "easy to get" credentials. The bank disabled this 'feature', and the phishing surge stopped. The bank was no longer a preferred target.

Asking "how do the fraudsters conduct their attack?" or "what is the attack's origin" misses the point. Asking the accurate "why" question can help avoiding the How's and What's. Understand why you're a target, then take the measures to make yourself a non-target.

Even Kipling knew it, and he lived in the days where dial-up connection was a dream. Imagine that.

How VIP Helps George

2008-05-02T19:21:32Z

We had a little fun with a whiteboard, magnets, some goofy voices and a video camera. Take a look at the premiere of "How VeriSign Identity Protection Keeps George Happy and Safe Online".

Calling all developers!

2008-04-07T17:00:00Z

Say you've got a web application that you develop, and you want to provide your users a stronger form of authentication beyond a simple username and password. Or your users have been asking about two factor authentication, but actually implementing it never moves up on the priority list because your boss thinks it's too complicated, will require months of coding, and a giant new server farm to handle the extra authentication. Or you've got a PayPal Security Key or VIP Security Card and want to enable your own site to use it.

Welcome to the VIP Developer Test Drive!

Today we announced that we're making the API to the VIP Authentication Service freely available to developers to try out on their own. No salespeople to call, new servers to install, or paperwork - just fill out a simple web form and download. We'll give you the API documentation, SOAP WSDL, and access to your own little corner of our pilot web service.

Why are we doing this? Well, because almost every time we meet with a company's technical team, they start out skeptical -- integrating the VIP Authentication Service can't be as easy as we say it is. So we send them the API, they check it out, and then reply back, "You're right, it really is that easy." Now we're cutting out the middleman and letting you download it on your own.

We're also looking to see what ideas the developer community has for this technology. Through our experience with OATH, we've been amazed at the innovation that can happen when technology building blocks are just put out there available for anyone to use. So let us know what you think!

Now let me be clear: the Test Drive is designed for developers. There's no point and click GUI or fancy installer - it's a SOAP web services API. If you've ever written a web services client, it should be very straightforward. If you haven't, that's cool too -- we've got sample code for Java (using Apache Axis 1.4) and C# (using .NET 2.0) to get you started.

Check it out at http://vipdeveloper.verisign.com. Comments or questions? Comment below or email us at vipdeveloper@verisign.com.

Here's another incentive: 5,000 FREE CREDENTIALS to Join the VIP Network

2008-04-02T22:32:06Z

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

I posted earlier today about the difficulty in remembering passwords, security questions, our daily tasks etc. and mentioning consumers to ask organizations to introduce secure, yet painless authentication methods. Here's another incentive for organizations to make life easy yet secure for consumers at a lower cost. VeriSign is now offering up to 5,000 FREE CREDENTIALS to each organization joining the VeriSign Identity Protection Network by Sept 30, 2008. This is a great incentive for organizations looking to deploy strong or two-factor authentication and be a part of a Network enables consumers to use a single credential across multiple site. The timing is opportune. With quite a few folks from the security industry at the RSA Conference next week in San Francisco, if you want to know more information stop by the VeriSign Booth # 1316 at the conference and we can help.

~Vijai

We all need an easy and secure login access

2008-04-02T16:50:01Z

Posted by Vijai Shankar, Sr. Product Marketing Manager at VeriSign, Inc.

We are seeing more and more articles about the difficulty remembering username and passwords. To add to the list along with our other stuff to remember i.e. household chores, birthdays etc., we now have to remember the new trend of security questions along with username and passwords. I was having a problem logging into one of my student loan accounts, which not only had a username and password but a set of security questions in a PARTICULAR order. Phew, needless to say I was locked out and had to call in, listen to some crazy call center music and after 15 minutes of waiting, spoke to an agent to unlock my account.

I saw this article in The Wall Street Journal about the daunting task of managing passwords, a complicated system she came up with, aggravated by the added task to manage answers to security questions. Can't we make all this simpler and yet secure? How about a stronger authentication and painless authentication process like using a single device be it mobile phone, tokens, SMS etc. to generate unique codes eachtime at all my online sites? How about asking your organizations that you transact online with to join a trusted Network that enables you consumers to use a single credential across multiple sites thus offering secure yet painless authentication process? The answer is right here, the VeriSign Identity Protection Network. Now is a great time for your organizations to join and be a part of a Network that will drive consumer adoption across the globe.

~Vijai

Security is for Teenagers, Too

2008-04-01T21:38:13Z

Posted by Kerry Loftus

I drove my 13-year-old and his friends to one of their activities recently (yes, I have a minivan) and their conversation was really interesting and eye opening. I quickly called my gal pals in Erie, PA to find out if they were hearing the same and got the affirmative so this is not just a 'valley' phenomena. All of our kids are online and many are using various email, IM and social networking applications. Did you know that they all know each other's usernames and passwords? If they don't know the password part, they can very quickly guess (I chimed in at one point and asked them if they knew anything about 'strong passwords'-- most of them replied that they just use 'password'!). They didn't really think protecting the information was important.

It's probably harmless to sign in as your friend on IM and send one of the girls in your class a provocative message, but couldn't that be the tip of the iceberg? What about online harassment when pranks become more than just kid fun? Our kids are revealing more and more of themselves on the public internet everyday through these applications and many of us have done the right parental things in response. We know to put the computer in a more public spot in our house; we know to ask what they're doing online and periodically check over their shoulders. But did you know how easily kids can "become" each other online? By logging in their email, IM and social networking sites with their guessable usernames and passwords, it's pretty easy to impersonate almost anyone they know. In addition to these guessable usernames and passwords, I'd like to see my teenager's accounts protected with something he physically has in his possession (enter a second-factor one-time password credential). Let's give our kids real, permanent control over what they want to communicate to the rest of the world.

I'd say old chap- you are reading your survey all wrong!

2008-03-31T23:48:59Z

Posted by Jen Gilburg

Last week a news headline from across the pond proclaimed:

"Abbey wary of two-factor authentication. Bank decides against password verification devices because customers consider them a hassle."

Turns out Abbey, a major retail bank in the UK, did a survey on strong authentication. Turns out that two-thirds of those surveyed did not want the "hassle" of two-factor authentication. Turns out those surveyed even poo-pooed challenge questions.

So Abbey decided to act on the survey results. They decided to do nothing. And they decided to shout it out for all (including the fraudsters) to hear!

I question which business schools their marketing folks graduated from.

I wonder too what context the survey questions were raised (perhaps a brief explanation of how two-factor authentication protects against phishing would have been in order!). I wonder if the mere 1000 users surveyed really represented the fraud concerns of their overall user population. I wonder if they bothered to survey any of their customers who were not using their e-banking services- perhaps because of fraud concerns. And most importantly I wonder if the one-third of respondents who wanted stronger protection against fraud will take their business elsewhere...

Now here is a different survey. It is one we did last summer of customers who were using our VeriSign Identity Protection (VIP) Network. Those who were actually using two-factor authentication to protect one or more of their online accounts. Of those surveyed 81% thought it was easy to use. And over half wanted to use their same token at their broker, healthcare provider and gaming site.

If I were a marketing person at an online outlet- I would figure out a way to leverage those statistics to attract customers away from the Abbey banks of the world who are not taking customer's fraud concerns seriously. "Hey- you with a PayPal Security Key- come use it over here".

At minimum- what Abbey should do is to offer strong authentication to the users who want it. Isn't it a much better strategy to offer security as an option versus risking losing customers to those who do?

The true cost of online fraud

2008-03-21T22:12:53Z

Posted by Vicente Silveira, Sr. Product Manager for VIP Fraud Detection Service

The never ending parade of consumer data leakage and the inevitable fraud that follows added another participant this week with the Hannaford incident. This time, the damage amounts to 4.2 million credit and debit cards being compromised. It is early to tell all the ramifications of this incident, but the unraveling already started with the first salvo of class-action lawsuits against Hannaford.

When I see something like this happen, I'm always left to wonder: what is the true cost of a fraud incident ?

Looking back to some of the high-water mark incidents of the past we can have some hints of what the direct cost involved may look like. Take TJ Maxx for example: back in January 2007 TJ reported a 45 million (or 94 million) card compromise, which was followed by an estimated $68 million to $83 million in fraud losses on Visa cards alone. All this damage led to legal action and a settlement last September with TJ reserving more than $120 million to cover for it. Fast forward to the beginning of this week, and TJ is still in the news with a massive notification campaign that has been kicked off with mailings, magazine and newspaper adds to try to reach customers that may have had their cards compromised.

Based on all of this, it shouldn't be unreasonable to think that the direct costs associated with this fraud incident are north of $100 million dollars, specially when you include legal costs, advertising and G&A overhead to manage all the mess. All the urgent security assessments, patching and fixing shouldn't have come cheap either.

The indirect costs are harder to access but in my view even more dramatic: one can only imagine the amount of brand damage when you have to engage tens of millions of your customers repeatedly over more than one year, reminding them you didn't manage to keep their sensitive data safe. The cost goes up and is shared with all of us with the broader backlash against e-commerce and online businesses in general, where consumer confidence is melting away faster than I can say Global Warming. We are already seeing that in the polls: according to a recent YouGov survey in the UK almost half of the women in Great Britain would be ready to stop shopping and banking online in order to reduce their risk of ID fraud.

It got to a point where even corrective and preventive measures are becoming vectors for data leakage, such as this bank's attempt to notify one customer about a fraud issue in his account ending up compromising information on other people's accounts.

Sooner or later we will have to implement pro-active, stronger security measures for the broader online infrastructure, the only question is how much organizations and consumers will have to pay until that day arrives.

What's your online persona worth?

2008-03-12T22:15:12Z

Posted by Vicente Silveira, Sr. Product Manager for VIP Fraud Detection Service

If you live in the UK, the answer would be a little over twenty thousand dollars (at current exchange rates) for the average adult internet user, a nice bounty for phishers, bot herders, malware coders and other cyber-criminals to go after.

This is based on highlights of a recent YouGov survey that estimates European Internet users are risking up to 1.6 trillion dollars by sharing personal and financial data with sites that are not adequately protected, with UK Internet users responding for a 731 billion chunk of the total amount.

What the research also suggests is that the ubiquity of social networking and other data sharing sites has increased dramatically the quantity and sensitivity of the information available on the web, with users volunteering more and more details in order to complete their profiles, make more friends or establish new connections. Many consumers are giving away their date of birth (75%), their home address (70%) and even their mother's maiden name (68%). People sharing such data may not realize that it is not too hard to aggregate all this information and use it to compromise internet banking accounts and other sensitive online applications.

That is why consumer education plays a key role in making sure users understand what is appropriate to share and where to share it. And believe it or not some of it is working, as the YouGov research shows that consumers are becoming more aware of security symbols such as the padlock (69 percent) or a security mark like the VeriSign® Secured Seal (41 percent).

Moving forward, tools such as Microsoft IE7 and EV certificates will ease the learning curve, but at the end of the day good old common sense continues to be key when deciding whether to share sensitive data online.