Making mobile banking safer

Jan 15

There’s been recent news discussing the vulnerabilities of wireless apps for the banking industry and how they could impact users. As the number of Americans regularly using mobile banking services continues to grow, security concerns will grow along with them.

The challenge for banks is to consider all of the potential vulnerabilities in their implementation so that they can mitigate risks effectively, while managing the delicate balance between extra layers of security and user experience.

Here are a few recommendations that banks and financial institutions may want to consider:

Deploy strong or two-factor authentication that goes beyond the traditional username and password. If username and password are compromised, the fraudster still needs the second factor to gain access to an account. With our VIP mobile SDK, banks can enable a silent user experience for a second factor of authentication allowing greater security without negative impact to usability.

Implement fraud detection and transaction monitoring. If a hacker gets past the front door, real-time fraud detection services can automatically detect novel attacks by recognizing abnormal patterns in user behavior.

Avoid storing sensitive personal information on mobile devices, where it can easily be retrieved. For any information that a bank may require users to store on their mobile devices, banks should leverage platform secure storage together with encryption and obfuscation techniques.

To find out more about the solutions that can help protect your bank and customers, check out these resources:

Resources:
VeriSign Identity Protection (VIP) Authentication Service
Mobile SDK
Fraud Detection Service (FDS)

There is no silver bullet security solution or service that will protect everyone from everything. However, banks and other financial institutions should always consider a layered approach to protect themselves and their customers.

Posted by VIP Team on November 15, 2010 3:03 PM

Password should not be your "password"

Jan 15

The recent Gawker database breach is yet another reminder of the weakness of the traditional “username and password” form of security. Previous database breaches, like this one, have shown that users do not realize how vulnerable they are making themselves and potentially their employers to identity and data theft by using weak passwords.

Steve Ragan of the Tech Herald wrote a story that includes a list of the top 250 passwords used by the Conficker Worm that you can read here. The list of passwords is truly impressive and includes many of the classics, such as “12345,” “qwerty” and of course “password.” It is surprising and concerning that these passwords continue to be used time and time again.

With the exposure of all of these passwords, we can’t help but emphasize the value in providing strong (or two-factor) authentication with solutions like our cloud-based VeriSign Identity Protection (VIP) Authentication Service. Strong authentication can be especially critical to the enterprise where mobile employees, partners and customers are logging in and accessing sensitive data.

As these types of breaches continue, more and more enterprise and consumer users will be put at risk. The “username and password” system is an antiquated system that can’t be relied on to protect sensitive information. Additional layers of security are needed to protect users, enterprises and sensitive data and that starts with adding strong authentication.

Posted by VIP Team on December 17, 2010 3:43 PM

VeriSign Customers Honored by Computerworld

Nov 28

Congratulations to Addison Avenue Federal Credit Union and the U.S. District Court in the District of Columbia, both of which were designated as Laureates by the Computerworld Honors Program. In addition to this honor, Addison Avenue Federal Credit Union was also named as a finalist for the Computerworld 21st Century Achievement Award, an award that honors and documents the extraordinary innovations of individuals and organizations that are leading the global IT revolution.

Addison Avenue Federal Credit Union
Addison Avenue offers its customers the VeriSign Identity Protection (VIP) Authentication Service, a cloud-based, strong authentication service that delivers an additional layer of protection beyond simple username and password. Addison Avenue was the first federal credit union in the U.S. to offer VIP Authentication to help its customers protect their account access and information against fraud or theft. The Addison Avenue case study can be found at this link.

Magistrate Judge for the U.S. District Court
On Sept. 26, 2009, the Honorable John M. Facciola, Magistrate Judge for the U.S. District Court in the District of Columbia, issued the first digitally signed judicial order in U.S. history, which was built on VeriSign’s Managed Public Key Infrastructure (PKI) Services

Qualys provides VIP Protection to its customers

Nov 28

At this week’s RSA Conference in Europe, Qualys announced that it will now offer its customers strong authentication protection with our VIP Authentication Service. VIP will provide users of QualysGuard® a safer and more secure way to access and manage their accounts.

Qualys is the latest VIP customer to implement our leading cloud-based authentication service that allows enterprises to secure online access and transactions to obtain compliance and reduce fraud risk. As with VIP, QualysGuard is a SaaS service that requires no on-premises hardware to purchase and deploy. Both companies are continually striving to make the adoption of cloud computing safer and easier for organizations of all sizes.

To download a FREE VIP mobile credential for your Android®, iPhone®, Windows Mobile®, BlackBerry® handsets or most of the devices using the Java 2 Micro Edition (J2ME) and BREW platforms, click here for more details.

Posted by VIP Team on October 15, 2010 9:40 AM

Cloud-based Authentication Matters Here

Nov 27

Han Dong, Senior Manager – Product Marketing, User Authentication

Thinking of moving your productivity apps to the cloud? Several tech-savvy folk like you have already deployed or are in various states of making the move to leverage an increasing number of enterprise productivity apps that live in the cloud. Just consider the benefits of cloud-apps:

Zero infrastructure investment / capital expenditure (for typical server & software installation, on-going care and feeding, etc.)
Quick-and-easy deployment and provisioning of applications (no need to install software on redundant servers or on every desktop), including multi-tenant (disparate organizations) sharing of pooled resources (of host CPUs, system failover, etc.)
Built for reliability, availability and scalability (RAS) – and thus allowing you to optimize cloud-app access, based on target SLAs, peak utilization, and data protection (fail-over, backup, mirroring, etc.)
Subscription-based “pay-as-you-go” consumption model (less expensive than big one-time license fees plus annual maintenance) – aka “Utility-computing model”
Centralized management, reporting, and maintenance

So if cloud-based services are the panacea for enterprise apps, where are the holes?

Granted you do have to relinquish some control over your IT infrastructure, since much (if not ALL) of the IT infrastructure is located off-site, in the cloud, and managed by a trusted 3rd party. But if ultimately your primary concern is to deliver access to important apps to your users and if doing it in the cloud is somehow more efficient and more cost effective, wouldn’t this scenario at least save significant IT budget spending – certainly in a budget-strapped, IT resource-constrained environment?

You may ask, what about security? Ahhh, the magic word…. Well, it turns out that while Cloud-based apps provide all the great taste of on-premise enterprise apps with fewer IT administrative calories, many of these apps have not addressed the necessity for stronger authentication – to ensure that users who access cloud-apps (and more importantly critical / confidential data) are legitimate and properly verified and authorized to have this level of access.

Two recent articles, one from the New York Times (Cyberattack on Google Said to Hit Password System, by John Markoff) and another from TechCrunch (Los Angeles Bureaucrats Question The Transition To Google Apps, by Leena Rao), give real-world examples of exactly what can happen with popular cloud-based apps. The theme in both is consistent with this very concern about the security of cloud-based apps. Cloud-based apps: been there, done that. But now how are you going to protect users of these apps from getting spoofed or phished?

Strong authentication is what matters here. And VeriSign is committed to the cause of protecting user access with a number of solutions from PKI-based digital certificates on Smart Cards to One-time password credentials for Two-factor Authentication and Risk-based Authentication that leverages “behind-the-scenes” intelligence to monitor, analyze, and protect users from ID theft.

Password for my password

Nov 27

I just read an article in CNET, by Jonathan Eunice, Character limitations in passwords considered harmful. And immediately after reading the story I thought to myself, Jonathan (may I call you Jonathan), we have the answer to your troubles. It’s called VeriSign Identity Protection (VIP) Authentication Service and it’s precisely what you need to address your goal to have strong authentication for your “4,000 web services.”

Jonathan’s article described how various websites frequently restrict your ability to create ‘stronger’ passwords that use symbols (e.g. !@#$%^&), and thus relegate the user to simple (and easy to steal) phrase or nickname passwords. So he is thwarted in his attempt to use a password like “Ga9i)t|Z” because the website in question does not allow special characters in passwords, and he’s forced to use “easy-to-remember, easy-to-hack passwords.” Not an ideal solution.

So here’s where VIP comes in. VIP is an easy-to-implement two-factor authentication service that employs an open standards-based one-time password credential to strengthen your existing userid and password. The VIP Authentication Service provides cloud-based second-factor authentication, integrated with your favorite web service via a Web Services-based API. The VIP credential is available as a small hardware token or can reside as a client application on your mobile phone (always available, regardless of wireless network coverage). This VIP credential generates a 6-digit code, which changes every 30 seconds. The credential is registered with a relying party web service, and every time you initiate a login session to your web service, in addition to entering your easy-to-remember userid and password, you also enter the 6-digit code from your credential as a “second” password.

Now Jonathan essentially has a password for his password. And better yet, that password for his password is uniquely generated (based on OATH standards) and constantly changing, every 30 seconds. Someone would have to physically steal Jonathan’s mobile phone or VIP token IN ADDITION to stealing his userid and password to hack into his favorite websites. Jonathan can combine something he knows (userid & password) with something he has (VIP credential) to add strong password protection. Now he can log in, safely and securely.

So Jonathan, feel free to use “goofdog” as your password – just be sure to add VIP Authentication and you’re good to go.

Posted by Han Dong on December 3, 2009 3:55 PM