View the original article here

Online Identity and Trust: Making mobile banking safer Online Identity and Trust « And the SC Magazine Award finalists are… | Main | Password should not be your “password” » Making mobile banking safer

There’s been recent news discussing the vulnerabilities of wireless apps for the banking industry and how they could impact users. As the number of Americans regularly using mobile banking services continues to grow, security concerns will grow along with them.

The challenges for banks to consider are all of the potential vulnerabilities in their implementation to better mitigate risks effectively while managing the delicate balance between extra layers of security vs. user experience.

Here are a few recommendations we suggest bank and financial institutions may want to consider:

– Deploy strong or two-factor authentication that goes beyond the traditional username and password. If username and password are compromised, the fraudster still needs the second factor to gain access to an account. With our VIP mobile SDK, banks can enable a silent user experience for a second factor of authentication allowing greater security without negative impact to usability.

– Implement fraud detection and transaction monitoring. If a hacker passes the front door, real-time fraud detection services can automatically detect novel attacks by recognizing abnormal behaviors in user behavior to help recognize an attack.

– Avoid storing sensitive personal information on mobile devices which can easily be retrieved. For any information that a bank may require users to store on their mobile devices, banks should leverage platform secure storage with various encrypted and obfuscated techniques.

To find out more about the solutions that can help protect your bank and customers, check out these resources:

Resources:
VeriSign Identity Protection (VIP) Authentication Service
Mobile SDK
Fraud Detection Service (FDS)

There is no silver bullet security solution or service that will protect everyone from everything. However, banks and other financial institutions should always consider a layered approach to protect themselves and their customers.

Posted by VIP Team on November 15, 2010 3:03 PM | Permalink Post a comment (If you haven’t left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won’t appear on the entry. Thanks for waiting.)

Name:

Email Address:

URL:

Remember personal info?

Comments: (you may use HTML tags for style)

Search Categories Authentication | Cloud-based Security | Device Security | Fraud Detection | Fraud Detection Service | Identity | Mobile devices and credentials | OpenID | VIP Blog | WiMAX | fraud protection | iPhone | layered security | two-factor authentication | second-factor authentication | verisign | Archives December 2010 November 2010 October 2010 July 2010 May 2010 April 2010 March 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 Recent Posts Password should not be your “password” Making mobile banking safer And the SC Magazine Award finalists are… VIP Mobile So
ftware Developer Kit (SDK) Available for Windows Phone 7 Some additional “Social Security” Qualys provides VIP Protection to its customers VeriSign Customers Honored by Computerworld Cloud-based Authentication Matters Here ‘Smart’ meters will require ‘Smart’ security A Year of Progress for VIP Access for Mobile Subscribe Comments We encourage comments and look forward to hearing from you. Please note that VeriSign may, in our sole discretion, remove comments if they are off topic or inappropriate. Powered by
Movable Type 4.21-en Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.

VeriSign Legal Notices

Read our Privacy Policy

View the original article here

Online Identity and Trust: Password should not be your “password” Online Identity and Trust « Making mobile banking safer | Main Password should not be your “password”

The recent Gawker database breach is yet another reminder of the weakness of the traditional “username and password” form of security. Previous database breaches, like this one, have shown that users do not realize how vulnerable they are making themselves and potentially their employers to identity and data theft by using weak passwords.

Steve Ragan of the Tech Herald wrote a story that includes a list of the top 250 passwords used by the Conficker Worm that you can read here. The list of passwords is truly impressive and includes many of the classics such as, “12345,” “qwerty” and of course “password.” It is surprising and concerning that these passwords continue to be used time and time again.

With the exposure of all of these passwords, we can’t help but emphasize the value in providing strong (or two-factor) authentication with solutions like our cloud-based VeriSign Identity Protection (VIP) Authentication Service. Strong authentication can be especially critical to the enterprise where mobile employees, partners and customers are logging in and accessing sensitive data.

As these types of breaches continue, more and more enterprise and consumer users will be put at risk. The “username and password” system is an antiquated system that can’t be relied on to protect sensitive information. Additional layers of security are needed to protect users, enterprises and sensitive data and that starts with adding strong authentication.

Posted by VIP Team on December 17, 2010 3:43 PM | Permalink Post a comment (If you haven’t left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won’t appear on the entry. Thanks for waiting.)

Name:

Email Address:

URL:

Remember personal info?

Comments: (you may use HTML tags for style)

Search Categories Authentication | Cloud-based Security | Device Security | Fraud Detection | Fraud Detection Service | Identity | Mobile devices and credentials | OpenID | VIP Blog | WiMAX | fraud protection | iPhone | layered security | two-factor authentication | second-factor authentication | verisign | Archives December 2010 November 2010 October 2010 July 2010 May 2010 April 2010 March 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 Recent Posts Password should not be your “password” Making mobile banking safer And the SC Magazine Award finalists are… VIP Mobile Software Developer Kit (SDK) Available for Windows Phone 7 Some additional “Social Security” Qualys provides VIP Protection to its customers VeriSign Customers Honored by Computerworld Cloud-based Authentication Matters Here ‘Smart’ meters w
ill require ‘Smart’ security A Year of Progress for VIP Access for Mobile Subscribe Comments We encourage comments and look forward to hearing from you. Please note that VeriSign may, in our sole discretion, remove comments if they are off topic or inappropriate. Powered by
Movable Type 4.21-en Disclaimer: Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of VeriSign.

VeriSign Legal Notices

Read our Privacy Policy

View the original article here

SSLPersonas is a Firefox extension that adds a little color to your secure browsing experience. When browsing an SSL protected web-site, the extension provides in-your-face visual feedback regarding the security of the site via a theme in the Firefox chrome at the top and bottom of the browser interface. The themes are as follows:

Green indicates that you are on a website secured by an EV SSL certificate.   Green theme (click to enlarge)Blue indicates that you are on a website secured by a valid non-EV SSL certificate issued by a certification authority trusted by your browser.Orange indicates that the website you are on is only partially secure, probably due to mixed content (secure and unsecure). These websites are vulnerable to mixed content attacks such as session hi-jacking.

I was also looking for enhanced indications for SSL certificates are expired or have been revoked, but it appears that the developer is satisfied with the user interface that Firefox natively provides.

This extension may be useful to unsophisticated users (e.g., your Mom) that you want to keep safe. Just tell her to only put in her personal information when the themes are green or blue. If the theme is orange, then it is best if Mom not use that site.

Tags: EV, Firefox, SSL

Tweet

This entry was posted on Thursday, December 16th, 2010 at 9:19 am and is filed under EV SSL, Secure Browsing. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

View the original article here

Much has been written this past week about Firesheep. The bottom line: website operators must properly deploy SSL end-to-end security.

Firesheep is a Firefox extension written by Eric Butler and was presented by Butler and security consultant, Ian Gallagher, this past weekend at ToorCon hacker conference in San Diego. Firesheep takes advantage of a known security vulnerability related to non-secure session cookies. When connected to a public Wi-Fi, the program captures non-secure session cookies of other users of the Wi-Fi hotspot. When an unsuspecting user logs into an insecure website known by Firesheep, their name and photo are displayed. The Firesheep user can then click on the other user and they are instantly logged in as them.

Impacted websites include Amazon, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, and Yelp. A plugin system allows a Firesheep user to add their own sites.

There are many suggested solutions to fight Firesheep. These solutions include:

don’t use public Wi-Fionly use secure Wi-Fiuse a VPN serviceforce SSL by using a plug-in such as HTTPS-Everywhere or ForceTLS.use an anonymizer such as Tor

These are partial or in some cases impractical solutions that may or may not work. Worst of all, they require the security challenged end-user to perform an action or make a trust decision.

The point of Firesheep is to put all web-site operators on notice that they need to wake-up and properly secure their web-sites with full end-to-end encryption using SSL. This practice includes the use of secure cookies.

For other best practices on SSL deployment, see SSL Deployment Mistakes.

Tags: Firefox, Firesheep, SSL

Tweet

This entry was posted on Thursday, October 28th, 2010 at 11:20 am and is filed under SSL Deployment, Secure Browsing. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

View the original article here