Age Verification Front & Center in 2012

It’s been some time since we’ve talked about age verification, but I assure you it’s still a hot topic in the market, especially for social networks and gaming (as in lotteries and sports betting) industries.

Let’s take a look at what is going on.

Social Networks are waiting to see how the rules and regulations for COPPA will play out.  This past September, the FTC proposed amendments to COPPA to help “create a safer, more secure online experience for children” as a response to technological changes in the market, including mobile technologies.  The FTC was soliciting public comment on their proposed changes through November.  So one might conclude that at some point this year the FTC will announce amendments to the COPPA rule that will affect any website or social network dealing with minors.

How does this impact age verification vendors?  Well, that depends on the verification tool you are using.  As for IDology’s age verification solution – the ruling has no direct impact on our solution per se, since we’ve been pitching using age and identity verification to verify parents from way back when MySpace was a synonym for social networking (see our member statement response to the Internet Safety Technical Task Force.)  But it will drive more interest from Internet properties who want to find a way to obtain verifiable parental consent.

The other hot area related to age verification is the gaming industry.  In late December, the US Department of Justice released a new opinion on the Wire Act clarifying that the law refers to only prohibiting online gambling on sporting events or contests, and not the ability to sell online lottery tickets to adults.  This ruling also opens the doors for intrastate poker to become a reality in the United States because the new opinion is that Wire Act only focuses on sports betting, not poker or casino games.  The new ruling also helps to further support the District of Columbia’s efforts to offer online poker to its residents, which has been delayed since September.  (See more information on this gaming topic)

Clearly age verification plays a big part in what is happening in these industries, although really the underlying issue is identity: you have to know who someone is before you can verify their age.  This is why I often use the words “identity and age verification” together.  While you can have identity verification without an age component, you cannot have an age component without identity.  Think about it.  How often do we hear people incorporating age as a part of describing someone’s identity?  Just a quick glance at any news article, biography, or obituary will prove my point.

Posted in Hot Topics, Know Age

APPy Holidays

The numbers are out around 2011’s Cyber Monday sales.  We spent a record $1.2 billion, up 33 percent from last year.  And thanks to all the smartphones and tablets Santa left under the tree last year, mobile traffic and mobile sales saw dramatic increases this year.  According to this article:

Purchases made from gadgets accounted for more than seven percent of sales, according to John Squire, chief strategy officer of IBM’s Smarter Commerce.

With the recent launch of Google Wallet gaining some traction with retailers, and with the marketing around the ease of using your Google Wallet to shop online, I’m already curious to see what Cyber Monday sales will be in 2012!

The 1-2 Punch of How Google Wallet Works

And if you need further proof that the mobile market is booming, just yesterday mobile apps marketplace analysis firm Mobilewalla released a report indicating that the entire apps ecosystem, counting all the rival factions, will soon have 1 million apps to offer.  The company says that an average of 2,000 mobile apps enter the mobile app marketplace every day.

With 1,000,000 apps, keeping track of all the different “must haves” might be difficult, but I’m sure there will be an app for that too someday, if not already.  Meanwhile, here’s one marketer’s list of the top 5 Best Holiday Shopping Apps and Sites you might want to check out this season.

Posted in Hot Topics, Know More

Data Privacy Everywhere…

If there are two words that have permeated every online business in every industry, they’d probably be “data privacy.”  No surprise really, since a look at today’s Chronology Breach Report shows 542,590,837 data records have been reported as breached since 2005, when the Privacy Rights Clearinghouse started tracking this information.

As consumers, we want to keep all of our data locked up tight and can be reluctant to share it with anyone.  But how does this translate into our business lives, where there is a real need to know more about consumers, not only so we can deliver better value to our customers, but also to protect our businesses from fraud and financial loss?

Data is a big factor in the identity verification industry and very top of mind for the security and compliance professionals we work with every day, which is why it’s the focus of the latest IDentity Matters podcast.

Take 10 minutes and listen to An Inside Look at Identity Data: A conversation with data expert Chris Luttrell and learn a little more about data as it relates to identity.

Posted in Know Privacy

How to prevent a data breach and save your organization more than $156B

A recent study of data breaches during the last six years shows some staggering figures associated with this crime, especially as it relates to costs for a business.

Conducted by the Digital Forensics Association, the Leaking Vault Report is the largest study of its kind and presents data gathered from studying 3,765 publicly disclosed data breach incidents occurring in 33 countries during 2005-2010.  The incidents included over 806.2 million known records being disclosed, averaging more than 388,000 records per day (15,000 records per hour) every single day for the past six years.

The estimated costs to the organizations experiencing these incidents are more than $156 billion.  (The study clearly points out that this cost does not include costs incurred by any organizations upstream or downstream from those considered victims, nor does it include costs a data breach subject may have experienced.)

That’s a lot of money.  I think we can safely assume these figures are actually higher now, since we are approaching the end of 2011.  Just today the Boston Globe is reporting that 2.1 million Massachusetts residents have been affected by data breach incidents since January 2010, with 480 of the total 1,166 breach incidents occurring between January and August of this year.

Other interesting tidbits from the Leaking Vault Report include:

  • Nearly half of all reported breaches came from a laptop, which was stolen 95 percent of the time. But actual hacks accounted for the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report, even though hacks accounted for only 16 percent of the data breaches.
  • In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number.
  • From 2005 to 2010, there were 584 incidents disclosing over 17 million records with medical data. The median number of records disclosed for medical data was 2,000. 27% of incidents reported “unknown” loss figures. These incidents are now required to be reported under the HIPAA/HITECH regulations.

The report concludes with a summary of the recommendations included throughout the report:

1. Know where your data is from inception to disposal. If you do not know where it comes into the organization, where it is transformed, stored, shared with outside parties, archived, and finally how it is disposed of—you cannot hope to keep it secure.

2. Trace each sensitive data type from when it is created, to when it is disposed of, and all the places it is used in between. Without making these types of data flow maps, organizations are operating on an incomplete risk picture.

3. When a laptop is issued to an individual, it should be accompanied by a set of rules for the custodian of the device to follow. This should include direction for maintaining physical control offsite and onsite, as well as fallback controls for when these rules are insufficient to keep the asset safe.

   a. Information Security professionals who can influence the contents of their organization’s awareness training should be lobbying to have something included about laptops.

   b. In no case should the laptop be left overnight in the vehicle—particularly at the employee’s residence.

   c. Do not neglect physical controls to protect electronic data. The number of laptops stolen from offices illustrates the need for locking mechanisms for laptops when unattended at work.

4. Organizations should either put controls in place that notify when a device is tampered with, or have regular inspections of point-of-sale devices, gas pumps and ATMs to mitigate this risk.

5. Attention should also be given to the use of production data in test and development environments, since those environments typically have less stringent security controls in place.

6. Organizations must “bake” security controls into contracts with third-party partners. This means the Information Security personnel should be involved early in the selection and vetting of potential business partners where sensitive data is concerned.

7. While prevention of malicious activity is ideal, detection is critical to minimize the damage of an incident, regardless of actor.

8. If organizations are still using SSNs as their unique identifier, they should be taking steps to eliminate them wherever possible. Reducing the locations where this highly sought-after data element is stored will only help to reduce the risk of its disclosure. Data masking and encryption should be considered in cases where SSNs must be stored and used.
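To make recommendation 8 concrete, here is an added Python example (not IDology’s code and not from the report) of keeping an SSN out of the places it does not need to be: the raw number is replaced by a keyed surrogate identifier for record matching and by a masked form for display. The HMAC key, the record and the values are constructed for illustration; encrypting any copy that genuinely must be retained is left to a vault or KMS and is not shown.

```python
# Added illustration of "stop using the SSN as the unique identifier":
# key records by a keyed surrogate and show only a masked form.
import hashlib
import hmac
import re


def normalize(ssn):
    """Strip separators and reject anything that is not exactly nine digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN is exactly nine digits")
    return digits


def is_valid(ssn):
    """Boolean form of normalize() for input validation at the edge."""
    try:
        normalize(ssn)
        return True
    except ValueError:
        return False


def mask(ssn):
    """Display form that keeps only the last four digits."""
    return "***-**-" + normalize(ssn)[-4:]


def surrogate_id(ssn, key):
    """Keyed, one-way identifier usable as the record key instead of the SSN.
    Only a billion nine-digit inputs exist, so an unkeyed hash could be
    brute-forced; the HMAC key must live outside the database (KMS or HSM)."""
    mac = hmac.new(key, normalize(ssn).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def minimize_record(record, key):
    """Copy of `record` with the raw SSN removed, keeping a surrogate id for
    matching and the last four digits for display and audit."""
    out = {k: v for k, v in record.items() if k != "ssn"}
    out["subject_id"] = surrogate_id(record["ssn"], key)
    out["ssn_last4"] = normalize(record["ssn"])[-4:]
    return out


if __name__ == "__main__":
    KEY = b"constructed-demo-key-do-not-reuse"  # constructed; keep real keys in a KMS
    stored = minimize_record({"name": "Pat Example", "ssn": "123-45-6789"}, KEY)
    print(stored, mask("123-45-6789"))
```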

Adding to these recommendations, here are some pointers from IDology to help reduce your risks as it relates to your identity verification processes:

1. Limit the data input requirements from your consumers to the minimum requirement of your business need – if you don’t need a full SSN for audit purposes, don’t ask for it!

2. Don’t add to the data overexposure problem by feeding more data into your organization.  Use a solution provider, not a data provider, to verify your customers-not-present.

3. Eliminate shared secrets from your authentication process – with social networking and data breaches, shared secrets are no longer effective.

4. Leverage your internal data in the verification process without sharing any of your data with a third party.

5. Educate your employees – fraudsters are switching tactics.  Instead of going for the big attack, they are finding quick and easy ways to infiltrate a system, making it harder to detect and stop.

Posted in Hot Topics, Know Privacy

A Primer on Out-of-Wallet Questions Podcast

A few weeks ago I blogged about all the confusing terms associated with out-of-wallet questions.  This week, I want to point you to IDology’s podcast on out-of-wallet questions.  This 12-minute interview is with yours truly and is intended to give an overview on out-of-wallet questions including what they are and why they are better than shared secrets.

Listen in if you get a moment to learn a little bit more about this effective authentication technology.

Posted in Know Security

The Triple Threat for Fraud: Stalking, Social Networking & Shared Secrets

Banks might not need as much convincing that challenge questions based on shared secrets aren’t safe, since the FFIEC’s updated guidelines came out saying as much, but there are other industries, like healthcare and ecommerce, that still need to take heed.

Case in point:

A California man who trolled women’s Facebook pages searching for clues that allowed him to take over their email accounts was sentenced Friday to more than four years in state prison after a judge rejected a plea for a lighter sentence and likened the man to a peeping Tom.

Once he took over women’s email accounts, George Bronk searched their folders for nude or semi-nude photographs or videos sent to their husbands or boyfriends and distributed the images to their contact list, prosecutors said.

The emails went to families, friends and coworkers. Women in 17 states, the District of Columbia and England were victimized.

The case illustrates the vulnerability of all Internet users, said prosecuting attorney Robert Morgester of the state attorney general’s office.

“The victims we went to said I had very robust passwords. But it didn’t matter how robust the password was if the recovery question is easy,” he said. “Lost your password? What’s your favorite color or what high school did you go to? Or what’s your dog’s name? And he was able to glean that information from social media.”

And there it is: the realization of one of the dangers of shared secrets that we’ve been pointing out at IDology during the last few years.

This guy is only an amateur — he admittedly did what he did because he thought it was funny and he was bored.   If he succeeded in cracking shared secrets, don’t you think sophisticated fraudsters can too?

The FFIEC gets it.  They’ve told banks to use more sophisticated authentication technologies, like out-of-wallet questions instead of shared secrets.  If this authentication method isn’t safe enough for your bank to use anymore, then it isn’t safe for your business either.

Posted in Hot Topics, Know Fraud

An Out-of-Wallet Rose by Any Other Name…

I want to help clear up some confusion in the market about the updated FFIEC guidelines as they relate to out-of-wallet challenge questions.  Here are terms (and their origins) that you might hear in reference to out-of-wallet solutions and meeting the FFIEC guidelines:

  • Out-of-Wallet Questions – this term came about based on the type of data used to generate authentication questions.  Out-of-wallet questions are designed so that if someone were to steal your wallet, they could not use the information in it to answer any of the questions.  The questions are multiple-choice.  (FFIEC guidelines state these to be an effective authentication technique.)
  • Challenge Questions – the term the FFIEC uses to describe the questions banks and others present to consumers when they forget their password.  Challenge questions are more commonly known as shared secrets.
  • Shared Secrets – slang for a piece of information a consumer shares with the business.  Shared secrets take the form of questions that the consumer picks and provides an answer to after an account has been established.  The term describes all the questions most people are familiar with in their online banking systems, such as mother’s maiden name, favorite pet, high school, etc.  Shared secrets are limited to how many questions the consumer selects and what answers the consumer provides.  Shared secret questions are not multiple-choice.  (FFIEC guidelines indicate these are no longer safe for a bank.)
  • Knowledge based authentication (KBA) – really this means using something someone knows as a way of verifying their identity.  However, most people use KBA as a synonym for shared secrets.  KBA is used in multi-factor authentication to satisfy the “something you know” component (going beyond just knowing a password).
  • Static KBA – another name for shared secrets, because the something you know never changes; it’s static.  You must have a prior relationship with someone to use static KBA, because the consumer gives the bank the questions and answers to store and call up when needed.
  • Dynamic Knowledge Based Authentication or Dynamic KBA – another name for out-of-wallet questions, because the something you know changes and is not limited to the questions the consumer sets up.  These questions are dynamically generated from many different data sources, so you do not have to have a relationship with someone to use dynamic KBA.
  • Sophisticated challenge questions – introduced in the FFIEC updated guidelines as a way to describe out-of-wallet questions, a.k.a. dynamic KBA.
  • ID Quiz – used to describe out-of-wallet questions, since these questions are provided in a quiz format with multiple-choice answers.

Really, it doesn’t matter what you call “out-of-wallet questions”, only what it does – quickly verifies consumers in a way that reduces your risk of fraud.

For more term definitions in the identity authentication space, check out IDology’s new online glossary.

Posted in Hot Topics, Know Identity

Finally…FFIEC Guidelines Update Is Issued

After almost six months, the long anticipated FFIEC guidelines update has been issued.  And as suspected, shared secret questions (What’s your mother’s maiden name? What’s your favorite food?) are not enough anymore.  Banks should deploy out-of-wallet technologies (aka dynamic knowledge based authentication), which are stronger and more effective.  Here is the section on challenge questions from the unabridged release from the U.S. banking regulatory agencies:

Challenge Questions
Many institutions use challenge questions as a backup in the event that the primary logon authentication technique becomes inoperable or presents an unexpected characteristic. The provision of correct responses to challenge questions can also be used to re-authenticate the customer or verify a specific transaction subsequent to the initial logon. Similar to device identification, challenge questions can be implemented in a variety of ways that impact their effectiveness as an authentication tool. In its basic form, the user is presented with one or more simple questions from a list that was first presented to the customer when they originally enrolled in the online banking system. These questions can often be easily answered by an impostor who knows the customer or has used an Internet search engine to get information about the customer [e.g., mother's maiden name, high school the customer graduated from, year of graduation from college, etc.]. In view of the amount of information about people that is readily available on the Internet and the information that individuals themselves make available on social networking websites, institutions should no longer consider such basic challenge questions, as a primary control, to be an effective risk mitigation technique.

Challenge questions can be implemented more effectively using sophisticated questions. These are commonly referred to as “out of wallet” questions, that do not rely on information that is often publicly available. They are much more difficult for an impostor to answer correctly. Sophisticated challenge question systems usually require that the customer correctly answer more than one question and often include a “red herring” question that is designed to trick the fraudster, but which the legitimate customer will recognize as nonsensical. The Agencies have also found that the number of challenge questions employed has a significant impact on the effectiveness of this control. Solutions that use multiple challenge questions, without exposing all the questions in one session, are more effective. Although no challenge question method can mitigate all threats, the Agencies believe the use of sophisticated questions as described above can be an effective component of a layered security program.
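As an added example (not IDology’s product and not part of the FFIEC text), here is a toy dynamic KBA quiz builder in Python with the properties the glossary post above and the FFIEC section describe: multiple-choice questions generated from data the consumer never set up, a red herring question whose only right answer is “None of the above”, and sessions that never expose the whole question bank. The consumer record, distractor pools and session size are constructed for illustration.

```python
# Toy dynamic KBA ("out-of-wallet") quiz builder: an added illustration,
# not IDology's product. Record, distractor pools and policy numbers are constructed.
import random
from dataclasses import dataclass

NONE = "None of the above"

# Constructed record for a fictional consumer. A real system assembles these
# facts from many independent data sources, not from the account itself.
SAMPLE_RECORD = {
    "prior street": "Maple Ave",
    "vehicle make": "Subaru",
    "mortgage lender": "Acme Savings",
}

# Constructed distractor pools, one per fact type.
DISTRACTORS = {
    "prior street": ["Oak St", "Pine Rd", "Elm Blvd", "Cedar Ln"],
    "vehicle make": ["Ford", "Honda", "Toyota", "Mazda"],
    "mortgage lender": ["First Trust", "Metro Bank", "Union Credit", "Bay Mutual"],
}


@dataclass
class Question:
    prompt: str
    choices: list
    answer: str
    red_herring: bool = False


def build_questions(record, rng):
    """One multiple-choice question per known fact, plus one red herring."""
    bank = []
    for fact, truth in record.items():
        choices = rng.sample(DISTRACTORS[fact], 3) + [truth]
        rng.shuffle(choices)
        bank.append(Question(f"Which {fact} is yours?", choices + [NONE], truth))
    # Red herring: every option is false for this consumer, so the legitimate
    # customer recognises it and picks NONE, while a guessing impostor tends not to.
    fact = rng.choice(sorted(DISTRACTORS))
    decoys = rng.sample(DISTRACTORS[fact], 4)
    bank.append(Question(f"Which {fact} is yours?", decoys + [NONE], NONE, True))
    return bank


def select_session(bank, size, rng):
    """Pick `size` questions for one session: always include the red herring
    and never expose the whole bank at once."""
    if size >= len(bank):
        raise ValueError("a session must not expose every question")
    herrings = [q for q in bank if q.red_herring]
    real = [q for q in bank if not q.red_herring]
    chosen = herrings + rng.sample(real, size - len(herrings))
    rng.shuffle(chosen)
    return chosen


def grade(session, responses, max_misses=0):
    """True when the responses satisfy policy; by default every answer,
    including the red herring, must be right."""
    misses = sum(1 for q, r in zip(session, responses) if r != q.answer)
    return misses <= max_misses


def demo(seed=7):
    """Build a bank and one three-question session. The seed only makes the
    walkthrough reproducible; production code should use secrets.SystemRandom()."""
    rng = random.Random(seed)
    bank = build_questions(SAMPLE_RECORD, rng)
    return bank, select_session(bank, 3, rng)
```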

We’ve long discussed the security and effectiveness of shared secrets vs. dynamic KBA.  Ultimately the problems with shared secrets led us to launch a new product earlier this year that is intended to allow banks to use out-of-wallet questions based on their own proprietary data (we already have a solution that is based on external data sources).

With the deadline just six months away, and many other factors to consider beyond challenge questions, one can probably already smell coffee brewing to fuel many banks’ IT departments.  Thankfully, with all of IDology’s dynamic KBA solutions (ExpectID IQ or ExpectID Enterprise), the hardest thing about implementing them is just making the decision to change.

Posted in Hot Topics, Know Security

You Know You Were Born in 2011…if your social security number is completely random.

As of June 25, 2011, the Social Security Administration is changing the way it issues Social Security Numbers to babies and to people newly arrived in the country by randomizing all 9 digits.  Previously, randomization was limited to the last 4 digits.

While the change is designed to increase the longevity of Social Security Numbers (there are approximately 420 million Social Security Numbers available for assignment; however, the current SSN assignment process limits the number of SSNs available in each state), it is also good news for identity safety, because it will make it much more difficult for bad guys to glean information about people from their Social Security Number – at least for SSNs issued after June 25, 2011.

There is a lot of emphasis in the media placed on financial fraud. But identity theft takes many forms including someone using your Social Security Number to gain employment, file taxes, commit crimes and more.

Regardless of if you have an “old” SSN or a “new” SSN, the same safety rules always apply – memorize your number, secure or shred documents that have your SSN listed on them, never give your social security number to a business you don’t trust, and most of all be aware of the different email and voicemail phishing attempts used to get your SSN and/or other personal details.

Posted in Hot Topics, Know Fraud

Phishing Season Has Begun…

People not involved in the security industry may not realize the impact that the Epsilon data breach announced last month could have on them personally or in their business.  After all, it was “just email addresses” that were stolen.

In reality, this breach could have big repercussions for both consumers and businesses.  It’s not like going for a swim in the ocean, where the odds are pretty slim that you’ll be attacked by a shark.  This is more like being in a salt water lake with some aggressive bull sharks circling about – the pool of water is smaller, and the sharks are hungrier and highly adaptable.

The biggest risk of these email addresses falling into the wrong hands relates to “spear phishing,” which was announced as the cause of the RSA breach that occurred this past March.  If employees in the security industry can be tricked by a phishing attempt, what are the odds that a less security-oriented person will fall victim?

Phishing as a fraud tactic has been around for a while, and we were curious what the average consumer knows about phishing.  In our latest episode of IDology’s IDentity Street Beat, we interviewed a few people, and the results were mixed…

Want to know if you’d fall for any phishing bait? Take this phishing quiz and tell us how you scored in the comments section.

Posted in Hot Topics, Know Fraud