
October 30, 2008

Cash, Check, Money Order & PayPal No More on Ebay

Just in time for the holiday shopping season, eBay, one of the world's largest internet stores, makes changes to their payment policies. What are these changes and what do they mean to you and how you shop? Will they make you safer or are they simply a method for eBay to make more money? You decide and share your thoughts!

eBay announces big changes. Are you safer?

eBay recently announced that checks and money orders would no longer be allowed as payment methods on eBay. Under the new policy all items sold on eBay must be paid for through PayPal, credit or debit card payment to a seller through a merchant account, ProPay or payment upon pick up. PayPal account users can use not only existing PayPal account balances but also credit cards, debit cards or bank account withdrawals. The credit or debit card payments to sellers must be done through an internet merchant account. There are a few exceptions to the payment rules, including vehicles, business and industrial equipment, real estate and "mature audience" items. Further, eBay promises that in January 2009, all of the approved eBay payment methods will be integrated into eBay check out.

Some buyers and sellers are saying Ouch! eBay insists that these changes benefit buyers and sellers. They claim that buyers can expect a more consistent and secure check out experience, therefore increasing buyer confidence and ultimately sales. eBay also suggests that the change will benefit sellers by providing them with more reliable and faster payments. In turn, eBay argues that when payment is received faster, items are shipped faster and buyers are happier too.

The Facts Presented by eBay

eBay points out that of US transactions paid with PayPal, 25% are paid within 5 minutes and 73% are paid within 24 hours.

eBay argues that listings that don't accept PayPal or credit cards are more than twice as likely to experience an unpaid item as listings that only accept these payment methods.

eBay further states that buyers today who pay with a check or money order on eBay are 80% more likely to file an "item not received" dispute and 50% more likely to leave a negative feedback than buyers who pay with PayPal or credit cards.

eBay also shares that 1 out of 5 current eBay transactions send buyers off eBay to complete their purchase and buyers' experiences vary greatly depending on the payment provider and seller. By using an integrated payment system, buyers will be able to remain on eBay to pay.

And therein may be part of the problem. Some people feel that the change benefits eBay, when users use PayPal, more than it benefits sellers and buyers. Some feel that eBay's new plan keeps all payments running through eBay and encourages payments that are profitable for eBay.

Many consumers are complaining that they don't want to use the only payment methods eBay now accepts because they are uncomfortable providing credit card or debit card information on line for fear of identity theft or fraud. Some eBay buyers argue that they have been buying comfortably on eBay for years with money orders and never had or reported a problem. Others argue that there is still a cash economy in the U.S. that eBay is ignoring. With the recent banking crisis, many argue that they are unable to use credit cards or are untrusting of banks and unwilling to shop at eBay under these new rules. Some sellers are unhappy too. Sellers who have not wanted to pay the extra fees to be a "merchant" allowed to accept credit cards aren't happy either. Others argue that Google Check Out is a good alternative not included in eBay's new check out plans.

One unhappy eBay seller has said, "If the check doesn't clear---you don't ship. Simple as that. PayPal only benefits only one place EBAY AND EBAY alone--more money in their pocket since they own PayPal."

PayPal itself has been found to be a safe way to make financial transactions on line, whether with eBay or other popular on line sellers. Readers will remember, though, and should keep in mind for their own safety, the identity theft phishing scam that sent out e-mails claiming to be from PayPal and redirected readers to an unsafe site in an attempt to get their personal information.

Was eBay's decision motivated by profits or by increasing happy buyers and sellers? Are eBay users safer from identity theft and fraud or more at risk? Do you feel safer using PayPal? And how do you pay for items on eBay? Leave us your comments and let us know what you think.

October 24, 2008

What's Posted about You Online and Do You Really Want it There?

Have you ever Googled or used other search engines to find out what is posted on-line about you? What if you don't like what you find? What do you do?

Google and AARP have broadened their services to provide videos which may help you with your safety online. These videos will help you to discover what is posted online about you, with simple step by step instructions on how to get the information removed from search engines as well as webpages.

Protect yourself and your information, be persistent, and you can work to keep your information off of the internet -- which the AARP video refers to as a virtual card catalog of information on just about everything and everyone.

There is some truth to that, depending on who you are, and how much information is out there about you.

Use this information to make sure what is "out there" about you is only what you want to have out there.

Sources:
Check out all the videos Google and AARP created at the YouTube Channel about personal information protection.

And here's the post about finding what information about you is online at the official Google Blog.

October 20, 2008

AT&T's Pledge to Protect You: What Should Other Companies Do?

AT&T has pledged to protect their customers' information during their online experience, as well as provide customers and visitors who visit their site with more control over their information and whether it is shared. What should other companies do? Share your thoughts with Identity Theft Secrets.

AT&T Pledges To Protect Internet Users Privacy
Mike Sachoff | Staff Writer
WebProNews.com

Says others should do the same

AT&T is calling on all companies that track and collect data on Internet users' search and browsing activity to give consumers more control over how their online habits are collected and used.

"While we have no immediate plans to offer online behavioral advertising we believe that a key dimension of any such program would be to give customers significant control over collection and use of their search and Web browsing data for online advertising purposes, by requiring their advance affirmative consent," said Dorothy Attwood, Chief Privacy Officer, AT&T, testifying before the Senate Committee on Commerce, Science, and Transportation.

"Over the past several months we have talked with consumers about what they want and expect from any company using their online information to provide behavioral advertising," Attwood said.
"Based on that input, we pledge to uphold a few simple principles in the design of any online behavioral advertising program we may deliver in the future."

Attwood said AT&T would seek permission from its customers before collecting and using their information for online behavioral advertising. AT&T would have transparent information about what the company would collect and use for online behavioral advertising.

Customers will be able to opt in or out of any AT&T behavioral advertising program. Their identities will be protected no matter what choice they make about being part of any behavioral advertising campaign.

Attwood pointed out that privacy issues are not only related to ISPs. "While this pledge represents AT&T's commitment, there are many other companies with access to information about online users, many of which collect large volumes of data every day for advertising purposes without the knowledge or affirmative consent of those users."

"Only when all companies that track and collect data for the purpose of delivering behavioral advertising -- including search engines, advertising networks and ISPs -- adopt similar commitments to transparency, customer control and privacy will Internet users have more confidence in the privacy of their online experience," said Attwood.

Imagine, getting info without having to give any! I spent many years working for a university that required you to "tailor" your experience with your name and information to get information from the school. At the time, it was considered great marketing. The information was supposed to be limited to use by the university, but do you wonder, like I do, whether, if the information IS THERE, even if the business doesn't sell it or make it available, it may still be available to those who shouldn't have it?

What do you think? Should more companies be required to protect their customers' privacy? What are the advantages to this system? How can we know our information is safe online and still get the services we need? Is AT&T setting a standard? Share with us your thoughts.

October 18, 2008

Do You Worry about Online Privacy?

How many people do worry about their online privacy? How many take steps to protect it, and what are some things that you don't want companies to do with your information? WebPro News takes a look at how Americans feel, and now you can weigh in too: answer our questions at the end of the article.

Americans Anxious Over Online Privacy
Mike Sachoff | Staff Writer
WebProNews.com

The majority of Americans are concerned about what is being done with their personal information online according to a new poll from Consumer Reports.

The poll found that 82 percent of people are concerned about their credit card numbers being stolen online, while 72 percent are concerned that their online activity is being tracked and profiled by companies.

Over two-thirds (68%) of Americans have provided personal information to gain access to a Web site, but 53 percent said they were not comfortable with Internet companies using their email content or browsing history to send relevant ads, and 54 percent are uncomfortable with third parties collecting information about their online behavior.

The overwhelming majority (93%) of people think Internet companies should always ask permission before using personal information and 72 percent want the right to opt out when companies track their online behavior.

"Americans are clearly concerned with how their personal information is being collected and used by Internet companies," said Joel Kelsey, policy analyst with Consumers Union. "The vast majority of consumers want more control over their personal information online and want the ability to stop internet companies from tracking and profiling them."

The poll shows that people are taking steps to limit the information that is being compiled and shared about them online. Thirty-five percent use alternate email addresses to avoid providing real information; 26 percent use software that conceals their identity; and 25 percent have provided bogus information to access a Web site.

People are aware that information about their surfing habits is being collected online, but many do not know what companies do with their information.

The majority (61%) believe what they do online is private and not shared without their permission. Just over half (57%) falsely believe that companies are required to identify themselves and indicate why they are collecting data.

Just under half (48%) incorrectly believe their consent is required for companies to use personal information they collect from online activities and 43 percent wrongly believe a court order is needed to monitor activities online.

"Many consumers have misconceptions about the information available about them and how commonly it is sold by companies without their knowledge," said Kelsey. "Our poll makes clear that consumers want more control over the treasure trove of information companies are collecting about their activities online."

What about you? What do you think? Should companies require you to give information just to view their website? For example, many newspapers now require basic information to create an account simply to read the news online. Should we have to provide our name and location? What do they do with this information? How is it used? And, have you ever provided "false" or "fake" information or created an email address just for these reasons? Why? Share with Identity Theft Secrets your take on this important privacy issue.

October 15, 2008

The Dream Work from Home Job May Be an Identity Theft Nightmare

From work at home to finding your mate, find out what scams out there are taking your money and your identity.

There are identity theft scams and then there are identity theft scams within identity theft scams. The "Work from Home" scam, also known as the "Reshipping" scam, is one such scam in which thieves have stolen identities, made fraudulent credit card purchases and then recruited other unknowing victims to share their identity information and do their dirty work.

"Work from Home" notices get a lot of attention as many people desire to work from home to spend more time with their children or to save gas money or other resources. Working from home is an ideal employment opportunity for many, but not all work from home opportunities are created equal. This scam has used posted "Work from Home" signs as well as advertisements on popular on line job search sites such as Monster.com.

Prospective employees are asked for all personal information, including their Social Security Number and date of birth. This doesn't seem out of the ordinary when applying for employment, but unless you "know" the company, always verify a company's legitimacy before giving them your personal information. You can check on a company through:

• Local consumer protection agencies
• Federal Trade Commission
• Better Business Bureau
• The state attorney general

The ads often say they are looking for "merchandise managers" or "package processing assistants." Duties listed include receiving, packaging and remailing merchandise for clients.

Victims are then "hired" and they immediately begin receiving packages at their residence for repackaging and shipping abroad. Of course, the merchandise has been purchased with stolen credit card information. Soon the "employees" will receive a third party cashier's check, not a regular paycheck. What's even better is the check is for too much. How lucky can you get? But here's the catch. The "company" acknowledges the error, asks you to go ahead and cash the check and get your money and then to electronically forward the extra to a bank account, which is invariably overseas. Of course, once the bank learns the cashier's check is counterfeit, the victim is now responsible for the total amount. Instead of landing a new work from home job, they've landed in a nightmare. Victims have lost money, participated in the shipment of stolen goods and handed over their personal information to known identity thieves.

Other Versions of the Work from Home Identity Theft Scam

Sweetheart Scams

These scammers also look for prey on dating websites. They spend a little time to "get to know you" and may even send a photo or flowers. Then they ask you to help their business or family by shipping packages to Europe or Africa. They may even claim to be working with a charity or as a missionary and ask you to help them get merchandise delivered to Africa or another part of the world.

Of course, this "Sweetheart" is really asking you to commit a crime by smuggling stolen goods. You can be sure that the photo they sent you is fake and what's worse you've given these identity thieves your address and personal information.

Avoiding the Con

*Don't accept packages for anyone you don't know personally.
*Check out any potential employer before you give them any personal information.
*Be suspicious of e-mail or chat room sweethearts.

What to do if You've Been Conned:

*If you've already received merchandise, DO NOT mail it.
*Save all correspondence including paperwork, e-mails or faxes.
*Contact Postal Inspectors at 1-877-876-2455.

Be savvy. Identity thieves are! Companies are constantly looking for ways to eliminate the middleman. Why would a company pay to mail merchandise to you and then pay you to re-mail it? You can be sure crooks will give you a convincing reason but don't be victimized by scammers who take advantage of your desire to work from home or make a friend on line.

October 12, 2008

Will this USB Based Vault Keep You Safe While Shopping On Line?

ID Vault is a portable protection service which offers several special features to not only keep your information safe but to make your on line shopping experience easier -- most of the time.

As consumers, we don't just want our cake and to eat it too. We want to order our new cake pan on-line and have it delivered without worrying that we've put ourselves at risk for identity theft. We don't want to worry that when we order on line from the butcher, the baker and the candlestick maker that we've exposed ourselves to identity theft. Yet, every time we log on and enter our user name, pin and credit or debit card information, our risk can increase.

ID Vault is a product that can offer on-line banking and shopping customers some protection.

What is ID Vault?

ID Vault offers a USB security token with an embedded smart card chip that is easy to use. There are three steps:

1. Plug your ID Vault in to your USB port.

2. Choose the online account you want to log in to.

3. Enter your ID Vault PIN to unlock your username and password.

ID Vault remembers all of your user names and passwords, which is very helpful in addition to protecting you. You only have to remember a single PIN number. Now you can be automatically signed in with just a few mouse clicks. No more typing isn't just convenient, it's also safer.

You are now logged in to your online account quickly and securely, and can bank, shop and invest online with confidence.

How Does ID Vault Protect You?

ID Vault protects you against phishing, pharming and keystroke logging, three common means of identity theft.

It encrypts and stores usernames and passwords for up to 100 on-line accounts and also credit card information for up to 25 credit cards.

If your ID Vault is stolen, no one can access your information without your PIN.

The System Requirements for ID Vault

*Windows XP or Windows Vista
*Internet Explorer version 6.0 or higher
*Minimum 600 MHz processor
*Minimum 512 MB RAM
*At least 40 MB of free disk space
*One free USB 1 or USB 2 port
*One CD-ROM or DVD drive

What You Should Know About ID Vault

Software reviewers have found ID Vault easy to use. Consumers agree that ID Vault is easy and can be very helpful. However, the biggest consumer complaints regarding ID Vault involve financial institutions and consumer shopping sites that are not compatible with ID Vault. Depending on the diversity of your on-line habits, ID Vault may work with more or less of your favorite on-line transactions. Consumers should research the compatibility of this product with their own favorites before purchasing.

ID Vault is $39.99 at their site and this includes the USB security token with an embedded smart card chip and a one year subscription to ID Vault services. Consumers should note, as their web site discloses, that after one year an ID Vault subscription must be renewed at current subscription prices.

Keylogging, phishing and pharming can not only take the cake, but your identity, your money and your credit too. ID Vault can be a helpful tool to protect against identity theft. In addition to identity theft protection, ID Vault can also save you time as it eliminates remembering and retyping password after password as you shop or bank on-line. Everyone has unique shopping habits, so all consumers should research whether or not ID Vault is a good match for them.

October 09, 2008

Identity Theft and Charity Begin at Home

In times of natural disaster many people desire to help, to make a difference. How can you be generous and safe on line? Find out about an organization that can help you.

In times of crisis, citizens can become more generous than ever. Following the devastating terrorist attacks of 9/11 and the destruction of Hurricane Katrina, people made charitable donations in record numbers. Now our country is cleaning up and rebuilding after Hurricane Ike. As a resident of Houston, I know too well the destruction and the need and also the caring and generous giving of others. While helping and giving to victims of disaster is so important, it is also important that well-meaning contributors not become victims themselves of identity theft. There are many trustworthy, well-organized charities in need of your financial assistance and unfortunately there are many thieving, scamming individuals who want to take advantage of your good intentions and help themselves to your generous contributions.

Instead of becoming fearful of giving, it is important to educate yourself on safe giving to protect yourself from identity theft and to make sure your money goes to the people who really need it.

Lessons learned from Katrina

Most of us would agree that there were many lessons to be learned from Hurricane Katrina. One relates to on-line scams. Before Hurricane Katrina even hit the coast, criminals were setting up websites that included the keyword Katrina along with key words like help and relief in an effort to collect money and personal information. In the weeks following, the FBI reported that it had identified over 4,000 bogus websites that were attempting to take advantage of the goodwill of generous people.

Tips for Dealing with Charities On-line Safely

*Unless you've signed up to receive newsletters from charities, be skeptical of e-mail solicitations. As a general rule, reputable charities do not solicit donations through e-mails. Many scammers create e-mails that look like they come from a charity name you recognize, but links could take you to an unsafe site, unrelated to the reputable charity.

*If you are interested in a charity, start by checking out the actual web address. Most non-profit web addresses end with .org not .com.

*No reputable charity should ask for your social security number or date of birth on line.

*The same goes for solicitations by phone. Say no, or if you are interested, ask for information on the charity to be mailed to you and give no information beyond your mailing address.

*It is convenient, safe and economical for you and for charities for you to give on line to reputable charities at their safe sites.

How Can I Check Out Charities & Give On Line Safely?

CharityNavigator.org rates charities and gives you direct links to reputable charities. At CharityNavigator.org you can research charities by name, rating (they have a zero to four star rating system) or by city or state.

CharityNavigator.org has many articles on smart giving that are helpful, especially in times of giving following a crisis. They remind us that new, even well-meaning charities are often not equipped to be most effective during times of crisis. They suggest at a minimum to require proof of a 501 C for any new charity and recommend giving to organizations with a strong track record for responding to disasters, like the Red Cross, which has a four star rating.

You want to help and there are so many people, including the victims of Hurricane Ike, that need your help. Just make sure that as you reach out to help victims, you aren't reeled in by a scam that puts you at risk for identity theft.

October 05, 2008

Trust Doesn't Come Cheap-Especially with Telephone Calls and Your Credit Card

If phishing doesn't work to get your credit card information, this telephone call just might. It's pretty convincing, and without this information to warn you, it could cost you.

They are at it again and this scam is slick.

There is a new telephone credit scam. You'd think it could never work. Everyone knows that you should never, ever give your credit card account information over the phone and that your financial institutions would never ask you for this information by phone or by e-mail.

So how does this new identity theft scam work?

Criminals are calling victims on the phone and claiming that they work for the Visa or MasterCard fraud or security department. They tell victims that they have identified a suspicious purchase and are contacting them to verify this purchase.

It seems legit at first because the callers do not ask for your credit card number. In fact they already have it.

This is a transcript of a variation of these identity theft credit card fraud scams:

Caller: 'This is (name), and I'm calling from the Security and Fraud Department at VISA. My Badge number is 18228. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card, issued by (name of bank). Did you purchase an Anti-Telemarketing Program for $499.99 from a company based in New Mexico?'

When victims say "no", the caller continues by saying, 'Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from $200 to $499, just under the $500 purchase price that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?'

When victims say "yes," the caller continues - "I will be starting an investigation. If you have any questions, you should call the 1-800 number listed on the back of your card (1-800-VISA) and ask for Security. You will need to refer to this Control Number." The caller then gives you a 6-digit number and asks, "Do you need me to read it again?"

Here's the catch!

The caller then says, "I do need to verify you are in possession of this card and that it has not been stolen." He'll ask you to turn your card over and look for some numbers, saying, "There are 7 numbers; the first 4 are part of your card number, the next 3 are the security numbers that verify you are the possessor of the card. These are the numbers you sometimes use to make Internet purchases to prove you have the card." The caller will ask you to read the 3 numbers to him. After you tell the caller the 3 numbers, he'll say, "That is correct, I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions?" After you say "no", the caller then thanks you and states, "Don't hesitate to call back if you do."
Victims who participate have then learned that a fraudulent charge for up to $499.00 was immediately made to their credit card.

Why do people fall for this?

*We are used to people asking us for the three digits on the back of the card for verification.

*We feel safe since they never asked us for our card number.

*As credit card companies have stepped up fraud alerts, many people are not suspicious of the call.

*We are panicked to get an almost $500.00 charge removed quickly.

Remember that credit card companies and banks never ask you for your credit card or bank account numbers over the phone or by e-mail, nor would they ask you for the three digit verification on the back of your card.

What should you do to avoid being the victim of identity theft and a credit card scam?

*If you receive such a call, or an e-mail for that matter, make no response by phone or e-mail. Hang up and call the number on your card and ask for the fraud department to verify if you do have a problem.

*Don't let statements sit around. Open them immediately to look for fraud while the trail is still hot.

*Report any scams, whether you became a victim or were just intended prey, to the local authorities to help prevent others from falling victim to identity theft.

It seems that identity thieves stay one step ahead of us on the learning curve. We learn to never give out our card numbers over the phone, and so they steal card numbers other ways and rewrite their scripts to get our security codes. Being aware of these scams is the best way to protect yourself and avoid becoming the next victim of identity theft.

October 02, 2008

How To Control Who Has Access? Authentication and Access Control Services and Solutions

Two Factor Authentication
What is it, how does it work, and why is two factor authentication better than just one factor authentication?

In this interview with Paul Herbka from South Seas Corporation (services and solutions based out of Colorado), we go in depth in a discussion of two-factor authentication, and why it's important for any individual or business to seriously consider two factor authentication for any sensitive data.

You can listen to the interview and/or read the transcript below.

Download the two-factor authentication Interview in MP3 Format

The following is a presentation of IdentityTheftSecrets.com.

Identity Theft Secrets: Welcome back to IdentityTheftSecrets. This is Jonathan Kraft and I am here again today with Paul Herbka who is the President of the Information Systems Security Association here in Denver, Colorado; as well as the Vice President of South Seas Corporation which is headquartered in Littleton, Colorado. He is a certified Identity Theft Risk Management Specialist by the Institute of Fraud Risk Management and he holds the state contract for encryption in the State of Colorado as well as Arizona and I know you've spoken at a bunch of different conferences. So Paul, thank you very much for taking a few minutes with us today.

South Seas VP (on two factor authentication): Thank you and I appreciate the opportunity to get to speak with people and share some information with them. I know a lot of times people know they need different solutions or have questions about different technology that has been out there, and really need help clarifying what's real, what's not. Also cutting through some of the marketing hype from the different vendors, right? I mean we all know that they all say they're Number 1 and they're the best -- and they slice, they dice, they solve every problem! We in fact know that's not true, but there are a lot of solutions that are out there that do solve problems and so it's good to know which ones do what and which ones work well.

Identity Theft Secrets: Right? And given the award for Winner's Choice Award for blah, blah, blah. You know, "three out of four doctors approve us" and they only interviewed four doctors who already buy their products so...(laughs).

South Seas VP (on two factor authentication): Exactly.

Identity Theft Secrets: Well today I just wanted to take a few minutes here and talk to you about two-factor authentication. I know you know quite a bit about this and definitely some people have had some questions about it. So what is two-factor authentication?

South Seas VP (on two factor authentication): Absolutely. So two-factor authentication falls under a category of "strong" authentication. The two-factor authentication means that they have two factors, right? So it's something they have and something they know. Or it's something they are and something they know. So something they have might be like a little Smart Card or a key fob or a token which holds some information and then something they know would be like a password or a PIN or a pass phrase to unlock that information on that Smart Card or token or what not. Or if they are using biometrics, then two-factor authentication might be something they have like their fingerprint or an iris read, an iris scan and then a password or a PIN or something that goes with that as well. So it's just like the name implies, it's two factors, right? It's something you have or something you are and then also something you know. So that it's not just one factor. It's like a log-in and password, right? So typical credentials are a log-in and password in most places. Well, that's all just something you know and that can be stolen, that can be faked. Someone in New Zealand could take that information and pretend that they're me logging into something in New Zealand when in fact, it's not me. So by adding stronger authentication or by adding two factors to it, now not only do they have to have something that I know that might be easy to get, but they also need to have that other factor whether it's something I have or something that I am. And that way it's much stronger authentication.

Identity Theft Secrets: So you, as a company, South Seas Corporation, talks a lot to companies about solutions they can put into place. Two-factor authentication is obviously more involved than just a simple log-in and password. When do you recommend that to companies?

South Seas VP (on two factor authentication): Well, we recommend it to companies when they have data that they need to be secure and when they have a lot of mobility for that. Because as we know, it used to be you'd put down my firewall and you locked your network and then everything inside your building was safe. You locked your front door, you locked your firewall down and you were good. Well now, as we've become a mobile environment and everyone wants to work remotely and maybe they VPN through an SSL VPN or an IPsec VPN and then tunnel in remotely. While that's a secure connection, the PC they're using to get onto that may already be owned by a rootkit or a Trojan or a botnet. And therefore if it's a hotel kiosk, or a different friend's computer, it's a home computer that maybe doesn't have the same security standards, now then that log-in and password might be gotten and therefore it's not as secure.

If you're a larger corporation and you've got something secure or even if you're a smaller corporation but you're using either ... you're in the financial world, you're in the banking, you're doing payment cards or you're receiving and storing credit cards and you fall under Payment Card Industry (PCI), SOX, HIPAA; any of those, you'd want to use a stronger authentication because what we're finding is passwords just aren't good enough anymore. If you have a breach or you have an issue and you say, "well, yeah, but we had passwords." It's kind of ..., gee, you didn't really use your best effort. You did kind of well, ok; and even then if you ask, "are they strong passwords or were they written down on a sticky underneath keyboards?" The answer is usually, "oops, well yeah they might have been." And so it's harder to control that.

Identity Theft Secrets: So then you recommend if they've got some sort of secure information that really needs to be secured and they've got people connecting in through some sort of virtual connection, virtual private network so that they can actually have some sort of more robust solution for authentication.

South Seas VP (on two factor authentication): Exactly. The other example ... so all those definitely ... and then the other example would be someone who often logs in remotely or logs in front of other customers. So if I have to log-in and authenticate with my log-in and password, whether I'm a network administrator, or a system administrator, help-desk troubleshooter or someone that's out in the field and I'm collecting data, then they're going to see that. And if they see it over and over and over, or even like the teacher, then the student is going to pick up and it's not going to take long for them to find that log-in and password.

In fact, I was just told of a scam that they're using to get the PINs at a certain resort, it actually happened at multiple resorts, but this in particular happened at a resort in Mexico where they were hiring young boys to go and just learn one PIN number a day from people using the ATMs and then they would have that. So that was a password and it's secure as long as no one finds it but just by watching someone do it over and over, you're going to learn that PIN or password so that's why they're no longer secure.

Identity Theft Secrets: That's very interesting. So two-factor authentication would be having some sort of thumbprint scanner or retinal scan plus something you know. Who are the major players in offering solutions in this area?

South Seas VP (on two factor authentication): There are several, probably the most well-known one is RSA. In fact, they have a large secure world conference. But RSA Security; they were now bought by EMC. So they're part of EMC, but their own division. Then there's also another company called Aladdin, Aladdin Knowledgeware and their tagline is "Securing the Global Village."

So those are two of the leading ones and they provide all the different types, they've got the Smart Cards which look like a credit card-sized thing. It has a little Smart Card on it. Or they have the USB tokens which are Smart Cards in a USB form factor because most PCs now have a USB or multiple USB ports. Rather than having to find one with a Smart Card reader built in, they can just plug it into the USB drive and it has that encrypted Smart Card right on there and it can read it on any of those PCs.

And then they also have ones that are called OTP or One-Time Passwords and what those are used for is for remote VPN access in. So the RSA version uses a changing code that every 60 seconds changes and in that way you put that in plus your PIN, depending on how you have it configured and you get remote access. And the nice thing about it is then that code is no longer valid after sixty seconds. That code's not valid, so even if someone watches me and writes down that code, it's no longer good within a minute and so it makes you more secure.

So both of those companies provide those and they also have other ones that are combination tokens; where they have the Smart Card as well as the changing code or one-time password. They also have some where they're the Smart Card and then they also have a Flash drive which is actually memory you can store in, just like a thumb drive only it can also be encrypted or it comes encrypted. So those are some cool options out there.

There's several other companies that do that; we actually work with the top five. Then there's several companies that also work with the biometrics whether it's a thumb drive or fingerprint reader or if it's an iris scan or a retinal scan. So the cool thing is there's a variety of options out there. What we find is that the easiest to use and the least expensive is actually going to be usually the USB Smart Card and/or the USB Smart Card and One-Time Password tokens and again, you only need the one-time password piece of a token or a part of a solution if you're using that for remote SSL VPN or IPsec VPN.

Now there are some that don't require a certificate or a client or that log-in and so some examples of that would be F5's SSL VPN product called the FirePass and that's a clientless one where all you need is the log-in and password, but again you're back to, is the client that you're using secure? So there's multiple different solutions out there and it's just a variety of what fits with you. What are you doing to protect it and what else is protected from that appliance in to your infrastructure?

Identity Theft Secrets: Sure, wow. That's a lot of things for people to think about when they're thinking about this. I imagine it's kind of difficult for somebody to do this on their own.

South Seas VP (on two factor authentication): Yes and it's funny because a lot of people call us and say, hey we just need to buy some tokens or some Smart Cards or something like that. Then when we start asking the questions, well how are you using it or why are you using it and are you using it in conjunction with this or that? You have this kind of checklist of things to go through; they realize, wow, this is bigger than I thought! And then when you add to that, that "you may want to look at certificates."

Certificates are another type of credential like a log-in and password. Only a certificate can't be fooled or spoofed, it's much more secure. So I can assign certificates to people that they carry on their token and then they digitally sign email or they sign other documents or they get access to specific databases or file shares or applications based on that certificate authenticating them as saying they are who they are and they have the right credentials for it.

By putting that on a secure two-factor authentication token, you now have a secure certificate that's being securely held and requires something they are or have with something they know before they can even unlock that certificate. So you can get very, very secure and again, is the average Joe Blow going to do this for their home computer? No. But if you fall under SOX-compliance or PCI-compliance or HIPAA-compliance, or if you have any kind of personal data that you need to protect or corporate data, or you know corporate secrets that you need to protect for development, research and development, that's when you definitely want to use two-factor strong authentication.

Identity Theft Secrets: This is like a whole different language world. I mean I think what's interesting ... I remember having a Hotmail account back in 1996 that was in high school. And I told one of my friends, "why don't you just email me at my hotmail address at "whatever"@hotmail.com." And one of my friends goes, "what is that some kind of porn site?" Like they were laughing at me about hotmail. Well today, hotmail is unambiguous, everybody understands what hotmail is.

Do you see, and it sort of feels like right now the words, I mean "download" happened that way and "www" happened that way where people were ... it was like this whole foreign concept and now it's just part of our everyday language. Do you see, I mean this is sort of a side topic, but do you see "certificates" and "token" and those kinds of words becoming mainstream usage?

South Seas VP (on two factor authentication): I do. I see in the future, and the future being obviously closer because of technology and the cycles that it brings; it used to be I'd say it was 5 to 10 years out. Now it's, I'd say 3 to 5 years out, where people are going to be carrying around a token that'll have their security certificate on it and that's what they'll use for work. They may even use it for even like an example, E*TRADE uses that for their larger customers and their larger accounts because they know they need to secure that and they don't know where the end-user is going to log-in. They realize the problem of botnets and all the other Trojans and issues that are out there and so they said, "how can we limit our risk and limit our exposure?" So I really see that people are going to be using that now for corporations, for security, for logging in.

The other cool thing about it is that this technology can be coupled or married with our RFID or the ability to actually do building security so PAC or physical access so you can integrate it with your physical access. So now I can turn around the token that lets me into my building and then lets me into my computer. And then with that certificate lets me log into different applications, different network components, different applications on the web. And it understands and stores all my information so no longer is it a password that I'm carrying around, it's a token and my pass phrase that allows me to get into all these different things is now all stored on one little thing that fits on my key ring.

Identity Theft Secrets: You've done this with probably quite a few companies. Can you tell me about a company that's actually been able to use a two-factor authentication solution and what it was for?

South Seas VP (on two factor authentication): Absolutely. There's actually two examples; one is a company that had a lot of remote users and they were a retail company and they ended up having a lot of issues with lost or breached passwords and log-ins and what not. And so they decided that they wanted to use two-factor authentication and as a result they now don't have to worry about that. If an issue is ... or if a token is lost, they can just de-issue that token, issue a new token for the customer and then Fed Ex it to wherever they need to be and in the meantime they can still get into their system, if they need to, without a token. So that's one example.

Another example is another customer who had just a bunch of people that were mobile, out in the field all of the time and their biggest problem was that they kept forgetting passwords because they had to make them so strong because they were typing them in front of customers. So now what they've done is they've made it to where they have a token and because they can just put the token in and then type in the password, it doesn't matter if the people learn that password because without that token, it's useless. So it really solved that issue of people fat-fingering or forgetting their password because it had to be so long and complex, by just adding the second factor of having that token, of something you have, they were actually able to make it much easier for the end-user which made the whole experience of computing and doing their work easier and smoother just by adding a simple solution.

Identity Theft Secrets: Now I hear the people who are fearing Armageddon coming (laughs) and they look at the book of Revelations in the Bible or they look at other things that have happened along the way as far as people's information becoming more secure and less secure at the same time. Because when we can be identified on one little token with information out of our mind and well that information that what we are; but as we've seen in the past, both retinal scans and fingerprint scans be faked; people become very concerned about this kind of thing. And they go, "well if I have two-factor authentication that's great, but if that means I've got to carry around one of these little tokens, and it means that that token now becomes as valuable as if it were actually me when someone can fake my retinal scan or fake my thumbprint;" do you get much of that from people? Or I imagine the people who are calling you probably aren't in that arena, but how do you respond to those kinds of people?

South Seas VP (on two factor authentication): Well there are really three responses. The first response is as we are becoming a more connected society and a more connected world, definitely there are some of those fears whether it's from the Logan's Run era to the "Big Brother is watching us and do we want to give all our database information to them?" And really I'd like to say that to one extent the law is already there and this is just another way of implementing that.

If we look at social security numbers which have been around for forever it seems, right? They haven't been, but it seems that way. With just that, I can go out and wreak havoc in someone's life and gain those other pieces of information that are already public knowledge and wreak havoc in their life.

I would tell them to be concerned just about a token seems ... I mean you could be just as concerned about having a social security number which we already all have and it's already in databases everywhere as well. So half of me would say, you could worry about it but it's just one more thing that you could worry about and I wouldn't waste the time.

The other option is there are ways to make it more secure and there's always... right? It may cost more, but there are always ways to make things more secure and within that we can also, and this is technology that is already out there and is being used, is you can make this into a chip that someone shoots into your arm and just like they use it for tracking dogs now -- you can use this to track humans and identify humans and store medical records and store a bunch of other things on there and I know those are already being used today. And the whole issue of medical records of being out there is another issue and that ... you know, half of me says there are things we need to be concerned about, that becomes very much an issue especially with medical identity theft, but at the same time it's kind of like trying to hold back a tidal wave with putting a finger in a hole in a dam and then there's five more holes that are sprouting leaks. I'm not sure this is something that you can stop; so half of me would say don't waste your time trying to stop it. Instead, find the best solution and find the best "mousetrap" that's going to help make you secure and your information secure.

And then the last item would be -- just worry about everything and try to hide. But that's not much of a life.

Identity Theft Secrets: Right, go crawl under a rock and that might be ... that's about it!

South Seas VP (on two factor authentication): Exactly.

Identity Theft Secrets: I actually learned about a website called EscapeArtist.com. This isn't like, for anybody listening to this, I'm not like promoting it or whatever. But Tim Ferriss recommended it in "The Four Hour Work Week," I don't know if he "recommended" it, but he referenced it in "The Four Hour Work Week." And it's a very interesting website for the people who really want to go get lost and for the people who this is really a concern for; escapeartist.com is a good place to start as a resource if you really are interested in figuring out how to live under a rock. So!

But I'm kind of with you there Paul; I think it's unfortunate maybe that a lot of our privacy has been eroded. But it's been eroded since I've been around on the planet you know. I was assigned a social security number at birth and all of my information has been irretrievably out there since probably the mid-80's and if not, definitely by the mid-90's with the advent of the internet and all those databases being hacked and information being posted all over the place. So I'm kind of with you though I think. Find the best solution and create it for yourself!

South Seas VP (on two factor authentication): Exactly!

Identity Theft Secrets: So tokens and certificates. What else can they be used for -- going back to the topic here. Outside of medical, can you think of other applications for them like going to the hospital obviously or getting into your workplace. Can you think of other applications that might be of interest for people?

South Seas VP (on two factor authentication): Absolutely. In fact there's a bunch of scenarios. And one of the cool things if you look at it - one of the problems and frustrations of people within IT and people that are using technology have, is that it used to be you had one password, maybe two. And now maybe you have 5 or 10. If you're in the IT world, you have maybe 15 or 20 and they all have different times that they change and they're for different websites and different log-ins and different accounts and different check-ups and follow-up. And the more you do online, the more accounts you have. The cool thing is you can now store all those different credentials whether it's a certificate, a log-in and password for a specific website or application. So people that are doing online banking, this is a way to make that more secure, right?

So am I saying throw the baby out with the bath water? No! I'm just saying hey maybe you use clean water with the baby and it's a better solution. And make it a little more secure, maybe you make it safer; maybe you make it so the baby can sit up so it's not going to drown. Whatever the solution is, make it a better solution.

But the myriad of applications out there are untouched. In fact, if you have a full PKI infrastructure within your enterprise, you can now use these tokens and your certificates for just about anything. So now, instead of having to remember 20 passwords or 30 passwords, I can remember one long pass phrase that unlocks my token and now my token is smart enough to know that on this website, here is my log-in and password which changes every 45 days. And on this other website, here is my different log-in and password, different credentials, different set of credentials. And now as I can start using certificates for them they're more secure, they can be verified and they are much harder to fake. Right now, overall there'll always be, they'll learn how to fake them but then we'll learn how to make them harder, one of those leapfrog or cat-and-mouse games where the current technology won't be as strong as it's needed and therefore they'll come out with a newer technology. But as you do that you can continue to store on the tokens and it gives you freedom. And so now people learn one pass phrase as the human and then let the token store the 20 different pass phrases or log-ins and passwords or the certificate and log-in and password combinations that are needed for the different applications; whether it's a secure website or a secure network share or whatever they're trying to access.

So really when people start seeing that "wow, you mean I can carry one token and just learn one pass phrase or one password and then I can get into all these different things?" I can maybe do my online banking and I can log-in to my different accounts, I can log-in at work. I can log-in into my email and my other email, like you mentioned, my hotmail account, my email account, whatever different email accounts you have. Now they become excited about that. And so that's really where I think it's going to take off in the next 2-3, definitely within the next 5 years, people will be carrying around tokens on their key chains just like another type of key merely because the benefit and the use of that being able to carry around one thing and use it for multiple things - people like that.

Identity Theft Secrets: Well without question it is a "brave new world" we're moving into -- to use a literary reference in there.

South Seas VP (on two factor authentication): Yes it is.

Identity Theft Secrets: I mean it's, I guess with or without the people who decide to participate, it's going to happen. So I think out of this, I would say to people, just decide how you're going to participate. Don't let it just "happen" to you. Just decide how you're going to participate and decide to be ok with that. Instead of just letting it happen to you; where the majority of people will probably just let it happen to them. But I think it's really fascinating to talk about these topics and I really appreciate you taking the time to talk about two-factor authentication and how all of this kind of ties in together with everyday average users and how their lives are going to change because of it over the next 2 to 3 to 5 to 10 years for sure.

Where can people get in touch with you if they'd like to get more training or solutions for this for their companies or for themselves or installation help, anything like that?

South Seas VP (on two factor authentication): Absolutely. We'd be happy to help them whether it's just understanding the technology or kind of wading through the different solutions out there. Or more importantly, once they've decided hey, here's what we want to do, what combinations of solutions works best and is going to grow with the environment that they need?

So probably the best way to get a hold of us, we have a toll-free number: it's 1-866-794-1655. That's 1-866-794-1655. Or they can email me, Paul Herbka; my email is pherbka, p as in paul, h-e-r-b as in bravo, k-a@SouthSeasCorp.com. So that's South and then seas, like the 7 seas, Corp dot com. So pherbka@SouthSeasCorp.com or 1-866-794-1655. Again, we'd love to help them just understand the different options out there. And again we help with implementations and trainings nationwide. We've also done a few worldwide roll-outs; but for the most part, we work within the United States. Again, we are headquartered in Colorado and would love to help anyone looking at two-factor authentication.

Identity Theft Secrets: And if they mention they heard about it at IdentityTheftSecrets at least you'll know what base they're starting from.

South Seas VP (on two factor authentication): In fact, we will give them a discount, I can offer them a 2% discount ...

Identity Theft Secrets: That's nice!

South Seas VP (on two factor authentication): Yeah! If they mention that they heard about this on your website, we can give them a 2% discount. They will have to mention that upfront and make it clear. So if we're already working with customers and then they come across this, it's too late. But if they mention that upfront, we can certainly help them with that.

Identity Theft Secrets: Wow, that's great! I didn't even know we could do that. Nifty!

South Seas VP (on two factor authentication): Absolutely, anything for you and your customers.

Identity Theft Secrets: Well just user base really, I don't really even have any customers through the site but a very good, active group of people who are very interested in helping protect people in this space. So obviously we're adding you to the mix and I really appreciate your knowledge and you taking the time to talk with us about two-factor authentication again.

This has been an audio interview with IdentityTheftSecrets.com. We can be found online at www.i-d-e-n-t-i-t-y-t-h-e-f-t-s-e-c-r-e-t-s.com. IdentityTheftSecrets.com.
