Yikes, where did those last 10 weeks go?
Needless to say, I’ve been busy despite the lack of activity here on the blog. I’ve crisscrossed the U.S. several times and the Atlantic twice as well, once on business and once more for pleasure.
For my first post after such a long gap, I’m going to chat quickly about two events I attended that tie most directly to this blog: the FTC ID Proof Positive event in Washington, DC on April 23-24 and the Online Game Developers Conference in Seattle on May 10-11.
The FTC event as you can imagine was a bit dry, but I’d like to share one positive line of thinking I heard and one negative.
First the positive. Several speakers actually reiterated an important point: the threat to user confidence is at least as important as, and probably more important than, the direct dollar losses from online attacks. There is a big disparity between, on one hand, speaking to user communities under constant assault from a dizzying array of attacks and press coverage of millions of users’ identities being compromised, and, on the other hand, speaking to financial institutions that point to their “very manageable fraud loss rates”. Indications from the past holiday cycle suggest that while total spending was up, the number of folks doing that spending didn’t grow much. Looks like confidence is down except for those already “in”. But if loss rates are still low, there’s no incentive for anyone to get too concerned.
Really? Are we digital-life people just so insulated from the rest of the real world that we believe everyone is on the e-bandwagon? Check around you. I’m constantly surprised by the number of people in high-tech sectors who won’t transact online on a dare. The majority of my non-high-tech friends are also very skittish about transacting online. Seems everyone on the e-field should be anxious to get those spectating from the stands to join us and bring their e-money.
Now to the negative. There was a panel late on the 23rd roughly titled “FFIEC 4 Months In”. I almost felt sorry for the FFIEC guidance representative on the panel. Clearly I’m not the only one who believes the latest guidance was so loose as to accomplish almost nothing for consumers, though admittedly it was a boon to us vendors. Here are a couple of interesting high points I noted:
- When asked about what was and wasn’t actually suitable for online banking, he indicated “anomaly detection alone does not satisfy the guidance” [undoubtedly a paraphrase, I’m not that great a note taker]. Wow. It will be interesting to get back with some banks that placed their entire guidance compliance in the hands of anomaly detection. While I am clearly a strong-authentication kinda guy, am I against fraud detection? Of course not. I believe in defense in depth as much as any competent security practitioner in the virtual or real world, but as the sole security layer of supposed multi-factor authentication, no way.
- When asked about where things should head next for MFA, he actually mentioned OTPs as the next big thing for moving up in security levels. Now I can understand why an FFIEC guy (or gal) wouldn’t be up on the cutting edge of security attack vectors, techniques and cracks, but doesn’t he read his own industry press? Citibank wasn’t the only publicly compromised OTP last year. Heck, the FFIEC is mentioned specifically in this article, though don’t get me started on the non sequitur of the last line from Mr. Lam.
- Given #1 and #2 above, and that one smart tech guy on the panel had already rained on most of the rest of the FFIEC guidance items as broken and busted, I could hardly spit out my question: “So if this guidance is already full of measures that are compromised, when can we expect FFIEC-2?” There was a lot of hemming and hawing, but basically the direct answer was, [paraphrased] “The FFIEC doesn’t want to create confusion and pain for the financial institutions. Our last note on these lines was in 2001, sooo…”. Seriously, I swear to you he trailed off. Clearly, then, it will be years before they step up; if the same gap holds true, they won’t come back with something until 2009. Will other regulators step in? Will they also seriously undershoot the already demonstrable threat level in 2009?
So now on to a more pleasant topic, online gaming. The OGDC was very interesting from both a professional and a personal standpoint. When there weren’t direct security or infrastructure sessions, I sat in on a few of the more creative sessions. It was very interesting to listen to some “inside baseball” discussions from those who take technology, story and interfaces and deliver entertainment and that ever-elusive “fun”.
Not as much to report there. A couple of points pretty well sum it up.
- Several sessions reported on data showing that a compromised World of Warcraft (WoW) account is worth twice as much ($10) as a compromised credit card ($5) on the black market.
- I chatted with a senior developer about his MMO’s need to strengthen authentication against phishing and other social engineering attacks that we gamers increasingly hear about. He indicated that his company preferred to deal with these theft cases as a customer support issue. Should a user’s account get compromised and they log in to find all their hard-earned loot sold out from under them, the support folks will investigate the logs and try to validate the “supposed victim’s story”. If the story seems true, the stuff can be reinstated. Good luck proving a customer did or didn’t share the account and just got taken by “friendly fraud”.
Now, that is certainly a feasible approach, but I’d be one irritated user, as what would stop this from happening again? Especially if the attack was launched with a keylogger just waiting to do it to me again? Doesn’t seem like customer care to me, but then I’m biased, ’cause I’m a vendor trying to sell the MMO something, right? True enough, but that doesn’t mean that as a gamer I’m not seriously peeved at this attitude.
Curious as to others’ thoughts about why a WoW account is so much more valuable than a credit card. My quick and dirty analysis is thus:
* Check the prices online for purchase of a top level character. Looks like starting prices are around $454 running up to $749 for some of the quick searches I ran on this site.
* What do you think will get the FBI’s or other law enforcement’s attention more: “Our merchant database of 200,000 credit cards was stolen” or “200,000 users had all their Shadoweave Robes and other virtual stuff stolen”?
Seems like the old risk/reward equation makes this pretty self-explanatory, but maybe I’m oversimplifying.