• Two-Factor Authentication- send a one-time passcode to the user’s phone and require re-entry back into the merchant site
• Require re-entry of a credit card number
• Require the user to answer a knowledge-based challenge (although the answer to these can be easily guessed or socially engineered.)

Building a model to detect anomalies on a user-by-user basis and having a comprehensive challenge framework to use when an anomaly is detected is an effective strategy to combatting ATO, while minimizing the impact on user experience.

1. 50 million accounts have been compromised with email address and salted passwords
2. Living Social as a precautionary measure is asking all users to reset their passwords
3. No news on how the hack was perpetrated

So there is a little bit of good news here. "What might that be?" you’re probably asking. Well the security folks at LivingSocial did salt their passwords which makes any attack against the hashed passwords much harder. When you salt a hashed password, that means when you try and log in to the site, what’s happening on the back end is the salt, a few bytes of random data, is combined with your password. Then it is hashed and stored in the database, “HASHING ALGORITHM” is run on (SALT + Password) which creates a “HASH."

Why is this good? Well let’s say the passwords were hashed and then not salted. When this happens someone can get a dictionary or a list of commonly used passwords then you figure out what hashing algorithm that the site was using (typically SHA2 or if the site is very old MD5) and then you just calculate hashes against the big hash list and compare your hashed dictionary to the stolen accounts. If the site has hashed passwords however you need to create this big dictionary hash list separately for every single user. That takes a really long time! Hashing protects all 50 million passwords from getting cracked. What is does not protect against is a single account being cracked.
 
Ok so now should you change your password? Yeah probably. So what can websites do?

1. Use two-factor authentication (2FA)
   If LivingSocial has used 2FA then it wouldn’t matter if user passwords were stolen, the accounts wouldn’t have been able to be compromised unless the attacker had the password (something the user knows) and had the 2FA device (a mobile phone in the case of TeleSign, which is something the user has). To get into an account you want there to be two components, one you know and one you have.
2. Salting is good, double salting is better. If they had double salted their passwords and stored the second salt somewhere other than the database it would be impossible to crack them.
3. Don’t use MD5 or SHA2 as a hashing algorithm use bcrypt. Basically SHA2 is super-fast, relatively speaking bcrypt is slow and makes hash breaking impossible on a large scale.

Read about it here: https://krebsonsecurity.com/2012/06/how-companies-can-beef-up-password-security/
 
I hope LivingSocial follows up their announcement with a detailed post mortem. The way the community gets better about security is by understanding what mistakes were made, embarrassing as they may be. There are some things they could do better to protect their users, but they’ve taken the first important step in telling people something happened, let’s hope they follow up with changes so that this can’t happen again.
 

• Falsely inflating the number of celebrity or company followers to create the appearance of popularity, influence, and a larger share of voice
• Propagate spammy tweets for “recreational” medicines or other annoying offers
• Bolster SEO efforts by creating 100s of  tweets with links to a website or eCommerce page
• Hijacking Twitter's trending topics to get people to click links
• Embedding malicious Bit.ly links to install malware

Should you care that Justin Bieber has fake followers?

Maybe. If you are an advertiser, the answer is an aggressive yes! Kim Kardashian is known to have commanded $10,000 per tweet back in 2010 at the height of her celebrity. That 10K is based not only on her presumed influence, but also on the number of potential customers who will see that tweet. Additionally, if you advertise through twitter instead of asking a celebrity to tweet that they love your FroYo, your demographic and reach are not accurate if twitter isn’t doing anything to regulate their account sign-ups.

If you’re just an average user, you’re affected too.
I’m sure Viagra is great, Cialis is probably dandy too, but I'm never going to buy it so please stop serving up the offer.

Since Twitter’s main source of revenue is from advertising, I’m going to assume that they were not too pleased to hear about Justin Bieber’s followers. But, they have larger problems to solve. I’m a marketer, I should love twitter and I used to. I managed a personal account, a business account, I helped sign-up the exec team and encouraged them to tweet. I stopped all that a few months ago when my account was hacked multiple times. I just got sick of friends and colleagues forwarding me my tweets about having their “pictures from last night.”

There is a really simple and elegant solution for all of this. Your phone number. A phone number is the only unique identifier that we have as humans. You can figure out my user name and password, you can steal my SSN, you could even open email accounts in my name and pretend to be me, but you’ll be challenged to steal my phone and my phone number.

Twitter – ask me for my phone number! I’d happy give it to you to protect my account and to show you that I am a legitimate person.  Ask for my phone number during the registration process to ensure I am who I say I am.  And then have me re-verify with that phone number if I’m posting something suspicious.

While you’re collecting my number take a look at the type of phone and the subscriber status.  If it is a VoIP number or a disconnect phone number, chances are that it is a fake account. Do what many companies are already doing. Protect your users' accounts and improve their experience by associating their phone number with their account.

In the beginning there was only ASCII. ASCII is the basic language that all other character sets are based on.  ASCII characters are the uppercase and lower case letters A to Z, plus some basic punctuation. ASCII is a universal set of characters, every device everywhere understands what ASCII is.  At the dawn of SMS 20 years ago, ASCII characters were the only ones you could reliably send in an SMS message.

Ok, I get it, international SMS is complicated, now what?

If your business needs international reach with SMS, make sure to ask these questions of any potential vendor:

• What countries do you support sending SMS messages to? If you need global reach, make sure your provider supports the countries you're interested in.  A lot of aggregators specialize in specific countries or regions. Only a few have worldwide reach.
• What languages and encodings does your provider support? US based providers might only support sending messages in plain ASCII. European providers  probably support GSM. Better providers will let you send your message to them in UTF-8 and do any necessary conversions for you.
• Does your provider automatically normalize messages when it is necessary? If you're trying to send a message and the recipient can't receive it in the language you sent it in, does your provider try to send it as plain ASCII for you automatically?

Understanding all the intricacies of International SMS messaging can be daunting, especially if your provider doesn't give you much help. However, if global reach is a necessity for your business, taking the time to find a provider that understands these details can take much of the sting out of it.

1. Give your users choice.  As a best practice, the leading global web properties give their users the choice of receiving an authentication code via SMS or voice call.  While SMS-based authentication is much more prevalent, we should not forget that some people may actually prefer voice-based authentication.  In fact, 53% of adult cell phone owners questioned in a survey conducted by the Pew Internet and American Life Project on Americans and Text Messaging said they preferred receiving a voice call to a text message.a  Plus, the voice option equips your end users with an easy alternative if they experience any SMS delivery issues.
2. Reach more users.  While landline usage is declining, 48% of US homes still have and use a landline (according to a study by the Centers of Disease Control who looked at phone usage in H1 2012). Moreover, some users do not have SMS plans and are charged per message and many older users are simply not comfortable using text messaging.  
3. Reach more markets. In certain countries, even in large markets like Japan, SMS is inherently challenging.  Therefore, offering a voice option is sometimes the only way to reach these markets.  For companies looking to reach a truly global user base, voice messaging is a practical alternative and complement to SMS-based authentication.
4. Meet ADA Mandates. Consider the Americans with Disabilities Act (ADA) whose charter is to ensure that everyone regardless of disability has an equal opportunity to enjoy consumer and business services.  So, if your organization is ONLY offering SMS-based authentication, how are you helping serve the needs of the blind. Approximately 2.5 million people in the United States are “legally blind” and, many of them have some residual vision. Only about 5% of blind people use Braille for reading; many people who are legally blind are able to read large print.  Plus, there are millions more who have “low vision” with some significant impairment that substantially limits their ability to see well under different circumstances.  Given the increasing popularity of two-factor authentication, SMS-based authentication is a genuine challenge for the blind who cannot easily read the one-time passcodes delivered to their mobile phones.
5. Lower your helpdesk costs. If your business relies exclusively on SMS, some end users will end up requesting SMS messages to their non-SMS-enabled phones or they will call a help desk to request an authentication code.  Based on our experience with the world’s largest web properties, this translates into more calls to your call/support center and negatively impact customer satisfaction. As a result, companies pay extra costs on two fronts: they pay for the extra SMS messages and for the support costs associated when customers call a help desk to request their one-time passcodes.
6. Add some personalization. Customers can customize the voice message by using their own voice talent or the voice of a familiar character (e.g., an online gaming company using the voice of a popular character to deliver the one-time passcode). As more companies explore creative ways to add stickiness to their online service, personalized messaging is a novel and cost-effective approach.  

OK, I’m sold on voice-based authentication, now what?  

Once you decide that you want to complement SMS-based authentication with a voice option, make sure to ask these questions of any potential vendor:

• Do you offer voice-based authentication? This may be a little obvious, but many authentication providers and SMS aggregators only offer SMS.  Offering the voice option means that the vendor should have invested in the infrastructure, the network and carrier relationships to delivery a quality service.
   
• Can you deliver the voice messages to the countries where your users are located? Ideally, the solution provider has a global footprint, but it also means localizing the voice messages into the languages and dialects of your users.
   
• Can you detect the phone types of your users?  With PhoneID, TeleSign can detect the phone type so companies can send SMS messages to SMS-enabled phones and voice calls to landline phones.
   
• Does the provider have connections to Tier 1 global providers? How do you know if you’re dealing with Tier 1 global providers?  You can often hear in the quality of the voice call.  With Tier 2 providers, you will often experience latency (i.e., delays on the call), jitter (refers to the variability of the latency), and packet loss.  Just as it's important to hear what someone says in the order they say it, it's also important to hear all of what they're saying. If you miss one out of every 5words or 5 words all at once, chances are you're not going to understand much of the conversation. This is packet loss.  This happens when voice packets are dropped by network routers, switches become congested (lost packets), or packets are discarded by the jitter buffer.

• Does your provider offer failover routes for voice? Like SMS, you want to use a provider who employs failovers at an operator and country level so if one carrier/operator is experiencing difficulties, you can immediately failover to another operator to ensures optimal delivery rates.
   
• Does your provider auto-correct phone numbers? Often when users are prompted to enter their phone number for authentication they forget to account for regional peculiarities.  For example, you need to drop the leading zero in the UK, but you need to add a “9” to the area code when placing a voice call to Argentina.  Believe it or not, this auto-correcting can improve deliverability by as much as 20% in some markets.

Adding voice-based authentication as an option to SMS delivery just makes plain business, practical and ethical sense. After all, it's a matter of winning over your customers by equipping them with rock-solid security and excellent user experience. The good news is that you no longer have to sacrifice one for the other.
 

Source: pewinternet.org/Reports/2011/Cell-Phone-Texting-2011.aspx

The upcoming Mobile World Congress in Barcelona, Spain, is the mobile industry's biggest showcase of new devices.

A lot of the focus will likely surround the development of new quad-core smartphones with 1080p HD screens.  There will also be plenty of buzz around the Windows Phone 8 (phones & tablets) as well as new Android phones from Nokia, HTC, and Samsung  (even if they’re not debuting the Galaxy S4).  We can expect the swirling debates to continue as to whether BlackBerry and Microsoft can still compete as underdogs in a world now dominated by Android and iOS.  

Blah, blah, blah…

I’m way more intrigued by the ecosystem behind the handsets and how it will change the every day lives of today’s businesses and their customers. Things like how global messaging is evolving, the rise of B2C and application-to-person (A2P) text messaging, online security/privacy, and information protection in the cloud are just more interesting. 

There is so much going on just in the world of A2P SMS. The A2P market is expected to be worth $70.1 billion and overtake person-to-person (P2P) SMS by 2016 (Juniper Research, 2011). This is not surprising given the rise of mission-critical, service-enabling messages used to cement customer relationships. Example include:

• Confirm deliveries: With SMS, companies can track packages and maintain inventory levels every time as stock arrives. Transactional-based triggers allow alerts to be set up based on when inventory levels get too low, when assets are disposed, and the like. Plus, messages can give exact delivery times and dates, so your customers know you when their package is going to be delivered.
• Send product alerts: Text messages enable businesses to provide excellent customer service and deliver new product notifications cheaply and easily.
• Appointment Reminders: Doctors, dentists, financial planners and a wide range of business professionals can leverage SMS for automating appointment reminders.
• Status Alerts: Many cloud-based technology firms are looking to use text messaging for system alerts (e.g., when an individual or server are reaching capacity thresholds).  This also includes airlines notifying customers when there are flight changes or delays so they can make alternative arrangements if need be. 

With the acquisition of Routo Telecommunications (rebranded as TeleSign Mobile), we’re a mobile operator in our own right with network access and direct connections to global operators.  This not only enhances TeleSign’s suite of security and authentication solutions, but enable us to provide these types of emerging mission-critical SMS services to the largest global web properties. 

NOTE: If you happen to be going to MWC, I encourage you to stop by the TeleSign Mobile stand (Hall 8.1, Stand81J38) to learn more about this exciting new partnership.  

So, if you get tired of the bells and whistles of the new phones, make sure to peel back the onion and explore all the new areas of growth that make up this evolving ecosystem.

Today we are excited to announce another unconventional move. We have joined forces with TeleSign, the leading provider of phone-based fraud prevention and intelligent authentication, and are re-launching under a new brand name, TeleSign Mobile.

TeleSign has spent years enabling some of the world's largest online companies use innovative means to combat fraud and verify identity, and the user's mobile device has become a tremendously powerful component in delivering these services. By acquiring RoutoMessaging, TeleSign gains greater control over how messages are delivered to users, which leads to a higher quality service, as well as access to network-level data to ensure that transactions are occurring in a trusted environment.

By re-launching as TeleSign Mobile, a dedicated messaging and data services division, we can use our renowned mobile messaging network to mobilise even more services and business processes for TeleSign's customers, as well as the many enterprises we serve today.

TeleSign Mobile will continue to stand for global reach, mission-critical reliability, and trust - all values our colleagues at TeleSign share. And we will continue to do things a little differently from the rest of the industry. So watch this space, as the most exciting news is yet to be written.

Our official press release can be read here, and we have prepared answers to some of the questions we imagine you may have. We hope you are as excited as us about what the future holds for TeleSign Mobile, and as always we would love to hear from you if you'd like to get in touch.

7.8 trillion text messages were sent in 2011 and that number was expected to reach about 9.6 trillion in 2012 (Source: Portio Research). 

• Is the cost of support included in the service? If not, what is the cost of support?
• Do they offer phone and email based support?
• Do they offer emergency (24x7) phone support?
• Do they offer integration support andor offer best practices guidance?
• Can they provide guidance on the optimal user experience or user interface?
• Do they offer proactive alerting?
• Do they offer access to a client portal and provide troubleshooting tools?
• Do they offer canned and ad hoc (i.e. customized) reporting?
• Do they offer SLAs and Service Level Objectives (uptime, technical support response times)?
• Can the provider provide best practices on fraud prevention and risk mitigation?

These six questions will quickly separate the mission-critical contenders from the pretenders, and will help ensure the highest possible delivery percentages, the lowest levels of fraud, and the very best customer experience.