I’ve been protecting assets against hackers and fraudsters on the internet since 1995, when I was working at Paramount Pictures and was responsible for sites like startrek.com and their various other properties. In 2000 I helped start a company, eventually bought by Microsoft, that stopped spam and other malware in the cloud. When we started the company in 2000, spam wasn’t a big problem; somewhere around 2002 to 2003 it became a huge problem and just kept growing.
I never intended to spend the last 16 years dealing with fraud and hacking on the internet, but at some point it just became a critical part of running a successful business online.
During my last 5 years at Microsoft we really perfected our ability to block spam from hitting users’ inboxes. We used to measure our success in two ways: how much we blocked and, eventually, how much we let through to the user’s inbox (spam in the inbox, or SITI). The reason we measured it both ways was that our blocking effectiveness became so good (well over 99%) that it was much more meaningful to end users to say how much we let through to them as individuals. From a strategic perspective, Microsoft also had two ways of looking at spam. First, we stopped it by filtering or blocking by reputation; second, we stopped it at the source by going after the spammers’ command-and-control centers. The second strategy seems like it may be more effective in a macro sense in the long run: when large botnets went offline (typically this involved some legal action as well) we would see huge drops in spam volume, and as of late last year and early this year these drops seem to have become permanent.
In looking at the fraud landscape over the last 10 years of fighting spam and malware, I started to become a big believer in end user security. It started with me personally but then expanded to what I can do to help make users more secure. Fraud is a huge problem. In doing personal credit card transactions over the last several years on the internet, I’d say that I get my credit card stolen and a fraudulent transaction put on it every 24 months or so. This is really bad. For websites, I’ve never had an important account cracked; however, I’ve gone to what for most people would be extreme measures in using very random credentials, so that my password can’t be cracked and, if the underlying user database is stolen, which is happening ever more frequently, the person doing the stealing gets a credential that will only work for that site. There has to be a better way.
TeleSign allows our customers to integrate our API into their authentication stream. The primary use case today for TeleSign is either allowing websites to verify users (e.g. take the user’s phone number and see if it actually belongs to them) or one-time passwords (OTP). When using our OTP technology, the user almost doesn’t care anymore what their password is. Really the password is just a gate that causes an OTP to be sent to the user’s phone. When the user receives the OTP and enters it into the site, the site puts an encrypted cookie on the user’s machine for a certain period of time (usually 30 days), at which point the user is verified and secured for that session and the ones that follow.
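The OTP flow described above, as an added Python example that is not TeleSign’s code: the password check gates a six-digit code sent through a delivery hook (standing in for the SMS API), the code is accepted once before it expires, and success issues an HMAC-signed, expiring cookie in place of the post’s encrypted one. The five-minute code lifetime, the three-guess budget, the in-memory store and the server key are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

OTP_TTL_SECONDS = 5 * 60            # assumption: a code is valid for five minutes
TRUST_TTL_SECONDS = 30 * 24 * 3600  # the post's "usually 30 days" trusted-browser window
COOKIE_KEY = secrets.token_bytes(32)  # constructed server secret; load from a key store in practice
_pending = {}  # constructed in-memory store of pending challenges, keyed by user id

def issue_otp(user_id, send_sms):
    """Run only after the password check passed: the password merely gates the OTP."""
    code = f"{secrets.randbelow(10**6):06d}"  # six digits from the CSPRNG
    _pending[user_id] = {"code": code, "expires": time.time() + OTP_TTL_SECONDS, "attempts": 3}
    send_sms(user_id, code)  # delivery hook standing in for the SMS/voice API

def verify_otp(user_id, submitted, now=None):
    """Accept a code once, before it expires, with a small guess budget."""
    now = time.time() if now is None else now
    ch = _pending.get(user_id)
    if ch is None or now > ch["expires"] or ch["attempts"] <= 0:
        _pending.pop(user_id, None)
        return False
    ch["attempts"] -= 1
    ok = hmac.compare_digest(ch["code"].encode(), str(submitted).encode())  # constant-time compare
    if ok or ch["attempts"] == 0:
        del _pending[user_id]  # one-time: drop on success or when guesses run out
    return ok

def make_trust_cookie(user_id, now=None):
    """Signed, expiring cookie marking this browser as verified."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": user_id, "exp": int(now + TRUST_TTL_SECONDS)}).encode()
    tag = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def trusted_user(cookie, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except ValueError:
        return None
    payload, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()):
        return None
    data = json.loads(payload)
    return data["u"] if now <= data["exp"] else None
```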
At RSA in 2004, Bill Gates said that the password was dead. Really it is. No one should feel safe authenticating into a site with just a password; there needs to be a second factor. The best way to fight fraud is to protect yourself and protect your personal information. If the site you’re using offers OTP, you should use it. Google and Facebook offer this. Many banks offer this. If there’s a place where you keep information that you don’t want to become public, you should really look and see what more you can do than just using a password that you’re probably also using in a bunch of other places.