Ping Talk Blog

Will it be love that finally kills the password?

January 18, 2012, John Fontana | IdM, Internet

Love is officially “stupid,” finally edging out “blind” on the strength of password sharing among lovelorn teens.

This from the New York Times today, a story that teen couples are showing their love for one another by sharing their passwords. And not just for one application, but wherever their digital lives take them: e-mail, Facebook, Twitter.

You laugh at their naïveté, but remember some of these teens will be your employees in four years – maybe less. Perhaps your junior executives within the next six years.

Old habits die hard, especially when socialized at such a young age. And they look like a giant liability when they find their way onto your network. It's not just sharing passwords, but the nonchalance towards snooping through another person's account - "authorized" or not. A lover's today, a friend's tomorrow, the boss's after hours.

Privacy wins another round as Facebook, FTC agree on proposed settlement

November 29, 2011, John Fontana | Cloud, Internet

First Twitter, then Google and now Facebook; with the FTC (and the public), deception doesn’t pay.

The Federal Trade Commission and Facebook agreed on a proposed settlement Tuesday that requires the social network’s privacy practices be audited every two years for 20 years by an independent third party. The audits would ensure Facebook's privacy practices meet or exceed the FTC’s orders. The first audit will come in 180 days.

The FTC charged the company deceived consumers by telling them their Facebook data was private even though it was repeatedly shared and made public. The settlement lists five specific orders, including that Facebook is “barred from making misrepresentations about the privacy or security of consumers' personal information.” The other orders include gaining public consent on privacy changes that override personal preferences, hiding information after an account has been deleted, and creating a comprehensive privacy program.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," FTC chairman Jon Leibowitz said in a statement. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."

IIW: What are the technologists thinking?

October 6, 2011, John Fontana | Cloud, Internet

In a few weeks, IIW 13 (formerly called the Internet Identity Workshop) will circle its attendees and get down to the business of hashing out just how user-centric identity is going to get where it wants (needs) to go.

It is certain IIW will hold true to one of the unconference’s mottos: “Whatever happens is the only thing that could have happened.”

And over the years, a lot has happened at these gatherings of deep thinkers where many emerging technologies get started, ignited or buried.

IIW focuses on user-centric identity and how people will manage their identity across the Web. Legal, social, privacy and business issues also are in the mix.

While this is not an end-user conference, what happens at IIW will find its way to end-users and also to enterprise computing. Companies looking to the future of identity, end-user access, privacy, and other topics should take note.

Even if Internet-based user-centric identity is not on the radar, or not welcome within the corporate network, IT should be mindful of the concept of servicing users who “bring their own identities.” Major companies such as Bechtel are already accommodating such ID-toting users, be they contractors, suppliers or even retirees.

With that in mind, here are five topics that appear likely to get the lion’s share of attention.

Identifying with your bank: Visa raising EMV profile in U.S.

September 28, 2011, Sid Sidner | Mobile, Internet

(This is the second of two parts. Read Part 1 here.)

In the first half of this series, I reported the announcement from Visa that will drive the switch to EMV smart chip banking cards in the U.S., and why these cards are so powerful. In this half, let's look at the implications of this and how it could affect the world of identity.

Why do EMV bank cards change the world of identity?

Several factors make EMV bank cards so important:

  • Eventually every Internet user in the world will have one or more.
  • They are very secure.
  • They work well with personal computers, mobile devices, and even physical lock systems.
  • The global banking payment network can easily authenticate them and collect fees based on the value of the authentication.

How would EMV bank cards work for identity?

The payment card networks could easily add another transaction for authentication to the dozens of EMV bank card transactions already implemented.

EMV chips can operate in two modes: offline and online. In offline mode, the chip is used to generate one-time passwords or to sign manually entered data. This is how Visa’s DPA (MasterCard/JCB CAP) devices work. VASCO makes the popular DIGIPASS 800 readers. Several other vendors also make these readers. For higher-value transactions, going online has many aspects that enhance security and that ease implementation. In either case, the user would enter their PIN just like in a normal EMV bank card transaction.

Since the payment card network is built on the business concept of charging fees for transactions, relying parties - for the first time - can request a level of assurance (LOA) based on a monetary loss value if the authentication turns out to be fraudulent.

Identifying with your bank

September 27, 2011, Sid Sidner | Mobile, Internet

(This is the first of two parts)

In August, Visa made one of the most important announcements in payments in the last ten years: a specific timetable and set of incentives for adopting the EMV banking smart card standard in the U.S. The United States will finally join the rest of the world in moving from 30-year-old magnetic stripe technology to smart chips.

Adding this last piece to the EMV puzzle may also usher in a new era of ubiquitous strong authentication. With chips in every bank card that feature both contact and NFC contactless technology, adding card readers to mobile devices and personal computers will be an obvious must-have feature.

E- and M-commerce payments can become more secure. More important, identity actions we could never do before, such as buying boats and cars online, or accessing our personal medical or tax records anywhere, now become practical.

Visa and others envision enabling phones to do EMV via NFC (Near Field Communication).

Before I joined Ping Identity I worked in the payment card industry and dreamed of this day. A joint project in this area is what acquainted me with Ping. I left the industry in frustration so that I could work for a company at the heart of Internet scale identity. Below I describe why chips are important, and outline the forthcoming Part 2 of this blog.

Pornographers, privacy and you

August 25, 2011, John Fontana | Internet

Is there yet another leak in the personal privacy boat?

This time it’s the work of the House Judiciary Committee, Rep. Debbie Wasserman-Schultz (D-Fla.) and 25 other co-sponsors, who approved a bill (H.R. 1981) that would require Internet service providers to keep for a minimum of 18 months every IP address they assign to their users when they surf the Web.

Today, some providers keep such records for less than a week.

The reason for the proposed change? So the addresses can aid police in catching child pornographers.

Never mind there is no clear data to support that the IP addresses will crack any cases (that is mostly left to hard drives full of porn). Never mind you can’t prove who was at the controls behind the address. And never mind that police can already have ISPs save suspects’ records in three-month intervals.

Privacy advocates are already out.

Gregory Nojeim, senior counsel at the Center for Democracy and Technology (CDT) and the Director of its Project on Freedom, Security and Technology, told NPR the bill is “the China-style approach to law enforcement.”

How to save $50 (but lose your identity)

April 27, 2011, John Fontana | IdM, Cloud, Internet

A story from Reuters details how the perpetrators of the Sony PlayStation Network data breach obtained “people's names, addresses, email address, birthdates, usernames, passwords, logins, security questions and more.”

There was no need to add “…and more”; the first 11 words are scary enough. Along with the fact it took Sony a week to report the breach.

But the soothing next sentence in the Reuters story, saying Sony is not seeing any evidence that credit card numbers were stolen, brought a smile to my face.

What a sigh of relief those 77 million breached users must have experienced knowing they would not be on the hook for a $50 fraud charge with their credit card providers. I’ve said it here before, your personal data is valuable. Sony's customers are now a proof point.

At least one user gets it. CNet reports a suit was "filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the U.S. District Court for the Northern District of California." Johns accuses Sony of not taking "reasonable care to protect, encrypt, and secure the private and sensitive data of its users."

Of course, Sony added that it isn’t completely sure credit card data wasn’t stolen, but it did advise users to place fraud alerts on their accounts.

"Even if it turns out credit card data wasn't stolen, the consequences of this attack are huge,” Fred Cate, director of Indiana University's Center for Applied Cybersecurity Research, told the university’s news service.

eyePhone; here's looking at you, and you, and you...

April 22, 2011, John Fontana | Internet

Apple is certainly stirring the paranoia pot with its eyePhone and this week’s revelation that the device is dutifully logging your movements.

It’s not really the logging itself; it’s the questions around why. In Apple’s defense, at the lowest level they are doing what every other cell phone provider does. The issue is where and why the data is stored, and how it might be used.

We don’t all need to turn into Henry Hill, Ray Liotta’s perfectly paranoid, helicopter-fleeing mobster in the film Goodfellas, but Apple has become another Google Street View car in a debate about eroding privacy and whether it really matters.

Yes, I think it does.

Today, CNet added fuel to the fire reporting that law enforcement worldwide has known about the Apple location collection for the past year, has used it in “criminal” investigations and uses specific applications for extracting the data.

And CNet added that security researchers report some Google Android phones store location information, and researchers suggest that "virtually all Android devices" send some of those coordinates back to Google.

It’s a startling revelation that could blow this issue up into a national uproar. In fact, Rep. Ed Markey (D-Mass.) wrote a letter to Apple CEO Steve Jobs yesterday asking seven questions – ranging from use of the data to procedures to disable the location feature – and requesting answers by May 12.

Gen X and other social networkers need to come to grips with the fact that their personal data indeed has value and is something to protect.

Of RSA, Epsilon and human frailty

April 5, 2011, John Fontana | Cloud, Internet

In the 2004 techno-cop thriller I, Robot, the serenity of life with computerized robots used as servants and for public services is disturbed by one rogue element: human-like reasoning.

That’s the same element, it turns out, that disturbed the serenity and shook the foundation of RSA’s SecurID, which was engulfed in a hack a few weeks ago. The hack that was originally described as “extremely sophisticated” now appears to be a common spearphishing attack exploiting a since-patched zero-day vulnerability in Adobe Flash.

In other words, a user was socially engineered into opening a file that contained a nasty payload. In addition to his/her rogue tools, the hacker needed only one other item: an email address tied to a potentially lucrative big company domain name. The attack is nothing new, and that is perhaps one of the frightening aspects in light of the email address thefts in this week's Epsilon revelation.

RSA laid out the anatomy of the attack on its network in a blog post.

The blog describes how an RSA employee pulled an email out of quarantine, opened the enclosed Excel spreadsheet labeled “2011 Recruitment Plan,” and unwittingly launched the exploit. A remote admin tool was installed and used to control the user’s machine. From there, user account exploration and elevation of privileges began to fan out in an attack called an advanced persistent threat (APT).

Yeah, privacy matters

April 1, 2011, John Fontana | Cloud, Internet

“When companies make privacy pledges, they need to honor them,” Jon Leibowitz, chairman of the FTC, said Wednesday after his agency charged Google with “deceptive privacy practices” as part of a case centered on Google’s rollout of its Buzz social site last year.

The FTC and Google settled with an agreement that will see Google’s privacy practices scrutinized for the next 20 years. Leibowitz said, “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations."

Yes, privacy protection is a big deal.

But Google isn’t the only one under the microscope. Facebook and Twitter have been under the lens as well. And there is a growing tide of federal regulators getting serious about protecting consumers online.

Massachusetts Senator John Kerry’s Internet privacy bill, in the works for months, is evidence of that. Kerry’s goal is to give consumers tighter controls on how their online lives are tracked and used by advertisers.

The FTC said the framework of the Google ruling establishes best practices that the regulatory agency would like to see implemented elsewhere. Now Gen X and other social networkers need to come to grips with the fact that their personal data indeed has value and is something to protect.

At the going rate, users will be lining up to buy back their grocery lists and anonymity from “personalization” services like Rapleaf or people search engines such as Spokeo.
