Brilliance Security Consulting caught up with Brian Czarny (it’s easy, the C is silent, Brian said), Senior Vice President of Marketing for TeleSign, at the Black Hat 2015 Conference in Las Vegas. His explanation of who TeleSign is and what they do is quite fascinating.
Who do big consumer-facing internet brands like Tinder, Salesforce, Evernote, and GoDaddy turn to when they need help with account security for their web and mobile apps? Often the answer is TeleSign. TeleSign helps these big brand names prevent fraud and reduce risk through the full spectrum of account security including registration, access and usage, as well as recovery.
As an example of the services they provide, Brian explained their relationship with Tinder.
Attackers sometimes create bulk accounts that are then used for phishing attacks and malicious scams. TeleSign provides phone verification to minimize the potential of registration fraud. They make sure the new registrant is who they say they are.
TeleSign provides real-time security intelligence on phone numbers around the world. They maintain a database of information that is used to assign each number a reputation score. Their customers use that score to determine if additional security precautions, such as issuing a one-time passcode, are warranted.
A simple example: if a single number is seen registering on multiple sites around the world in an unreasonable amount of time, their system will throw a flag so further investigation can be done.
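The flag described above can be sketched as a sliding-window velocity check. This is an added example, not TeleSign's code: the window, the site limit, the event fields and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; the article does not state what counts as "unreasonable".
WINDOW = timedelta(minutes=10)
MAX_SITES = 3  # distinct sites one number may register on inside WINDOW

# Constructed sample events: (ISO timestamp, phone number, site, country).
SAMPLE_EVENTS = [
    ("2015-08-05T09:00:00", "+15555550101", "site-a.example", "US"),
    ("2015-08-05T09:01:00", "+15555550101", "site-b.example", "BR"),
    ("2015-08-05T09:02:00", "+15555550101", "site-c.example", "DE"),
    ("2015-08-05T09:03:00", "+15555550101", "site-d.example", "IN"),
    ("2015-08-05T09:00:00", "+15555550102", "site-a.example", "US"),
    ("2015-08-05T10:00:00", "+15555550102", "site-b.example", "US"),
    ("2015-08-05T11:00:00", "+15555550102", "site-c.example", "US"),
    ("2015-08-05T12:00:00", "+15555550102", "site-d.example", "US"),
    ("2015-08-05T09:05:00", "+15555550103", "site-a.example", "FR"),
]


def flag_velocity(events, window=WINDOW, max_sites=MAX_SITES):
    """Return {phone: context} for numbers seen on too many sites too quickly."""
    recent = defaultdict(deque)  # phone -> (time, site, country) still in window
    flagged = {}
    # Same-format ISO timestamps sort chronologically as plain strings.
    for ts, phone, site, country in sorted(events):
        now = datetime.fromisoformat(ts)
        seen = recent[phone]
        seen.append((now, site, country))
        # Drop registrations that have aged out of the window.
        while now - seen[0][0] > window:
            seen.popleft()
        sites = {s for _, s, _ in seen}
        if phone not in flagged and len(sites) > max_sites:
            # Keep context for the analyst doing the follow-up investigation.
            flagged[phone] = {
                "sites": sorted(sites),
                "countries": sorted({c for _, _, c in seen}),
                "first_flagged": ts,
            }
    return flagged


if __name__ == "__main__":
    for phone, ctx in flag_velocity(SAMPLE_EVENTS).items():
        print(phone, ctx)
```

The second number registers on the same four sites but an hour apart, so it never exceeds the limit inside one window and is not flagged.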
Keep Friction Down and Conversion Rates High
The challenge for large web-based service providers that depend on lots of customers registering at, and then returning to, their site is to keep friction in the user experience down, and therefore conversion rates up, while protecting their customers’ identities.
These big providers survive only on their reputation, which is undoubtedly their most important, and yet most fragile, asset. You only get one shot at creating a good first impression and registration is usually that shot.
Account Access and Usage
Traditional password-based account security can be defeated using stolen credentials, social engineering, and brute force attacks. We have all been frustrated, at one time or another, by multiple failed attempts to access an online account. In the early days of the internet this frustration could often be solved by simply picking up the phone and calling the company with which you have the account. More and more, regrettably, a phone number that connects to a real person is hard to find and almost impossible to find if you’re not already logged in to your account.
Brian says that making user verification and authentication easy is one of their primary objectives. He explains that this is accomplished for their customers by deploying such strategies as two-factor authentication (2FA) using SMS or voice messages. Other device-based methods such as push notifications, code challenges, or soft tokens are also used.
In the future we will see such strategies as behavioral identity being deployed. In this case a user’s typing speed and behavioral patterns can be analyzed for comparison against the known user of the account.
How do these web companies know if you really did forget your password or if it is a cyber criminal trying to intercept an email challenge-based recovery method to take over your account?
It’s all done using your unique mobile identity. Brian explains that for most users their mobile phone number rarely changes, so by sending a one-time passcode via SMS, voice, or push, TeleSign can greatly reduce the risk of someone taking over your account during the reset process.
Having been around for 10 years now, TeleSign sees themselves as a pioneer in the mobile identity space yet they continue to innovate.
Studies TeleSign has done show that consumers do not feel safe while online. Many do not understand the terminology associated with 2FA or the types of 2FA being used today. In an effort to help consumers feel safer and better understand these issues, TeleSign launched a consumer education program, branded Turn On 2FA, in early June of this year.