Knowledge-Based Authentication Challenge Response System

Kevin Trilli, Director, Product Management, VeriSign, Inc.

Bill Andrews, Sr. Manager, Product Management, Lightbridge, Inc.

Purpose and Agenda

• Purpose
  – Explain a deployment example for KBA
  – Cover the challenges of quantifying Challenge/Response (C/R)

• Agenda
  – Overview of the VeriSign Authentication Service Bureau
  – Challenge/Response in Action: On-Line Auction Site
  – Challenge/Response System Configuration

VeriSign Security Services

Provide Critical Security and Payment Infrastructures that Maximize Efficiency, Remove Complexity, and Reduce Risk

• 380,000+ secure sites & servers
• 90,000+ consumers verified
• 4,000+ enterprise customers
• 30,000+ certificates issued
• 90,000 merchants
• ~5M payment transactions
• ~25% of N. America E-Commerce
• $500M-$700M processed

VeriSign Intelligence and Control(SM) Solutions

[Slide graphic: four solution areas mapped to business needs and offerings]
Provide targeted solutions to business needs:
• Business Continuity – Network Security, Infrastructure Continuity
• Regulatory Compliance – HIPAA, FDA, Strong Authentication
• Business Partner Integration – Secure Extranets, Network Security
• Commerce Enablement – Payments, Application Security, Commerce Security
With flexibly deployed offerings: Intelligent Monitoring & Management; Secure Access to Networks; Secure Web Services; Fraud Protection.

[Slide graphic: leveraging world-class assets]
• Technology – Managed Security Services, DNS, PKI, Trust Gateway, SSL, Payment Gateway
• Data – enterprise event data, 9 billion DNS transactions, 25% of N. American payment volume, SSL certificate validation
• Intelligence/Expertise – health monitoring, event correlation, fraud detection engine
Delivered from a solid infrastructure: Atlas, 24*7 redundancy, secure operations, PKI roots.

VeriSign Set of Offerings: Credentialing and ID Proofing Services

• Credentialing Systems
  – Managed Strong Authentication Service Platform
  – PKI, Strong Database Authentication
  – Commercial and Public Sector Offerings
  – FIPS-140
  – Federal Bridge Compliant

• ID Proofing Services
  – Physician Authentication using VeriSign's AMA Database
  – Consumer Authentication using Lightbridge Services
  – Business Authentication using the D&B Database
  – In-Person Proofing: Mortgage Bankers Association, Notary, Postal Service

Consumer Authentication Service

Various levels of customer authentication, from non-intrusive to interactive:

• Tier 1: Identity Verification (non-intrusive)
  – Based on application data
  – Name, Address, Phone
  – Optional: email, date of birth, driver's license
  – Custom Risk Score

• Tier 2: Interactive Query
  – Based on credit report
  – Dynamic "out of wallet" questionnaire

• Manual Review
  – For exception handling and support
  – 24x7 live person in call center

• Physical Proof (interactive)
  – Faxing in passport, driver's license, utility billing

VeriSign/Lightbridge Online Identity Management: Authentication in Seconds

[Slide diagram: Consumer → Internet → Firewall → E-commerce Web Server (SSL Client Authentication) → VeriSign/Lightbridge CAS → Consumer Databases / Decision Engine / Decisioning System]

1. A consumer initiates a transaction online.
2. Before completing the transaction, the merchant or institution submits the consumer data to VeriSign/Lightbridge for validation, verification and authentication.
3. CAS Tier 1 validates and verifies the consumer data using a unique online fraud model and returns a numeric score indicating the consumer's relative level of risk.
4. CAS Tier 2 compares the consumer data to multiple consumer databases, creates a customer profile, and formulates a unique set of "out of wallet" questions, which are sent back to the consumer through the merchant web server.
5. After receiving the consumer's answers, the CAS decision engine scores the answers and returns an authentication decision to the merchant web server.

eBay Deployment Example

[Slide diagram: End Users ↔ Consumer Portal / Application ↔ (XML) ↔ VeriSign CAS ↔ (XML) ↔ data sources]

Data sources: Credit Bureaus; Name & Address; Public Records; DMV and SSN; Higher Risk Data; Proprietary Blacklists

Service attributes: Real time, 24x7x365; Guaranteed SLA; Audit Trail; Custom XML Interface; Transaction support; Reporting; Configuration

Case Study: Online Marketplace

Business Challenge

• Provide a safe and secure marketplace for both buyers and sellers
• Track and screen out fraudulent users
• Non-intrusive process that is private and confidential

VeriSign Solution

• Identity verification methods that cross-verify identity information using 50+ data sources
• Custom risk score to flag accounts requiring additional monitoring
• Tier-based authentication approach to managing risks

Results

• Instant account verification of all users
• 24x7 call support to handle exceptions
• Leverage the VeriSign brand to build consumer confidence

[Screenshot captions: "Be prepared to provide specific information about your financial data." / "CAS gathers data about the individual and creates a challenge only the user should know." / "Successful registration! eBay User is now ID Verified!"]

C/R Configuration Parameters

C/R – Authentication Questions (Automated)

• Credit Card Questions
• Previous Address
• Payment Questions
• Account Number Questions

C/R – Authentication Questions (Manual Review)

• Unanswered Automated Questions
• Bank/Institution Questions
• Employment Questions

C/R – Configuration Settings

• Allowable Visits: Number of allowable authentication attempts per user in a specified period of time.
• Allowable Visits Counter: Period after which the authentication attempts counter is reset.
• Question Sets: Number of potential automated question sets in a given session.
• Min./Max. Questions per Set: Minimum and maximum number of automated authentication questions per question set.
• Passing Score – Questions Correct: Number of correct answers required to pass the automated process.
• Passing Score – Percentage Correct: Percentage of correct answers required to pass the automated process.
• Borderline Score – Questions Correct: Number of correct answers required for a Borderline Score.
• Borderline Score – Percentage Correct: Percentage of correct answers required for a Borderline Score.

• Question Variances – Payment Amount Questions: Tolerated difference between the answer provided and the information in the consumer profile, on a per-question basis.

• Manual Review: Offline authentication process handled by the Lightbridge Call Center, whereby consumers verbally answer authentication questions.

Challenges in Quantifying C/R
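The configuration settings above define how one automated C/R session is scored and when it escalates to manual review. The following is an added worked example, not VeriSign or Lightbridge code: it models a question set, applies the allowable-visits counter, the passing and borderline thresholds (both the question-count and percentage forms), and the payment-amount variance, and routes borderline results to manual review. All names, default values, and the sample consumer profile are constructed assumptions for illustration.

```python
"""Model of the C/R configuration settings applied to one authentication session.
Added illustration; the field names, defaults and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class CRConfig:
    # Assumed default values; a real deployment would set these per merchant.
    allowable_visits: int = 3                         # attempts per user per counter period
    visits_counter_period: timedelta = timedelta(days=1)
    min_questions_per_set: int = 3
    max_questions_per_set: int = 5
    pass_questions_correct: int = 3
    pass_percent_correct: float = 75.0
    borderline_questions_correct: int = 2
    borderline_percent_correct: float = 50.0
    payment_amount_variance: float = 25.0             # tolerated |answer - profile| in dollars


@dataclass
class Question:
    qid: str
    kind: str        # "credit_card", "previous_address", "payment", "account_number"
    expected: object  # value from the consumer profile (constructed sample data)


# Constructed sample profile: the "out of wallet" facts the decision engine holds.
SAMPLE_QUESTIONS: List[Question] = [
    Question("q1", "credit_card", "acme bank"),
    Question("q2", "previous_address", "12 elm st"),
    Question("q3", "payment", 412.50),
    Question("q4", "account_number", "5551"),
]


def answer_is_correct(q: Question, answer: Optional[object], cfg: CRConfig) -> bool:
    """Exact (case-insensitive) match, except payment amounts use the configured variance."""
    if answer is None or str(answer).strip() == "":
        return False
    if q.kind == "payment":
        try:
            return abs(float(answer) - float(q.expected)) <= cfg.payment_amount_variance
        except (TypeError, ValueError):
            return False
    return str(answer).strip().lower() == str(q.expected).strip().lower()


def score_question_set(questions: List[Question], answers: Dict[str, object], cfg: CRConfig) -> str:
    """Return PASS, BORDERLINE or FAIL; both the count and the percentage threshold must be met."""
    n = len(questions)
    if not (cfg.min_questions_per_set <= n <= cfg.max_questions_per_set):
        raise ValueError(f"question set size {n} outside configured min/max")
    correct = sum(answer_is_correct(q, answers.get(q.qid), cfg) for q in questions)
    pct = 100.0 * correct / n
    if correct >= cfg.pass_questions_correct and pct >= cfg.pass_percent_correct:
        return "PASS"
    if correct >= cfg.borderline_questions_correct and pct >= cfg.borderline_percent_correct:
        return "BORDERLINE"
    return "FAIL"


class VisitLimiter:
    """Allowable Visits / Allowable Visits Counter: sliding window of attempts per user."""

    def __init__(self, cfg: CRConfig) -> None:
        self.cfg = cfg
        self._visits: Dict[str, List[datetime]] = {}

    def allow(self, user_id: str, now: datetime) -> bool:
        window_start = now - self.cfg.visits_counter_period
        recent = [t for t in self._visits.get(user_id, []) if t > window_start]
        if len(recent) >= self.cfg.allowable_visits:
            self._visits[user_id] = recent
            return False
        recent.append(now)
        self._visits[user_id] = recent
        return True


def authenticate(user_id: str, questions: List[Question], answers: Dict[str, object],
                 cfg: CRConfig, limiter: VisitLimiter, now: datetime) -> Tuple[str, List[str]]:
    """Decision plus the question ids to hand to the call center on a borderline result."""
    if not limiter.allow(user_id, now):
        return ("LOCKOUT", [])
    result = score_question_set(questions, answers, cfg)
    if result == "BORDERLINE":
        # Unanswered or missed automated questions become manual-review questions.
        missed = [q.qid for q in questions if not answer_is_correct(q, answers.get(q.qid), cfg)]
        return ("MANUAL_REVIEW", missed)
    return (result, [])


if __name__ == "__main__":
    cfg, lim, t0 = CRConfig(), VisitLimiter(cfg), datetime(2004, 1, 1, 12, 0)
    good = {"q1": "Acme Bank", "q2": "12 Elm St", "q3": "420", "q4": "5551"}
    print(authenticate("user-a", SAMPLE_QUESTIONS, good, cfg, lim, t0))
```

The payment question illustrates why the variance setting exists: an answer of 420 against a profile value of 412.50 is accepted under a 25-dollar variance, while a loose string comparison would reject it. The borderline branch returns the question ids that were missed or left blank, which is exactly the "Unanswered Automated Questions" set the manual-review slide lists for the call center.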

• Requires merchant/agency involvement
• Time lag between the fraudulent event and knowledge of the event
• Fraud data
  – Sensitive to customers
  – Inaccurate or lacking reporting

Requires a macro view of multiple systems and the direct involvement of the customer.