The Evince Blog
A blog about issues affecting Internet investigations and ethics compliance programs

eBay – Somewhere You Are

February 21st, 2010 . by Chris Pierre

This blog does not deal with the Internet security side of the equation very often, but I saw a post on the Hyperion Digital Identity Forum that I thought was interesting.

According to that post, eBay in the United Kingdom may now be implementing a location-based authentication scheme which aims to protect its users from being hacked. This is an interesting step towards account protection, provided of course that you never access your eBay account on business trips or vacations.

Perhaps the best way to implement this would be on an opt-in basis?


Fascinating Analysis of World of Warcraft Security Issues

January 15th, 2010 . by Chris Pierre

I am a regular reader of Steven Davis’s PlayNoEvil Blog, as should anyone be who is interested in game security and online fraud. Through one of the PlayNoEvil posts I learned about a string of posts on the WoW.com site relating to account security.

I think these are a very useful read for anyone interested in protecting online accounts, including individuals, game companies and policy makers.


Recommendation: “Key Issues in Establishing a Forensic Audit Capacity”

December 24th, 2009 . by Chris Pierre

For government departments that are considering developing a forensic audit capacity I would recommend the article written by Alan Gilmore in the Financial Management Institute of Canada’s FMI*IGF Journal Volume 20, No. 1, Autumn 2008. The article is published in both English and French and is available from the Financial Management Institute’s website.


How Social Media Can Be Used During a Crisis

May 12th, 2009 . by Chris Pierre

There is a great article in the April 2009 edition of Canadian Security Magazine on the use of social media for real-time intelligence gathering during crisis situations. The article features commentary by Jeannette Sutton and Leysia Palen of the University of Colorado Natural Hazards Center.

Are these tools the complete solution to crisis management? Probably not, but having multiple sources providing information on a given incident can only lead to better decision making in real time. Furthermore, although the article doesn’t address this, having multiple witness accounts of a given incident can help with post-crisis investigation as well.


Sites I Like: Research on Anti-Counterfeiting Activities

April 22nd, 2009 . by Chris Pierre

There are several resources that I use frequently to learn about counterfeiting and intellectual property fraud cases that happen globally. This kind of research gives you a sense of what is happening in which jurisdiction (i.e. hotspots). They are also useful for determining which law enforcement agency you might want to engage with or which investigative or legal firms have IP protection practices in a given geographical area.

The first is the International Chamber of Commerce BASCAP Initiative. This is essentially a portal for research on anti-counterfeiting activities around the world. You can research by geographical location, items of interest or enforcement agency which allows you to get some very good, very specific information.

The second source is the Knockoff Report, produced by Rob Holmes of IP Cybercrime in California. His blog focuses on brand protection activities and articles from both a policing and a private sector perspective (note the referral to the Gamasutra article on Sony PSP piracy).

Both of the above sites have e-newsletters that you can subscribe to.

Honourable mention goes to the World Health Organization’s IMPACT site and to the Interpol site. The WHO IMPACT site provides some great information on counterfeit drugs and it also provides a mechanism to report incidences of counterfeit medicine; unfortunately, it does not appear to be updated very often.

The Interpol site describes some of the initiatives that this organization has been involved with to help stop the spread of counterfeit goods, including medicines.

Finally, and I can’t believe I almost forgot, there is the LinkedIn Group on Anti-Counterfeiting.


Privacy Commissioner Presents Paper on Privacy Issues Relating to Virtual Worlds

March 30th, 2009 . by Chris Pierre

In November 2008 I provided readers with a link to the European Network and Information Security Agency’s paper on privacy and security in virtual worlds. At the time I didn’t realize that the same organization had also published a paper specifically looking at virtual worlds aimed at children called “Children on virtual worlds: What parents should know.” Readers may also be interested in that paper.

The Canadian Office of the Privacy Commissioner has recently posted a research paper on their website. The paper, which was written in April 2008, describes privacy concerns relating to virtual worlds, specifically Second Life.

It is titled “Second Life: Privacy in Virtual Worlds” and it provides a general background on these environments, describes some of the marquee cases that have affected users’ privacy, and finally analyzes some of these concerns against the principles set forth in the Privacy Act.

It is a good read for researchers, but will also give virtual world/MMORPG businesses a sense of the direction that Canadian privacy authorities are heading in with respect to these environments.


How Governments are Using Virtual Worlds

March 6th, 2009 . by Chris Pierre

For readers who are interested in what activities governments are involved in with respect to virtual worlds, you may wish to visit the Federal Consortium of Virtual Worlds. The presentations, videos and other information posted there will provide readers with a view into how different agencies are using virtual worlds for training, networking, modeling, research and communication. You’ll also get a sense of which private sector companies are meeting these demands.

Another place you may wish to check out is the Digital Ontario Island in Second Life. There are various kiosks and buildings that users can visit which cover things such as tourism and investment opportunities (personally I think the Muskoka chairs are a nice touch).


Background Due Diligence and Web 2.0

February 20th, 2009 . by Chris Pierre

A confluence of events has occurred both in the media and in my own consulting practice which has caused me to consider evolving concepts of background due diligence in a Web 2.0 environment.

From a marketing/public relations perspective businesses now have the opportunity to connect with and engage consumers in ways never thought possible before. On a transactional level you can make the deal with an avatar and pay with PayPal, Liberty Reserve or perhaps even Linden dollars.

Some aspects of these types of transactions aren’t new. Legitimate businesses and the not-so-legitimate businesses have been negotiating transactions on the Internet for a long time. Whether it was in a chat room, on a bulletin board or some sort of auction site, people have been finding a way to connect and to transact online.

Regulatory agencies haven’t always been so quick to react either. In fact it was only recently that different tax authorities around the world have begun to tackle the eBay power seller issue.

What is interesting from a fraud prevention and risk management perspective is that many of these communities are largely self-policed. We have rating systems for sellers, and there are always other forum participants that are willing to oust a bad business person on the forum.

This modified honour system may be okay for some types of businesses and some types of transactions, but for others it is never going to be enough. For large, sensitive transactions where your company’s reputation is at stake, or where you have a fiduciary duty to your clients, I strongly believe you have to know who you are dealing with in real life. It sounds like common sense, but things are moving very quickly at the moment and sometimes common sense gets a little less attention than it deserves.

Consider this: there are many interesting corporate, social, political and legal trends happening all at the same time. There is the rise of corporate virtual worlds where you can either hold private meetings or connect directly with customers. On the political front there was the incident a few weeks ago where a British politician was impersonated in Second Life (it was a funny story, and there are arguments to be made that politicians have a lesser expectation of privacy than the average joe-avatar, but it is illustrative nonetheless).

It also seems that the legal world is still grappling with the concept of identity and Web 2.0. It was only recently that a court in Australia allowed papers to be served via a Facebook profile. Of course we’re still waiting to hear the final outcome of the Lori Drew case.

Now to circle back to the point in all of this: in a previous life, during the immediate post-dot-com, Enron, Worldcom, 9-11 era where know-your-client requirements grew substantially, I spent a significant amount of time doing background due diligence.

It was in the context of commercial transactions and these kinds of inquiries became standard practice for large financiers that had a fiduciary duty to their own investors; but if you had tried to sell this service two years prior you would have been met with blank stares. Times had changed then and I sense that they are changing now.

The first question we were always trying to answer was “Is this person actually who they say they are?” Only then would we start looking at other issues around financial stability, reputation, conflicts of interest and so on.

Seems kind of rudimentary, doesn’t it? Maybe so, but identification and authentication is something that many people from the technology, financial and legal communities have been tackling for a very, very long time. Regardless, I strongly urge you to say something to the effect of “That is a great idea! One question though…how do we know this is really them?” the next time your organization is considering a large dollar, high value or high risk transaction through some sort of Web 2.0 platform where you are buying into the other party’s reputation.

Whether it is a technology solution or it is flying somewhere to meet them and shake their hand, you must satisfy yourself that you have answered this question.

If you are looking for further information on this subject, and depending on the context of your inquiries, I recommend the “Identity, Anonymity and Privacy” chapter in Protecting Games (so far a great read by the way) or the Digital Identity Forum.


90,000 Sex Offenders Removed from Myspace – But We Have to Read Other Headlines Too

February 5th, 2009 . by Chris Pierre

According to an article on Reuters, Myspace has found and removed some 90,000 sex offenders from its site over the last two years with the help of a kind of national sex offender registry that it created with the help of a company called Sentinel Safe Tech Holdings Corp.

The article indicates that Connecticut Attorney General Richard Blumenthal, who was the person behind these inquiries, has also issued a similar subpoena to Facebook. It appears that Facebook has not formally responded to the subpoena as yet, but Facebook’s Chief Privacy Officer stated that the site “has not yet had to handle a case of a registered sex offender meeting a minor through Facebook.”

The article did not specify whether a similar subpoena was issued to any of the other gazillion social networking sites or other platforms, but we may be hearing about this issue more in the future.

On the opposing side of the argument, a separate report commissioned by the National Association of Attorneys General called “Enhancing Child Safety & Online Technologies” finds that “the image presented by the media of an older male deceiving and preying on a young child does not paint an accurate picture of the nature of the majority of sexual solicitations.” The report also found cyber-bullying is in fact a much larger problem.

Interestingly, a Wired article described how Connecticut Attorney General Richard Blumenthal and South Carolina Attorney General Henry McMaster were two of the avid dissenters of the report’s findings. They may now be gathering evidence to help bolster their case.

From an academic perspective it may be completely accurate that the majority of solicitations that youth receive online are from other youth. It may also be accurate that media and other sources play up the threat of predators on social networking sites because they make good headlines, but 90,000 registered sex offenders on a given social networking site is a pretty big number and warrants some consideration. It certainly creates a confusing environment for parents and lawmakers alike.

There was no indication in the article that all of the 90,000 offenders were actually using the social networking site to prey on youth, but rather that this was a proactive gesture on the part of Myspace to remove the offenders based on the information that they compiled in their sex-offender database. The article also seems to indicate that the 90,000 includes only US citizens. MySpace is an international platform so it makes one wonder if similar statistics would be found elsewhere.

To be honest I’m still making my way through the 278 pages of the Attorneys General report, but one paragraph in the Executive Summary did grab my attention. The report does indicate that the best way to protect children online is comprehensive and multifaceted. Specifically it states:

“Technology can play a helpful role, but there is no one technological solution or specific combination of technological solutions to the problem of online safety for minors. Instead, a combination of technologies, in concert with parental oversight, education, social services, law enforcement, and sound policies by social network sites and service providers may assist in addressing specific problems that minors face online.”

Not an easy task, but if you believe the old saying that it takes a village to raise a child then this statement couldn’t be more accurate.

For more information on child safety online parents can visit any number of great sites, including the US-based www.WiredSafety.org and www.connectsafely.org. The site www.kidsintheknow.ca is a great Canadian resource which is affiliated with www.cybertip.ca. Finally there is a United Kingdom based site called www.bullying.co.uk if you’re looking for resources on cyber-bullying.


Video From Virtual Goods Summit on Combating Fraud in the Sale of Virtual Items

February 3rd, 2009 . by Chris Pierre

Depending on the virtual world, social network or MMO that you’re looking into, the developers of that world will do their best to create an environment that includes the ability to compete, grow in social status or simply allow users to express themselves through tools and attire that they can affix to either their social networking page or their avatar (or both).

Now that they have created the environment where that “character development” can happen, the next step is to monetize it. There are several different strategies that they might choose to do so, from tailored solutions to the use of payment cards, Internet wallets, or payments through mobile telephone.

I came across this video from the 2008 Virtual Goods Summit that features the following panelists:

Lex Bayer – Founder & CEO, Spare Change Payments
Christian DeBaun – Director of Business Development, PayByCash
Gene Hoffman, Jr. – Chairman & CEO, Vindicia
David Marcus – CEO, Zong a part of Echovox, Inc.
Tim Pechmann – President, GMG Entertainment

The moderator is Paul Thind – GM North America, Sulake Corp.

Although there is no real representation on the panel, platform owners can also use third party sites to help facilitate item sales and RMT that would act as an intermediary on their behalf and therefore likely assume some of the fraud risk.

For the most part these payment platforms apply to MMOs and VWs as well as social networking sites.

This will give viewers a good overview of some of the different options for payment facilitation. Given that credit card charge-backs are such a huge issue, this is also an opportunity to hear how platform owners can transfer at least some of the payment risk to consumers.

Which one is the best solution? That will be business model and platform specific. My thought is that it will be driven largely by the marketing choices that the game platform makes (i.e. which geographic markets it chooses, which age demographics it targets, etc.)

These are interesting solutions from a fraud prevention perspective, but they also present interesting challenges and opportunities from an investigative perspective. How much does PayByCash know about where their cards are purchased, for example? If virtual goods are being used as a payment mechanism, how are you going to track that if the offender is using a payment card? The data may be richer if a mobile telephone payment is used, but who has the best records? The payment company or the mobile telephone company or both?

Some of these issues with respect to mobile telephone payments were discussed at the World Bank Workshop on Mobile Telephone Payments that I discussed in an earlier post.

I am interested to hear what the community’s thoughts are on these different platforms. Feel free to leave a comment or email me directly.

