Verisign to check where you're coming from


A story from CNet details a new e-commerce security service from Verisign (corporate press release also available) that aims to pair your credit card information with the location of the network address that you are coming from.

On the surface, it sounds like a good idea: if you have a US credit card, the network address of your computer should be in the us... right?

Not necessarily.

The EFF has urged caution due to privacy and anonymity concerns, but I'm not as concerned about that as I am about false-negatives.

Those of us who travel abroad (I'm not doing as much as I used to, but still quite a bit more than most) have a tendency to access e-commerce sites when we are out of the country. In the past, services like PayPal and eBay have made life difficult by complaining about logins coming from overseas with no good reason.

Even worse, there are some algorithms that incorrectly identify the origin of packets on the internet. Since there is no geographical identifier, these systems depend on information available from the various NICs or Network Information Centers (such as ARIN or APNIC) that keep databases of which IP numbers are assigned to whom. However, these database can be tricky and sometimes misleading as companies with presence in multiple countries often move IP addresses between facilities without regard for physical location.

Hopefully the folks at Verisign were more careful or allow some reasonable mechanism for proving that you are genuine when accessing from "suspect" locations, but I fear that's not the case.