Wednesday, August 15, 2007

Politicians up the ante about online fraud

UK politicians it seems are getting all hot and bothered about online fraud, particularly in the banking sector, with the release this week of a UK parliamentary report entitled, "Personal Internet Security", which describes the internet as a “playground for criminals”.

No new revelations there, then. The internet has been used by criminals pretty much since its inception, so why are the politicians suddenly getting hot under the collar about it? Well, it seems that the report's authors, the House of Lords Science and Technology Committee, have gone and given themselves a major dose of the 'spooks' by compiling damning statistics and evidence that suggest online fraud is an epidemic.

Not only is online fraud being perpetrated by organized crime gangs (nothing new there either) instead of the teenage-hacker-in-his-bedroom with nothing better to do, the report states, but they have also succeeded in remaining largely "invisible".

The report reels off a damning array of statistics including VeriSign's predictions that the level of “bad traffic” (Denial of Service attacks, email spam, phishing) was peaking at 170 times the basic level of Internet traffic; by 2010 it is predicted to be 500 times the basic level.

The report highlighted the vulnerability of online banking to fraudulent activity, citing figures published by the UK bank payments association, APACS, which recorded more than 1,500 “unique” phishing attacks directed at UK banks in September 2006, up from just 18 in January 2005. US banks are the most targeted by phishing, with their losses totalling approximately $2 billion.

The UK parliamentary report recommends the establishment of a framework for collecting and classifying data on e-crime, and “more rigorous and co-ordinated analysis” of the incidence and costs of such crime. It also talked about deployment of security software at ISP level (not that old chestnut), the need for a dedicated regulator for the online world (Hmmm!) and for Government to increase banks' fraud liability.

It did not take long for the security software industry to leap on the parliamentary bandwagon, coming out and touting the latest and greatest authentication technologies including two-factor authentication (which uses two different methods for authenticating someone's identity), and the most amazing suggestion I have heard so far, a "pattern-based" approach based on people's ability to remember patterns to offer a more secure, yet more simple (surely not?) means of authentication, other than the much maligned Chip and PIN.

No one is disputing the need for stronger, more robust means of authenticating someone's identity. However, some of the newer technologies being touted are expensive to deploy and complex to implement. Furthermore, a lot of these technologies only provide authentication up to a point. With PIN and password, for example, it may authenticate a user to an online site or banking application, but it does not provide an iron-clad guarantee that the person is who they say they are.

What is even more alarming is that multinational corporations sending high-volume payments via their banking partners have desk drawers full of security tokens and fobs which only provide authentication at the corporate level, but do not identify the individual sending a payment or whether they are authorized to do so.

It seems the banks have been caught napping and have been too busy trying to push their proprietary identity management and information security technologies on customers in an effort to lock them in.

Well no one wants to be locked in, they want to be able to bank online or send payments electronically without the risk of someone intervening in that transaction and altering payment details for fraudulent purposes.

What is even more surprising is that banks have been sitting on a solution for the last eight years. It is called IdenTrust, which uses PKI encrypted digital certificates to verify someone is who they say they are.

The advantage of IdenTrust is that the banks behind it have already invested $170 million in ensuring IdenTrust digital certificates are binding in more than 175 countries and interoperable cross-border between banks.

So with a solution to stronger means of authentication staring them in the face and the chance to deliver a single identity management solution instead of a multitude of different ones, why on earth does the industry continue to perpetuate their own proprietary versions of digital certificates and other security technologies that do not actually vouch for someone's identity?

Mind you, if we have entrusted banks with our money, can we entrust them with our identities? The argument in the banks' favour is that they already hold a lot of the information necessary to authenticate that someone is who they say they are, although admittedly some of this documentation may be fraudulent.

The security software services industry also has to ask itself whether it wants to continue to perpetuate solutions that sound like a prop from a James Bond film but are difficult and expensive to implement for widespread use.
