Sriram Natarajan - Credit Risk Fraud Cards Professional - Gurgaon 11 May, 2008, 07:14 0 likes

Dean. What you received is nothing but one of the many variants of the famous Nigerian '419' scam. With so much publicity to the '419' letters and emails, the fraudsters have decided to be more creative. I keep receiving emails from a London address that I have won a British Government lottery! Fraudsters are getting creative by the day.

A Finextra member 11 May, 2008, 12:01 0 likes

Yes, I had another one advising me about the 'new' Merrill Lynch business site where ML has deployed new internet security features. I'll bet!

Logic suggests that they'll just get better. Eventually no-one will pay attention to any emails.

A Finextra member 12 May, 2008, 09:25 0 likes

Hi Dean,

"Your" email and all junk emails are only viable when it costs virtually nothing to send out millions of emails. I have read there are over 100 billion spam emails sent every day and clearly this has absolutely no benefit to anyone other than senders of spam.

IMHO it would be easy to stop this torrent by having a minimal charge per email sent of say 1 penny/cent/yen. I realise that some non-profit organisations would not like this but surely it would be worthwhile to reduce the amount of spam.

A Finextra member 12 May, 2008, 11:05 0 likes

Hi Tony,

I agree, I can't see any reason why people wouldn't pay say 1 cent, but I think it would only solve some of the spam emails and I suspect none of the phishing, and often they are 'sent' by unknowing third parties anyway. Phishing is profitable and is becoming increasingly targeted and spam must make money otherwise spammers would find something else to do.

A solution which I think would work might be by verifying the sender to the recipient before they open the email. People could choose not to open spam, or they could open it and would not really need to worry about danger, except malicious code, but certainly not  experience fraud as a result. Ideally it shouldn't matter if your machine got a virus or a trojan, your transactions should still be safe, after all it's not like it'd be a surprise, and hoping for the best is certainly no defense, look where that's got us.

I have designed a low cost solution which verifies the sender and the fee could perhaps be less than a penny if enough custom was forthcoming. We haven't actively marketed it although we've had some interest from brands keen on getting their requested advertising actually read, but that will a be part of our next phase offering which is more aimed at them. I figure we'll just give it to our customers as a bonus, at least they'll read our and our clients email. 

I don't think it can go on much longer, too many legitimate businesses are missing out on the benefits of a trusted email channel. Wouldn't you get warm and fuzzy feelings about your bank if they verified their email to you?

The solutions we propose are integrated so that in the first instance you probably wouldn't open the fake bank email. Secondly, if you did accidentally end up at a fake bank site, the fake site would be unlikely to succeed in actually tricking you into performing a transaction and it would undoubtably fail when put to the test by our transaction verification system.

There are some pretty smart evildoers out there and even I can imagine an exploit which uses the real customer's computer in a loop through a fake bank site and back to the customer and then to the real bank's site. This type of attack would probably defeat most web based defenses because the attacker is using a known device from an accepted location.

For instance, sophisticated 'decision making' risk software like Cyota software detects various details of the transaction which may alert the transaction system to things such as the customer and the fraudster being in either in different places or out of character places. Our security does too, and it is also capable of escalating the defenses to defeat even the abovementioned type of attack. So even if someone tricks you, and it could happen to any of us, the transaction would raise an alarm and fail to complete.

The most common (at the moment) and easiest attack is to steal your details and use them later. Bank software is getting better at recognising these attacks and they have handed out a bunch of gadgets to make it a little safer, but the gadgets are unfortunately limited to what they are, sealed units, so they can't really adapt to defeat new threats, and they would fail in the above example for instance, even if you had a token gadget.

The mobile phone solution can adapt to new threats as they arise, and while I can't actually imagine any attacks succeeding with what we have now, let alone in the future, we are still trying to find a flaw, but if we do - we'll just adapt.

A Finextra member 12 May, 2008, 15:10 0 likes

Now i'm not an expert in this field, but to me the idea of charging for each of the Gazillions (if this isn't a number it should be) of emails sent around the globe every day seems crazy.

Quite apart from the expense involved in setting up the payment systems needed to handle all the transactions in various different currencies. Who would the money go to?  How would it be collected?  And surely this would be far too expensive for people in developing nations, who now use email as a vital communication tool.

Personally I think the money would be more wisely spent on developing better software to detect unwanted emails before they ever get to you inbox and educating those people not so computer literate to spot one when they see it!..  

A Finextra member 14 May, 2008, 03:19 0 likes

Very good point about charging for it, although I would predict that in 5 years such payment mechanisms might be in place, however making people pay is probably not the ideal solution.

Having some multi-brained multi-lingual computer system decide what I do and don't read isn't my ideal either, even though I grant we'll be stuck with some variation due to surveillance anyway. 

Making the senders authenticate at the point of sending would go a good way towards at least identifying the sending computers/user, unknowing or otherwise, and then we could do something about it. Participants in any system would first, prohibit any mass messaging unless from authenticated parties. An adjustment at the mail server.

That way third world residents without the infrastructure to authenticate would at least be able to send email to people they knew for free.

More people already have the means to authenticate in their hands, than the total number with even access to the internet, so I think the answer is obvious. 

Authenticate senders and while you're at it you could authenticate recipients.