Blog article
See all stories »

Online Fraud Trends in 2009 and Beyond

Last week I listened intently when a particular question was posed during the Q&A session of a web seminar discussing online fraud trends...

Q:"You [seminar hosts] are a token provider. Given that you're telling us how trojans are bypassing authentication, what are you now telling your customers to do??" 

A:"We are all well aware and recognise the threats posed by trojans, and it really gets down to a layered security approach is always needed. There is no silver bullet, so what you need to look at when implementing a token strategy is whether this is your sole strategy from a risk perspective your organisation is looking to count on, or are you looking to build additional complementary layers to help mitigate your risk, or possibly trade off with other forms of authentication. You should build out a layered security approach."

So before you all moan about yet another reference to that infamous bullet with a silverish shiny colouring, and cry "if I had a dollar/euro/pound, for every time I heard that"

What I found of greater significance is the recognition?, validation? that "layered security" is the way to go which could lead to ultimately, but not necessarily a sole token authentication strategy.

Nearly 4000 Finextra readers have read my previous blog entry - HAPPY 30th BIRTHDAY MVC! - Here's the missing 'S' where I discussed....

Perhaps it's the absence of a much needed Security layer for the past 30 years that has resulted in some of the world's most recent online problems?? Surely it is now time for an evolution of this model to enable security and business logic, rules & policies to be entered, enforced and managed all from a separate layer. Hence 18+month release cycles and inflexible change request queues hitting hard on business delivery capabilities.

Is this an industry recognition that we are using sledge hammers to crack nuts, and the sledge hammers are starting to look a little frail against the evolution of nuts? (so to speak!)

As they say, hindsight is a wonderful thing! or is that the silver bullet to which we all refer? If so, I'm off to the hindsight shop to buy some.

In summary, I agreed with the answer provided, and in the meantime I look forward to opening the doors to my brand new Layered Security Approach store.




Comments: (9)

A Finextra member
A Finextra member 23 June, 2009, 14:09Be the first to give this comment the thumbs up 0 likes

Have you read the the "Analysis of a Botnet Takeover" by Santa Barbara University. Its amazing that inner 10 days more than 15 millions of credential data of users can be observed and misused. These numbers include mailbox accounts, emails, from data, HTTP, FTP , POP, SMTP accounts as well as windows passwords. This study gives a complete overview of how fraud can be made by identity theft via botnets. It ugly.  But on the same time the authors are talking about the weak PASSWORDS that we are all using.
So imagine not to have password any more... no unmasking while typing in, no narrowing by languages or keyboards, no hacking, no trojans, no phishing, no complexity of letters, digits etc. ... Just have a look at

A Finextra member
A Finextra member 23 June, 2009, 14:40Be the first to give this comment the thumbs up 0 likes

Thanks for your comment Heinrich, you refer to an authentication flavour I have seen previously (refer or a variation on a theme.

I'm most interested to hear opinions on baking a security layer into the architectural design of e-business applications as opposed to a silo approach of implementing specific authentication projects, and the change management resource intensive approach typically adopted for delivery.



A Finextra member
A Finextra member 24 June, 2009, 09:00Be the first to give this comment the thumbs up 0 likes

Hello Stuart,you´re just thinking that you know the method of WebLookOn already. I tell you, you don´t. You mentioned passfaces, vidoop, etc.. they are all weaker than any password because they are unmasked in the moment they appear at login. WebLookOn is (so far) the ONLY challenge&Response method that never unmaskes the secret. This is so important because every other authentication method - also multi factors - unmask at least one of their secrets. So simply thinking: eliminating all methods that are unmasking secrets would be the easiest way to secure the whole web...

A Finextra member
A Finextra member 24 June, 2009, 13:03Be the first to give this comment the thumbs up 0 likes

I'm certainly not suggesting I know the finer details of the authentication solution to which you refer....I'm merely highlighting that infrastructure, and architectural design has a huge (if not bigger?) role to play in securing web applications.....and if a security layer was available to an organisation which either was already in existence within their architecture, or could be deployed rapidly with no code changes required, then they'd be free to trial, test, and choose whatever form of authentication the organisation, and more importantly the customer is happy to adopt, whether that be a token, SMS message, static password, scramble pad, and so on...

If I blogged on authentication options we'd be here until eternity...might be an interesting one though to see where it ends up other than a big punch up amongst authentication vendors!




A Finextra member
A Finextra member 25 June, 2009, 14:32Be the first to give this comment the thumbs up 0 likes

Stuart you´re right: this blog shouldnt become a vendors punch court.. but I believe it should be a discussion platform on how we could change things that are no more sustainable. I strongly believe that one of these is this fkg password. And as long as guys like you tell, that the user should have the choice of what he wants to use I tell you that there will be no change to the better. Why? I one wants to change something then one must eliminate the weakest and worst things. I do not say anything against SMS, token, biometry, etc. etc but I am striktly fighting against the PASSWORD. And I hope I´ll get some assistance on this blogging. CU

Andrew Churchill
Andrew Churchill - MIDAS Alliance - London 27 June, 2009, 11:01Be the first to give this comment the thumbs up 0 likes

You're getting about aren't you Heinrich!! Not sure which of your blog posts led me to the site, but thanks as it was fun. I've commented on another string, but in case you miss that one ...


I must admit I do like Heinrich's WebLookOn, and think it could catch on. Not as a security solution, mind you, as it fails for the same reason as all the other OTP generating systems, but as a new super-fiendish Su Doku. Too many of the grid based systems coming through at the moment are far too easy to find the known secret and just aren't fun to crack. As the site says 'have fun' and I'll confess I did  - it took over an hour to find the secret given three data sets (though if you wish to play at home you'll have to get a friend to set it up, else you'll know the images you're after), but I've got bored of all the Su Doku Ken Kens in the newspapers, so this was a breath of fresh air (though, if I'm splitting hairs, from the initial 'select the picture of a reptile' I'd point out that a frog is actually an amphibian).

A Finextra member
A Finextra member 29 June, 2009, 08:37Be the first to give this comment the thumbs up 0 likes

Hi Andrew, we´ll optimize that captcha :-) so thanks for calling attention to it. I do´nt want to disappoint you, but WebLookon is not an OTP generating system at all, but I 100% agree with you that it is´nt a pure security solution. That´s what we never wanted to be, because it would be senseless to go against hard- and software based, biometry or multi-factor solutions. They are just too weak in comparison to WebLookOn and its patented algorithms - they ALL USE PASSWORDS in parallel !!!! - and they are far to expensive when thinking about global webuse...we want to go WITH them by just eliminating the password.
Andrew, you said you can crack it that easely like a sudoku in the newspaper. OK lets have a try :-) I´ve just generated a WebLookon Key with the Key-ID: "a.churchill" - its yours from now on!. So just enter this key-ID in the foreseen field on our webpage A login console will open, proving your knowledge of the key-secret belonging to the key-ID "a.churchill". So you should make it in half an hour ;-(

Here some hints for Andrew and all of you:
You have four rounds per login (it takes you no longer than 8-10 secs)
If you answer one round incorrect, than the next time two additional rounds have to be answered correctly
If you failed ten times in a row, then you´re out for the next 12 hours.
If answers to rounds are given extremely fast, then the system will interrupt (brute force attack)
If the system realizes suspicious logintrials, IPs get blocked for a period of time (DDoS, DoS)
Remember; the numbers (digits) are one time codes!(man in the middle)
Aah yeah for men in the middle: you see 6 numbers first > therefore 6∧4 = 1296 choices; if you´re wrong once than 6∧6 = 46656; if you´re wrong 3times then 6∧8 = 1679616 and so on. The thing is, you will realize very soon that right guessing one time does not give you the key-secret! Remember Passwords: one time correct = always correct. 
So have fun

A Finextra member
A Finextra member 29 June, 2009, 10:53Be the first to give this comment the thumbs up 0 likes

Hi Heinrich - wasn't it you that said "this blog shouldnt become a vendors punch court.."



ding, ding...round 1


A Finextra member
A Finextra member 29 June, 2009, 14:19Be the first to give this comment the thumbs up 0 likes

uups, yeah i did but to kill the password IS THE TREND IN 2009  ;-))

Cu in Vienna ? Ebaday

Now hiring