Blog article
See all stories ยป

An article relating to this blog post on Finextra:

Ukraine arrests key players in $70m Zeus fraud

Ukrainian authorities have arrested five people accused of being "key subjects" in an international criminal ring that used the Zeus Trojan to steal $70 million from online bank accounts.

See article

Nefarious trojans call for two-pronged strategy

Zeus is bad and future versions of malware could be much worse; when will we move beyond the exclusive strategy of trying to detect or block nefarious software? So many security specialists continue to bar the participation of one of the most effective foot-soldiers: the customer. When criminals infect computers to impersonate account-holders the bank, merchant or processor must Deputize the Customer(TM). From alerts to UDLAPs (user-defined  limits and prohibitions, a Javelin acronym), our research show that account-holders and identity-holders are willing and able to join the battle against a common enemy. Banks and merchants necessarily put much focus on protecting the servers and the network, yet when working to stop fraudulent transactions the customer is often treated as though they are unnecessary or even dangerous and the financial institutions deploy an near-exclusive "back-end" fraud-mitigation strategy.

We've been researching customer-involved security and fraud mitigation since our company's inception some seven years ago, and with each year I become ever more convinced that teaming up with the customer is the most effective way to stop the bad people. 

Identity crimes generally involve three types of parties (criminals, service providers and customers), yet our mystery-shop research of banks show that only two are as involved as they could be.

Involving the customer not only is an effective deterrent against crime, our research shows that it pays additional dividends by boosting adoption, cross-sell and loyalty. 


Comments: (4)

A Finextra member
A Finextra member 05 October, 2010, 13:02Be the first to give this comment the thumbs up 0 likes

Asking customers to help fighting cybercrime isn't exactly a new idea. Since many years, the public again and again gets to read some articles providing well-meant advice, usualls culminating in suggesting the use of firewalls and antivirus software that should be updated frequently.

Did this help in the past ? Only gradually, and it certainly did not defeat cybercrime. Will this help in the future ? Certainly no better than it did in the past.

Should we blame individual customers ? No, that makes not much sense. The average PC user is overwhelmed by the complexity contained in his equipment and provided by the Internet. How could you expect that a bus driver, a kindergarten nurse or a retired reverend would be able to fight sophisticated cybercrime ?

Businesses leveraging the Internet sales channel to obtain higher profits and the IT industry should work together to make that environment reasonably secure. And yes, this could be done by simply removing a lot of unnecessary complexity. Do we really need full PC functionality just to browse the Internet and to do some online transactions ? Probably not, a hardwired browser device not accepting any downloaded code (and hence, not accepting any malware) would do.


A Finextra member
A Finextra member 05 October, 2010, 15:51Be the first to give this comment the thumbs up 0 likes


Thank you for your valuable comments. I have two reactions. 

1) From a review of our research data, I'm not in agreement with the following and wonder if you would have research to strengthen your argument: "Did this help in the past ? Only gradually, and it certainly did not defeat cybercrime. Will this help in the future ? Certainly no better than it did in the past.". 

2) The role Javelin calls for in our Safety Scorecards goes well beyond simply education, firewalls and anti-virus software. Based on a US nationally-representative n=5,000 study of the latest actual identity fraud victimization patterns, each year we update a set of fifty highly-specific criteria for customer-involved safety features at either banks and credit card issuers. The features emphasize our Prevention, Detection and Resolution (TM) model to involve consumers in alerting and permissions in order to return control of finances back to the account-holder. We also look for advanced authentication, and certainly we prioritize the usability aspects of security that you make reference to (because unusable or confusing security is no security at all). Certainly the three defensive and educational capabilities you mention are build into our model, but they barely scratch the surface of what our research-based model calls for. 

Amidst increasingly-complex financial sector products, channels and technologies consumers have had steadily declining control over their financial affairs.  In the midst of this, criminals are having a field day. We must tame and use technology to restore control of accounts and identities to their rightful owners, and the solutions for this exist right now. 

No single strategem or solution will defeat cybercrime, yet I believe that financial sector firms are missing a huge opportunity by excluding the impersonated party from the battle. Our data clearly show that consumers and business owners desire to be involved in their security, suffer lower fraud amounts as their involvement increases, and even choose new financial institutions and even merchants based on who is perceived to offer the best customer-involved safety features. 

A Finextra member
A Finextra member 05 October, 2010, 18:02Be the first to give this comment the thumbs up 0 likes


thanks for your comments, and let's have a quick look at those.

1) Even without expensive research reports, it is obvious that cybercrime has been around for quite some time now, and it is on the rise and not shrinking. At this time, there is no development in sight to change this.

2) The research material and advice coming from your company Javelin is probably useful and worth its price, but has not succeeded so far in reverting the current trend. It is not very clear how this could be achieved in the future.

While consumers have been educated and the majority now can detect very simple phishing schemes, there is little they can do against sophisticated cybercrime such as malware downloads from decent but infected websites.

In my previous comment, I did suggest a potential measure (hardwired browser devices) that might help to reduce cybercrime threats. I'd be interested in any comments regarding that topic.


A Finextra member
A Finextra member 05 October, 2010, 19:02Be the first to give this comment the thumbs up 0 likes



I completely agree with everything you've said. I'm realizing that I wasn't as clear as I should have been with my main point, so let me state it more clearly. 

If malware increasingly renders some of CISO and consumer prevention and malware-detection efforts to be useless, than consumer transaction alerts and controls matter all the more. Let's say that my computer is infected with the worst form of trojan that also happens to be undetectable to either me or my financial provider; at that point, previously-set transaction prohibitions and SMS alerts become even more vital. I should add that despite much spending on publicity, the state of today's bank-provided account controls and alerts is woeful or nonexistent. The axiom "there is no silver bullet" certainly applies to what I'm calling for, yet my issue goes even further to say that (according to our structured research) most CISOs aren't even open to consider the value of end-user account controls and alerts. In crimes of impersonation, the impersonated party must be included. 

In specific regard to your comment about hardwired browser devices, we share the view that this emerging method is vital, and that's why we incorporate them in our 50-criteria scoring model. In a world in which banking and payment web sites still allow consumers to use IE6 yet disallow the use of Google Chrome it't high time we incorporate the latest built-into-the-browser capabilities. 

Thanks again for taking the time to dialog. 

Now hiring