News | August 21, 2008
E-fraud arms race not the answer
 
GOOD RISK management policy and improving attitudes to fraud, rather than tougher authentication solutions, is the biggest change that needs to occur to improve online security, says fraud specialist Frank Abagnale.

The once-infamous cheque fraudster and conman says stronger authentication methods will always be circumvented, but more dangerous is that they engender a false sense of security.

“The main philosophical issue I have with stronger authentication is that it makes the security issue ‘checked’ in the mind of executives,” he told Risk Management.

“The issue at hand, first and foremost, is of risk management philosophy, not technology. For example, given the best technology available, should a financial institution not stop how many trials someone has to guess the password, the technology is not going to help.”

When online banking was introduced, he said, it was assumed that customers were familiar with basic risk management concepts. This was partly to do with the fact that IT departments were put in charge of the new channel.

“The reason I think this is the core issue, is that, for the most part, IT departments had corporate users in mind before the internet channel was open, and most security implementations have been based on corporate security protocols.”

This includes secure ID tokens, which make economic sense for companies to give to employees, but not to roll out to millions of customers.

And these, as well as other similar methods, are already nearing the end of their shelf life, with so-called man-in-the-middle attacks and keystroke logging circumventing them, he said.

“The solution is a collection of different technologies built as layers of protection versus relying on authentication [per se] to save the day,” Abagnale said.

As with plain clothes police backing up the security checks at airports, he said the same should be occurring online.

“If history is anything to go by, we will need additional systems to check that our authentication systems did not fail.

“Today, most organisations are not monitoring that and the end result is that they learn of these failures from customers who have been defrauded. You need to monitor the logins after the authentication.”

See our IT security report this issue

19 June 2008

Copyright © Reed Business Information. All material on this site is subject to copyright. All rights reserved. No part of this material may be reproduced, translated, transmitted, framed or stored in a retrieval system for public or private use without the written permission of the publisher.