Experts: Cybercrime-Stopping Strategies Fall Short

Government — and industry — executives are moving forward with plans to increase the use of authentication technologies, and prevent fraud online. The Direct Marketing Association, based in Chicago, last week issued a set of rules for its members, and the federal government, a few days earlier, did the same for financial institutions.

Trouble is, experts tell the E-Commerce Times, authentication technologies may not be enough to stop the world’s most sophisticated spammers and cyber-criminals.

Wrong Focus?

“The focus should be on preventing fraudulent transactions, rather than making personal data harder to steal,” wrote security consultant and IT security book author Bruce Schneier in his blog. “Phishing is not an authentication problem. But is a problem with fraudulent transactions. Two-factor authentication will not stop phishers from using fraudulent Web sites, and Trojan horse programs that follow consumers right into their valid accounts.”

What’s more, the concept of “two-factor authentication” — promoted by the DMA and the federal government’s Federal Financial Institutions Examination Council (FFEIC) — is anything but new. An array of banks in the UK have been moving to two-factor authentication for transactions online, and, by the end of this year, all major banks in England, Northern Ireland, Scotland and Wales, plus MasterCard and Visa, will be using the technology for telephone banking.

Marketers in the United States — in the midst of an online marketing bloom — are eager to be seen to be doing something to prevent theft too. The DMA estimates that legitimate commercial e-mail resulted in US$39 billion in sales last year, including close to $10 billion in sales from small businesses. This includes well-known brands, like Macy’s, Mercedes-Benz, Hasbro, Home Depot, Proctor & Gamble and smaller firms, too.

Seeking Authenticity

All DMA members using e-mail for marketing are — within three months — going to be required to use e-mail authentication systems that verify the authenticity of all e-mail messages they send.

“Consumers can have more confidence they are getting a legitimate, valid offer from a trusted source,” said John A. Greco, Jr., president and chief executive officer of the DMA. “Marketers get fewer false positives, increased deliverability and better protection for their brands from illegal use. It’s a win-win for everybody.”

One firm that is making headway selling multi-level authentication technology is Verid, which is working with six of the world’s top 25 financial services companies, and uses something called Knowledge Based Authentication (KBA), which is said to have “floored” observers who saw a recent demo.

But some are not so sure that technology is the answer.

A new study, released two weeks ago by Tokyo-based Trend Micro, an anti-virus technology developer, indicates that smaller organizations, with a lack of IT support, are not able to handle security threats effectively. Requiring them to have security measures does not mean that they will actually be able to afford it. The study said that “resource-strapped organizations” with little or no IT support face a challenge in protecting themselves from malware, or attackers.

Problems for Small Firms

“Encounters with security threats are rising faster in smaller organizations, but these same organizations are restricted by time, cost, and available resources,” said Steve Quane, general manager of Trend Micro’s small and medium business operations.

One potential solution is, ultimately, to make marketers themselves responsible for any losses that occur to their customers. “Financial institutions should be made legally responsible for their customers’ fraud losses, including consequential damages,” said Schneier.