After some false starts, has the security industry finally come up with an antifraud scheme that works?
I’m reading a rather good book at the moment. Of course, it’s not as good as Bravo Two Zero by Andy McNab, which actually gets better with every read, but I guarantee that anyone who’s responsible for risk management or fraud prevention would find it highly absorbing.
Other People’s Money is the true story of Elliot Castro, Britain’s answer to Frank Abagnale, of Catch Me If You Can fame. In it he gives a rip-roaring account of his time living the high life all at the expense of the credit card companies. Reading about his exploits, it’s hard not to admire someone prepared to take on the banks and card giants with such relish. What is also remarkable about his story is just how poor many of our major institutions’ fraud prevention systems were.
Castro applied classic social engineering techniques to steal the identities of innocent cardholders, and on numerous occasions was able to take advantage of a chaotic and disjointed international enforcement regime to escape long jail sentences.
Things might have improved a bit since then, but there’s still a lot more industry could be doing to mitigate the risk of fraud.
Castro did most of his dirty work over the phone, whereas today the web is the main battleground in the war against fraudsters. One of the solutions in businesses’ anti-fraud arsenal is the 3-D Secure protocol, commonly known as Verified by Visa and MasterCard SecureCode. This is the card companies’ grand answer to threats such as phishing and identity fraud. But there’s a problem. 3-D Secure certainly makes life harder for the criminals, but it also causes extra hassle for the customer.
There’s clear evidence now from the merchants that the scheme is proving to be a major barrier to the transaction process; Lastminute.com in particular springs to mind as one that has suffered in this respect. The old adage in fraud prevention is that you must try to balance the three prongs of security, cost and usability. Well, despite the card companies promising to cover any fraud losses incurred as a result of 3-D Secure transactions, the scheme comes a cropper on the usability front.
Another real barrier to the scheme’s success is that it just doesn’t inspire confidence in nervous shoppers. As Greg Pierson, founder of anti-fraud firm Iovation, pointed out recently, these schemes whisk users away to an unusual URL from either Visa or MasterCard. Having a strange screen suddenly interfere with the ordering process is increasingly likely to get the phishing alarm bells ringing in consumers. And then there’s the password itself: still static, and still vulnerable to harvesting if your PC is unlucky enough to have had a keylogging Trojan downloaded on it.
So is the one-time password generating device the answer? Well, not really. A new survey by high-street bank Abbey found that out of 1,000 customers, only 32 per cent said they wanted such devices to protect their online transactions. Merchants are hardly likely to go to the great expense of rolling out devices to their customers if all it is going to do is put them off the checkout experience so much that they move to a rival that offers more flexible authentication options.
Another problem with this approach, which closely relates to the issues of cost and ease of use, is that there is no standard password-generating device that can work across all e-commerce sites. Without such a system, people will need different devices for different merchants, which is hardly ideal.
The answer to all these problems may lie with VeriSign’s Identity Protection scheme. It features a one-time passcode-generating card as slim as a credit card and is a shared authentication network, which means the user only needs one card. Of course, it will require industry-wide support to offer real value, but according to VeriSign there are already some big e-commerce names set to announce their support in the UK.
Watch this space.