Experts debate fight against online fraud
At the E-crime Congress, speakers warn that two-factor authentication will not stop online fraud
Two-factor authentication devices are unlikely to make a big dent in online fraud levels, according to leading industry experts speaking at the annual E-crime Congress in London today.
Ross Anderson, professor of security engineering at Cambridge University, argued that card cloning and real-time man-in-the-middle attacks could easily circumvent the kind of two-factor device security soon to be rolled out by Barclays and already used by Alliance and Leicester customers.
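The real-time man-in-the-middle problem Anderson describes comes down to a simple property: a one-time code that is not tied to the payment it authorises can be relayed. The simulation below is an added illustration written for this page, not code from any bank, vendor or speaker. It models a hypothetical challenge/response token with a constructed shared secret, a bank that executes a payment when the code checks out, and a relay in which the customer answers the bank's genuine challenge on a look-alike page while the relaying party substitutes the payee and amount. It also goes beyond the article by showing the usual mitigation, binding the code to the transaction details the customer confirms on the device, which the page does not discuss.

```python
import hashlib
import hmac
import secrets

# Constructed secret shared between the customer's token and the bank.
# Hypothetical value for the demonstration only.
TOKEN_SECRET = b"constructed-token-secret-0001"


def token_code(secret: bytes, challenge: str) -> str:
    """Simplified token: an 8-digit code derived from HMAC-SHA256(secret, challenge).
    Real devices differ in detail; only the relay property matters here."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Bank side: hands out a fresh challenge per session, then verifies the code
    and executes the payment it was submitted with."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.challenges: dict[str, str] = {}

    def new_challenge(self, session_id: str) -> str:
        challenge = secrets.token_hex(8)
        self.challenges[session_id] = challenge
        return challenge

    def submit(self, session_id: str, code: str, payee: str, amount: int,
               bind_to_transaction: bool) -> tuple[str, str, int]:
        challenge = self.challenges.pop(session_id)
        if bind_to_transaction:
            # Mitigation: the expected code covers the payee and amount actually
            # being executed, so a substituted payment yields a different code.
            expected = token_code(self.secret, f"{challenge}|{payee}|{amount}")
        else:
            # Plain one-time code: the bank only learns that the token was present.
            expected = token_code(self.secret, challenge)
        status = "EXECUTED" if hmac.compare_digest(code, expected) else "REJECTED"
        return (status, payee, amount)


def legitimate_payment(bind_to_transaction: bool) -> tuple[str, str, int]:
    """Baseline: the customer talks directly to the bank."""
    bank = Bank(TOKEN_SECRET)
    challenge = bank.new_challenge("customer-session")
    payee, amount = "Gas Company", 50  # constructed intended payment
    device_input = f"{challenge}|{payee}|{amount}" if bind_to_transaction else challenge
    code = token_code(TOKEN_SECRET, device_input)
    return bank.submit("customer-session", code, payee, amount, bind_to_transaction)


def relay_scenario(bind_to_transaction: bool) -> tuple[str, str, int]:
    """Real-time relay: a look-alike page sits between customer and bank.
    The relaying party opens the genuine session, shows the bank's challenge to
    the customer, and forwards the customer's honest answer with altered details."""
    bank = Bank(TOKEN_SECRET)
    challenge = bank.new_challenge("relayed-session")
    intended_payee, intended_amount = "Gas Company", 50
    if bind_to_transaction:
        # The customer keys the payment they intend into the device.
        code = token_code(TOKEN_SECRET, f"{challenge}|{intended_payee}|{intended_amount}")
    else:
        # The device answers the challenge alone; it cannot know what is being paid.
        code = token_code(TOKEN_SECRET, challenge)
    # Forwarded code, substituted payment (constructed values).
    return bank.submit("relayed-session", code, "Substituted Payee", 5000,
                       bind_to_transaction)


if __name__ == "__main__":
    for bound in (False, True):
        print("bound" if bound else "plain", legitimate_payment(bound), relay_scenario(bound))
```

With a plain code the relayed submission is indistinguishable from a genuine one, which is the gap Anderson's argument rests on: the second factor proves the token was present, not what the customer agreed to. Binding the code to the payee and amount makes the substituted payment fail verification, at the cost of the customer confirming those details on the device for every transfer.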
"I think one bank will introduce the system, it will be rapidly defeated and then rapidly forgotten," Anderson added. "What is critical for combating phishing is asset recovery – banks that can recover 90 percent of the stolen funds at the moment of the phishing attack don't usually get phished again."
Mikko Hypponen, chief research officer of web security specialist F-Secure, agreed that man-in-the-middle attacks would be difficult to mitigate against, requiring cumbersome client-side installations that firms may be reluctant to push onto their customers.
"When two-factor becomes commonplace, the criminals will move to the softer targets [that do not have it], but even when all the banks have it they will still attack them – we see them using man-in-the-middle already," Hypponen warned.
There was also criticism of the role web hosting firms and registrars play in the phishing epidemic. Joseph Sullivan of PayPal warned in his opening keynote that phishing represents a real threat to e-commerce and internet safety, and argued that domain registrar records of site owners should be tightened up so that phishers can be found more easily.
Sullivan also called for legislation that will encourage web hosters to take down malicious sites without being held legally responsible.
But others maintained that without international cooperation and strong globally enforceable laws, this will be impossible to achieve. Charlie Abrahams of anti-phishing and brand protection specialist MarkMonitor explained that in remote geographies there is often a longer time delay in getting phishing sites taken down - "not necessarily because they are trying to be devious but sometimes because of the language or cultural issues".
Elsewhere, there was criticism of the lack of engagement between law enforcers and the security vendor community. Cambridge University's Anderson said that "people don't take the initiative in fighting fraud when it's in other people's gardens" and added that it needs to be moved further up the agenda.
Director general of the Serious Organised Crime Agency (Soca), Bill Hughes, tried to reassure attendees that the organisation is now addressing these matters, and also engaging much more with foreign law enforcement agencies.
"It's rubbish what was written in the media about Soca not dealing with e-crime," Hughes argued. "The [criminals form] loose relationships based on skills and technical knowledge around the world, so we've also focused on building sustainable relationships [with international] partners."