Summary

Should spread betting websites be using two-factor authentication and shorter session timeouts?

Background

The spread betting company Spreadex recently sued a customer in a London court for £50,000 which the customer had lost through trades on Spreadex. The customer claimed that the transactions had been made by his girlfriend's young son. The boy had access to the laptop to play games over a number of days, and seems to have initiated the transactions which caused the losses. Interestingly, the court found for the customer on the basis that he couldn't be expected to read through all the pages of terms and conditions and, thus, the contract was unfair. We'll see if Spreadex appeals.
The Security Angle
However, from a security perspective it throws up a number of interesting issues. The first point to make is that spread betting websites involve money. As the court case shows, a customer can make or lose a significant amount of money on the website. When hard cash is involved, you really need to think about the security mechanisms. This applies to both the punter and the website.
The consumer needs to be careful about the environment where he uses the application. If he uses the PC to make bets worth thousands of pounds then you have to question whether the PC can also be used as a general toy.
Website Security
But the focus of this blog post is on website security. Given the value and classification of the data that spread betting sites process, the types of security controls built into the application are important. So here are a number of thoughts:

Is single-factor authentication sufficient to protect these financial transactions? Most online banking websites use some form of two-factor authentication to authorise transactions. Like online banks, the spread betting application involves significant transactions. Should they not consider using two-factor authentication also? No doubt this would be an expensive undertaking and could well be overkill. Another option would be forcing the user to re-enter their password when a transaction is initiated. This would probably have prevented this incident.
Timeouts are also an important security mechanism. After a period of inactivity the application session should time out (an idle timeout). The next time the customer uses the application, he should be forced to log on again. Absolute timeouts force a session to terminate after a defined period of time, regardless of whether the user has been active or not. Could shorter timeouts have helped in this situation?
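The two controls discussed above, re-entering the password when a trade is initiated and idle plus absolute session timeouts, can be sketched in a small session store. This is an added example written for this post, not code from Spreadex or any real betting platform; the timeout values, the user name and password, and the `FakeClock` are constructed for the scenario. The point it shows is that an expired session is deleted rather than merely rejected, and that a money-moving action needs both a live session and a fresh password check, so a valid-but-unattended login is not enough on its own.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not figures from the post.
IDLE_TIMEOUT = 10 * 60        # seconds without a request before the session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, active or not
PBKDF2_ROUNDS = 100_000       # kept modest so the example runs quickly


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class Session:
    user: str
    created: float    # drives the absolute timeout
    last_seen: float  # drives the idle timeout


class SessionStore:
    """In-memory session table with idle + absolute expiry and per-trade re-authentication."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so the scenario below is deterministic
        self.credentials = {}     # user -> (salt, digest)
        self.sessions = {}        # token -> Session

    def register(self, user, password):
        self.credentials[user] = hash_password(password)

    def login(self, user, password):
        """Returns a session token, or None when the credentials do not verify."""
        cred = self.credentials.get(user)
        if cred is None or not verify_password(password, *cred):
            return None
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, created=now, last_seen=now)
        return token

    def touch(self, token):
        """Validate the session and extend its idle window; None once it has expired."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s.created > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[token]   # expired sessions are removed, not just rejected
            return None
        s.last_seen = now
        return s

    def place_trade(self, token, stake, password):
        """A money-moving action: requires a live session AND a fresh password check."""
        s = self.touch(token)
        if s is None:
            return (False, "session expired")
        if password is None:
            return (False, "password required")
        if not verify_password(password, *self.credentials[s.user]):
            return (False, "password incorrect")
        return (True, f"accepted: {s.user} staked {stake}")


class FakeClock:
    """Constructed clock so the timeouts can be exercised without waiting."""

    def __init__(self, start):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_scenario():
    """Walk through the controls; returns a dict of outcomes keyed by step."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(clock=clock.now)
    store.register("alice", "correct-horse-battery")   # constructed sample account
    results = {}
    token = store.login("alice", "correct-horse-battery")
    results["fresh_trade"] = store.place_trade(token, 500, "correct-horse-battery")
    results["no_password"] = store.place_trade(token, 500, None)        # left the screen open
    results["wrong_password"] = store.place_trade(token, 500, "guess")
    clock.advance(IDLE_TIMEOUT + 1)                                      # walked away
    results["after_idle"] = store.place_trade(token, 500, "correct-horse-battery")
    token = store.login("alice", "correct-horse-battery")
    # Stay active (touch every five minutes) but exceed the absolute lifetime.
    for _ in range(ABSOLUTE_TIMEOUT // (IDLE_TIMEOUT // 2) + 1):
        clock.advance(IDLE_TIMEOUT // 2)
        store.touch(token)
    results["after_absolute"] = store.place_trade(token, 500, "correct-horse-battery")
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:15s} -> {outcome}")
```

The idle timeout only bites if the session is actually deleted server-side; a client-side redirect to the login page is cosmetic. The absolute timeout is what catches the "laptop left logged in for days" case, because a game-playing child generating background requests could otherwise keep an idle-only timeout from ever firing.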
Now, these types of security mechanisms hit directly on the usability/security conundrum. The more security controls you have, the more user-unfriendly the application becomes. So it can be a difficult balancing act.
The bottom line is that you need to consider your security requirements at the start of any development project. A threat analysis should not only cover direct threats against your application, but also cover threats which arise in the end-user environment.
Useful Links:
- The Register: Online bookie can't scoop £50k losses made by 5-year-old
- Metro: Boy, 5, made £50,000 loss on spread-betting website
Have to agree with you Alexis, entering some other form of authentication at transaction commit time should be a requirement here... whether it's re-entering the original login details or a completely separate verification code, I'd expect it in cases such as this where the losses aren't necessarily limited by what's in your account.