Friday, 15 June 2012

Spread Betting Websites and Security Controls

Summary

Should spread betting websites be using two factor authentication and shorter session timeouts?

Background

The spread betting company, Spreadex, recently sued a customer in a London court for £50,000 which the customer had lost through trades placed on Spreadex. The customer claimed that the transactions had been made by his girlfriend's young son. The boy had access to the laptop to play games over a number of days, and seems to have initiated the transactions which caused the losses.

Interestingly, the court found for the customer on the basis that he couldn't be expected to read through all the pages of terms and conditions and, thus, the contract was unfair. We'll see if Spreadex appeals.

The Security Angle

However, from a security perspective, the case throws up a number of interesting issues.

The first point to make is that spread betting websites involve money. As the court case shows, a customer can make or lose a significant amount of money on the website. When hard cash is involved, you really need to think about the security mechanisms. This applies to both the punter and the website.

The consumer needs to be careful about the environment in which he uses the application. If he uses a PC to make bets worth thousands of pounds, then you have to question whether that same PC can also be used as a general toy.

Website Security

But the focus of this blog is on website security. Given the value and classification of the data that spread betting sites process, the types of security controls built into the application are important. So here are a number of thoughts:

Is single-factor authentication sufficient to protect these financial transactions? Most online banking websites use some form of two-factor authentication to authorise transactions. Like online banks, the spread betting application involves significant transactions. Should they not also consider using two-factor authentication? No doubt this would be an expensive undertaking and could well be overkill. Another option would be forcing the user to re-enter their password when a transaction is initiated. This would probably have prevented this incident.

Timeouts are also an important security mechanism. After a period of inactivity the application session should time out. The next time the customer uses the application, he should be forced to log on again. Absolute timeouts force a session to terminate after a defined period of time, regardless of whether the user has been active or not. Could shorter timeouts have helped in this situation?
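The two controls discussed above, idle and absolute session timeouts plus a password re-entry before a trade is accepted, as an added example in Python; this is not the post's or any spread betting firm's code, and the timeout values, the demo account and the function names are assumptions:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Policy values are assumptions for this example, not any real site's settings.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime of a session, active or not
REAUTH_WINDOW = 60            # how long a fresh password entry covers a trade

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user record: one demo account with a known password.
_SALT = os.urandom(16)
USERS = {"punter": (_SALT, hash_password("correct horse", _SALT))}

@dataclass
class Session:
    user: str
    created: float                      # login time (epoch seconds)
    last_seen: float                    # time of the last request
    reauth_at: Optional[float] = None   # last password re-entry, if any

def session_state(s: Session, now: float) -> str:
    """Classify a session against the absolute and idle timeouts."""
    if now - s.created > ABSOLUTE_TIMEOUT:
        return "absolute_timeout"
    if now - s.last_seen > IDLE_TIMEOUT:
        return "idle_timeout"
    return "active"

def reauthenticate(s: Session, password: str, now: float) -> bool:
    """Step-up check before a trade: verify the password again."""
    salt, expected = USERS[s.user]
    if hmac.compare_digest(hash_password(password, salt), expected):
        s.reauth_at = now
        return True
    return False

def place_trade(s: Session, now: float) -> str:
    """Gate a trade on a live session plus a recent password re-entry."""
    state = session_state(s, now)
    if state != "active":
        return state                 # caller must force a fresh logon
    if s.reauth_at is None or now - s.reauth_at > REAUTH_WINDOW:
        return "reauth_required"     # the re-entry control the post suggests
    s.last_seen = now
    return "trade_accepted"
```

A trade is accepted only when the session has passed both timeout checks and the password was re-entered within the last minute; anyone who merely inherits an open browser session cannot commit a trade.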

Now, these types of security mechanisms run directly into the usability/security conundrum. The more security controls you have, the more user-unfriendly the application becomes. So it can be a difficult balancing act.

The bottom line is that you need to consider your security requirements at the start of any development project. A threat analysis should not only cover direct threats against your application, but also cover threats which arise in the end-user environment.

Useful Links:


16 comments:

  1. Have to agree with you Alexis, entering some other form of authentication at transaction commit time should be a requirement here... whether it's re-entering the original login details or a completely separate verification code, I'd expect it in cases such as this where the losses aren't necessarily limited by what's in your account.
