Silver Tail Blog

Fighting against business logic abuse.

Traditional Password Advice: Not to be totally discarded

There is a paper arguing that traditional advice on creating and maintaining secure passwords is somewhat dated.  Its hypothesis is that, with phishing and keylogging so rampant, maintaining a super-secure password buys little: a strong password is just as useful to the bad guy as a weak one once the consumer gives it away through a phishing page or it is captured by a keylogger.  What matters instead is a password that is at least strong enough not to fall to password guessing.

The paper also argues for stronger userIDs, postulating that the bad guys are moving towards horizontal password attacks (trying the same common password against large numbers of accounts, rather than many passwords against one account).  Because a horizontal attack produces only one or two failures per account, per-account lockouts never trigger; a hard-to-guess userID helps by denying the attacker the list of accounts to try.
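To make the horizontal attack concrete, here is an added example, written for this page rather than taken from the paper or from any Silver Tail product, that classifies the sources of login failures in an authentication log.  The log format, the sample lines, the IP addresses and the thresholds are all constructed for illustration.  It also shows why the usual per-account lockout counter is blind to a horizontal attack: each account sees only one failure.

```python
from collections import defaultdict

# Constructed sample log (not real data): "<timestamp> <source_ip> <userid> <result>".
# 203.0.113.5 tries one password against many accounts (horizontal),
# 198.51.100.9 hammers a single account (vertical), and 192.0.2.77 is a
# user who mistyped once and then got in.
SAMPLE_LOG = """\
2009-07-13T10:00:01 203.0.113.5 alice FAIL
2009-07-13T10:00:02 203.0.113.5 bob FAIL
2009-07-13T10:00:03 203.0.113.5 carol FAIL
2009-07-13T10:00:04 203.0.113.5 dave FAIL
2009-07-13T10:00:05 203.0.113.5 erin FAIL
2009-07-13T10:00:06 203.0.113.5 frank OK
2009-07-13T10:01:00 198.51.100.9 alice FAIL
2009-07-13T10:01:01 198.51.100.9 alice FAIL
2009-07-13T10:01:02 198.51.100.9 alice FAIL
2009-07-13T10:01:03 198.51.100.9 alice FAIL
2009-07-13T10:01:04 198.51.100.9 alice FAIL
2009-07-13T10:01:05 198.51.100.9 alice FAIL
2009-07-13T10:05:00 192.0.2.77 bob FAIL
2009-07-13T10:05:30 192.0.2.77 bob OK
"""


def parse(log_text):
    """Yield (timestamp, ip, userid, result) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if line.strip():
            yield tuple(line.split())


def classify_sources(log_text, min_failures=5, spread_threshold=0.8):
    """Label each source IP 'horizontal', 'vertical', 'mixed' or None (too few failures).

    The discriminator is the spread: distinct userids failed / total failures.
    A horizontal attack tries the same password across many accounts, so the
    spread is near 1; a vertical attack on one account has a spread near 0.
    """
    failures = defaultdict(list)
    for _, ip, user, result in parse(log_text):
        if result == "FAIL":
            failures[ip].append(user)
    verdicts = {}
    for ip, users in failures.items():
        if len(users) < min_failures:
            verdicts[ip] = None
            continue
        distinct = len(set(users))
        if distinct / len(users) >= spread_threshold:
            verdicts[ip] = "horizontal"
        elif distinct == 1:
            verdicts[ip] = "vertical"
        else:
            verdicts[ip] = "mixed"
    return verdicts


def accounts_over_lockout(log_text, threshold=5):
    """Accounts a naive per-account lockout would catch: those with >= threshold failures."""
    fails = defaultdict(int)
    for _, _, user, result in parse(log_text):
        if result == "FAIL":
            fails[user] += 1
    return {user for user, n in fails.items() if n >= threshold}


def successes_from_horizontal_sources(log_text):
    """Accounts the sprayer actually got into: successful logins from a horizontal source."""
    verdicts = classify_sources(log_text)
    return [user for _, ip, user, result in parse(log_text)
            if result == "OK" and verdicts.get(ip) == "horizontal"]


if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
    print("per-account lockout catches:", accounts_over_lockout(SAMPLE_LOG))
    print("compromised by spraying:", successes_from_horizontal_sources(SAMPLE_LOG))
```

In the sample, frank's password fell to the spray even though frank never came near a lockout threshold; the only account the per-account counter flags is alice, who was hit by the separate vertical attack.  That is the point the post draws from the paper: count failures per source across accounts, not just per account.  On a real site, sprayers rotate source addresses, so the same spread calculation should also be run per session token, device fingerprint or network block rather than per IP alone.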

One other thing I want to mention is that it is still important to have a different password for each of your online accounts.  If the bad guy phishes the password for your bank account, you don’t want them to automatically have access to your social network account, and so on.  The same holds for keylogging: a keylogger only captures the passwords you actually type while infected, so if you haven’t logged in to a particular account in a while and don’t reuse passwords, the bad guys can’t simply try your standard password(s) against your other accounts.

So, while some of the old password adages may not apply as much any more, some of them are still very appropriate.  Please use different passwords on all of your online accounts!

July 13, 2009 Posted by Laura Mather | Fraud, Online Fraud, Phishing, Uncategorized

Abuse of Virtual Money: To Regulate or Not to Regulate

The Chinese government has banned the exchange of virtual currency for real-world goods or services.  Information Week has an article that goes into more detail.

It’s not surprising that a government is having to step in to regulate the use of virtual currency in games like World of Warcraft, among others.  In talking to several companies that provide forms of virtual currency, I’ve found that there are many, many risks that come with these types of economic systems.  Any time the bad guys can find a way to eke value out of a system, there is an incentive to find a way to beat the system.

One advantage of virtual currency, as opposed to real-world currency, is that it is less anonymous.  (Take note of this: it is extremely rare that something on the Internet is less anonymous than something in the real world!)  In the real world, if you receive stolen money it can be very difficult to track exactly where that money came from.

Online, though, there is often an audit trail that can be followed.  Even if the account that gives you the currency is, itself, stolen, there are IP addresses, cookies, etc. that may be helpful in tracking down the perpetrator.  Granted, the perpetrator is likely in some other country and hidden behind proxies and Internet cafes, but at least there is somewhere to start.
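As an added example of following that audit trail (constructed for this page, not code from the original post), the following walks a transfer ledger backwards from a flagged cash-out account and then looks for IP addresses and cookies shared between the accounts it finds.  The ledger, the session records and every identifier in them are made up; the point is the two-step pivot from money flow to device linkage.

```python
from collections import defaultdict, deque

# Constructed transfer ledger: (from_account, to_account, amount).
TRANSFERS = [
    ("victim1", "mule_a", 500),
    ("victim2", "mule_a", 300),
    ("mule_a", "cashout", 800),
    ("mule_b", "cashout", 200),
    ("honest", "shop", 50),
]

# Constructed login sessions: (account, source_ip, browser_cookie).
# The attacker logged into the stolen victim1 account from the same device
# used to run the mule accounts; victim1's own device is seen nowhere else.
SESSIONS = [
    ("victim1", "198.51.100.20", "c-victim1"),
    ("victim1", "203.0.113.9", "c-fraud"),
    ("mule_a", "203.0.113.9", "c-fraud"),
    ("mule_b", "203.0.113.9", "c-fraud"),
    ("mule_b", "203.0.113.44", "c-fraud2"),
    ("cashout", "203.0.113.44", "c-fraud2"),
    ("honest", "192.0.2.5", "c-honest"),
]


def upstream_accounts(transfers, seed):
    """Every account that fed currency, directly or indirectly, into `seed` (seed included)."""
    inbound = defaultdict(set)
    for src, dst, _ in transfers:
        inbound[dst].add(src)
    seen, queue = {seed}, deque([seed])
    while queue:
        for src in inbound[queue.popleft()]:
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


def shared_identifiers(sessions, accounts):
    """IPs and cookies seen on two or more of `accounts`, mapped to the accounts sharing them.

    An identifier seen on only one account (for example the victim's own
    device) is not returned, so the victim's legitimate sessions are not
    swept into the ring along with the attacker's.
    """
    by_ident = defaultdict(set)
    for acct, ip, cookie in sessions:
        if acct in accounts:
            by_ident[("ip", ip)].add(acct)
            by_ident[("cookie", cookie)].add(acct)
    return {ident: accts for ident, accts in by_ident.items() if len(accts) > 1}


def trace(transfers, sessions, flagged_account):
    """Start from a flagged cash-out account and return the device links behind it."""
    ring = upstream_accounts(transfers, flagged_account)
    return shared_identifiers(sessions, ring)


if __name__ == "__main__":
    for ident, accts in sorted(trace(TRANSFERS, SESSIONS, "cashout").items()):
        print(ident, "->", sorted(accts))
```

The cookie match is the stronger link: a shared IP can just be a NAT, a proxy or the Internet cafe the post mentions, which would tie unrelated customers together, so an investigator would weight cookie and device-fingerprint matches above bare IP matches before acting on the result.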

Will the Chinese government be successful at combating the abuse of virtual currency?  It’s hard to say.  But it is likely we will see additional legislation by other countries to try to stave off the nefarious acts that can occur through virtual economies.

July 6, 2009 Posted by Laura Mather | Fraud, Gaming, Online Fraud

Why phishers target low value accounts

PCWorld talks about a recent phishing scam on Twitter.  The question in the article is:

In this instance, it appears the site primarily used compromised accounts to spread the phishing links further. What, if any, broader goal was behind the effort is not yet clear.

I’ve posted about this before, but it seems prudent to talk about it again.  Phishers will try to get credentials for websites that use email addresses as usernames for one main reason: people often use the same password on all accounts. 

If a user is less worried about giving away his Twitter password (what value could that possibly have?), then that is the best thing the phisher can target.  The user is less likely to hesitate before giving away that password, so the phisher’s conversion rate is likely to be higher.

If I were a phisher, the other thing I’d consider is that people who use Twitter are more likely to be tech savvy and therefore to have lots of online accounts, so the passwords I steal are more likely to be useful on other sites.

Seems like a good idea to be careful about random tweets!

July 5, 2009 Posted by Laura Mather | Online Fraud, Phishing, Social Networks

New Webinar: Detecting Man-in-the-Browser

Join us for a Webinar on July 14.

The proliferation of authentication models, device fingerprinting, IP geo-location mapping, and other security technologies has raised the stakes in using stolen online accounts.  Bad actors need to find a way to access users’ accounts without being detected by the systems currently in place.  The rise in malware infections has created a unique opportunity for these bad actors: The ability to access the account through the victim’s own web browser, IP address, and session.  These “Man-in-the-Browser” attacks are extremely difficult to detect and prevent, and are increasing with the spread of malware.

Laura Mather

Laura Mather, Founder & VP, Product Marketing at Silver Tail Systems, will define Man-in-the-Browser attacks, explain how they are perpetrated, show a demonstration of an attack, and show the ways these types of attacks can be detected.

Join us for the first session in our Silver Tail Webinar Series, “Detecting Man-in-the-Browser Attacks”.

Title:         Detecting Man-in-the-Browser Attacks: Silver Tail Webinar Series, Part 1
Date:        Tuesday, July 14, 2009
Time:        10:00 AM – 11:00 AM PDT
Register:   https://www2.gotomeeting.com/register/470908250

After registering you will receive a confirmation email containing information about joining the Webinar.

June 30, 2009 Posted by Sherrick Murdoff | Detection, Investigation

Security Consistency: Should we standardize password requirements?

I saw a presentation earlier this week where a researcher was talking about consumer education with respect to security.  The researcher suggested that one way to make security education more consistent would be for all websites to have the same password requirements.  For example, every website would require passwords of at least 8 characters, including one capital letter, one digit, and one punctuation mark.

While I am all for having consistent messaging around security practices and even encouraging users to have secure passwords, I worry about the implications.

Imagine a world where every website had exactly the same password requirements.  Even if the passwords were secure, the risk is that it invites people to use the same password on every website.  In that case, if the bad actors were able to phish the password for one of my accounts, and they had my email address (which so many sites use as the username), they would likely be able to access many of my accounts.

To make matters worse, once the bad actor has the password for one of my accounts, they will be able to log in to my email account (if it shares that password), which lets them run the forgot-my-password function on almost any other account.

While I applaud researchers for thinking of ways to make security education more consistent, making password requirements consistent has more negative ramifications than benefits.

June 26, 2009 Posted by Laura Mather | Phishing, education

Risk Management and Information Security: Merging into one?

Three times in the past two weeks I’ve been privy to a conversation about the difference between risk management and information security.  Most organizations have separate functions for risk management and information security.  In my past lives I’ve worked in a risk management-like function, but been closely aligned with what was going on in information security.

Even at the RSA conference there was a very clear divide between the two.  I attended one session on online fraud, and the speaker made the point that he would be giving the only talk at the conference about fraud.

I have to admit that I’ve always found the difference between the two functions to be a bit subtle.  I see how the information security folks fight against things like denial of service attacks, SQL injection, cross site scripting, network exploits, etc.  And I see how risk management teams balance customer experience with the need to keep money from going out the door.  But it seems like it might be time for these two types of teams to start working more closely together.

Isn’t it the case that the information security folks are trying to prevent the initial access while the risk management teams are preventing the final event?  If so, it seems like it would be immensely valuable for the two groups to work together more closely.  By understanding the combination of the attack vector as well as the motivation it seems like even stronger security/risk management practices could be put into place.

I know of at least one company that has recently combined its info sec and risk management functions.  I’ll be curious to see how that works.  I’d encourage the two communities to start working more closely together; we are, after all, fighting the same fight.

June 22, 2009 Posted by Laura Mather | Fraud, Online Fraud, information security, risk management

Scamming iTunes and Amazon for $300k through Business Logic Abuse

This article talks about the arrest of bad guys who stole $300k from iTunes and Amazon through business logic abuse.  The simplicity of the scam is impressive.

…the group created several songs, had the songs uploaded to iTunes and Amazon, then used thousands of stolen credit cards to repeatedly purchase the songs from these services.

One might think it is difficult to steal money from a place that only sells digital goods that can only be used by the purchaser, but here’s an example of a relatively straightforward case of using exactly the functionality of the sites – selling and buying digital goods – to launder money out of stolen credit cards.
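Here is an added example, constructed for this page and not taken from the article or from either storefront, of the kind of pre-payout check that catches this pattern: the buyers are all fresh accounts, and the cards they use are seen nowhere else on the site.  The purchase records, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed purchase records: (buyer_account, card_token, seller, buyer_account_age_days).
# "band_x" and "label_y" look like normal sellers: repeat buyers, established
# accounts, cards that also buy from other sellers.  "ring_z" is the pattern in
# the post: every sale comes from a brand-new account with a card seen nowhere else.
PURCHASES = [
    ("u1", "card1", "band_x", 400),
    ("u2", "card2", "band_x", 250),
    ("u2", "card2", "band_x", 250),   # repeat purchase by an existing buyer
    ("u3", "card3", "band_x", 90),
    ("u5", "card5", "band_x", 600),
    ("u1", "card1", "label_y", 400),
    ("u4", "card4", "label_y", 30),
    ("n1", "cardA", "ring_z", 0),
    ("n2", "cardB", "ring_z", 1),
    ("n3", "cardC", "ring_z", 0),
    ("n4", "cardD", "ring_z", 0),
    ("n5", "cardE", "ring_z", 2),
    ("n6", "cardF", "ring_z", 0),
]


def seller_profile(purchases, seller, new_account_days=7):
    """Summarise who is paying a seller, computed before royalties are paid out."""
    rows = [p for p in purchases if p[2] == seller]
    if not rows:
        return None
    cards = {card for _, card, _, _ in rows}
    buyers = {buyer for buyer, _, _, _ in rows}
    # A card that has only ever bought from this one seller is the hallmark of
    # a stolen card being used to push money to the fraudster's own catalogue.
    sellers_per_card = defaultdict(set)
    for _, card, s, _ in purchases:
        sellers_per_card[card].add(s)
    exclusive_cards = sum(1 for c in cards if sellers_per_card[c] == {seller})
    new_buyers = sum(1 for _, _, _, age in rows if age <= new_account_days)
    return {
        "sales": len(rows),
        "distinct_cards": len(cards),
        "exclusive_card_ratio": exclusive_cards / len(cards),
        "new_buyer_ratio": new_buyers / len(rows),
        "sales_per_buyer": len(rows) / len(buyers),
    }


def hold_payout(profile, min_sales=5, exclusive_threshold=0.9, new_buyer_threshold=0.8):
    """True when the seller's revenue looks laundered rather than earned."""
    if profile is None or profile["sales"] < min_sales:
        return False
    return (profile["exclusive_card_ratio"] >= exclusive_threshold
            and profile["new_buyer_ratio"] >= new_buyer_threshold)


if __name__ == "__main__":
    for seller in ("band_x", "label_y", "ring_z"):
        profile = seller_profile(PURCHASES, seller)
        print(seller, profile, "HOLD" if hold_payout(profile) else "pay")
```

The decisive evidence in a case like this is the chargebacks, but those arrive weeks after the royalty has already been paid out, which is exactly why the scam works.  A hold based on buyer and card novelty buys the time to wait for them.  It is a review trigger, not an automatic ban: a genuinely viral new artist also brings in a wave of fresh accounts, though their cards will usually go on to buy from other sellers too, which is why the exclusive-card ratio carries more weight than account age alone.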

Fascinating!

June 17, 2009 Posted by Laura Mather | Online Fraud, business logic abuse

Why attacks differ based on geography

I’ve always been puzzled by why the bad guys target banks in the UK and South America so differently from the way they target banks in the US.  In the UK, and especially in Brazil, you hear of extremely sophisticated attacks to steal or covertly use the login credentials of unsuspecting consumers.  In the US, by contrast, the bad guys seem to be most wily about how they get the money out of the account.

Last week I finally got an answer to this.

I was talking to a security expert from a bank in the UK and he explained how banks in the UK and banks in Brazil have been very stringent about protecting the “front door”.  Specifically, banks in both of these regions have deployed strong second factor technology, often require client-computer authentication, and do lots of things to make sure it is difficult for a third party to gain access to the account.  Because of this, the bad actors have had to develop extremely subtle attack vectors to get past these various protections (for example, Man in the Browser).

Another difference, I’m told, is that in the UK there are so many expatriates from other parts of the world that it is easy both to find mules and to hide them.  This makes transferring the money out much easier.

In contrast, banks in the US have done some things to protect the front door, but many of them put most of their emphasis on protecting the moment of highest risk: when the money is transferred out.  So the bad actors have to do a better job of disguising themselves at the time of transfer.

Hopefully this sheds some light on why there are different attacks geographically.  If you all have other differences, please let me know.

June 11, 2009 Posted by Laura Mather | General

Silver Tail “Best of Show” Video Available

The video demonstration from our Best of Show win at FinovateStartup09 is now available through the silvertailsystems.com website and the FinovateStartup09 video website.  Leading anti-fraud expert and company co-founder Laura Mather presented the Silver Tail Forensics product on stage at the conference.  She highlighted a Man-in-the-Browser example, showcasing Silver Tail’s unique capability as the only commercial technology for online sites to detect this emerging threat and protect against business logic abuse.

Silver Tail was awarded Best of Show, voted on by the 300+ attendees at the conference, made up mostly of financial services firms.  The selection was based on audience interest in the solution, the compelling need in the financial services market, and the presentation given at the conference.  Silver Tail was selected as the winner over 57 companies participating in the conference.

The 7 minute video is available here: http://www.finovate.com/startup09vid/silvertailsystems.html

June 3, 2009 Posted by Sherrick Murdoff | General, business logic abuse

Silver Tail Selected #2 on Top Tech Companies to Watch – Bank Technology News!

Silver Tail was selected as #2 in the “Top 10 Companies to Watch” by American Banker / Bank Technology News!  The Editor-in-Chief and author, Rebecca Sausner, did a fantastic job of describing what Silver Tail does in an easy to understand and accurate article.  Rebecca further noted, “Silver Tail plans to federate its findings about attacks, allowing each of its customers to benefit from the experience of others.”  From the feedback we get from customers, it sounds like the industry should band together to combat the criminals in the same way the criminals band together to combat the industry.

It’s fantastic to see more awareness generated for the detection and disruption of online fraud, especially around business logic abuse. Also, we appreciate the support from Bill Bradway at Bradway Research. We agree that the pain our founders, Laura Mather and Mike Eynon, experienced at eBay and PayPal fighting online fraud gives them some street cred! No better way to build the right solution than to have that direct experience.

The Top 10 article is here.  What great companies to be associated with in the Top 10 (Fidelity, Mastercard, Oracle…)!

The Silver Tail article is here.

BTW: This follows our recent Best of Show win at FinovateStartup09 in San Francisco, voted on by financial services firms. The financial services firms appear to be taking notice!

May 29, 2009 Posted by Sherrick Murdoff | General, business logic abuse