Predictions for Online Fraud in 2010
It’s that time of year again – when everyone makes predictions about the year to come. I’ve seen a lot of talk about how malware will continue to increase and social networks will continue to be a communication vehicle of choice for the online criminals. While I agree with both of these, there are some predictions of my own I’d like to add.
What we will see in online fraud in 2010:
- The criminals will be at approximately the same sophistication level at the end of the year as they are now. This may be counter-intuitive: because websites are constantly improving their protections, the criminals constantly have to improve their methods of attack. That is true, but only to a point. Recently the criminals have found new ways of exploiting websites, for example Man in the Browser attacks, in which malware inside the victim’s browser alters or injects transactions after the user has legitimately logged in. The security teams I work with are aware of these attacks, and some have done a good job putting mechanisms in place to fight them, but most are still scrambling to find a way to identify, defend against, and prevent them. Because of this, there is currently no incentive for the criminals to innovate: what they have is working, they have only just started using it, and there are many more ways to use these current techniques for financial gain than have already been exploited.
- There will continue to be an increase in the number of news stories about online fraud. Many of us who have worked in the fraud prevention area for years know that online fraud has always been a big problem. But only in the last year or so has there been a proliferation of news reports about the big fraud events. I don’t know why this has started lately. Are the data breach notification laws making more people aware of these types of fraud? Are people more willing to talk about when this happens to them? Whatever the reason, the number of news stories about fraud events – large and small, but mostly large – will continue to grow.
- Despite the increase in news stories, we will not see a large decrease in consumer confidence in the online channel. I’ve been expecting a bigger impact on online usage from online fraud, but that hasn’t come to fruition. And now that the demographics of online users are shifting more quickly towards those who have grown up with the internet, it becomes less and less likely that criminal events will significantly impact online usage.
- There will be an increase in “non-traditional” online fraud. In 2009 there were many cases of criminals benefiting from something other than transferring money out of a stolen bank account or using a stolen credit card. For example, we saw criminals stealing pizzas from Domino’s, having Apple send them free iPods, and opening vast numbers of bank accounts to collect the money given away as a sign-up “incentive”. Because websites have put controls around the traditional ways criminals steal money, the criminals are going to continue to get creative about how they make money from these websites. This may seem to contradict point 1 above, but I don’t think it does. It doesn’t require the criminal to use new technology; they just use a different part of the website to perpetrate their crime.
- Websites will need more and more efficient means of detecting new attacks and investigating them to stay ahead of the criminals. Because websites are trying to cut costs everywhere they can, the risk and security teams for these sites will need ways to more quickly identify new attacks and determine their extent.
Now that I’ve listed my predictions for the year, I also want to list a prediction/concern about the decade. In the 2000-2009 decade, we saw a huge growth in how the internet is used in everyday life and business. In the next 10 years I predict that we will find more ways to use the internet and new ways to share information that go beyond the internet. With the amazing speed at which we are developing and adopting technology, I worry about whether or not our security/risk tools and processes can keep up.
Does anyone have additional thoughts on the coming year or the coming decade?
12 Scams of Christmas
This is my last post of the year and given that it is the holidays, I wanted to do something a little festive. Granted, fraud is in no way festive. But maybe protecting yourself from fraud is??
Either way, McAfee released a report on the “12 Scams of Christmas”. While this is relevant now, most of what they recommend is also relevant the rest of the year – everything except maybe the Christmas carol one, though that would apply year-round to popular songs’ lyrics. The criminals are just trying to get you to their websites, and they will use whatever they think will get you there.
It seems appropriate to close out the year with ways to keep you, and your loved ones, safe. Take a look at the report and hopefully it will make for a very happy (and safe) 2010.
Happy holidays everyone! I’ll look forward to talking to you in the new year.
The Psychology of Being Scammed
I’ve always been fascinated by how criminals – both online and offline – are able to manipulate victims into being conned. A couple of weeks ago, Bruce Schneier referenced an article that talks about exactly this topic: “Understanding scam victims: seven principles for systems security.”
While the article describes many of the psychological levers that most of us who fight online crime know intimately, it was intriguing to see them all written down in one place. And the fact that one of the authors of the article is the producer and star of “The Real Hustle” – a British show that cons people on camera – makes it even more compelling. Who knew academia and TV stars would be able to produce such interesting work?
The six principles that con artists use are:
1. The distraction principle. While you are distracted by what retains your interest, hustlers can do anything to you and you won’t notice.
2. The social compliance principle. Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.
3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they’re all conspiring against you.
4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you’ve been had.
5. The deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.
6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.
Something that came to mind for me is where phishing fits into the above 6 categories. It’s well known that phishers often use scare tactics. For example, the phishing email might say “You must update your password and social security number within the next two hours or we will close your account and take all of your money.” Is that part of the “Distraction principle”? To me it seems more like “urgency” – giving people very little time to think so that they don’t process the red flags that might exist.
Does there need to be another principle added for urgency? Maybe some of you have some other principles that need to be added.
Gartner emphasizes the need for monitoring the behavior on all web traffic
This article talks about a report recently released by Gartner. The summary of the report is:
Fraudsters have been raiding user accounts by beating strong two-factor authentication methods. A layered fraud prevention approach can mitigate these attacks.
Although I haven’t seen the report myself, the article talks about how it goes into detail on what the layered approach should be. “Gartner recommends that organisations firstly monitor user access behaviour, by analysing all of a user’s web traffic and spotting any automated programs.”
In case anyone was wondering, this is exactly what Silver Tail’s Forensics product does! We monitor all website traffic for anomalous behavior including that by automated programs.
It’s exciting to see analysts talking about how what we are doing is the next thing that websites need to protect themselves from fraud!
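As an added example (not Silver Tail’s Forensics product, and not taken from the Gartner report), here is one simple way to spot automated programs in ordinary web access logs, in the spirit of the recommendation above: group requests by session and look for the two things scripts tend to get wrong, metronomic request timing and never fetching the stylesheets, scripts and images a real browser requests alongside a page. The log lines, the trailing session-cookie field (`sid=`), the addresses and the thresholds are all constructed for the example.

```python
"""Flag sessions that look like automated programs from web access logs.

Added example, not part of the original post or of any product it mentions.
Heuristics: (1) page requests with no sub-resource fetches at all, and
(2) inter-request gaps so regular that no human produced them.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Combined log format plus a trailing "sid=<session cookie>" field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" sid=(?P<sid>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify_sessions(lines, min_requests=5, max_jitter=0.25, max_mean_gap=5.0):
    """Map session id -> (verdict, reasons). Thresholds are illustrative starting points."""
    sessions = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        sessions[rec["sid"]].append(rec)

    verdicts = {}
    for sid, recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])
        if len(recs) < min_requests:
            verdicts[sid] = ("insufficient", [])
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        assets = sum(r["path"].lower().endswith(STATIC_EXT) for r in recs)
        pages = len(recs) - assets
        reasons = []
        # A browser that renders pages fetches their CSS/JS/images; a script usually does not.
        if pages >= min_requests and assets == 0:
            reasons.append("no_subresource_fetches")
        # Near-constant spacing between requests is a sleep() loop, not a person reading.
        if pstdev(gaps) <= max_jitter and mean(gaps) <= max_mean_gap:
            reasons.append("metronomic_timing")
        verdicts[sid] = ("automated" if reasons else "human", reasons)
    return verdicts


# ---- constructed sample log (not real traffic) ----
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/3.5"


def _access_line(ip, ts, method, path, status, sid):
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{BROWSER_UA}" sid={sid}'


# h1: a person logging in (irregular timing, assets fetched after each page).
SAMPLE_LOG = [
    _access_line("198.51.100.4", "10/Dec/2009:10:00:00", "GET", "/login", 200, "h1"),
    _access_line("198.51.100.4", "10/Dec/2009:10:00:00", "GET", "/static/app.css", 200, "h1"),
    _access_line("198.51.100.4", "10/Dec/2009:10:00:01", "GET", "/static/app.js", 200, "h1"),
    _access_line("198.51.100.4", "10/Dec/2009:10:00:23", "POST", "/login", 302, "h1"),
    _access_line("198.51.100.4", "10/Dec/2009:10:00:24", "GET", "/account", 200, "h1"),
    _access_line("198.51.100.4", "10/Dec/2009:10:00:24", "GET", "/static/logo.png", 200, "h1"),
]
# b1: credential-stuffing script, same User-Agent string as the browser, one POST every 2 s.
SAMPLE_LOG += [
    _access_line("203.0.113.7", f"10/Dec/2009:10:05:{2 * i:02d}", "POST", "/login", 401, "b1")
    for i in range(8)
]
# b2: scraper that randomises its delays but never fetches a sub-resource.
SAMPLE_LOG += [
    _access_line("203.0.113.9", f"10/Dec/2009:10:10:{sec:02d}", "GET", f"/product/{i}", 200, "b2")
    for i, sec in enumerate([0, 3, 10, 12, 21, 25])
]

if __name__ == "__main__":
    for sid, (verdict, why) in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(f"{sid}: {verdict} {why}")
```

Note what the User-Agent string contributes here: nothing. Session b1 claims to be Firefox and is caught purely on behaviour, which is the point of watching traffic rather than headers. A script that adds jitter and also fetches assets evades both heuristics, so in practice this sits underneath per-account velocity limits and checks on navigation order rather than replacing them.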
See the Recording of Silver Tail’s Webinar on Proactively Identifying New Fraud Threats
The webinar this week was another resounding success. For those of you who missed it, you can get to a recording of it here.
In the webinar we talk through 5 case studies of how criminals are able to make money in “unexpected ways” through websites. Then we talk about how critical it is to detect these threats as soon as possible. Finally, we show a demo of our system and how it can be used to proactively detect these threats and investigate them quickly so that the cost of having the threats live for weeks is significantly reduced.
This was a great webinar and if you are facing fraud threats, I recommend you take the time to watch the recording.
Silver Tail Best of Show Video
At long last, the video of our Best of Show presentation at Finovate has been posted online. The Finovate format was 7 minutes of demo – no power point slides allowed. In this presentation we gave a first look at our Mitigation product. I’m happy to say the product has gotten a lot better since this presentation (September), but if you are interested in an early version of Silver Tail’s Mitigation product, it might be worth checking out this video.
Enjoy!
Webinar: Proactively Detecting New Online Threats
Silver Tail’s next webinar will be on the proactive detection of new online threats.
When asked, “What keeps you up at night?” Risk Managers invariably respond: “The threat I don’t know about.” In today’s world, this is the right answer. Javelin Strategy and Research found that 50% of identity theft is detected by the consumers themselves. It is apparent that the unseen threat will cause tomorrow’s pain. If you worry about the undetected attack vector, how long it will take your organization to discover the threat, and the cost and duration of the investigation, this webinar is for you!
Silver Tail founders fought online fraud at eBay and PayPal for years, which inspired the creation of Silver Tail’s Forensics product to identify and stop fraud attacks as they emerge. Unlike products requiring signatures to detect attacks, Silver Tail notifies website analysts about attacks in real time – whether or not a signature was known ahead of time. Silver Tail also provides an immediate view of the full session of the attack and the context of that attack within the rest of the website’s traffic, enabling the analyst to quickly understand the impact of the attack and determine next steps for addressing it.
In previous webinars we explained Man in the Browser attacks, dissected Zeus and shared our battle with Zeus. Now we turn our attention to the methods to stop these attacks in real time.
This is guaranteed to be a fascinating overview of one of the best tools for quickly identifying new threats on your website.
Turning the Other e-Cheek
I just read an interesting article on the company Symbiot’s plans to enable counter-strikes against hackers. The article spends a lot of time talking about the negative aspects of fighting back against electronic criminals. The examples given for how Symbiot’s product can strike back include launching a DoS attack against the evil-doer and hacking the attacker’s machine to disable or destroy assets gained illicitly. Not knowing much about Symbiot, or the specifics of their product, the first question many security professionals will ask is, “What if the remote ‘evil-doer’ is an innocent consumer’s machine?”
Regardless of how Symbiot does what they do, the arguments against them focus on whether or not the good guys should fight back against these online criminals. In other words, regardless of how, the people quoted in the article generally believe we on the right side of the law should not hit back, and that Symbiot should be flogged for enabling such a thing.
Whether or not Symbiot’s product is good or bad, I think they are getting folks to at least think about security from another perspective. I do want to say that neither I nor Silver Tail advocates going on the offensive with online bad-guys, but I do wonder if it’s right for all of us to just sit and let this happen while only playing a reactive role? One of the arguments in the article centers on the fact that fighting back only escalates the fight. Well, we aren’t fighting back now, and the bad guys seem to be escalating all on their own just fine!
I have to admit that at least a couple times in the last 10 years I have thought it would be cool to hack back, but have never done so. I’d bet many of us are in the same club; probably for some of the reasons mentioned in the article around the legalities. Plus, with malware, your odds of ‘shooting an innocent’ are substantially higher.
… but OMIGOSH wouldn’t it be fun???
Bad guys on Social Network sites
I’ve posted about this a few times before, but I’m always encouraged when I see others picking up on the risks posed on social networking sites. Although it’s not surprising, it seems the criminals have increased their deviousness (there I go – making up words!) again.
Larry Magid wrote an article on how the criminals are using the latest social networking features to victimize innocent social network users. Some of the threats are as “benign” as signing you up for additional cell phone services, but others attempt to perpetrate various forms of identity theft by asking for personal information or gaining access to information that is on your profile.
There is some general advice offered in the article:
…beware of applications that don’t seem to have any purpose other than to spread themselves. Some of these applications automatically send notices to all your friends, telling them that you’re using the applications and encouraging others to install them as well. In addition to spamming your friends, these applications could be gaining access to your profile information and displaying unwanted advertising to all who sign up.
Seems like a good idea.
This is probably my last post before the holiday. Happy Thanksgiving, everyone!
Rick Astley and the Hail Mary: The convergence of password guessing and pop culture
There has been a flurry of posts and articles lately that talk about the Rick Astley worm that is infecting iPhones in Australia. (For example, this one.) The worm spreads between jailbroken iPhones that have SSH enabled and still use the factory default root password, which is what ties it to the password-guessing discussion below. It sounds like the worm is similar to the Melissa virus: there was no malicious intent initially. Unfortunately, it’s difficult to say what the bad guys will do with it.
The part about this that fascinates me is how this has morphed into a discussion about online criminals doing password guessing. This blog gives several references to a distributed collection of computers that is doing brute-force password guessing against SSH accounts. Paul Raven points out that password guessing is still useful. Of course, most of your attempts to guess a password will be wrong, but if you perform a lot of guesses, even a small percentage of successes adds up to a fair number of compromised accounts. (Hence the reference to the Hail Mary – any single throw is unlikely to connect, but when it does the payoff can be big.)
Who knew that Rick Astley would gain his second wave of popularity from a mobile phone virus?
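As an added example that is not from this post or the blogs it links to, here is detection logic for the three shapes of SSH password guessing discussed above, run over constructed sshd log lines: one source making many attempts, a distributed set of sources making a few attempts each against the same username (the Hail Mary thrown from many arms at once, where no single source crosses a per-IP threshold), and the successful login that follows a run of failures from the same source, which is the event that actually matters. Hostnames, addresses, thresholds and the window length are assumed.

```python
"""Detect SSH password guessing from sshd syslog lines.

Added example, not part of the original post. Alerts produced:
  brute_force_source     one IP reaches N failures inside the window
  distributed_guessing   M distinct IPs fail against one username inside the window
  success_after_failures an accepted login from an IP with recent failures
"""
import re
from collections import defaultdict
from datetime import datetime

_SSHD = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(_SSHD + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")
ACCEPT_RE = re.compile(_SSHD + r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")


def parse_event(line):
    """Return {'kind','ts','user','ip'} for a login success/failure line, else None."""
    for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPT_RE)):
        m = rx.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900, fine for ordering one log.
            return {"kind": kind, "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                    "user": m["user"], "ip": m["ip"]}
    return None


def analyze(lines, per_source_threshold=5, distributed_sources=4, window_s=600,
            min_fails_before_success=3):
    """Stream the events in time order and return a list of alert tuples."""
    events = sorted(filter(None, map(parse_event, lines)), key=lambda e: e["ts"])
    fails_by_ip = defaultdict(list)      # ip -> timestamps of failures inside the window
    sources_by_user = defaultdict(dict)  # user -> {ip: last failure timestamp}
    alerts = []

    def within(now, t):
        return (now - t).total_seconds() <= window_s

    for e in events:
        now, ip, user = e["ts"], e["ip"], e["user"]
        if e["kind"] == "failed":
            recent = [t for t in fails_by_ip[ip] if within(now, t)] + [now]
            fails_by_ip[ip] = recent
            if len(recent) == per_source_threshold:       # fire once, on crossing
                alerts.append(("brute_force_source", ip, user))
            srcs = {s: t for s, t in sources_by_user[user].items() if within(now, t)}
            srcs[ip] = now
            sources_by_user[user] = srcs
            # Low-and-slow: each IP stays under the per-source threshold, the username does not.
            if len(srcs) == distributed_sources:
                alerts.append(("distributed_guessing", user, len(srcs)))
        else:
            # One or two failures before success is a typo; a run of them is a guess that landed.
            recent = [t for t in fails_by_ip[ip] if within(now, t)]
            if len(recent) >= min_fails_before_success:
                alerts.append(("success_after_failures", ip, user))
    return alerts


# ---- constructed sample log (not real traffic) ----
def _sshd_line(ts, msg):
    return f"Dec 10 {ts} bastion sshd[2210]: {msg}"


SAMPLE_LOG = []
# One source guessing root every 10 s, then getting in on the seventh try.
SAMPLE_LOG += [_sshd_line(f"10:00:{10 * i:02d}", "Failed password for root from 203.0.113.5 port 4022 ssh2")
               for i in range(6)]
SAMPLE_LOG.append(_sshd_line("10:01:00", "Accepted password for root from 203.0.113.5 port 4031 ssh2"))
# A legitimate user who mistyped once: must not alert.
SAMPLE_LOG.append(_sshd_line("10:15:00", "Failed password for alice from 192.0.2.10 port 5100 ssh2"))
SAMPLE_LOG.append(_sshd_line("10:15:08", "Accepted password for alice from 192.0.2.10 port 5100 ssh2"))
# Four different sources, one guess each, all at "admin" within a few minutes.
SAMPLE_LOG += [_sshd_line(f"10:3{i}:00",
                          f"Failed password for invalid user admin from 198.51.100.{i + 1} port 40{i}22 ssh2")
               for i in range(4)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The per-source rule is what most people already have; the other two are the ones worth adding. The username-centric counter is the only one of the three that sees a botnet spreading its guesses thinly, and the success-after-failures rule turns a noisy stream of failures into the single line an analyst must act on.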