The Water Balloon
The water balloon: Thinking about the response
One of the mantras in fighting fraud is that it is critical to anticipate where your fraud response will push the bad guys. Invariably, when you put a protection mechanism in place, the bad guys find some other way to carry out their fraud. This is known as the water balloon: when you squeeze a water balloon, the amount of water doesn’t decrease, it just moves somewhere else. Sometimes that means the bad guys will target someone else, which is usually a good thing for you. But sometimes it means they will find a new way to target you.
By attempting to anticipate where the bad behavior will move, you can decide whether the protection mechanism you are considering is worthwhile. If the bad guys move to another fraud type that makes them a) harder to detect or b) harder to stop, the best decision may be not to launch your protection mechanism at all.
Another aspect is the cost of the protection you put in place. Bruce Schneier often writes about the cost of security and how it should drive which countermeasures a company employs. In a recent blog post he said, “… a company should implement only security countermeasures that affect its bottom line positively. It shouldn’t spend more on a security problem than the problem is worth. Conversely, it shouldn’t ignore problems that are costing it money when there are cheaper mitigation alternatives. A smart company needs to approach security as it would any other business decision: costs versus benefits.” Sound advice, and make sure to count all the costs of fraud, including brand erosion, customer loss, bad press and loss of trust, because fraud is more than just the loss of money.
Of course, predicting bad guy behavior is very difficult, hence the need to be able to think like a bad guy, but it is critical to make a best estimate of the response so that you aren’t causing more harm than good.
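The two points above, anticipating where blocked fraud will move and weighing the control against what the problem costs, can be put into a small expected-loss model. The example below is added here and is not from the original post; the channel names, the monthly numbers and the displacement fractions are constructed for illustration, and it assumes that attempts displaced into another channel take on that channel's detection rate and loss profile. Run it and the same control comes out as a clear win when the blocked attempts simply leave, and as a net loss when half of them move into a channel that is harder to detect.

```python
"""Expected-loss model for a fraud countermeasure with attacker displacement.

Added example (not the blog's own code). All numbers are constructed and
expressed per month; displaced attempts are assumed to inherit the
destination channel's detection rate and loss profile.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FraudChannel:
    """One fraud type as the business experiences it."""
    name: str
    attempts: float            # expected fraudulent attempts
    loss_per_success: float    # direct loss when an attempt is not caught
    detection_rate: float      # fraction of attempts caught before any loss
    cost_per_detection: float  # handling / investigation cost per caught attempt


def expected_loss(channel: FraudChannel) -> float:
    """Losses from undetected attempts plus the cost of handling detected ones."""
    undetected = channel.attempts * (1.0 - channel.detection_rate)
    detected = channel.attempts * channel.detection_rate
    return undetected * channel.loss_per_success + detected * channel.cost_per_detection


def total_loss(channels: dict) -> float:
    return sum(expected_loss(c) for c in channels.values())


def apply_countermeasure(channels: dict, target: str, block_rate: float,
                         displacement: dict) -> dict:
    """Squeeze the balloon: block `block_rate` of attempts on `target`.

    `displacement` maps other channel names to the fraction of the blocked
    attempts that reappear there. Whatever fraction is unassigned is assumed
    to leave and target someone else.
    """
    if not 0.0 <= block_rate <= 1.0:
        raise ValueError("block_rate must be between 0 and 1")
    if target in displacement:
        raise ValueError("blocked attempts cannot be displaced onto the target itself")
    if sum(displacement.values()) > 1.0 + 1e-9:
        raise ValueError("displacement fractions must not exceed 1")

    blocked = channels[target].attempts * block_rate
    updated = dict(channels)
    updated[target] = replace(channels[target],
                              attempts=channels[target].attempts - blocked)
    for name, fraction in displacement.items():
        dest = channels[name]
        updated[name] = replace(dest, attempts=dest.attempts + blocked * fraction)
    return updated


def evaluate(channels: dict, target: str, block_rate: float,
             displacement: dict, control_cost: float) -> dict:
    """Compare expected loss before and after the control, control cost included."""
    before = total_loss(channels)
    after_channels = apply_countermeasure(channels, target, block_rate, displacement)
    after = total_loss(after_channels) + control_cost
    return {"before": before, "after": after, "net_benefit": before - after}


# Constructed baseline: a cheap, well-detected channel and an expensive,
# poorly-detected one.
BASELINE = {
    "card_testing": FraudChannel("card_testing", attempts=1000, loss_per_success=50,
                                 detection_rate=0.6, cost_per_detection=5),
    "account_takeover": FraudChannel("account_takeover", attempts=200, loss_per_success=400,
                                     detection_rate=0.3, cost_per_detection=20),
}

if __name__ == "__main__":
    # Same control (blocks 90% of card testing, costs 5000/month) under two
    # assumptions about where the blocked attempts go.
    leaves = evaluate(BASELINE, "card_testing", 0.9, {}, control_cost=5000)
    moves = evaluate(BASELINE, "card_testing", 0.9,
                     {"account_takeover": 0.5}, control_cost=5000)
    print("blocked attempts leave:      ", leaves)
    print("half move to account takeover:", moves)
```

The interesting number is `net_benefit`: with the constructed figures it is positive when the displaced attempts leave, and strongly negative once half of them land in account takeover, because that channel loses far more per undetected attempt. The decision is not driven by how much fraud the control blocks but by how costly the channel it pushes the attacker into is, which is exactly the question the post asks you to answer before launching.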