Silver Tail Selected #2 on Top Tech Companies to Watch – Bank Technology News!
Silver Tail was selected as #2 in the “Top 10 Companies to Watch” by American Banker / Bank Technology News!! The Editor-in-Chief & author, Rebecca Sausner, did a fantastic job of describing what Silver Tail does in an easy to understand and accurate article. Rebecca further mentioned, “Silver Tail plans to federate its findings about attacks, allowing each of its customers to benefit from the experience of others.” From the feedback we get from customers, it sounds like the industry should band together to combat the criminals in the same way the criminals band together to combat the industry.
It’s fantastic to see more awareness generated for the detection and disruption of online fraud, especially around business logic abuse. Also, we appreciate the support from Bill Bradway at Bradway Research. We agree that the pain our founders, Laura Mather and Mike Eynon, experienced at eBay and PayPal fighting online fraud gives them some street cred! No better way to build the right solution than to have that direct experience.
The Top 10 article is here. What great companies to be associated with in the Top 10 (Fidelity, Mastercard, Oracle…)!
The Silver Tail article is here.
BTW: This follows our recent Best of Show win at FinovateStartup09 in San Francisco, voted on by financial services firms. The financial services firms appear to be taking notice!
Concern about web security at financial institutions
Russ McRee’s post on The need for financial web application security rang true for me. While the bad actors are finding ways to make money through e-commerce and even social network websites, the finance sector will always be a target since that’s where the money is.
It can be super tough to harden a website against online attacks. Russ does a great job calling out some of the things that are especially troublesome, but this dovetails nicely into the presentation Jeremiah Grossman gave yesterday (link to follow). Jeremiah’s presentation said that cross-site scripting and cross-site request forgery are major problems, but business logic flaws are becoming more and more prevalent.
Unfortunately, websites of all types are going to need to start defending themselves against all of these types of attacks – both the technical kind and the business logic kind.
Business logic flaws on the rise, according to new report by WhiteHat
WhiteHat Systems released its seventh installment of the WhiteHat Website Security Statistics Report today, with a webinar tomorrow by Jeremiah Grossman going through the top ten most prevalent website security issues.
According to WhiteHat, the top ten vulnerabilities remain largely unchanged, with Cross-Site Scripting continuing to top the list. However, “business logic flaws, an often-overlooked issue that enables hackers to take advantage of the functionality of a site, occupied more than half of the top spots.”
This should be great awareness for business logic flaws and the impact they can have on websites. At Silver Tail, we are always looking to raise the mind share on business logic abuse and business logic flaws because these rising threats are causing companies a tremendous amount of pain today. Bad guys now target the legitimate business logic of websites to perpetrate their fraud, and it’s extremely difficult to detect and disrupt.
The webinar should be very interesting – check it out: Tuesday, May 19, 2009 at 11:00 a.m. PT / 2:00 p.m. ET.
Who came up with the term phishing?
Does anyone out there know who came up with the term phishing? I see references to it being a combination of “fishing” and “phreaking”, but I thought there was a government or industry group who first evangelized using the term. Maybe it was the FTC or the FSTC?
I remember being at eBay and calling that type of fraud “spoofing” and being annoyed that the branding of the fraud had been changed. In the end it was good to have a term like phishing that everyone could use.
Anyone remember who originally used (or evangelized) the term phishing?
Anti-Phishing Education Messaging
The APWG has an amazing new initiative for educating consumers. When a phish site is shut down, ISPs are asked to redirect any clicks to the APWG’s redirect education page instead of showing a 404 error.
The power of this comes from leveraging the “teachable moment”: consumers are more likely to absorb a lesson if it is presented at the precise moment of the bad action (something my colleagues – Lorrie and PK – at CMU have studied in-depth).
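To make the mechanism concrete, here is a small example, added to this post and not code from the APWG or any ISP, of how a hosting provider could serve the “teachable moment” redirect: requests for URLs on a takedown list get a 302 to an education landing page instead of a 404. The takedown entries, the hostnames and the education URL are all constructed placeholders, not the APWG’s real addresses.

```python
"""Takedown redirect handler (example code, not an APWG or ISP implementation).

Once a phish site has been taken down, requests that still arrive for its URLs
are redirected to an education page rather than answered with a bare 404.
"""
from wsgiref.util import setup_testing_defaults

# Constructed sample takedown list: (hostname, path prefix) pairs for former
# phish URLs. In practice this would be fed from the takedown workflow.
TAKEN_DOWN = {
    ("login-example-bank.test", "/secure/update"),
    ("acct-verify.test", "/"),
}

# Placeholder for the education landing page (an assumption, not the real URL).
EDUCATION_URL = "https://education.example/phish-landing"


def is_taken_down(host, path):
    """True if host/path falls under a takedown entry (port and case ignored)."""
    host = host.lower().split(":", 1)[0]
    return any(host == td_host and path.startswith(prefix)
               for td_host, prefix in TAKEN_DOWN)


def app(environ, start_response):
    """WSGI application: 302 to the education page for takedown URLs, else 404."""
    host = environ.get("HTTP_HOST", "")
    path = environ.get("PATH_INFO", "/")
    if is_taken_down(host, path):
        # 302 so the browser lands on the lesson at the moment of the click.
        # The original URL is deliberately not forwarded: phish links often
        # carry victim identifiers or tokens that should not leak onward.
        start_response("302 Found", [("Location", EDUCATION_URL),
                                     ("Content-Length", "0")])
        return [b""]
    body = b"Not Found"
    start_response("404 Not Found", [("Content-Type", "text/plain"),
                                     ("Content-Length", str(len(body)))])
    return [body]


def handle(host, path):
    """Run app against a synthetic request; returns (status, Location header)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["HTTP_HOST"] = host
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"].get("Location")


if __name__ == "__main__":
    # Serve locally for a manual check, e.g. curl -i -H "Host: acct-verify.test" http://127.0.0.1:8080/
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8080, app) as httpd:
        httpd.serve_forever()
```

The 404 is kept for everything not on the list so that the redirect only fires for confirmed takedowns; a blanket redirect would turn every typo on the ISP’s hosting into a phishing warning and dilute the message.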
This initiative is starting to get real traction. Several brands are already participating and I’ve been contacted by many more this week to get started. It’s a very exciting initiative to give consumers a consistent message from a group like the APWG at exactly the right time in the consumer’s online experience. American Banker has published an article about it (warning – you have to have a subscription to see the article – sorry).
In a similar vein, another colleague – Dave Piscitello – has a blog post on anti-phishing messaging on Gaia. It’s great to see anti-phishing messaging is getting to be more pervasive, especially given that the threats are very real.
Finally, for those of you attending the APWG conference next week, there is a cool video – it gives an overview of the topics to be covered in Barcelona.
Precision hacking – a new term for business logic abuse?
We’ve been having a lot of discussions lately about one term that describes when people use the legitimate function of websites to perpetrate bad behavior. Sometimes the bad behavior can be fraud and sometimes it is just a nuisance.
An example of the nuisance type of bad behavior is the Time “Most Influential People” poll being hacked. Paul Lamere called this exploit “precision hacking”. But I’m worried that using the word “hack” is too technical for the business folks to take seriously. It also puts these types of flaws squarely in the security space when often these are more risk management issues.
Jeremiah Grossman has called this business logic abuse - the abuse of the legitimate business logic of a website. I like the term since it makes sense logically, but I worry that you have to think about it for a while before you understand what it is implying. This can also be called business logic flaws.
What would be really great is to come up with a term like “Phishing” – something that has no real meaning, but that everyone will come to associate with these types of attacks.
Here are some suggestions for possible terms to represent when someone uses the legitimate pages of a website to perpetrate bad behavior. Let me know if you have opinions or if you have other suggestions.
- business logic abuse
- business logic flaws
- business logic exploits
- precision hacking
- swizzling
- e-cheating
- cheeting
- others?
