Silver Tail Blog

Fighting against business logic abuse.

New Webinar: Detecting Man-in-the-Browser

Join us for a Webinar on July 14.

The proliferation of authentication models, device fingerprinting, IP geo-location mapping, and other security technologies has raised the stakes for using stolen online accounts.  Bad actors need a way to access users’ accounts without being detected by the systems currently in place.  The rise in malware infections has created a unique opportunity for them: the ability to access the account through the victim’s own web browser, IP address, and session, so that device, IP, and session checks see nothing out of the ordinary.  These “Man-in-the-Browser” attacks are extremely difficult to detect and prevent, and are increasing with the spread of malware.

Laura Mather

Laura Mather, Founder & VP, Product Marketing at Silver Tail Systems, will define Man-in-the-Browser attacks, explain how they are perpetrated, show a demonstration of an attack, and show the ways these types of attacks can be detected.

Join us for the first session in our Silver Tail Webinar Series, “Detecting Man-in-the-Browser Attacks”.

Title:    Detecting Man-in-the-Browser Attacks: Silver Tail Webinar Series, Part 1
Date:     Tuesday, July 14, 2009
Time:     10:00 AM – 11:00 AM PDT
Register: https://www2.gotomeeting.com/register/470908250

After registering you will receive a confirmation email containing information about joining the Webinar.

Register Now

June 30, 2009 Posted by Sherrick Murdoff | Detection, Investigation | No Comments Yet

Security Consistency: Should we standardize password requirements?

I saw a presentation earlier this week where a researcher was talking about consumer education with respect to security.  The researcher said that one way to make security education more consistent would be for websites to all have consistent requirements around passwords.  For example, all websites should require that passwords have at least 8 characters and include one capital letter, one digit, and one punctuation mark.

While I am all for having consistent messaging around security practices and even encouraging users to have secure passwords, I worry about the implications.

Imagine a world where every website had the exact same requirements for passwords.  Even if the passwords were secure, the risk is allowing people to have the same password on every website.  In this case, if the bad actors were able to phish the password for one of my accounts, and they had my email address, they would likely be able to access many of my accounts.

To make matters worse, once the bad actor has the password for one of my accounts, they will be able to log in to my email account, which will let them use the “forgot my password” function on almost any other account.

While I applaud researchers for thinking of ways to make security education more consistent, making password requirements consistent has more negative ramifications than benefits.

June 26, 2009 Posted by Laura Mather | Phishing, education | No Comments Yet

Risk Management and Information Security: Merging into one?

Three times in the past two weeks I’ve been privy to a conversation about the difference between risk management and information security.  Most organizations have separate functions for risk management and information security.  In my past lives I’ve worked in a risk management-like function, but been closely aligned with what was going on in information security.

Even at the RSA conference there was a very clear divide between the two.  I attended one session on online fraud and the speaker made the point that he would be giving the only talk at the conference about fraud.

I have to admit that I’ve always found the difference between the two functions to be a bit subtle.  I see how the information security folks fight against things like denial of service attacks, SQL injection, cross site scripting, network exploits, etc.  And I see how risk management teams balance customer experience with the need to keep money from going out the door.  But it seems like it might be time for these two types of teams to start working more closely together.

Isn’t it the case that the information security folks are trying to prevent the initial access while the risk management teams are preventing the final event?  If so, it seems like it would be immensely valuable for the two groups to work together more closely.  By understanding the combination of the attack vector as well as the motivation it seems like even stronger security/risk management practices could be put into place.

I know of at least one company that has recently combined their info sec and risk management functions.  I’ll be curious to see how that works.  I’d encourage the two communities to start working more closely together.  I argue that we are, after all, fighting the same fight.

June 22, 2009 Posted by Laura Mather | Fraud, Online Fraud, information security, risk management | 4 Comments

Scamming iTunes and Amazon for $300k through Business Logic Abuse

This article reports the arrest of a group that stole $300k from iTunes and Amazon through business logic abuse.  The simplicity of the scam is impressive.

…the group created several songs, had the songs uploaded to iTunes and Amazon, then used thousands of stolen credit cards to repeatedly purchase the songs from these services.

One might think it is difficult to steal money from a site that sells only digital goods usable solely by the purchaser, but this is a straightforward case of using exactly the functionality the sites offer, selling and buying digital goods, to launder money out of stolen credit cards: the stolen cards pay for the songs, and the marketplace then pays the group as the songs’ seller.

Fascinating!
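The pattern described above can be stated as a detection rule on the payment side: a seller whose payouts come from many distinct cards buying the same tiny catalog, with cards repeatedly buying a digital item they already own. The following Python is an added example, not Silver Tail’s product, the article’s, or any marketplace’s code; the record layout, the sellers, the purchase log and the thresholds are all constructed for illustration.

```python
"""Flag sellers whose sales look like card cycling through a digital storefront.

Added illustration only: the record layout, the sellers, the purchase log and
the thresholds are constructed assumptions, not any real marketplace's rules.
"""
from collections import Counter, defaultdict


def build_sample_purchases():
    """Constructed purchase log as (card_id, seller_id, item_id, amount_usd).

    label_a / label_b are ordinary sellers: each card buys an item once.
    ring_x mimics the scheme in the article: a two-track catalog bought over
    and over by many distinct cards, each card re-buying tracks it already owns.
    """
    purchases = []
    for i in range(30):
        card = f"card{i:03d}"
        purchases.append((card, "label_a", f"track{i % 20}", 0.99))
        if i % 3 == 0:
            purchases.append((card, "label_b", f"album{i % 7}", 9.99))
    for i in range(40):
        card = f"stolen{i:03d}"
        for item in ("hit1", "hit2"):
            for _ in range(2):  # the same card buys the same track twice
                purchases.append((card, "ring_x", item, 0.99))
    return purchases


def seller_stats(purchases):
    """Per-seller counters: purchases, distinct cards, catalog size, repeat buys, revenue."""
    cards = defaultdict(set)
    items = defaultdict(set)
    n_purchases = Counter()
    revenue = Counter()
    repeats = Counter()
    seen = Counter()  # (card, seller, item) -> times that card bought that item
    for card, seller, item, amount in purchases:
        cards[seller].add(card)
        items[seller].add(item)
        n_purchases[seller] += 1
        revenue[seller] += amount
        seen[(card, seller, item)] += 1
        if seen[(card, seller, item)] > 1:
            repeats[seller] += 1  # a digital good bought again by a card that owns it
    stats = {}
    for seller, n in n_purchases.items():
        stats[seller] = {
            "purchases": n,
            "distinct_cards": len(cards[seller]),
            "catalog": len(items[seller]),
            "repeat_buys": repeats[seller],
            "repeat_ratio": repeats[seller] / n,
            "purchases_per_item": n / len(items[seller]),
            "revenue": round(revenue[seller], 2),
        }
    return stats


def flag_sellers(purchases, min_cards=10, min_repeat_ratio=0.2, max_purchases_per_item=25):
    """Return {seller: stats + reasons} for sellers worth holding payout on.

    Thresholds are assumptions for the sample data.  min_cards keeps a single
    buyer's accidental double purchase from flagging a small seller.
    """
    flagged = {}
    for seller, st in seller_stats(purchases).items():
        if st["distinct_cards"] < min_cards:
            continue
        reasons = []
        if st["repeat_ratio"] >= min_repeat_ratio:
            reasons.append("cards re-buying items they already own")
        if st["purchases_per_item"] >= max_purchases_per_item:
            reasons.append("sales concentrated on a tiny catalog")
        if reasons:
            flagged[seller] = dict(st, reasons=reasons)
    return flagged


if __name__ == "__main__":
    for seller, st in flag_sellers(build_sample_purchases()).items():
        print(seller, st["distinct_cards"], "cards", st["revenue"], "USD", st["reasons"])
```

The action on a hit is to hold the seller’s payout for review rather than block purchases: the buyers here are cardholders who will charge back, and the loss only becomes real when the marketplace pays the seller.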

June 17, 2009 Posted by Laura Mather | Online Fraud, business logic abuse | No Comments Yet

Why attacks differ based on geography

I’ve always been confused by why the bad guys target banks in the UK and South America so much differently than they target banks in the US.  In the UK and especially in Brazil you hear of extremely sophisticated attacks to steal or covertly use login credentials of unsuspecting consumers.  And yet, in the US, the bad guys seem to be most wily about how they get the money out of the account.

Last week I finally got an answer to this.

I was talking to a security expert from a bank in the UK and he explained how banks in the UK and banks in Brazil have been very stringent about protecting the “front door”.  Specifically, banks in both of these regions have deployed strong second factor technology, often require client-computer authentication, and do lots of things to make sure it is difficult for a third party to gain access to the account.  Because of this, the bad actors have had to develop extremely subtle attack vectors to get past these various protections (for example, Man in the Browser).

Another difference, I’m told, is that in the UK there are so many expatriates from other parts of the world that it is easy to both find mules and hide them.  This makes transferring the money out much easier.

In contrast, banks in the US have done some things to protect the front door, but many of them put a lot of emphasis on protecting the moment of highest risk: when the money is transferred out.  So, the bad actors have to do a better job of disguising themselves at the time of transfer.

Hopefully this sheds some light on why there are different attacks geographically.  If you all have other differences, please let me know.

June 11, 2009 Posted by Laura Mather | General | No Comments Yet

Silver Tail “Best of Show” Video Available

The video demonstration from our Best of Show win at FinovateStartup09 is now available through the silvertailsystems.com website and the FinovateStartup09 video website. Leading anti-fraud expert and company co-founder, Laura Mather, presented the Silver Tail Forensics product on stage at the conference. She highlighted a Man-in-the-Browser example, showcasing Silver Tail’s unique capability as the only commercial technology for online sites to detect this emerging threat and protect against business logic abuse.

Silver Tail was awarded Best of Show, voted on by the 300+ attendees at the conference, made up mostly of financial services firms. The selection was made based on the audience interest in the solution, the compelling need in the financial services market and the presentation given at the conference. Silver Tail was selected as the winner over 57 companies participating in the conference.

The 7 minute video is available here: http://www.finovate.com/startup09vid/silvertailsystems.html

June 3, 2009 Posted by Sherrick Murdoff | General, business logic abuse | No Comments Yet