Silver Tail Blog

Fighting against business logic abuse.

Silver Tail named to Bank Technology News “Future Now” list

We are thrilled to report that Silver Tail has been named to the Bank Technology News Future Now list. Other companies on this list include IBM, JP Morgan Chase, and SAS.

Karen Epper Hoffman does a great job describing Silver Tail’s technology.

For Silver Tail Systems, the trick to sussing potential fraudsters is to track how the crowd acts and see what doesn’t fit. This concept of applying what the company’s founder and vp of product marketing Laura Mather calls “crowd sourcing” to fraud identification and mitigation is what sets Silver Tail apart.

In addition, it is clear that Silver Tail is hot technology for the financial services industry.

Jim Bruene, the founder and CEO of Online Financial Innovations in Seattle, says Silver Tail Systems has impressed the banking industry with their novel approach to the fraud issue. Presenting at his firm’s Finovate conference this spring, Silver Tail made a big splash with the audience and was voted best presenter in the show. [Silver Tail was also previously cited as one of the 10 Tech Companies to Watch by Bank Technology News.]

We have an amazing team at Silver Tail and we’re thrilled to see that the financial services industry sees the fraud prevention vision we are achieving.

August 28, 2009 | Posted by Laura Mather | Fraud, business logic abuse | No Comments Yet

Do XSS and SQL Injection break website code?

Here’s a philosophical question for all of you security nerds (like me) out there: Do exploits like XSS (cross-site scripting) and SQL injection break a website? Or are they uses of legitimate functionality of a website?

I often define “business logic abuse” as: the use of legitimate pages of a website to perpetrate malicious activity. When defining business logic abuse I try to point out that this is different from XSS and SQL injection, in that XSS and SQL injection use the website in a way that was NOT intended.

Lately, I’ve been called to task on this definition. Some people say that XSS holes in particular are often left in place deliberately, so that marketing people can redirect customers away from the website. I agree with that, but I still claim that those holes were not intended to direct customers to phishing sites, sites with drive-by downloads, or other sites with malicious intent.

For those of you who follow this blog and are experts in XSS and SQL injection (and other such vulnerabilities), I’d very much appreciate your opinion on whether my definition of business logic abuse infringes on your fields of expertise.  If so, I’m going to have to come up with a new definition!

August 24, 2009 | Posted by Laura Mather | business logic abuse | 5 Comments

APWG Meeting – Tacoma, October, 2009

To continue the trend of posting about upcoming events, the APWG is holding its e-Crime Summit in Tacoma, WA. The members-only meeting will be October 19. October 20-21 is the research portion of the meeting.

Silver Tail’s Founder and CTO, Mike Eynon, will be speaking with David Gottlieb from eBay about business logic abuse; the talk is titled “Menacing the Electronic Storefront: Business Logic Attacks Against the Online Enterprise.”

I’d highly recommend attending this event if you have the chance. Not only will the content of the meeting be super interesting, but the attendees are the decision makers and go-to people for fighting online crime. In addition, travel to Tacoma is not too outrageous for most people.

If you are planning to attend, let me know, as it would be great to set up in-person meetings with those of you who will be there.

August 20, 2009 | Posted by Laura Mather | Phishing, business logic abuse | No Comments Yet

Silver Tail Webinar: Dissecting Zeus, the #1 Bank Trojan

We are pleased to announce our next webinar!  Silver Tail’s founder Laura Mather, Ph.D., will dissect Zeus, the #1 bank Trojan. Zeus is used to attack us daily and was recently seen in a number of high profile bank theft cases including the $415,000 ACH theft from Bullitt County, Kentucky.

This webinar will do a deep dive into Zeus, illustrating:
• How Zeus is distributed to infect your customers’ PCs
• How Zeus works, including the command and control
• How criminals use Zeus to target your financial institution or website, including theft of security images, secret questions and two-factor authentication credentials
• How Zeus circumvents our most sophisticated defenses
• How Zeus supports the larger underground economy

We will also fire up our Zeus malware to demonstrate a Zeus attack on a financial institution, showing three perspectives: the victim (consumer), the Zeus Trojan (“Man in the Middle”), and the bank’s web server.

If you enjoyed our Man in the Browser webinar you’re sure to love this look at one of the biggest threats to online banking. No one in the financial services or e-commerce communities can afford not to understand the risk Zeus poses.

Date: September 1, 2009

Time: 10am Pacific time

Register: https://www2.gotomeeting.com/register/428252746

We look forward to seeing you on September 1!

August 17, 2009 | Posted by Laura Mather | Fraud, Online Fraud, information security, risk management | No Comments Yet

Jeremiah Grossman’s View on Security Religions

As mentioned in a previous post, Jeremiah Grossman and Trey Ford gave a presentation at BlackHat about business logic abuse. I understand the talk was very popular.

Jeremiah has a post on his blog that goes into a little more depth on how websites look at security in two different ways: in depth or in breadth.

Each organization must decide for themselves the level of risk they are willing to accept. Security managers are asked to provide budgetary guidance by articulating that spending “$X on Y, will reduce the risk of loss of $A by B%.” These decisions have given rise to two prevailing, but opposing security religions — Depth and Breadth. Graciously referred to as religions, for how their value is typically justified resembles more of a belief system rather than being rooted in science or metrics.

This is a very interesting post with lots of commentary on the different types of bad guys and the different ways to look at defense. As an added advantage, there is a link at the bottom to an upcoming encore of the BlackHat presentation!

August 13, 2009 | Posted by Laura Mather | Fraud, Online Fraud, Prevention, business logic abuse | No Comments Yet

Mike Eynon to Speak at OWASP – Sept 2 in NY

For those of you on the east coast, Silver Tail’s CTO, Mike Eynon, will be speaking at the NY/NJ chapter meeting of OWASP on the evening of Sept 2.  You can find more information about the meeting here.

Mike’s talk is “Beyond the OWASP Top Ten,” where he will discuss how detection methods for everything from viruses to firewalls are in the process of transitioning from signature-based detection to behavior-based detection. Of course, this ties in perfectly to how Silver Tail uses behavior-based detection to identify new threats on websites.

If you are in the NY area, we’d be thrilled to set up in-person meetings. Please send us an email. You can find our contact information here.

We’ll look forward to seeing you all in NY!

August 10, 2009 | Posted by Laura Mather | Online Fraud, behavior analysis, business logic abuse | No Comments Yet

Silver Tail Selected to Present at Finovate2009!

Great news! Silver Tail was selected to present at Finovate2009. We’re thrilled to have been chosen alongside other companies like Fidelity and Intuit. We’ll be giving a demo of our Man in the Browser detection and mitigation solutions, so this event should be super exciting.

Additional information about Finovate2009 can be found here.

If any of you are planning to be at Finovate2009 or will be in the New York area around September 29, let us know.  We’d be thrilled to meet with you in person.  You can find information about contacting us here.

August 6, 2009 | Posted by Laura Mather | Man-in-the-Browser, Online Fraud | No Comments Yet

Gaming Incentive Programs on P2P Lending

Lending Club is offering a $50 incentive to refer new lenders to its program. The catch: the $50 can only be used by the new lender to loan out through the program, essentially creating a “free” loan.

At first glance this might seem to get around the usual risk of bad guys signing up a bunch of accounts so that they can earn money, since the referring account doesn’t benefit. But I think this can (and will) still be gamed. If I were a bad actor, I would register as a lender, refer all of my “friends” (stolen identities that I control), and then use the $50 in each account to lend money to other accounts I signed up with stolen identities. This is a form of business logic abuse: using the pages of a website in the way they were intended in order to perpetrate bad behavior.

I’ll admit, I haven’t looked at the terms of this and there may be terms in place that would make it difficult to game.  Since these types of programs are often launched by marketers, they don’t think about how bad actors could make money by gaming the system.
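One way a program operator could watch for the referral-ring pattern described above, as an added example written for this post rather than Lending Club’s or Silver Tail’s own code: group the accounts each referrer brought in, then flag referrers whose referred accounts lend their credit mostly back into that same group. The account ids, loan records and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real Lending Club records).
# REFERRALS: (referrer, referred account); LOANS: (lender, borrower, amount).
REFERRALS = [
    ("R1", "A1"), ("R1", "A2"), ("R1", "A3"), ("R1", "A4"),  # suspicious cluster
    ("R2", "B1"), ("R2", "B2"),                              # ordinary referrer
]
LOANS = [
    ("A1", "A2", 50), ("A2", "A3", 50), ("A3", "A4", 50), ("A4", "R1", 50),
    ("B1", "X9", 50), ("B2", "Y7", 25), ("B2", "B1", 25),
]


def referral_clusters(referrals):
    """Map each referrer to the set of accounts it referred."""
    clusters = defaultdict(set)
    for referrer, referred in referrals:
        clusters[referrer].add(referred)
    return clusters


def self_funding_ratio(referrer, referred, loans):
    """Fraction of the referred accounts' lending that stays inside the cluster
    (borrower is another referred account or the referrer itself)."""
    total = inside = 0
    for lender, borrower, amount in loans:
        if lender in referred:
            total += amount
            if borrower in referred or borrower == referrer:
                inside += amount
    return inside / total if total else 0.0


def flag_referral_rings(referrals, loans, min_size=3, max_ratio=0.5):
    """Return {referrer: ratio} for clusters that are large enough and whose
    referred accounts mostly lend the credit back to the cluster."""
    flagged = {}
    for referrer, referred in referral_clusters(referrals).items():
        if len(referred) < min_size:  # small clusters are common and legitimate
            continue
        ratio = self_funding_ratio(referrer, referred, loans)
        if ratio > max_ratio:
            flagged[referrer] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    print(flag_referral_rings(REFERRALS, LOANS))  # {'R1': 1.0}
```

The thresholds are a starting point; a real program would also look at shared devices, addresses or bank accounts across the cluster before acting on a hit.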

It sounds like Lending Club also has a traditional incentive program ($25 to refer an approved buyer); I wonder if they’ve seen any bad behavior on this campaign yet.

August 4, 2009 | Posted by Laura Mather | Fraud, Gaming, Online Fraud, business logic abuse | 1 Comment