RSA Conference Thoughts: Part I
Yesterday kicked off another RSA Conference. I was honored to attend the eFraud Global Forum. The caliber of presenters and attendees at this event is always fantastic.
I am already hearing some recurring themes at this year’s conference. The obvious one is mobile threats. What has surprised me about the commentary around mobile is that people are somewhat optimistic about how we will address it. Many have commented on how mobile is different from trying to secure the browser or the operating system. When we were trying to protect browsers and operating systems, we were starting from scratch. Mobile is different. We’re starting from a great baseline, namely everything we learned with desktops and browsers, so that does provide us with an edge.
That’s not to say that mobile will be easy, however: it won’t. But it should be easier for a couple of reasons. First, many of the calls that are used by mobile apps are the same calls used by web browsers. Therefore, the security around those calls should already be quite strong. Second, even though there are several mobile platforms, they are each managed by very large corporations who already have processes in place for dealing with escalations, getting patches out quickly, etc.
There are a few other reasons mobile will be easier, but it’s time for the next event so I’ll cover those another time! More on RSA Conference soon!
The Groundswell of Internet Governance Initiatives
Although I haven’t blogged about it yet, I have been thinking a lot about the SOPA initiative from a few weeks ago. I’m not sure we’ve ever seen an issue that encourages multiple major internet properties (Google, Craigslist, Wikipedia, etc.) to band together. With SOPA there was true collegiality about how the Internet should not be governed.
Personally, I’m glad SOPA was discarded. While I see the need for a way to police the Internet, for intellectual property concerns as well as other issues, the ramifications of SOPA were too heavy handed.
And yesterday I was an observer in an electronic conversation about how the UN may someday (soon?) be considering how the Internet is governed. An editorial about this issue can be found here.
As with most political discussions, there are factions on both sides of this debate. The trends I’m seeing are that most people in the security field do not want to see UN control over the Internet while it sounds like many countries are looking to control the Internet as a way of monetizing and/or policing it.
The one thing I most agree with at this time is that the UN will likely not move quickly on this.
My question is: how long will it take before some semblance of governance has settled across the Internet? It seems like we are still years away. Anyone have comments?
Did Google Make the Right Move to Protect the Android Market?
Just last week, Wired’s Gadget Lab wrote about Google’s Android security improvements, and how they plan to make the platform more secure for users. As noted in the post, the draw for the Android platform lies in its openness, but at the same time, this presents a number of security challenges for the operating system.
So how does Google plan to make Android more secure? The company unveiled a new security service for Android that aims to auto-scan uploaded Android applications to detect potentially malicious apps more quickly – ideally before users download them. The service searches for threats without requiring any pre-approval process so that the platform can remain as “open” as always.
In all honesty, some of my initial thoughts about this announcement are skeptical. In “controlling” the security of the platform, Google is taking the stance that they know more about mobile security than anyone else, including the security professionals who’ve been detecting threats and stopping attacks for 30+ years.
By creating the “sandbox security” model within Android, Google has in fact raised the bar for WHO can create malware for Android, and what the potential is for that malware, but in doing this, they’ve completely locked out the good guys. Consider the case where either Android or iOS has a security hole (all the methods for jail-breaking fit in this category). Bad actors can run at full speed until Android or iOS block the hole. Meanwhile, security pros are locked out from doing anything on the device that would detect this.
Ultimately it is clear that both Google and Apple had the foresight to recognize that AV and other signature detection is dead, but they closed the door on allowing newer, more innovative solutions. This is a problem for many security professionals unless you’re under the assumption that the client is untrustworthy no matter the platform. Only the server-side can be trusted when it comes to detecting threats, and that is the mentality and direction that the market needs to go in order to effectively “secure” mobile (and all other types of) platforms.
Silver Tail Systems and MasterCard Join Together to Protect E-Commerce Websites
As the former director of Information Security at Sears, I have seen my fair share of malicious activity executed against an e-commerce site. Defending against account takeovers, data scraping and other criminal attacks is a top priority for security teams. However, it remains a never-ending challenge, particularly if you don’t have the right tools in place to give you the information and visibility you need to thwart bad actors.
MasterCard Worldwide recognizes this is an uphill battle for their merchants, and they have joined with Silver Tail Systems to make sure that e-commerce merchants have access to web session intelligence technology that will help combat online fraud in a way that traditional solutions cannot.
Cybercriminals today are more advanced than ever, and by monitoring keystrokes and the sites that malware-infected PCs visit, they are able to gather the information they need to make fraudulent purchases, steal funds, sell personal data and more. Silver Tail Systems monitors the entire clickstream for both users and the population, and by performing behavioral analysis, we can differentiate normal activity from malicious intent based on normal patterns for a particular user or group.
This approach is revolutionary, and we are the first to join with one of the leading payments technology companies to offer advanced protection for e-commerce merchants worldwide. This alliance validates that web session intelligence is key to preventing online malicious behavior, identifying fraud, and safeguarding e-commerce sites and customers from devastating web-based attacks.
We are looking forward to working closely with MasterCard and its merchants throughout the coming years.
Silver Tail Systems and MasterCard Join Forces to Secure Digital Payments for E-Commerce Merchants
I am thrilled to announce that MasterCard Worldwide and Silver Tail Systems have established a new relationship that enables ecommerce merchants to leverage web-session intelligence technology to help combat online fraud. In 2011 we saw ecommerce cybercrime surge at the Navigation Layer, and it continues to evolve in ways that traditional tools cannot always fully address.
According to the 2011 Identity Fraud Survey Report, new account fraud, in which accounts are opened without the victim’s knowledge, is harder to detect and is the most likely to severely impact the victims. The report stated that this cost victims $17B in 2010 alone. Additionally, the mean consumer out-of-pocket cost due to identity fraud increased 63% from $387 in 2009 to $631 per incident in 2010.
Transaction monitoring is critical, but behavioral analysis at both the user and population level has become even more so. Fraudsters are shifting their focus to attack the Navigation Layer of websites, where transactions take place. The ability to distinguish malicious activity from normal behavior in real time during the shopping experience is the key to protecting merchants, and in turn, consumers.
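The two posts above describe clickstream behavioral analysis at the user and population level only in outline. The following is an added illustration, not Silver Tail’s own code: it parses a constructed sample clickstream (users alice, bob, carol and eve are invented), derives two per-session features, and flags any session whose features sit far above the rest of the population, which is the population-level half of the approach the posts describe.

```python
"""Added example (not Silver Tail's code): flag clickstream sessions whose
behaviour deviates from the population baseline, as the posts describe."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample clickstream: "seconds user path", one hit per line.
# alice, bob and carol browse before checking out; eve hammers /checkout.
SAMPLE_LOG = """\
0 alice /home
20 alice /product/1
60 alice /checkout
0 bob /home
25 bob /product/7
80 bob /cart
0 carol /home
30 carol /product/3
70 carol /cart
100 carol /checkout
0 eve /checkout
1 eve /checkout
2 eve /checkout
3 eve /checkout
4 eve /checkout
"""

def parse_sessions(log_text):
    """Group hits per user into sorted (seconds, path) lists."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, path = line.split()
        sessions[user].append((int(ts), path))
    return {u: sorted(h) for u, h in sessions.items()}

def session_features(hits):
    """Hits per second and share of checkout hits for one session."""
    span = max(hits[-1][0] - hits[0][0], 1)
    checkout = sum(path == "/checkout" for _, path in hits)
    return {"rate": len(hits) / span, "checkout_share": checkout / len(hits)}

def flag_outliers(sessions, threshold=3.0):
    """Leave-one-out: flag a feature when it exceeds the other sessions'
    mean by more than `threshold` population standard deviations."""
    feats = {u: session_features(h) for u, h in sessions.items()}
    flagged = {}
    for user, own in feats.items():
        for name in ("rate", "checkout_share"):
            others = [f[name] for u, f in feats.items() if u != user]
            mu, sigma = mean(others), pstdev(others)
            if sigma and (own[name] - mu) / sigma > threshold:
                flagged.setdefault(user, []).append(name)
    return flagged
```

A production system would compute the baseline from a much larger population and from each user’s own history rather than from three peers, but the comparison step is the same.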
This alliance between Silver Tail Systems and MasterCard is the first of its kind. Not only will it enhance the security parameters for digital commerce, it will set the standard for the industry’s other financial networks in the fight against cybercrime. Together, we are helping to ensure that organizations are better equipped with the latest technology to spot malware or robotic (“bots”) attacks on their online payments systems.
As today’s e-commerce transactions reach record levels, both merchants and consumers are focused on identifying the safest and smartest ways to conduct online transactions. We are thrilled to lead the charge in reducing fraud for online merchants with one of the most well-known payments technology companies in the world, and this relationship will truly take cyber security one step further.
Being Proactive About Data Protection
On Monday, January 30th HelpNetSecurity.com posted an interesting article, “When it Comes to Customer Data Protection, Firms are Phoning it In”, which highlights research from credit reporting firm Experian and the Ponemon Institute in their survey of 500 IT professionals. According to the article, among respondents who had experienced a data breach at their organization, 60% said the customer data that was lost or stolen was not encrypted. I’m in 100% agreement with Ozz Fonesca of Experian Data Breach Resolution, in that these breaches could have been prevented.
The problem isn’t that companies just don’t want to encrypt their sensitive information, it’s the lack of knowledge on the security front-lines that tends to be the issue. Implementing security systems is complex and when IT professionals aren’t directly working with a CSO or risk professional, there is significant room for error. It doesn’t surprise me that following the data breach, 61% of respondents said their organizations increased their security budget and 28% hired additional IT security staff. This is the appropriate next step but in this situation, it’s a bit too late.
As I discussed in a previous blog post, “E-Commerce and Mobile Payments are Expected to Grow in 2012”, mobile payments and e-commerce will continue to grow over time, and this industry presents somewhat of a greenfield to cybercriminals, so merchants must take steps to better protect their customers’ data. This will be increasingly important as mobile payment devices become common in brick-and-mortar stores, as is the case with cosmetics company Sephora, which has deployed dozens of iPads as mobile point-of-sale devices in several of its stores; in several new stores, they are relying solely on mobile devices for their points of payment.
With 73% of respondents saying their organization did not offer identity protection products or services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans, and alerts, to victims, I predict this will be even more of a concern as 2012 progresses. One worry I have is that people will begin to fear the internet, meaning purchasing items off Amazon or eBay, logging into their online bank accounts, etc. At the end of the day, there are thousands of online threats in cyberspace lurking to cripple an end-user. I’m endorsing that organizations take that extra step, which could be a simple training program, and be proactive before these data breaches become even more of an epidemic.