Business Logic Abuse Makes Headlines: Nordstrom Defrauded of $1.4M
Four years ago I started talking about business logic abuse. In fact, Jeremiah Grossman introduced the term to me and in the first couple of years I had to do a lot of explaining about what it meant and how it could have significant impact on organizations.
Last week there was an article by Mike Lennon of Security Week that talked about how criminals used business logic abuse on the Nordstrom website to steal approximately $1.4M in commissions and rebates. First of all, I’d like to applaud the growing recognition that business logic abuse is part of the evolving nature of online fraud and cybercrime. To give you some insight, the attack was a little tricky: two brothers had figured out that by using a coupon site called FatWallet, they could get cash back for purchases. They also figured out how to submit an order to Nordstrom that was blocked. In the end, no credit card was charged and no merchandise was shipped, but Nordstrom credited FatWallet for the transaction and FatWallet passed along the cash back for the fake purchases.
In the article, Mike refers to the attack as “fraudulent payments.” I find that interesting since Nordstrom’s fraud department would likely not be the department to deal with this. For most e-tailers, the fraud department only deals with credit card charge backs and this case is clearly not that. It is likely the security group that would address this, showing that the line between fraud prevention and security continues to blur.
This is an ingenious attack and it’s critical for online entities to realize that these types of attacks are becoming more and more frequent and more and more challenging to detect.
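The root of the Nordstrom case is that an affiliate was credited for an order that never settled. The following is an added example (not Nordstrom's or FatWallet's code) of the reconciliation a merchant can run before paying affiliate commissions: a claim is approved only when the referenced order was actually charged and shipped. The order statuses, field names and sample data are constructed for the example.

```python
"""Affiliate-commission reconciliation (added example, not the merchant's code).
Assumption: the merchant exports an order ledger with a status per order and
receives affiliate claims that reference order ids."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    status: str          # constructed states: "blocked", "cancelled", "paid", "shipped"
    card_charged: bool
    shipped: bool
    amount_cents: int


@dataclass(frozen=True)
class AffiliateClaim:
    order_id: str
    affiliate: str
    claimed_cents: int


def commission_payable(order: Order) -> bool:
    """Commission is owed only when money moved and goods actually left."""
    return order.card_charged and order.shipped and order.status == "shipped"


def reconcile(orders, claims):
    """Split claims into (approved, rejected); each rejection carries a reason."""
    by_id = {o.order_id: o for o in orders}
    approved, rejected = [], []
    for claim in claims:
        order = by_id.get(claim.order_id)
        if order is None:
            rejected.append((claim, "unknown order"))
        elif not commission_payable(order):
            rejected.append((claim, f"order not settled (status={order.status}, "
                                    f"charged={order.card_charged}, shipped={order.shipped})"))
        elif claim.claimed_cents > order.amount_cents:
            rejected.append((claim, "claim exceeds order amount"))
        else:
            approved.append(claim)
    return approved, rejected


# Constructed sample data: A2 is the pattern from the post, a blocked order
# with no charge and no shipment that an affiliate still claims credit for.
SAMPLE_ORDERS = [
    Order("A1", "shipped", True, True, 12000),
    Order("A2", "blocked", False, False, 50000),
    Order("A3", "cancelled", True, False, 8000),
]
SAMPLE_CLAIMS = [
    AffiliateClaim("A1", "cashback-site", 600),
    AffiliateClaim("A2", "cashback-site", 2500),
    AffiliateClaim("A3", "cashback-site", 400),
    AffiliateClaim("A9", "cashback-site", 100),   # references no known order
]


def summarize(orders=SAMPLE_ORDERS, claims=SAMPLE_CLAIMS):
    approved, rejected = reconcile(orders, claims)
    return {"approved": [c.order_id for c in approved],
            "rejected": {c.order_id: why for c, why in rejected}}


if __name__ == "__main__":
    print(summarize())
```

The check deliberately keys on settlement facts (charged, shipped) rather than on the presence of an order record, because the order record is exactly what the attackers were able to create.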
Stopping Business Logic Attacks Does Not Have to be Cumbersome
My previous blog referenced an article by Imperva about business logic attacks. In that blog I talked about how it can be relatively simple to detect business logic attacks.
I realized that I also wanted to comment on the mitigation aspect of the article. The first assertion of the mitigation piece is that all business logic attacks are robotic. I can tell you definitively that they are not. There are many business logic attacks I have seen that have obviously been carried out by a human who is using trial and error to identify ways to take advantage of the legitimate business logic of a website.
To that end, the article says that the way to stop the business logic attacks is to divert the robotic behavior by challenging anything that looks like a business logic attack. While that can absolutely be a way to address the robotic attacks, it is quite expensive. It means that every time you identify a new attack against the site, the application must be changed to include a challenge when a bot is detected.
There are other ways to deter business logic attacks. The best way is to remove the incentive for the attack. For example, if someone is registering for your sweepstakes thousands of times, do some post-processing that eliminates multiple entries from the same IP address or the same email domain.
As you understand the reason behind the attack, you can find ways to discourage the attack by removing the goal of the attacker instead of changing the business logic.
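As an added example of the post-processing just described (not code from the original post), the routine below takes sweepstakes registrations and keeps one entry per source IP, then collapses any email domain that contributed a suspicious number of entries down to a single entry. The sample registrations, the `domain_threshold` parameter and the exemption list for shared consumer mail domains are my assumptions, added so that a domain like a big webmail provider is not wiped out along with a throwaway domain used for bulk entries.

```python
"""Sweepstakes de-duplication in post-processing (added example).
Removes the payoff of bulk registration rather than changing the entry form."""

from collections import defaultdict

# Constructed sample registrations: (entry_id, email, source_ip)
SAMPLE_ENTRIES = [
    ("e1", "alice@example.com", "203.0.113.5"),
    ("e2", "bob@mail.example", "203.0.113.6"),
    ("e3", "bot001@prize-farm.test", "198.51.100.9"),
    ("e4", "bot002@prize-farm.test", "198.51.100.9"),
    ("e5", "bot003@prize-farm.test", "198.51.100.9"),
    ("e6", "bot004@prize-farm.test", "198.51.100.10"),
    ("e7", "carol@example.com", "203.0.113.7"),
]

# Assumption: shared consumer mail domains are exempt from the domain collapse,
# otherwise every entrant on a big provider would be thrown away together.
EXEMPT_DOMAINS = {"example.com"}


def email_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def dedupe_entries(entries, domain_threshold=2, exempt_domains=EXEMPT_DOMAINS):
    """Return (kept, dropped); dropped maps entry_id -> reason it was removed."""
    dropped = {}

    # Pass 1: one entry per source IP address (first one wins).
    seen_ips = set()
    first_pass = []
    for entry_id, email, ip in entries:
        if ip in seen_ips:
            dropped[entry_id] = f"duplicate ip {ip}"
            continue
        seen_ips.add(ip)
        first_pass.append((entry_id, email, ip))

    # Pass 2: a non-exempt domain with domain_threshold or more survivors is
    # treated as a bulk-registration domain and collapsed to its first entry.
    by_domain = defaultdict(list)
    for entry in first_pass:
        by_domain[email_domain(entry[1])].append(entry)

    kept = []
    for domain, group in by_domain.items():
        if domain not in exempt_domains and len(group) >= domain_threshold:
            kept.append(group[0])
            for entry in group[1:]:
                dropped[entry[0]] = f"bulk domain {domain}"
        else:
            kept.extend(group)

    kept.sort(key=lambda entry: entry[0])
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = dedupe_entries(SAMPLE_ENTRIES)
    print("kept:", [e[0] for e in kept])
    print("dropped:", dropped)
```

Because this runs after the entry period closes, the attacker gets no feedback during the contest about which entries survived, which is the point of removing the goal rather than challenging each submission.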
Finovate gets secure!
Today was my fourth Finovate conference. It has been interesting to see the morphing of the show and the content.
In the past couple of shows there has been an abundance of both mobile and iPad devices. In the spring it was amazing to see iPad devices already being demo’d since the iPad had only been out for a few weeks. There were even more today. It’s crazy what people can do with an iPad.
This time there were a few security companies demoing. I demo’d of course. But also PinPoint, SecureKey, and Guardian Analytics. It’s great to see innovation happening in the financial technology space!
Twitter shows that XSS is still viable
I’m always trying to find simple explanations to some of the complicated attacks out there. This week there was the Twitter exploit that ran rampant for a day or so. The good news is, I found a great explanation about the exploit. The better news is, the explanation is from a trusted colleague, Gary Warner. And better still, Gary references my friends and colleagues Robert Hansen and Jeremiah Grossman! You can see Gary’s post here.
What’s important to notice is that this attack was a form of business logic abuse. The perpetrator was able to use the functionality of the HTML in the way Twitter intended it to be used, but for annoying – and possibly destructive – consequences.
If you have any interest in this topic, I highly recommend Gary’s blog.
Scammers as Vigilantes?
Brian Krebs has another very intriguing post about $600,000 being stolen from the Catholic Diocese of Des Moines. This follows the usual storyline – victim’s computer had malware and malware was used to steal money.
Where the story diverges from the usual is that the criminals told the mules that these stolen funds were going to be sent to the victims of sex abuse associated with the Catholic church. Do I think the funds will really go to the victims? No. What I think is that the criminals have found a new way to convince mules that the crime being perpetrated is for a good cause. It’s essentially a new spin on the “you are sending money to build orphanages in third world countries” bit.
Anyone out there think that this money was really going to abuse victims?
Facebook bug or business logic abuse?
You may have heard of the vulnerability on Facebook that has been exposed. If you enter an email address and a password, Facebook will tell you the password is wrong, but show you the picture and full name of the person corresponding to the email address. This is a treasure trove for phishers since it gives the first and last name associated with an email address – something that is often used by companies to give their customers confidence that the email is really from the company.
I’m wondering whether this feature was a bug on Facebook’s part or if this was meant to be a helpful feature. I’m guessing some Facebook engineer thought it would be cool to show you the name and picture associated with your account if you got your email address wrong and the implications for exposing this information were never considered.
Anyone have more information on why this happened?
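The behaviour described above is a login form that answers differently for "no such account" and "wrong password", and hands back profile data on the second path. As an added example (not Facebook's code), here is a small login function written the leaky way beside a hardened version that returns the same generic failure for both cases and only releases the name and picture after the password checks out. The user store, the hashing parameters and the sample account are constructed for the example.

```python
"""Account-enumeration through a login form: leaky vs hardened (added example)."""

import hashlib
import hmac
import os


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(name, photo, password):
    salt = os.urandom(16)
    return {"name": name, "photo": photo, "salt": salt,
            "hash": _hash_password(password, salt)}


# Constructed user store: email -> record
USERS = {
    "alice@example.com": _make_user("Alice Example", "/p/alice.jpg", "correct horse"),
}

# A record used only so the hardened path always does one hash computation,
# so response time does not reveal whether the email exists.
_DUMMY = _make_user("", "", "dummy")


def _password_ok(record, password):
    candidate = _hash_password(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def login_leaky(email, password):
    """The pattern the post describes: a wrong password still reveals who the
    email belongs to, so anyone can map email -> real name and picture."""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "No account for that email"}
    if not _password_ok(user, password):
        return {"ok": False, "error": "Wrong password",
                "name": user["name"], "photo": user["photo"]}
    return {"ok": True, "name": user["name"], "photo": user["photo"]}


def login_hardened(email, password):
    """Same response for unknown email and wrong password; profile data is
    returned only after successful authentication."""
    user = USERS.get(email)
    record = user if user is not None else _DUMMY
    authenticated = _password_ok(record, password) and user is not None
    if not authenticated:
        return {"ok": False, "error": "Incorrect email or password"}
    return {"ok": True, "name": user["name"], "photo": user["photo"]}


if __name__ == "__main__":
    print(login_leaky("alice@example.com", "wrong"))      # leaks name and photo
    print(login_hardened("alice@example.com", "wrong"))   # generic failure
    print(login_hardened("nobody@example.com", "wrong"))  # identical failure
```

The hardened version treats "does this email have an account" as information worth the same protection as the password, which is the gap the post is asking about.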
Square – a place for criminals?
There’s a fascinating new technology on the market. It’s called Square and it allows any iPhone user to accept credit cards as a form of payment.
First, I have to say this is quite cool. Owning a small business has shown me that many things that seem to be quite convenient for bigger businesses (benefits, 401k, hiring, etc.) are quite challenging for small businesses. So, I’m all for making things like credit card transactions more convenient for small businesses.
My concern is whether or not this makes it easier for criminals to put credit cards through the credit card system. Granted, these terminals are for situations where the credit card is present so that makes the possibility of them being used for stolen credit cards much less likely than an online service. Also, it does accept a signature, so maybe that helps in fraud detection. I don’t know how much signatures are used any more to detect fraud.
The question I see is whether or not this exposes an API that allows criminals to submit credit card numbers, cash them out or verify them, without having to have a legitimate business. Can a criminal sign up for this service and essentially use the API to submit cards? If so, where are the fraud checks? Does Square do that?
If others know more about this service, I’d be very curious what you’ve heard/seen/experienced.
Using 1 cent transfers to validate account numbers
Here’s an intriguing new form of business logic abuse… criminals in Europe have used the banking system’s transfer system to confirm bank account numbers.
…criminals attempt to transfer the sum of 1 euro cent to several accounts at a particular bank, using account numbers they have generated at random. If the payment gets rejected by the bank, then the account number does not exist – but if the transfer goes through successfully, then the crooks know they have stumbled upon a genuine account number….
Armed with the account number, the crooks then start transferring sums of money out of that account, disguised as payments for supposed purchases or services.
And why is this a form of business logic abuse? Because the criminals are using a legitimate function – transferring money between accounts – to confirm account numbers. This is analogous to password guessing – guess the credential (in this case the account number) and then get a response as to whether or not you were correct.
You can see the full article here.
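Since the abuse looks like password guessing, it can be detected the same way: an originator that sends a burst of tiny transfers to many different account numbers with a high rejection rate is probing, not paying. The following is an added example (not from the article or any bank) of that detection run over a few constructed transfer log lines; the log format, the thresholds and the account identifiers are my assumptions. A single 1-cent transfer is left alone, since legitimate services also use a small transfer to verify an account.

```python
"""Detect account-number probing via micro-transfers (added example).
Constructed log format: ts=<iso> from=<originator> to=<beneficiary> cents=<n> result=<ACCEPTED|REJECTED>"""

import re
from collections import defaultdict

# Constructed sample log: ORIG-7 sprays 1-cent transfers at random account
# numbers; ORIG-3 makes one real payment and one legitimate verification transfer.
SAMPLE_LOG = """\
ts=2010-06-01T09:00:01 from=ORIG-7 to=ACC-1001 cents=1 result=REJECTED
ts=2010-06-01T09:00:02 from=ORIG-7 to=ACC-1002 cents=1 result=REJECTED
ts=2010-06-01T09:00:03 from=ORIG-7 to=ACC-1003 cents=1 result=REJECTED
ts=2010-06-01T09:00:04 from=ORIG-7 to=ACC-1004 cents=1 result=ACCEPTED
ts=2010-06-01T09:00:05 from=ORIG-7 to=ACC-1005 cents=1 result=REJECTED
ts=2010-06-01T09:00:06 from=ORIG-7 to=ACC-1006 cents=1 result=REJECTED
ts=2010-06-01T09:00:07 from=ORIG-7 to=ACC-1007 cents=1 result=ACCEPTED
ts=2010-06-01T09:00:08 from=ORIG-7 to=ACC-1008 cents=1 result=REJECTED
ts=2010-06-01T09:05:00 from=ORIG-3 to=ACC-2000 cents=4500 result=ACCEPTED
ts=2010-06-01T09:06:00 from=ORIG-3 to=ACC-2001 cents=1 result=ACCEPTED
"""

LINE_RE = re.compile(
    r"ts=(\S+) from=(\S+) to=(\S+) cents=(\d+) result=(ACCEPTED|REJECTED)")


def parse_log(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            ts, src, dst, cents, result = match.groups()
            yield {"ts": ts, "src": src, "dst": dst,
                   "cents": int(cents), "rejected": result == "REJECTED"}


def flag_probers(log, micro_cents=5, min_attempts=5, min_distinct=5,
                 min_reject_ratio=0.5):
    """Return originators whose micro-transfer pattern looks like enumeration.

    Thresholds are assumptions for the example: many tiny transfers, to many
    distinct beneficiaries, most of them rejected because the number was random.
    """
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0,
                                 "dests": set(), "hits": set()})
    for ev in parse_log(log):
        if ev["cents"] > micro_cents:
            continue                      # only micro-transfers are of interest
        s = stats[ev["src"]]
        s["attempts"] += 1
        s["dests"].add(ev["dst"])
        if ev["rejected"]:
            s["rejected"] += 1
        else:
            s["hits"].add(ev["dst"])      # accounts the prober has confirmed

    flagged = {}
    for src, s in stats.items():
        ratio = s["rejected"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["dests"]) >= min_distinct
                and ratio >= min_reject_ratio):
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_accounts": len(s["dests"]),
                "reject_ratio": ratio,
                # confirmed accounts are the ones to watch for follow-on debits
                "confirmed_accounts": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_probers(SAMPLE_LOG).items():
        print(src, info)
```

The list of confirmed accounts is the useful output for the defender: those are the accounts the article says the crooks come back to with disguised debits, so they are the ones to put under watch.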
“Gaming” the games on social network sites
For those of you who haven’t seen it, there is a fascinating post on TechCrunch by Michael Arrington about how various types of ads on social network sites make millions of dollars by scamming users.
While most of the post talks about how innocent gamers are lured into scams where they are charged money just because they participated in an online survey or game, there is a part of the post that talks about how the super-savvy group has figured out how to game the system.
From the post:
The games that scam the most, win.
And some users aren’t dumb, either. For every user who gets tricked into some fake mobile subscription, there’s another who can beat the system. That’s where the legitimate advertisers, like Netflix and Blockbuster, get hit. Users sign up for a free trial with a credit card, get their game currency, then cancel the membership and start over. Netflix has a policy of only paying for a user once. But game developers use a complex set of partner chains to launder these leads and try to get them through for payment. Netflix sees an overall lowering of quality and pays less for leads. Game developers, desperate to monetize, then search for ever more questionable offers to make up the difference. In the end, the decent advertisers are out, and only the worst of the worst remain.
Left alone, the system really will slide into a full blown disaster.
Of course, gaming these systems is merely a form of business logic abuse – the use of legitimate webpages to perpetrate bad behavior. But can that be detected?
The problem comes from the fact that there are too many layers in the system. I don’t know exactly how the ads work – when someone clicks on the ad who sees that click? The advertiser? The publisher? How many networks in between those two?
If there were some way to see all of the behavior on the legitimate ads, it might be possible to determine who was gaming the system. It would sure be fun to try!
Silver Tail Article in FSTC Innovator
The new edition of FSTC Innovator is available now. It features an article I wrote on how the threat landscape for financial institutions is evolving. No longer are criminals only transferring money out of accounts. Now they are also scraping check images for multi-channel fraud, gaming incentive programs, etc.
It talks about how the criminals are extremely motivated and have a vast amount of resources, and how just looking for traditional fraud is no longer good enough.
You can get a copy of the Innovator here.