Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Silver Tail at iGaming Summit in San Francisco

The Global iGaming Summit and Expo starts tomorrow at the Westin in San Francisco. I’ll be participating in a panel on preventing fraud in gaming and online environments. It should be a great panel and I’m looking forward to talking to people in the gaming space about the types of attacks they are seeing. I’ve been doing some research ahead of the panel and while money laundering is definitely a big concern for the gaming companies, I’ve been surprised to hear that often only the traditional fraud models are in place. As I learn more about the industry, I’ll keep you apprised.

April 23, 2012 | Posted in Fraud, Gaming | Leave a Comment

“Gaming” the games on social network sites

For those of you who haven’t seen it, there is a fascinating post on TechCrunch by Michael Arrington about how various types of ads on social network sites make millions of dollars by scamming users.

While most of the post talks about how innocent gamers are lured into scams where they are charged money just because they participated in an online survey or game, there is a part of the post that talks about how the super-savvy group has figured out how to game the system.

From the post:

The games that scam the most, win.

And some users aren’t dumb, either. For every user who gets tricked into some fake mobile subscription, there’s another who can beat the system. That’s where the legitimate advertisers, like Netflix and Blockbuster, get hit. Users sign up for a free trial with a credit card, get their game currency, then cancel the membership and start over. Netflix has a policy of only paying for a user once. But game developers use a complex set of partner chains to launder these leads and try to get them through for payment. Netflix sees an overall lowering of quality and pays less for leads. Game developers, desperate to monetize, then search for ever more questionable offers to make up the difference. In the end, the decent advertisers are out, and only the worst of the worst remain.

Left alone, the system really will slide into a full blown disaster.

Of course, gaming these systems is merely a form of business logic abuse – the use of legitimate webpages to perpetrate bad behavior.  But can that be detected? 

The problem comes from the fact that there are too many layers in the system.  I don’t know exactly how the ads work – when someone clicks on the ad who sees that click?  The advertiser?  The publisher?  How many networks in between those two? 

If there were some way to see all of the behavior on the legitimate ads, it might be possible to determine who was gaming the system.  It would sure be fun to try!

November 2, 2009 | Posted in behavior analysis, business logic abuse, Detection, Gaming, Social Networks | Leave a Comment

Gaming Incentive Programs on P2P Lending

Lending Club is offering a $50 incentive to refer new lenders to its program.  The catch: the $50 can only be used by the new lender to loan out through the program – essentially creating a “free” loan.

At first glance this might seem to get around the usual risk of bad guys signing up a bunch of accounts so that they can earn money since the referring account doesn’t benefit.  But, I think this can (and will) still be gamed.  If I were a bad actor, I would register as a lender and then refer all of my “friends” (stolen identities of which I have control) and then use the $50 in each account to lend money to other accounts I signed up with stolen identities.  This is a form of business logic abuse: using the pages of a website in the way they were intended to perpetrate bad behavior.

I’ll admit, I haven’t looked at the terms of this and there may be terms in place that would make it difficult to game.  Since these types of programs are often launched by marketers, they don’t think about how bad actors could make money by gaming the system.

It sounds like Lending Club also has a traditional incentive program – $25 to refer an approved borrower – I wonder if they’ve seen any bad behavior on this campaign yet.

August 4, 2009 | Posted in business logic abuse, Fraud, Gaming, Online Fraud | 1 Comment

Abuse of Virtual Money: To Regulate or Not to Regulate

The Chinese government has banned the exchange of virtual currency for real world goods or services.  Information Week has an article that goes into more details. 

It’s not surprising that a government is having to step in to regulate the use of virtual currency in games like World of Warcraft among others.  In talking to several companies that provide forms of virtual currency, I’ve found that there are many, many risks that come along with these types of economic systems.  Any time the bad guys can find a way to eke value out of a system, there is incentive to find a way to beat the system.

One advantage to virtual currency, as opposed to real-world currency, is that it is less anonymous.  (Take note of this – it is extremely rare that something on the Internet is less anonymous than something in the real world!)  In the real-world if you receive stolen money it can be very difficult to track exactly where that money came from.

Online, though, there is often an audit trail that can be followed.  Even if the account that gives you the currency is, itself, stolen, there are IP addresses, cookies, etc. that may be helpful in tracking down the perpetrator.  Granted, the perpetrator is likely in some other country and hidden behind proxies and Internet cafes, but at least there is somewhere to start.
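As an added illustration (my own example code, not Silver Tail’s product or Lending Club’s systems), here is how a site could use the audit trail described above to catch the referral scheme from the P2P lending post: referral relationships plus shared IP addresses and cookie ids link accounts into groups, and a group whose incentive-funded loans land back inside the same group is flagged for review. The account records, loan records, field names and thresholds are all constructed for the example.

```python
"""Flag referral rings from the account audit trail.

Added example, not code from the blog or from any lending site.
Accounts are linked when one referred the other or when they share an
IP address or cookie id; a group of linked accounts is flagged when the
loans made with its incentive credit mostly stay inside the group.
"""
from collections import defaultdict

# Constructed sample data (hypothetical): each account lists who referred
# it (None for organic signups) and the IPs and cookie ids seen on it.
ACCOUNTS = [
    {"id": "A1", "referrer": None, "ips": {"203.0.113.5"}, "cookies": {"c-aaa"}},
    {"id": "A2", "referrer": "A1", "ips": {"203.0.113.5"}, "cookies": {"c-bbb"}},
    {"id": "A3", "referrer": "A1", "ips": {"198.51.100.9"}, "cookies": {"c-aaa"}},
    {"id": "A4", "referrer": "A1", "ips": {"203.0.113.5"}, "cookies": {"c-ccc"}},
    {"id": "B1", "referrer": None, "ips": {"192.0.2.10"}, "cookies": {"c-x"}},
    {"id": "B2", "referrer": "B1", "ips": {"192.0.2.77"}, "cookies": {"c-y"}},
]

# Constructed loans funded with the referral credit: (lender, borrower).
INCENTIVE_LOANS = [
    ("A2", "A3"), ("A3", "A4"), ("A4", "A2"),  # credit circulates inside the A accounts
    ("B2", "Z9"),                              # B2 lends to an unrelated borrower
]


class DisjointSet:
    """Union-find over account ids."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts(accounts):
    """Group accounts connected by referral or by a shared IP/cookie signal."""
    ds = DisjointSet()
    by_signal = defaultdict(set)
    for acct in accounts:
        ds.find(acct["id"])
        if acct["referrer"]:
            ds.union(acct["id"], acct["referrer"])
        for ip in acct["ips"]:
            by_signal[("ip", ip)].add(acct["id"])
        for ck in acct["cookies"]:
            by_signal[("cookie", ck)].add(acct["id"])
    # Every account that shares a signal joins the same group.
    for members in by_signal.values():
        ordered = sorted(members)
        for other in ordered[1:]:
            ds.union(ordered[0], other)
    groups = defaultdict(set)
    for acct in accounts:
        groups[ds.find(acct["id"])].add(acct["id"])
    return list(groups.values())


def flag_rings(accounts, loans, min_size=3, min_internal_ratio=0.8):
    """Return linked groups whose incentive loans mostly stay in-group.

    Thresholds are illustrative; a real deployment would tune them.
    """
    flagged = []
    for group in link_accounts(accounts):
        if len(group) < min_size:
            continue
        group_loans = [(l, b) for l, b in loans if l in group]
        if not group_loans:
            continue
        internal = sum(1 for _, b in group_loans if b in group)
        ratio = internal / len(group_loans)
        if ratio >= min_internal_ratio:
            flagged.append({"accounts": frozenset(group), "internal_ratio": ratio})
    return flagged


if __name__ == "__main__":
    for ring in flag_rings(ACCOUNTS, INCENTIVE_LOANS):
        print(sorted(ring["accounts"]), f"internal loans: {ring['internal_ratio']:.0%}")
```

Referral links alone will also merge a perfectly legitimate referrer with the friends they invited, so the signal that matters is the second one: the incentive credit flowing back into the same cluster of accounts rather than out to strangers. The shared-IP and cookie links are what tie the “friends” back to the person who registered them, which is the audit trail the post above points out is usually available online and rarely offline.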

Will the Chinese government be successful at combating the abuse of virtual currency?  It’s hard to say.  But it is likely we will see additional legislation by other countries to try to stave off the nefarious acts that can occur through virtual economies.

July 6, 2009 | Posted in Fraud, Gaming, Online Fraud | Leave a Comment

Precision hacking – a new term for business logic abuse?

We’ve been having a lot of discussions lately about one term that describes when people use the legitimate function of websites to perpetrate bad behavior.  Sometimes the bad behavior can be fraud and sometimes it is just a nuisance. 

An example of the nuisance type of bad behavior is the Time “Most Influential People” poll being hacked.  Paul Lamere called this exploit “precision hacking”.  But I’m worried that using the word “hack” is too technical for the business folks to take seriously.  It also puts these types of flaws squarely in the security space when often these are more risk management issues.

Jeremiah Grossman has called this business logic abuse – the abuse of the legitimate business logic of a website.  I like the term since it makes sense logically, but I worry that you have to think about it for a while before you understand what it is implying.  This can also be called business logic flaws.

What would be really great is to come up with a term like “Phishing” – something that has no real meaning, but that everyone will come to associate with these types of attacks.

Here are some suggestions for possible terms to represent when someone uses the legitimate pages of a website to perpetrate bad behavior.  Let me know if you have opinions or if you have other suggestions.

  • business logic abuse
  • business logic flaws
  • business logic exploits
  • precision hacking
  • swizzling
  • e-cheating
  • cheeting
  • others?

May 5, 2009 | Posted in business logic abuse, Business Logic Flaw, Fraud, Gaming, Online Fraud, Phishing | 6 Comments

Dancing with the Stars has a business logic exploit???

I found this article amusing.  It talks about how people may be gaming the voting system on Dancing with the Stars to keep “the Woz” from being voted off.   [He has been voted off now, but it is still interesting to think that his life on Dancing may have been prolonged by people gaming the voting system.]

A quote from the article:

Q Could the Woz’s geek fan base be “fixing” the vote?

A Producers of fan-vote-based shows say publicly that there are safeguards in place to void any automated voting. Privately, they admit the system can be manipulated (multiple user accounts for the online part of the voting) if people really want to go to all the trouble.

I can see lots of reasons people would “want to go to all the trouble”, especially when it isn’t all that much trouble for some geeks out there.  Gaming the votes on Dancing with the Stars is merely a business logic exploit.  Who knew business logic abuses applied to reality TV too!

My thoughts: Way to go geeks!  Who thought geeks would have shown interest in dancing?

April 9, 2009 | Posted in business logic abuse, Gaming | Leave a Comment
