Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Gates Versus Jobs: Whose Platform is More Secure?

In the past week I’ve had two different people tell me about a security incident that happened to them. One had her email and Facebook account compromised and the other had his email account stolen. When I talked to them about the various ways this could have happened, both of them said to me, ‘But that can’t be true! I have a Mac!’

While the security community has come to understand that neither Windows nor MacOS is a bulletproof platform, it is taking the general public a lot longer to come to the same conclusion. People who purchased Apple hardware five years ago could almost always safely assume that they wouldn’t be the victim of hackers. What people didn’t understand is that their security at the time had nothing to do with the overall security of their platform versus another. Instead, it came down to one economic factor: return on investment. Simply stated, if the criminals had to choose one platform to infiltrate, which one had the highest potential for victims, and therefore financial returns? Five years ago the answer was overwhelmingly Windows.

Fast forward to today:  Steve Jobs and Apple have done a wonderful job in both producing consumer-friendly devices and marketing those devices such that the MacOS platform is now part of a much larger percent of the population’s technology. This makes it more lucrative to the criminals to focus some efforts on that platform.

So, for those of you who are frustrated because you bought an Apple device thinking it was more secure, you can blame Steve Jobs. His success has created a market for the criminals that didn’t exist before: your hardware.

August 18, 2011 | Posted in: Man-in-the-Browser, risk management, Trust

Silver Tail launched today!

Now it’s official: Silver Tail launched with several announcements today. Though we haven’t been completely silent (thank you for continuing to read our blog), we are now ready to take on the market and aggressively lead the fight against business logic abuse. Building this company and this market is not only fun, but rewarding when you see how our patent-pending technology is helping companies reduce online fraud losses, protect their brand and increase customer trust.

I want to take a moment to thank our investors, Leapfrog Ventures, Seraph Group, Startup Capital Ventures and our individual investors. They are very supportive in our quest, well beyond the financial aspect. Their guidance has been critical in our growth!

And of course, thanks to our customers: without their demand for our solution and their patience now that it’s getting installed, we would not have the momentum we have today.

Stay tuned as more exciting announcements are coming…

April 20, 2009 | Posted in: business logic abuse, General, Online Fraud, Trust

Internet Openness – Embrace It, or Let it Go to the Bad Guys

[Below is a guest post from Mary Berk, Ph.D., Lead Product Manager for Fraud at Microsoft Advertising. Mary’s doctorate is in ethics, so Silver Tail asked her to comment on whether or not security professionals should talk publicly about emerging threats on the internet.]

“The organization of our press has truly been a success…. We’ve eliminated that conception of political freedom which holds that everybody has the right to say whatever comes into his head.”  -Adolf Hitler

The internet makes it tough to keep secrets.  In a world where bad guys take advantage of uninformed computer users, that can be a good thing or a bad thing.  In the end, suppression or restriction of this freedom always plays into the hands of the bad guys.  My point is that the freedom to publish online is something that’s here to stay, so instead of fighting it, we need to embrace it and use it to our advantage.

It’s tough, because good guys are always held to some code of responsibility, where publishing some information is almost never OK. Bad guys don’t have this code, and there’s no honor among thieves. So when publishing online, good guys are stuck, for better or worse, with using discretion in sharing information widely. It’s one thing to describe common strategies used by bad guys (phishing emails, password guessing, Craigslist scams), and another to give detailed instructions on how to commit fraud (providing code for creating your own bot, or sharing instructions for mining email addresses). The first is generally a good thing, and equips the public to be more savvy online; the second, not such a good idea.

While good guys are often restricted by a code of responsibility, the lack of restrictions on fraudsters can be a useful thing.  In a recent personal project I was involved in, we wanted to test the efficacy of a prototype fraud detection system.  The internet was our best source of ways to try to break the system.  Website publishers frustrated with a popular search engine devised an attack on the system as a kind of “payback.”  While these folks were playing dirty (and I certainly don’t condone their practice), the openness of the internet helped us out.  We took the code published by bad guys and used it to attack and train our own system.  So in the end, our system is stronger for it.

So, what’s the right balance for determining how open good guys can be?  There are a couple of ways to slice it, but the question is not settled.  One gut-check test is the “could my mom benefit from this information?” question.  My mom has certainly never heard of a bot, a trojan, or a worm, and she would be mystified by code.  But she can make use of a list of passwords that are most easily hacked.  That’s a pretty strict test (knowing my mom…), but it’s perhaps one end of the spectrum.  Another test is the “strategy versus tactics” question.  If you’re describing general strategies used by bad guys, you’re probably ok.  If you’re giving instructions on how to enact fraud, you might be stepping over the line.

Of course, different businesses may need to slice this differently. An e-commerce site, for example, needs to assure customers that the site is safe, without alarming them. This site will probably do best to publish tutorials or general descriptions. But out there on the net, the discussions can roam more freely.

In the end, my take is that the democracy of the internet, and the freedom to publish online, is here to stay.  We can embrace it, or let it fall into the hands of bad guys.

April 15, 2009 | Posted in: Cost of fraud, Fraud, Investigation, Prevention, Trust

Part 6: Dot-Con follow up

I’ve been getting some great feedback about this series of blogs. Much thanks to everyone who has been reading them and passing along links to friends.

As part of this investigation I talked to someone at the FBI about ic3.gov and other things people can do when they fall victim to these types of scams.  Here were his thoughts.

  1. Report the crime. This could be entering your information at ic3.gov, going to your local police, contacting the website where the fraud was initiated (if it was initiated through a particular website) or all of the above. If you don’t report the crime, then there is no chance law enforcement will catch the criminal. And if the perpetrator is caught, you definitely won’t get restitution (in the unlikely event there is any) unless you reported it. Whatever you do – don’t try to take these criminals down yourself. By continuing to interact with these people you are only putting yourself more in harm’s way. Let the experts – law enforcement – do their jobs.
  2. Have appropriate expectations.  Finding and prosecuting these criminals takes time.  It could be years before you hear anything about this.  I know victims want more immediate retribution, but unfortunately, that is extremely rare.
  3. [This may be the most important one.] If law enforcement follows up with you later about additional details or needs you to sign a form that you were victimized, PLEASE help them.  There are too many cases where the perpetrator finally goes to trial and because it is years later, law enforcement isn’t able to get victim cooperation.  Don’t let the hard work of the law enforcement agents go to waste!

As I mentioned earlier, I’m hoping to put together an initiative to get the word out about what people should do once they’ve been victimized online. I’m hoping to work with the APWG, the NCSA, and maybe getsafeonline.org to make this happen. Please let me know if you want to participate.

Hopefully this series has gotten you thinking about what it is like to be a victim.  I think it is critical that we, as online crime fighters, maintain the perspective of the people for whom we are fighting.

April 1, 2009 | Posted in: Fraud, Investigation, Online Fraud, Phishing, Social engineering, Trust

Part 5: Dot-Con – Online fraud from the victim’s perspective

My previous posts described Paul and Scott, the scams they fell for, and the things they did to try to get help. In talking to Paul and Scott, I came to realize that I had very little understanding of electronic crime from the victim’s perspective. I have spent my professional life trying to thwart these online criminals through policies and technology, driven by the belief that it was the right thing to do. But hearing the frustration, tedium, and finally hopelessness that Paul and Scott have endured because they were fooled by schemes that were very convincing and seemed legitimate has reawakened the purpose of my pursuit. More than ever, I want to stop these scams.

At the moment, my main concern is this: the bad guys have found a loophole in the system that allows them to exploit people like Paul and Scott and get away with it.  By keeping the final “take” for each victim relatively low (within $10k or so), and by having geographically diverse victims, the bad guys make it extremely difficult for law enforcement to determine when there might be a mass crime spree taking place.

In talking to someone from the FBI, it sounds like it is generally believed the bad guys aren’t targeting the low dollar amounts to stay under the radar.  But, since the amounts in these cases are low, they do tend to go a bit more under-reported/under-investigated than the higher dollar amounts.  There are groups within law enforcement that not only collect the data from the victims (through ic3.gov), but also link that data to more prolific online fraud networks like botnets, spam rings, etc.  This is great news!

So, there are places to report this: ic3.gov.  I don’t think law enforcement usually spends much on marketing, so that might be why the message about this site isn’t out there.

What I’m wondering has two parts.

1) Is ic3.gov the best place to report these types of crimes?  Are there other such databases/aggregators?

2) Whatever place is the best – can we get the message out about how to respond to this type of fraud?  Just because law enforcement doesn’t have a marketing budget, doesn’t mean the message can’t get out there.  Maybe we can help.

If anyone out there has thoughts on these questions, I’d be very interested to hear them. I’m going to start exploring this topic further. I’ll be soliciting help from my friends at the Anti-Phishing Working Group (APWG) to do this, but if any of you out there would like to participate in this quest, please let me know. I think the questions above are fundamental to moving the fight against online fraud forward.

March 30, 2009 | Posted in: Fraud, Investigation, Online Fraud, Phishing, Prevention, Social engineering, Trust

Part 4: Dot-Con – Online fraud from the victim’s perspective

In previous posts I described Paul and Scott, two innocent people on different continents who were both victimized by online (and somewhat offline) scams. As a reminder, Paul fell for an inheritance advance-fee scam and Scott was victimized as an eBay power seller by a drop-ship scam.

Once they realized something was wrong, here’s what they did to try to rectify the situation.

Since Paul was in a different country from where the scam was purported to have taken place, he was at a loss as to how to proceed. He figured his local law enforcement wouldn’t be interested in a case that was for a fairly small amount and was outside of their jurisdiction. He wanted to contact the police in London, but was not sure how to do that. So, he saw my email address in association with electronic crime and reached out to me for help. After I spoke to him he did go to his local law enforcement office. They said they’d get back to him.

When I heard about Paul’s case, I contacted some of my friends. One explained that law enforcement in England has to prioritize their cases and anything below $100k in loss doesn’t make the cut. Another gave me the email address of some law enforcement people in Paul’s country. Paul emailed them and never heard back. Someone suggested he report the fraud to www.ic3.gov where it could get aggregated with other scams. He did that. I also asked a friend at the FTC to send something to the analogous organization in Paul’s country. He did, but we didn’t hear back. Finally, we went to the local police. They say they are working on it, but the case doesn’t seem promising.

By the time I talked to Scott he had contacted “every law enforcement agency he could think of”. He had talked to his local law enforcement, the FBI, and the Canadian authorities (since the money was picked up in Canada). He told me he had walked through his story numerous times with each of them. He had saved all of the documentation and was able to show it to them to help them track down the criminals.

In addition, Scott had done some sleuthing of his own. He had called Western Union to find out whether the money had been picked up and, if it had, where. They told him it had been picked up in Canada. He had called the newspaper to see if they knew any more about the advertiser only to be told that the newspaper realized it was a fraudulent ad and that they weren’t going to get paid.

March 25, 2009 | Posted in: Fraud, Investigation, Online Fraud, Phishing, Social engineering, Trust

Part 3: Dot-Con – Online fraud from the victim’s perspective

In case you are just tuning in, I am posting a series of blogs about people who were victimized through electronic crime.  My purpose with these posts is to let people know the victims’ side of the story and to point out how the system failed them.

Our previous post talked about “Paul” who fell for an inheritance cash advance scam (see this page for more information on advance fee scams and this page for information on some others who have fallen for this). The second case I was made aware of involves “Scott”.

Scott is an eBay power seller and lives in a large city in the US. Scott saw a half-page ad in the main newspaper for his city that said eBay sellers could earn extra income by selling goods for a drop shipper. The ad implied that sellers would become employees of this company and included an 800 number to sign up. Scott called the 800 number and spoke to someone about becoming a seller.

After talking to the company several times, Scott did research on the internet.  He says that there wasn’t anything about the company online – nothing good, but nothing bad either.  There was no reason not to believe the company was legit with a limited online presence.

The company sent him the information he needed to list the items on eBay.  They encouraged him to accept PayPal as the payment mechanism for the items.  Once he had received payment he was to send the money (minus his commission) to the company via Western Union.  Scott said this was the only red flag he had during the entire process.  Everything else seemed professional and well-orchestrated.  And since he knew that many sellers and buyers – especially in Europe – use Western Union as their primary payment mechanism, he figured it might be ok.

Scott says it took a couple of weeks to start thinking there might be something wrong. Buyers started reporting that their goods had not arrived. Scott figured the shipments were a bit slow to arrive, so he waited. And waited. Eventually he realized he had been scammed and no goods were going to be shipped.

The lesson for me here is that the bad guys have taken this to a new level.  Newspaper ads in respected papers and 800 numbers, where you talk to a live person, both help to validate the scheme.  It’s not just the technologically-naïve that fall for this anymore.  The bad guys are winning.

In the next post I’ll talk about what these two victims went through to try to solve the problem.

March 23, 2009 | Posted in: Fraud, Online Fraud, Payment, Social engineering, Trust

Part 2: Dot-Con – Online fraud from the victim’s perspective

As a reminder, this is the second part in a series about how internet scams no longer only victimize the naïve. You’ll see in the two stories I’ll tell that intelligent, educated people fall for these scams because the scams have gotten more sophisticated and more difficult to report.

The first case involves “Paul”, a 29-year-old medical doctor who lives in Europe. He received an email from a Barrister in London that said a relative of Paul’s had passed away and the Barrister was told to contact Paul about an inheritance left to him (~$7M). Paul was told that he needed to pay the VAT tax on the inheritance money and then the money would be released to him.

The Barrister was very convincing. He used words like “friendship” and “cooperation” to make Paul feel comfortable about the transaction. The Barrister sent documents to Paul that looked legitimate. You can see here the Affidavit that was sent, the death certificate, and the Stop Order that explains the taxes owed on the inheritance. Since Paul does not live in England, it was difficult for him to confirm the legitimacy of this process or these documents. The bad guys are spinning tales that are extremely convincing.

This is where the story takes a bad turn. Paul took out a loan to pay for the taxes on his “inheritance” and sent the money via Western Union to the “Barrister”. In the end he sent the scammer over 7,000 GBP. Paul will be paying back the loan on this scam for the next five years.

In the next installment I’ll tell another story about someone who was scammed.  And in follow-up posts I’ll talk about what these people did to try to get help.

March 19, 2009 | Posted in: Fraud, Online Fraud, Phishing, Social engineering, Trust

Dot-Con: Online fraud from the victim’s perspective – Part 1

[This is the first part in a series of blogs about how electronic crime impacts everyday people.]

I worry that there is a general assumption that the victims of electronic crime are naïve, technologically-unsavvy people who were fooled by rudimentary techniques that would be “easy” for the rest of us to detect.  Even Bruce Schneier talks about how people in security tend to blame the victim.

If it was ever easy to detect these types of scams, it is very different now.  I have come across two cases in the last few weeks that highlight the sophistication level of the criminals, how difficult it is to determine whether the attacks are malicious, and how challenging it can be to get help when you have fallen victim to these scams.  In both cases, the victims were educated, intelligent people who were defrauded by elaborate schemes.

My goal with this series is to give people the victim’s perspective with respect to electronic crime. In hearing about these two cases, I am concerned that the criminals have found yet another loophole they can exploit: keep the crimes in the medium dollar range ($5,000-$10,000) and make sure your victims are geographically diverse. By doing these two things the criminals have made it almost impossible for law enforcement to do anything about these crimes.

Before I get started I want to point out that I’m absolutely not blaming law enforcement.  I understand why the Secret Service, FBI and their local and international counterparts need proof that the crime resulted in a high amount of loss before they can prioritize it for investigation.  My concern is that the criminals have figured this out and are using it to perpetrate these crimes without getting caught.  If the full extent of these crimes was understood, investigating these crimes might be a much higher priority.

Throughout this series, I’ll explain the scams and the victims as well as what they went through to report their cases and what I went through trying to help as a professional e-crime fighter with the best connections and resources available.

I am fortunate to have had the opportunity to talk to these people about their experiences.  In many cases, victims of these crimes are hesitant to talk to people about what happened to them because of the stigma that smart people couldn’t possibly fall for these scams.  It is imperative for security people to understand the experience from the victims’ point of view and I am, therefore, lucky to have had the opportunity to hear these stories from the people who lived them.

Like TV crime shows, I have changed or anonymized the pertinent details to protect the innocent.  In both cases, the victims feel violated and ashamed.  This only serves as an added bonus for the criminals since a very large percentage of victims never report these incidents.  In both cases, the victims lost large sums of money, and were completely powerless in getting any of their money returned.  In both cases, the victims felt the only possibility for justice would be if they went after the criminals themselves.

The two cases I will detail in this series should be familiar to all who read this blog.  The first is a traditional Nigerian inheritance scam that makes appearances of being run out of the UK, while the second is an online work-from-home drop-ship scam.  My goal in presenting these cases is to redefine how we in the online security space interact with these victims and think about these crimes.

Here is the series:

Part 2: Dot-Con – Online fraud from the victim’s perspective

Part 3: Dot-Con – Online fraud from the victim’s perspective

Part 4: Dot-Con – Online fraud from the victim’s perspective

Part 5: Dot-Con – Online fraud from the victim’s perspective

Part 6: Dot-Con follow up

March 17, 2009 | Posted in: Fraud, Online Fraud, Phishing, Social engineering, Trust

Blogging from the Merchant Risk Council (MRC)

We are at the Merchant Risk Council (MRC) this week in Las Vegas.

Great welcome reception last night – attendance was sold out this year, which is a statement about the quality and importance of this conference. Pick your survey out there, online fraud is on the rise and people are concerned. Kudos to MRC for putting on such a strong showing in such economic times.

This morning Tom Ridge gave the keynote – a great mix of politics, e-commerce and generational commentary. He’s recently learned how to text his kids, by which they were shocked (good laugh for the crowd).

Tom outlined his concern that recent data breaches, phishing attacks, and even the fraud prevention attempts that web sites employ for all users (how many times do I have to tell you, “it’s me!”) provoke a feeling that the internet is not safe. This is bad for everyone. And when his view is, “the Internet is the most important piece of critical infrastructure we have in America,” we need every bit of trust in the Internet that we can get.

The quote I like best, “Better to manage risk before it manages you.” Think about it.

Another highlight was the presentation from David Moriarty at Apple – amazing data he has captured from Apple on their transaction fraud monitoring, diagnostics and anomaly detection. I liked the analogy to the Tom & Jerry cartoon – Tom continues to chase Jerry, through every scenario possible, with Jerry always finding another way to get the cheese. Chasing fraudsters is often a game of cat and mouse and no one plays it better than Tom & Jerry!

Business logic flaws got a mention from Trustwave, in their talk about hacking at the application level. I believe we will see more about business logic flaws and business logic abuse in future presentations at MRC.

Ori Eisen from 41st Parameter gave a mention to “know thy enemy” in order to fight back against fraud. Good advice. Thinking like a bad guy is a notion we exercise a lot at Silver Tail.

I witnessed considerable attention on fraud for the transaction (online purchase) – a very important process because that is where the money is. However, what if you could detect fraudulent behavior before the transaction is started? What if you could detect a fraudster based on their behavior on the website before they ever click to buy? It’s a question that has generated a lot of interest in what Silver Tail is doing. We’d like to hear your comments.

March 11, 2009 | Posted in: business logic abuse, Business Logic Flaw, General, Online Fraud, Trust