Concern about web security at financial institutions
Russ McRee’s post on The need for financial web application security rang true for me. While the bad actors are finding ways to make money through e-commerce and even social network websites, the finance sector will always be a target since that’s where the money is.
It can be super tough to harden a website against online attacks. Russ does a great job calling out some of the things that are especially troublesome, but this dovetails nicely into the presentation Jeremiah Grossman gave yesterday (link to follow). Jeremiah’s presentation said that cross-site scripting and cross-site request forgery are major problems, but business logic flaws are becoming more and more prevalent.
Unfortunately, websites of all types are going to need to start defending themselves against all of these types of attacks – both the technical kind and the business logic kind.
Business logic flaws on the rise, according to new report by WhiteHat
WhiteHat Systems released its seventh installment of the WhiteHat Website Security Statistics Report today, with a webinar tomorrow by Jeremiah Grossman going through the top ten most prevalent website security issues.
According to WhiteHat, the top ten vulnerabilities remain largely unchanged, with Cross-Site Scripting continuing to top the list. However, “business logic flaws, an often-overlooked issue that enables hackers to take advantage of the functionality of a site, occupied more than half of the top spots.”
This should be great awareness for business logic flaws and the impact they can have on websites. At Silver Tail, we are always looking to raise the mind share on business logic abuse and business logic flaws because these rising threats are causing companies a tremendous amount of pain today. Bad guys now target the legitimate business logic of websites to perpetrate their fraud, and it’s extremely difficult to detect and disrupt.
The webinar should be very interesting – check it out: Tuesday, May 19, 2009 at 11:00 a.m. PT / 2:00 p.m. ET.
First White Paper on Business Logic Abuse
The next big thing in website attacks is business logic abuse. This is the use of legitimate business logic (including sound business logic and business logic flaws) to commit online fraud. It’s getting a lot of recognition, from Wikipedia articles (as highlighted in a recent post) to Black Hat presentations like the one from Jeremiah Grossman at Black Hat 2008.
Silver Tail has released the first white paper defining business logic abuse – including methods for detecting, investigating and stopping malicious behavior (including hijack threats, velocity attacks and gaming schemes) as they occur.
Online fraud is on the rise and no one predicts it will decline. The number of fraudsters is increasing and the attacks are evolving from theft through hacking into more sophisticated attacks targeting the business logic of the website itself.
Given that business logic exploits can be live for weeks or months, it is no wonder bad actors are constantly finding new ways to exploit websites. Combine this with the significant income from online fraud and the lack of fear of law enforcement and one can see why this problem is on the rise. The return on investment (ROI) for bad guys is just too compelling! What websites need is a potent response: namely, the same automation and ability to innovate as the bad guys.
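The velocity attacks mentioned above are one of the more tractable forms of business logic abuse to spot, because the abuse shows up as a legitimate action being repeated far faster than a person would. The following is an added example written for this post, not code from the Silver Tail white paper or product: it parses a few constructed web-log lines (timestamp, account, action) and flags any account that performs a chosen action more than a threshold number of times inside a sliding time window. The log format, account names and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real traffic).
# Format assumed here: ISO timestamp, account id, action name.
SAMPLE_LOG = """\
2009-05-18T10:00:00 acct42 login
2009-05-18T10:00:05 acct42 view_balance
2009-05-18T10:00:20 acct42 add_payee
2009-05-18T10:00:21 acct42 add_payee
2009-05-18T10:00:23 acct42 add_payee
2009-05-18T10:00:24 acct42 add_payee
2009-05-18T10:00:26 acct42 add_payee
2009-05-18T10:00:00 acct7 login
2009-05-18T10:01:00 acct7 add_payee
2009-05-18T10:09:00 acct7 add_payee
2009-05-18T10:10:00 acct7 transfer
"""


def parse_log(text):
    """Turn the whitespace-separated log text into (timestamp, account, action)
    tuples sorted by time, so the sliding window below sees events in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action = line.split()
        events.append((datetime.fromisoformat(ts), account, action))
    events.sort()
    return events


def velocity_alerts(events, action, window_seconds, max_count):
    """Return one alert per account whose count of `action` inside any
    window of `window_seconds` exceeds `max_count`.

    Each alert is (account, timestamp of the event that crossed the
    threshold, number of events in the window at that moment). Every
    individual request here is legitimate on its own; only the rate is abnormal,
    which is why a per-request check cannot catch this kind of abuse."""
    windows = defaultdict(deque)   # account -> timestamps still inside the window
    window = timedelta(seconds=window_seconds)
    alerts = []
    alerted = set()
    for ts, account, act in events:
        if act != action:
            continue
        recent = windows[account]
        recent.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) > max_count and account not in alerted:
            alerted.add(account)
            alerts.append((account, ts, len(recent)))
    return alerts


if __name__ == "__main__":
    # More than 3 add_payee calls within 60 seconds is treated as suspicious.
    for account, ts, count in velocity_alerts(parse_log(SAMPLE_LOG), "add_payee", 60, 3):
        print(f"velocity alert: {account} did add_payee {count} times by {ts.isoformat()}")
```

On the constructed log, acct42 trips the check at 10:00:24 with four add_payee calls in under a minute, while acct7, whose two add_payee calls are eight minutes apart, does not. In practice the window and threshold would be tuned per action from observed legitimate behaviour, and the alert would feed an investigation rather than block on its own.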
Silver Tail has published the first white paper on business logic abuse. The paper defines business logic abuse and the significant impacts it can have on an organization. Definitely comment here or contact us privately with any feedback you have relating to the paper. It would be great to hear your thoughts!