The eFraudNetwork published a survey last week as part of the RSA conference.  The purpose of the survey was to “…try and understand how online fraud and data breaches are impacting multiple industries and organizations.” 

The survey covered many topics including data breaches, cross-industry information sharing, the Heartland breach, and spending to prevent fraud.

One the topics near and dear to my heart was the question that asked about attack types.  The answers to this question showed that malware and viruses are at the top of people’s minds – which was to be expected.  What I didn’t expect, though, was the percent of people who said that they have seen attacks against the business logic of their website.

Almost 20% of people said they had seen attacks against the business logic of their site.  While this may seem like a small number to some of you, it is bigger than I was expecting.  Attacks against business logic have been going on for years, but it has only been in the last year or so that the industry is recognizing them for what they are and taking notice of them. 

I was thrilled to see that 20% of people understand that it is the business logic of their website that is allowing attacks.  I’ll be very curious to see how this number changes when the eFN does a similar study next year, especially since it was made clear in the study that business logic attacks are one of the most dangerous attacks against a website.

Is anyone else surprised the number is so high?

I have the privilege of attending the eFraudNetwork day as part of the 2009 RSA security conference.  Prior to the conference, the eFN people had done a survey on the attacks banks and other websites are seeing.  Most of the data wasn’t surprising: identity theft was a big one.

Something that was surprising, though, was that almost 20% of respondents saw attacks against application logic.  When I saw that question in the survey I was worried that people wouldn’t know how to define application logic attacks.  It was very interesting that people are definitely seeing this type of attack.

While 20% seems small, my hypothesis is that most people are getting hit by this type of attack, but 1) many of them don’t know what they are called and 2) many of them don’t understand yet that their websites are being impacted by this type of attack.

I’ll be anxious to see the results of this study going forward to see how this number changes.