Silver Tail Blog

Fighting against business logic abuse.

Silver Tail named to Bank Technology News “Future Now” list

We are thrilled to report that Silver Tail has been named to the Bank Technology News Future Now list.  Other companies on this list include IBM, JP Morgan Chase, and SAS.

Karen Epper Hoffman does a great job describing Silver Tail’s technology.

For Silver Tail Systems, the trick to sussing potential fraudsters is to track how the crowd acts and see what doesn’t fit. This concept of applying what the company’s founder and vp of product marketing Laura Mather calls “crowd sourcing” to fraud identification and mitigation is what sets Silver Tail apart.

In addition, it is clear that Silver Tail is hot technology for the financial services industry.

Jim Bruene, the founder and CEO of Online Financial Innovations in Seattle, says Silver Tail Systems has impressed the banking industry with their novel approach to the fraud issue. Presenting at his firm’s Finovate conference this spring, Silver Tail made a big splash with the audience and was voted best presenter in the show. [Silver Tail was also previously cited as one of the 10 Tech Companies to Watch by Bank Technology News.]

We have an amazing team at Silver Tail and we’re thrilled to see that the financial services industry sees the fraud prevention vision we are achieving.

August 28, 2009 Posted by Laura Mather | Fraud, business logic abuse | No Comments Yet

Why phishers target low value accounts

PCWorld talks about a recent phishing scam on Twitter.  The question in the article is:

In this instance, it appears the site primarily used compromised accounts to spread the phishing links further. What, if any, broader goal was behind the effort is not yet clear.

I’ve posted about this before, but it seems prudent to talk about it again.  Phishers will try to get credentials for websites that use email addresses as usernames for one main reason: people often use the same password on all accounts, so an email/password pair stolen from a low-value site can be replayed directly at the bank, the webmail provider, or the retailer where the same person registered with that address.

If a user is less worried about giving away his Twitter password – since what value could that have? – then that is the best thing for the phisher to target.  The user is less likely to be worried about giving away that password, and therefore the phisher’s conversion rate is likely to be higher.

If I were a phisher, the other thing I’d think about is that people who use Twitter are more likely to be tech savvy and therefore have lots of online accounts, so the passwords I do steal would be more likely to be useful on other sites.

Seems like a good idea to be careful about random tweets!

July 5, 2009 Posted by Laura Mather | Online Fraud, Phishing, Social Networks | No Comments Yet

New Webinar: Detecting Man-in-the-Browser

Join us for a Webinar on July 14.

The proliferation of authentication models, device fingerprinting, IP geo-location mapping, and other security technologies has raised the stakes in using stolen online accounts.  Bad actors need to find a way to access users’ accounts without being detected by the systems currently in place.  The rise in malware infections has created a unique opportunity for these bad actors: The ability to access the account through the victim’s own web browser, IP address, and session.  These “Man-in-the-Browser” attacks are extremely difficult to detect and prevent, and are increasing with the spread of malware.
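One concrete way to act on the behavioral idea in that paragraph, as an added example that is not Silver Tail code and does not describe how its product works: because a Man-in-the-Browser session arrives from the victim’s own browser, cookies and IP address, device fingerprinting and geo-location see nothing wrong, and what is left to examine is the sequence and timing of requests within the session compared with what the crowd of other sessions does. The script below builds a page-to-page transition table from a constructed web log for a hypothetical banking site (the paths, session IDs and the one-second minimum click gap are all assumptions) and flags a session whose transfer confirmation is issued without the transfer form ever being loaded, faster than a person could click.

```python
from collections import Counter, defaultdict

# Constructed sample web log for a hypothetical banking site:
# (session_id, seconds since session start, request path).
# Sessions s1-s4 are ordinary users. Session s5 is the injected-request
# pattern a Man-in-the-Browser trojan might produce: a transfer
# confirmation fired from the victim's session without the transfer
# form ever being loaded, 0.2 s after the previous request.
SAMPLE_LOG = [
    ("s1", 0, "/login"), ("s1", 8, "/accounts"), ("s1", 20, "/transfer"), ("s1", 45, "/transfer/confirm"),
    ("s2", 0, "/login"), ("s2", 6, "/accounts"), ("s2", 30, "/statements"), ("s2", 50, "/accounts"),
    ("s3", 0, "/login"), ("s3", 9, "/accounts"), ("s3", 25, "/transfer"), ("s3", 60, "/transfer/confirm"),
    ("s4", 0, "/login"), ("s4", 7, "/accounts"), ("s4", 15, "/statements"), ("s4", 40, "/accounts"),
    ("s5", 0, "/login"), ("s5", 5, "/accounts"), ("s5", 5.2, "/transfer/confirm"),
]

# Assumed floor on the time between two page loads driven by a real click.
MIN_HUMAN_GAP_SECONDS = 1.0


def sessions_from_log(log):
    """Group log records by session and order each session's requests by time."""
    by_session = defaultdict(list)
    for session_id, ts, path in log:
        by_session[session_id].append((ts, path))
    return {sid: sorted(events) for sid, events in by_session.items()}


def transition_counts(events):
    """Count page->page transitions within one ordered session."""
    pages = [path for _, path in events]
    return Counter(zip(pages, pages[1:]))


def score_session(events, own, crowd, min_gap=MIN_HUMAN_GAP_SECONDS):
    """Return a list of anomaly descriptions for one session.

    `crowd` is the transition count over every session including this one,
    so subtracting `own` gives a leave-one-out view of what everyone else does.
    """
    findings = []
    for (t0, src), (t1, dst) in zip(events, events[1:]):
        others = crowd[(src, dst)] - own[(src, dst)]
        if others == 0:
            findings.append(f"transition {src} -> {dst} is never made by another session")
        if t1 - t0 < min_gap:
            findings.append(f"{t1 - t0:.1f}s between {src} and {dst} is faster than a human click")
    return findings


def flag_sessions(log):
    """Map session_id -> findings for every session that deviates from the crowd."""
    sessions = sessions_from_log(log)
    per_session = {sid: transition_counts(ev) for sid, ev in sessions.items()}
    crowd = Counter()
    for counts in per_session.values():
        crowd.update(counts)
    flagged = {}
    for sid, events in sessions.items():
        findings = score_session(events, per_session[sid], crowd)
        if findings:
            flagged[sid] = findings
    return flagged


if __name__ == "__main__":
    for sid, findings in flag_sessions(SAMPLE_LOG).items():
        print(sid)
        for finding in findings:
            print("  ", finding)
```

With a real crowd of thousands of sessions the "never seen" rule would become a rate threshold, and legitimately unusual paths (bookmarks, deep links from email) need an allow-list, otherwise the analyst drowns in false positives. The limitation cuts the other way too: a trojan that replays the normal page sequence at human speed will not trip either check, so sequence and timing are one signal to correlate with the transfer details, not proof on their own.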

Laura Mather

Laura Mather, Founder & VP, Product Marketing at Silver Tail Systems, will define Man-in-the-Browser attacks, explain how they are perpetrated, show a demonstration of an attack, and show the ways these types of attacks can be detected.

Join us for the first session in our Silver Tail Webinar Series, “Detecting Man-in-the-Browser Attacks”.

Title:    Detecting Man-in-the-Browser Attacks: Silver Tail Webinar Series, Part 1
Date:     Tuesday, July 14, 2009
Time:     10:00 AM – 11:00 AM PDT
Register: https://www2.gotomeeting.com/register/470908250

After registering you will receive a confirmation email containing information about joining the Webinar.

June 30, 2009 Posted by Sherrick Murdoff | Detection, Investigation | No Comments Yet

Risk Management and Information Security: Merging into one?

Three times in the past two weeks I’ve been privy to a conversation about the difference between risk management and information security.  Most organizations have separate functions for risk management and information security.  In my past lives I’ve worked in a risk management-like function, but have been closely aligned with what was going on in information security.

Even at the RSA conference there was a very clear divide between the two.  I attended one session on online fraud and the speaker made the point that he would be giving the only talk at the conference about fraud.

I have to admit that I’ve always found the difference between the two functions to be a bit subtle.  I see how the information security folks fight against things like denial of service attacks, SQL injection, cross-site scripting, network exploits, etc.  And I see how risk management teams balance customer experience with the need to keep money from going out the door.  But it seems like it might be time for these two types of teams to start working more closely together.

Isn’t it the case that the information security folks are trying to prevent the initial access while the risk management teams are preventing the final event?  If so, it seems like it would be immensely valuable for the two groups to work together more closely.  By understanding the combination of the attack vector as well as the motivation it seems like even stronger security/risk management practices could be put into place.

I know of at least one company that has recently combined its info sec and risk management functions.  I’ll be curious to see how that works.  I’d encourage the two communities to start working more closely together.  I argue that we are, after all, fighting the same fight.

June 22, 2009 Posted by Laura Mather | Fraud, Online Fraud, information security, risk management | 4 Comments

Scamming iTunes and Amazon for $300k through Business Logic Abuse

This article reports the arrest of a group that stole $300k from iTunes and Amazon through business logic abuse.  The simplicity of this scam is impressive.

…the group created several songs, had the songs uploaded to iTunes and Amazon, then used thousands of stolen credit cards to repeatedly purchase the songs from these services.

One might think it is difficult to steal money from a site that only sells digital goods usable only by the purchaser, but here is a relatively straightforward case of using exactly the functionality the sites exist for – selling and buying digital goods – to launder money out of stolen credit cards.  Each purchase was a valid transaction for a real product; what was wrong was the pattern across them, and the stolen value came back out as payouts to the group’s own seller accounts.
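A check that catches this particular pattern, as an added example that is not from the article or from Silver Tail and makes its own assumptions about the data: a digital track has no reason to be bought twice by the same card, and a seller whose revenue is dominated by such repeat purchases from a small pool of cards is converting card value into payouts. The script below runs that check over a constructed set of purchase records (the seller names, card tokens, prices and the 10% threshold are all made up).

```python
from collections import defaultdict

# Constructed purchase records: (seller, item, card_token, amount in cents).
# label_a and label_b are ordinary sellers whose buyers each take a track once.
# newseller is the laundering pattern from the article: a few cards buying
# the same tracks over and over so the money shows up as seller revenue.
SAMPLE_PURCHASES = [
    ("label_a", "song_1", "card_01", 99), ("label_a", "song_1", "card_02", 99),
    ("label_a", "song_2", "card_03", 99), ("label_a", "song_1", "card_04", 99),
    ("label_b", "song_9", "card_05", 99), ("label_b", "song_9", "card_06", 99),
    ("newseller", "song_x", "card_90", 99), ("newseller", "song_x", "card_90", 99),
    ("newseller", "song_x", "card_90", 99), ("newseller", "song_x", "card_90", 99),
    ("newseller", "song_x", "card_91", 99), ("newseller", "song_x", "card_91", 99),
    ("newseller", "song_x", "card_91", 99), ("newseller", "song_y", "card_92", 99),
    ("newseller", "song_y", "card_92", 99), ("newseller", "song_y", "card_92", 99),
]

# Assumed threshold: more than this share of a seller's revenue coming from
# repeat purchases of the same digital item by the same card is abnormal.
MAX_REPEAT_SHARE = 0.10


def is_repeat_purchase(seen, seller, item, card):
    """True if this (seller, item, card) triple has been bought before.

    A digital good is delivered once; a second purchase of the same item by
    the same card is a business-logic signal a checkout could decline outright.
    Updates `seen` as a side effect.
    """
    key = (seller, item, card)
    if key in seen:
        return True
    seen.add(key)
    return False


def seller_stats(purchases):
    """Per-seller revenue, revenue from repeat purchases and distinct cards seen."""
    revenue = defaultdict(int)
    repeat = defaultdict(int)
    cards = defaultdict(set)
    seen = set()
    for seller, item, card, cents in purchases:
        revenue[seller] += cents
        cards[seller].add(card)
        if is_repeat_purchase(seen, seller, item, card):
            repeat[seller] += cents
    return {
        seller: {
            "revenue_cents": revenue[seller],
            "repeat_cents": repeat[seller],
            "distinct_cards": len(cards[seller]),
        }
        for seller in revenue
    }


def flag_sellers(purchases, max_repeat_share=MAX_REPEAT_SHARE):
    """Sellers whose repeat-purchase revenue share exceeds the threshold."""
    flagged = []
    for seller, stats in seller_stats(purchases).items():
        share = stats["repeat_cents"] / stats["revenue_cents"]
        if share > max_repeat_share:
            flagged.append(seller)
    return sorted(flagged)


if __name__ == "__main__":
    for seller, stats in seller_stats(SAMPLE_PURCHASES).items():
        print(seller, stats)
    print("flagged:", flag_sellers(SAMPLE_PURCHASES))
```

The article says thousands of cards were used, so in the real case each card may have bought a given track only once and the repeat signal alone would be weak; the complementary signals are concentration (many cards never seen before all spending on one newly created seller) and, later, the chargeback rate on that seller’s sales. The point the example makes is the one the post makes: no single purchase looks wrong, so the control has to look at the pattern.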

Fascinating!

June 17, 2009 Posted by Laura Mather | Online Fraud, business logic abuse | No Comments Yet

Silver Tail Selected #2 on Top Tech Companies to Watch – Bank Technology News!

Silver Tail was selected as #2 in the “Top 10 Companies to Watch” by American Banker / Bank Technology News! The Editor-in-Chief & author, Rebecca Sausner, did a fantastic job of describing what Silver Tail does in an easy to understand and accurate article. Rebecca further mentioned, “Silver Tail plans to federate its findings about attacks, allowing each of its customers to benefit from the experience of others.” From the feedback we get from customers, it sounds like the industry should band together to combat the criminals in the same way the criminals band together to combat the industry.

It’s fantastic to see more awareness generated for the detection and disruption of online fraud, especially around business logic abuse. Also, we appreciate the support from Bill Bradway at Bradway Research. We agree that the pain our founders, Laura Mather and Mike Eynon, experienced at eBay and PayPal fighting online fraud gives them some street cred! No better way to build the right solution than to have that direct experience.

The Top 10 article is here. What great companies to be associated with in the Top 10 (Fidelity, Mastercard, Oracle…)!

The Silver Tail article is here.

BTW: This follows our recent Best of Show win at FinovateStartup09 in San Francisco, voted on by financial services firms. The financial services firms appear to be taking notice!

May 29, 2009 Posted by Sherrick Murdoff | General, business logic abuse | No Comments Yet

Precision hacking – a new term for business logic abuse?

We’ve been having a lot of discussions lately about one term that describes when people use the legitimate functionality of websites to perpetrate bad behavior.  Sometimes the bad behavior is fraud and sometimes it is just a nuisance.

An example of the nuisance type of bad behavior is the Time “Most Influential People” poll being hacked.  Paul Lamere called this exploit “precision hacking”.  But I’m worried that using the word “hack” is too technical for the business folks to take seriously.  It also puts these types of flaws squarely in the security space when often these are more risk management issues.

Jeremiah Grossman has called this business logic abuse - the abuse of the legitimate business logic of a website.  I like the term since it makes sense logically, but I worry that you have to think about it for a while before you understand what it is implying.  This can also be called business logic flaws.

What would be really great is to come up with a term like “Phishing” – something that has no real meaning, but that everyone will come to associate with these types of attacks.

Here are some suggestions for possible terms to represent when someone uses the legitimate pages of a website to perpetrate bad behavior.  Let me know if you have opinions or if you have other suggestions.

  • business logic abuse
  • business logic flaws
  • business logic exploits
  • precision hacking
  • swizzling
  • e-cheating
  • cheeting
  • others?

May 5, 2009 Posted by Laura Mather | Business Logic Flaw, Fraud, Gaming, Online Fraud, Phishing, business logic abuse | 6 Comments

Silver Tail Wins Best of Show Award at Finovate!

I may be guilty of blogging too fast earlier, as not only was Silver Tail selected to present on stage at the FinovateStartup09 conference in San Francisco today, but by the end of the day, Silver Tail had won the Best of Show Award! The award was voted on by the 300+ attendees at the conference, made up mostly of financial services firms. The selection was made based on the audience interest in the solution, the compelling need in the financial services market and the presentation given at the conference. Silver Tail was selected as the winner over 57 companies participating in the conference.

Leading anti-fraud expert and company co-founder, Laura Mather, presented the Silver Tail Forensics product on stage at the conference. She highlighted a Man-in-the-Browser example, showcasing Silver Tail’s unique capability as the only commercial technology for online sites to detect this emerging threat and protect against business logic abuse.

This recognition by financial services firms underscores the need for advanced detection and disruption of online fraud on financial web sites. Online fraud attacks are only growing and getting more sophisticated, driving the need for real-time behavior analysis to detect and disrupt fraud attacks.

Company Co-Founder and VP Product Marketing, Laura Mather, and Sherrick Murdoff, CEO, were present to accept the award.

We want to thank John Fishback of 154 Consulting for all of his help on getting us prepped for this conference!  His expertise was invaluable!  We also want to thank Erik from Finovate and also the audience for voting us best of show!

April 28, 2009 Posted by Sherrick Murdoff | Online Fraud, business logic abuse | 7 Comments

Silver Tail Selected By Audience at Finovate!

Silver Tail Systems was selected by the audience (300+) at FinovateStartup09 today to present our demo. The final session today was voted on by the attendees based on their interest in the solution.

Laura Mather is on stage presenting a Man-in-the-Browser example and how Silver Tail can detect this emerging threat and protect financial institutions from business logic abuse.

FinovateStartup09 brings together new innovative technologies with the financial services industry. Attendance is up over last year and the room was packed – lots of demand for Silver Tail! You can check out the Twitter buzz from the conference here.

An online video of the demo (6min) will be available soon!

April 28, 2009 Posted by Sherrick Murdoff | Online Fraud, business logic abuse | 1 Comment

Business Logic Abuse – a recognized threat

The eFraudNetwork published a survey last week as part of the RSA conference.  The purpose of the survey was to “…try and understand how online fraud and data breaches are impacting multiple industries and organizations.”

The survey covered many topics including data breaches, cross-industry information sharing, the Heartland breach, and spending to prevent fraud.

One of the topics near and dear to my heart was the question that asked about attack types.  The answers to this question showed that malware and viruses are at the top of people’s minds – which was to be expected.  What I didn’t expect, though, was the percentage of people who said that they have seen attacks against the business logic of their website.

Almost 20% of people said they had seen attacks against the business logic of their site.  While this may seem like a small number to some of you, it is bigger than I was expecting.  Attacks against business logic have been going on for years, but it has only been in the last year or so that the industry is recognizing them for what they are and taking notice of them. 

I was thrilled to see that 20% of people understand that it is the business logic of their website that is allowing attacks.  I’ll be very curious to see how this number changes when the eFN does a similar study next year, especially since it was made clear in the study that business logic attacks are one of the most dangerous attacks against a website.

Is anyone else surprised the number is so high?

April 26, 2009 Posted by Laura Mather | Online Fraud, business logic abuse | 1 Comment