<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Silver Tail Blog &#187; ROI</title>
	<atom:link href="http://silvertailsystems.wordpress.com/tag/roi/feed/" rel="self" type="application/rss+xml" />
	<link>http://silvertailsystems.wordpress.com</link>
	<description>Fighting against business logic abuse.</description>
	<lastBuildDate>Fri, 18 Dec 2009 12:11:53 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<cloud domain='silvertailsystems.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://www.gravatar.com/blavatar/577fb613fda4531b5f1cbba10427b2bb?s=96&#038;d=http://s.wordpress.com/i/buttonw-com.png</url>
		<title>Silver Tail Blog &#187; ROI</title>
		<link>http://silvertailsystems.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://silvertailsystems.wordpress.com/osd.xml" title="Silver Tail Blog" />
		<item>
		<title>Criminal efficiencies: Fraud-as-a-Service</title>
		<link>http://silvertailsystems.wordpress.com/2009/02/23/criminal-efficiencies-fraud-as-a-service/</link>
		<comments>http://silvertailsystems.wordpress.com/2009/02/23/criminal-efficiencies-fraud-as-a-service/#comments</comments>
		<pubDate>Tue, 24 Feb 2009 02:37:14 +0000</pubDate>
		<dc:creator>Laura Mather</dc:creator>
				<category><![CDATA[Online Fraud]]></category>
		<category><![CDATA[FaaS]]></category>
		<category><![CDATA[fraud-as-a-service]]></category>
		<category><![CDATA[ROI]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[software-as-a-service]]></category>

		<guid isPermaLink="false">http://silvertailsystems.wordpress.com/?p=252</guid>
		<description><![CDATA[Software-as-a-service (SaaS) has grown in popularity as a way to minimize complexity and maximize efficiencies.  Why host your own software when that means you will have to maintain it and buy hardware for it?  The growing trend is that companies are willing to host their software for you.  Companies are seeing that the economies around this make a lot of [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p><img class="alignleft size-full wp-image-253" title="saas" src="http://silvertailsystems.files.wordpress.com/2009/02/saas.jpg?w=130&#038;h=85" alt="saas" width="130" height="85" />Software-as-a-service (SaaS) has grown in popularity as a way to minimize complexity and maximize efficiencies.  Why host your own software when that means you will have to maintain it and buy hardware for it?  The growing trend is that companies are willing to host their software for you.  Companies are seeing that the economies around this make a lot of sense.</p>
<p>As I&#8217;ve said before, internet fraud seems to be run very much like a legitimate business would be run.  The bad actors try to optimize return on investment (ROI) and conversion rates in the same way legitimate businesses try to optimize them.  For example, just like an e-commerce company will attempt to tweak the text, images, etc. in an email to be sure that it is not caught by spam filters and customers open it, bad actors do exactly the same things with their phishing or 419 scam emails.  Just like a legitimate business, the bad actors want their emails to avoid spam filters and they want their potential &#8220;customers&#8221; to be intrigued enough to both open and respond to the email.</p>
<p>Phil Muncaster posted an <a href="http://www.vnunet.com/vnunet/news/2236687/phishing-soars-fraud-service">article</a> about how the bad actors are starting to take advantage of the same philosophies behind SaaS.  Phil calls this &#8220;Fraud-as-a-service&#8221; (FaaS?) and I see this as a continuation of how the bad actors mirror legitimate businesses in perpetrating their fraud.  The bad actors want to make their money as efficiently and economically as possible.  To do this, they have imitated the way legitimate businesses are optimizing their operations.</p>
<p>The examples I&#8217;ve seen of FaaS include where one bad actor will host a phish site for another bad actor, for a fee.  The data collected is sent to the &#8220;customer&#8221; (and likely kept by the service as well).  I&#8217;ve also seen cases where one group would collect passwords for a site and determine which are the most valuable.  The less valuable userID/password pairs would be sold to other groups.</p>
<p>All of this is just a way to make the business of fraud more efficient.  I&#8217;m sure there are other examples of bad actor efficiency.  If you have some, let me know.</p>
 Tagged: FaaS, fraud-as-a-service, Online Fraud, ROI, SaaS, software-as-a-service</div>]]></content:encoded>
			<wfw:commentRss>http://silvertailsystems.wordpress.com/2009/02/23/criminal-efficiencies-fraud-as-a-service/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/ea92b086d3a5647be783f387715694ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Laura Mather</media:title>
		</media:content>

		<media:content url="http://silvertailsystems.files.wordpress.com/2009/02/saas.jpg" medium="image">
			<media:title type="html">saas</media:title>
		</media:content>
	</item>
		<item>
		<title>The ROI of prevention vs. policy</title>
		<link>http://silvertailsystems.wordpress.com/2009/01/15/the-roi-of-prevention-vs-policy/</link>
		<comments>http://silvertailsystems.wordpress.com/2009/01/15/the-roi-of-prevention-vs-policy/#comments</comments>
		<pubDate>Thu, 15 Jan 2009 23:05:11 +0000</pubDate>
		<dc:creator>Laura Mather</dc:creator>
				<category><![CDATA[Cost of fraud]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[Online Fraud]]></category>
		<category><![CDATA[Prevention]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[ROI]]></category>

		<guid isPermaLink="false">http://silvertailsystems.wordpress.com/?p=143</guid>
		<description><![CDATA[Most websites and e-commerce businesses understand that there is an element to their transactions that involves professional fraud.  I&#8217;m not talking about the people who forget that they signed up for an online service and therefore do a chargeback on their credit card for their subscription.  Instead I&#8217;m talking about the criminal element that understands [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Most websites and e-commerce businesses understand that there is an element to their transactions that involves professional fraud.  I&#8217;m not talking about the people who forget that they signed up for an online service and therefore do a chargeback on their credit card for their subscription.  Instead I&#8217;m talking about the criminal element that understands how to take advantage of a website for financial gain.</p>
<p>There are several ways to <a title="Internet Fraud" href="http://en.wikipedia.org/wiki/Internet_fraud" target="_blank">make money on websites</a>.  For example, if the website represents a financial institution, you could steal the password for someone&#8217;s account and try to move the money to your own account (or the account of a trusted partner).  If the website sells goods you could steal someone&#8217;s password and send yourself &#8220;gifts&#8221; (which you would likely later sell).  Or you could buy a stolen credit card, open a new account and send things to yourself, knowing that it is unlikely that the site would detect that they will not be paid for the goods until after they have arrived at your door.</p>
<p>By accepting that some part of their business is going to be fraudulent, many of these websites create policies of how to handle the fraud once it is reported and clean up the incidents after they occur.  That&#8217;s a simple enough formula.</p>
<p><img class="alignleft size-thumbnail wp-image-152" title="sherlock-holmes" src="http://silvertailsystems.files.wordpress.com/2009/01/sherlock-holmes.jpg?w=88&#038;h=96" alt="sherlock-holmes" width="88" height="96" />What if you could change the game, though?  What if you could detect the fraud as it is occurring and either prevent it from happening or take action quickly enough that your incurred losses are significantly reduced?  It seems like that is a no-brainer.  Most websites would say &#8220;Of course I&#8217;d want to change my model such that I could prevent the fraudulent event from happening.&#8221;  Moving from this ideal to the reality can be tricky, though.</p>
<p>The major complication comes from the fact that it can be difficult to justify the cost of implementing a new system.  In a hypothetical case, say there is already a system in place that costs $20k/month to deal with the fraud and absorb the fraud losses, and a prevention system will cost $200k to install and $4k/mo to use.  Given the up-front expense, it can be difficult to justify spending money on the prevention system.  This is misleading for 2 reasons. First, as the bad guys are essentially &#8220;allowed&#8221; to perpetrate fraud (because the website does not try to prevent fraud but only tries to find it after the fact), the fraud will continue to grow and the website will become known as an easy target. Second, it&#8217;s important to consider the long-term implications for the company.  A prevention system will significantly decrease the fraud losses experienced by the website and, given that customers will have many fewer negative experiences that they associate with the website and its brand, it is likely that the website will have improved customer loyalty and trust, which often equates to more active customers and, therefore, a higher bottom line.  In the end, all of this can add up to a much higher return than focusing on cleaning up the damage after it has been done.</p>
 Tagged: Cost of fraud, Fraud, policy, Prevention, ROI</div>]]></content:encoded>
			<wfw:commentRss>http://silvertailsystems.wordpress.com/2009/01/15/the-roi-of-prevention-vs-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/ea92b086d3a5647be783f387715694ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Laura Mather</media:title>
		</media:content>

		<media:content url="http://silvertailsystems.files.wordpress.com/2009/01/sherlock-holmes.jpg?w=88" medium="image">
			<media:title type="html">sherlock-holmes</media:title>
		</media:content>
	</item>
		<item>
		<title>The Water Balloon</title>
		<link>http://silvertailsystems.wordpress.com/2009/01/05/107/</link>
		<comments>http://silvertailsystems.wordpress.com/2009/01/05/107/#comments</comments>
		<pubDate>Mon, 05 Jan 2009 22:06:01 +0000</pubDate>
		<dc:creator>Mike Eynon</dc:creator>
				<category><![CDATA[Cost of fraud]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[cost]]></category>
		<category><![CDATA[ROI]]></category>

		<guid isPermaLink="false">http://silvertailsystems.wordpress.com/?p=107</guid>
		<description><![CDATA[The water balloon: Thinking about the response
One of the mantras in fighting fraud is that it is critical to anticipate where your fraud response will push the bad guys.  Invariably, when you put a protection mechanism in place, the bad guys find some other way to perpetrate their behavior.  This is known as [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p><img class="alignleft size-thumbnail wp-image-109" title="blue-balloon" src="http://silvertailsystems.files.wordpress.com/2009/01/blue-balloon.png?w=80&#038;h=96" alt="blue-balloon" width="80" height="96" />The water balloon: Thinking about the response</p>
<p>One of the mantras in fighting fraud is that it is critical to anticipate where your fraud response will push the bad guys.  Invariably, when you put a protection mechanism in place, the bad guys find some other way to perpetrate their behavior.  This is known as <strong>the water balloon</strong> – when you squeeze a water balloon, the amount of water doesn’t decrease, it just goes somewhere else.  Sometimes that means the bad guys will target someone else – which is usually a good thing.   But sometimes that means they will find a new way to target you.</p>
<p>By attempting to anticipate where the bad behavior will move, you can make a decision about whether or not the protection mechanism you are considering will be worthwhile.  If the bad guys move to another fraud type that makes them a) harder to detect or b) harder to stop, it might be the best decision to not launch your protection mechanism.</p>
<p>Another aspect is the cost of the protection you put in place. Bruce Schneier often talks about the cost of security and how that impacts what countermeasures a company should employ.  In <a title="Bruce Schneier on cost of fraud" href="http://www.schneier.com/blog/archives/2008/09/security_roi_1.html" target="_blank">a recent blog</a> he said, “&#8230; a company should implement only security countermeasures that affect its bottom line positively. It shouldn&#8217;t spend more on a security problem than the problem is worth. Conversely, it shouldn&#8217;t ignore problems that are costing it money when there are cheaper mitigation alternatives. A smart company needs to approach security as it would any other business decision: costs versus benefits.” Sound advice, and make sure to consider all costs of fraud including brand erosion, customer loss, bad press, loss of trust, etc. because fraud is more than just the loss of money.</p>
<p>Of course, predicting bad guy behavior is very difficult – hence the need to be able to think like a bad guy – but it is critical to make a best estimate as to the response to make sure that you aren’t causing more harm than good.</p>
 Tagged: cost, Fraud, ROI</div>]]></content:encoded>
			<wfw:commentRss>http://silvertailsystems.wordpress.com/2009/01/05/107/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/dec8eceef440805596b4b905e4b72181?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Mike Eynon</media:title>
		</media:content>

		<media:content url="http://silvertailsystems.files.wordpress.com/2009/01/blue-balloon.png?w=80" medium="image">
			<media:title type="html">blue-balloon</media:title>
		</media:content>
	</item>
	</channel>
</rss>