Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

One of Fast Company’s Most Creative People in Business

I was both thrilled and humbled to see that Fast Company named me one of the Most Creative People in Business. Throughout my career I have had the benefit of working with some of the most amazing minds, whether that was in teaching me to think like a criminal, raising venture capital, or creating a product that protects billions of people online. And to see that I am being recognized with luminaries like Ben Horowitz and the founder of Hip Hop Public Health is incredible.

This is just one of the indications that what Silver Tail is doing is amazing. We have taken protecting people on the Internet to a new level. Looking at attacks on websites through behavior analytics is a pivot on the traditional mechanism for protecting online property and having that recognized is awesome. Getting awards like this is definitely an honor, but knowing that billions of people are protected every day because of the product the Silver Tail team has created is priceless.

May 15, 2012 | Posted in: Fraud

Finovate Spring Demonstrates a Growing Richness in Online Interactions

At Finovate Spring this week in San Francisco, there has been considerable buzz around all sorts of technologies available for financial organizations worldwide. It’s a fascinating group, from online financial advice companies to multi-party payment providers to online money movers. One thing many of them have in common: service offerings on the Web.

This raises the question: with all of these financial services and offerings online, how do organizations protect the users of their websites and defend against attacks? This is a question for all industries and all organizations that are adopting strong mobile and web-based strategies. Exploitation of websites, mobile platforms and smartphone apps is a threat that is increasing in scope, regardless of what industry you are in.

The increasing richness of online interactions means that companies need to go beyond data security and properly operationalize security tools and processes. While many people may debate which tools are needed, and where, we believe that understanding context and user behavior is a key aspect of effectively responding to online threats.

Web Session Intelligence provides security to the entire end-to-end browsing session, regardless of whether a user authenticates or not. Tools that focus solely on authentication are increasingly being rendered ineffective due to the proliferation of malware on end point devices. The delivery of Web Session Intelligence is what sets Silver Tail Systems apart – so much so that Penny Crosman at American Banker named us Most Useful Product at Finovate!

The product demonstrations at Finovate are a testament to how much of our technological future is online, and this show is one of the many that Silver Tail Systems will be attending in the near future. Up next: FS-ISAC and BITS Annual Summit, and the 2012 CNP Expo. Hope to see you there!

May 10, 2012 | Posted in: Detection, information security, Prevention

Aunt Sally Returns to Finovate Tomorrow!

For those of you who have wondered what has happened to our favorite fraud victim, fictional Aunt Sally, I am happy to say that she will be making an appearance tomorrow at the Finovate Spring 2012 conference. If you’ve missed hearing about how the criminals have targeted Aunt Sally, tomorrow is your chance to hear about the newest threat that is live in the wild: malware that performs parameter injection.

It’s guaranteed to be fascinating to see the latest way the criminals are targeting banking users. If you’re going to be at Finovate, it would be great to get together, so please come find me!

May 7, 2012 | Posted in: risk management

Is There a CISPA Compromise?

Given the discussion about CISPA, I thought I’d share my perspective. I agree that global organizations need to expand their mechanisms for fighting cyber crime. We know the criminals cooperate and only through cooperation among the targets can we get to a place where we are on an even playing ground with the criminals.

Of course, the flip side of this is the private and personal information that will also be shared between organizations and with the government. This is an interesting assumption and it brings up a point I have been pondering for a while: what is the line between privacy and security? I understand why people would not want to be tracked for privacy/marketing reasons. But I foresee a time when a consumer says to a bank or e-commerce company ‘You knew XYZ about me! Why didn’t you know the transaction I supposedly did was not real?’ If we get to that point it will show that some consumers are ok with information being used for security, but not for things that they feel violate their privacy.

I believe there are changes that can be made to the bill to make it effective in fighting cyber criminals while still maintaining the appropriate privacy protections. A list of all possible data types that can be shared should be made. The list would contain things like IP addresses, email addresses, email address pairs (who sends email to whom), email subjects, email content, financial transaction information (how much was transferred, where it was transferred, who transferred it, the IP address of the transfer, the time of the transfer, etc.), commercial transaction information, and additional technical information (user agents, browser information, etc.). This list is not infinite. Once this list has been assembled, two rankings should be created. The first is the order in which these data elements help in a cyber-security investigation (for example, the destination of a financial transaction is likely much more valuable in a cyber investigation than the contents of an email). The second is the order in which someone’s privacy is violated by the exposure of the data (for example, I’m much more willing to allow someone to see my IP address than to see the contents of my email). Then these lists can be compared to determine which data should and should not be included as the information that can be shared via the mechanism of this bill.

If we can determine a data set that would 1) help with cyber security and 2) maintain privacy, implementing the mechanisms to share this data should not be difficult. I hope our legislators can find a way to work together to make this happen.

May 3, 2012 | Posted in: Detection, Fraud

The 99% Goes Cyber

A group calling themselves L0NGWave99 has threatened a denial of service attack against the externally facing NYSE website. This attack is in support of the “great and rooted 99% movement,” and will include attacks against other exchanges’ externally facing websites as well.

Two thoughts on this. First, is it that big of a deal to DDoS the externally facing NYSE site? While having that site unavailable (in the worst case) would be bad publicity, it doesn’t actually disrupt any markets. Second, the fact that the 99% movement has gone cyber is quite interesting to me. I’m not very political at all, but I’ve been watching with interest the 99% movement. While I understand the frustration these people have, I am struggling to understand their path to solving the problems.

There may have been some other cyber attacks associated with the 99% movement. For example, the attack against the BART system in response to removing wireless access on the train line. But that was in August. At the time I thought we’d see a lot more from Anonymous and other 99%ers. Maybe there were things I missed when I was on maternity leave?

May 2, 2012 | Posted in: information security, risk management

Silver Tail at iGaming Summit in San Francisco

The Global iGaming Summit and Expo starts tomorrow at the Westin in San Francisco. I’ll be participating in a panel on preventing fraud in gaming and online environments. It should be a great panel and I’m looking forward to talking to people in the gaming space about the types of attacks they are seeing. I’ve been doing some research ahead of the panel and while money laundering is definitely a big concern for the gaming companies, I’ve been surprised to hear that often only the traditional fraud models are in place. As I learn more about the industry, I’ll keep you apprised.

April 23, 2012 | Posted in: Fraud, Gaming

Cybersecurity in the Public Sector

Gartner analyst Steve Hawald noted in recent research that “With daily cyberattacks and new hacker groups being created constantly, cyberspace is a huge challenge for the DoD as well other government organizations and private companies around the world. Cyberattacks are becoming more sophisticated, more random and more targeted.”

He also noted that “To meet the mission need for more-agile collaboration while still maintaining high levels of security, older cyberdefenses need to be upgraded or replaced to be more effective and efficient. The ability to continuously monitor and regularly evolve security controls is critical.”

Federal organizations, like those in every other sector, are embracing the web as never before to share information, collaborate and conduct business. We are even seeing the government leap into the adoption of technologies like cloud computing with the FedRAMP program, where others in the private sector have been much slower to jump on board. This shows that the public sector is working to keep up with new technologies and even setting the bar in some instances.

With this growth in technology adoption, particularly as it relates to web-based activity, comes an added opportunity for global cyber espionage, cybercrime, and targeted attacks that could inflict harm on government systems, and in turn, the country.

We see a true need for government organizations to take an additional step in their defense of web-based activity. Traditional security and fraud prevention is no longer enough, and as Gartner’s Steve Hawald mentioned – continuous monitoring and evolution of security controls is critical.

Silver Tail Systems is taking steps to help federal and government agencies better protect their Internet resources with real-time monitoring of web session behavior by opening an office in the Washington D.C. area and partnering with Carahsoft, a trusted government IT solutions provider. These are exciting strides in our continued expansion, and our team is already working tirelessly in the new space. Make sure to take a look at our website for more details!

April 18, 2012 | Posted in: information security, Prevention, risk management

Business Logic Abuse Makes Headlines: Nordstrom Defrauded of $1.4M

Four years ago I started talking about business logic abuse. In fact, Jeremiah Grossman introduced the term to me and in the first couple of years I had to do a lot of explaining about what it meant and how it could have significant impact on organizations.

Last week there was an article by Mike Lennon of Security Week that talked about how criminals used business logic abuse on the Nordstrom website to steal approximately $1.4M in commissions and rebates. First of all, I’d like to applaud the growing recognition that business logic abuse is part of the evolving nature of online fraud and cybercrime. To give you some insight, the attack was a little tricky: two brothers had figured out that by using a coupon site called FatWallet, they could get cash back for purchases. They also figured out how to submit orders to Nordstrom that would be blocked. In the end, no credit card was charged and no merchandise was shipped, but Nordstrom still credited FatWallet for the transaction, and FatWallet passed along the cash back for the fake purchases.

In the article, Mike refers to the attack as “fraudulent payments.” I find that interesting, since Nordstrom’s fraud department would likely not be the department to deal with this. For most e-tailers, the fraud department only deals with credit card chargebacks, and this case is clearly not that. It is likely the security group that would address this, showing that the line between fraud prevention and security continues to blur.

This is an ingenious attack and it’s critical for online entities to realize that these types of attacks are becoming more and more frequent and more and more challenging to detect.
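The detection gap in this case is that the affiliate network was credited for orders that never completed. The following is an added illustration (not code from Silver Tail or from any retailer) of the reconciliation check a security team could run: every affiliate credit is matched back to its order, and credits whose order was blocked, never charged or never shipped are flagged, then grouped by customer to surface repeat abuse. All names, fields and sample records are constructed assumptions.

```python
"""Reconcile affiliate cash-back credits against actual order outcomes."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    customer: str
    status: str          # assumed values: "shipped", "blocked", "cancelled"
    charged_cents: int   # amount actually captured on the card
    shipped: bool


@dataclass(frozen=True)
class AffiliateCredit:
    order_id: str
    customer: str
    credit_cents: int    # commission reported to the affiliate network


def suspicious_credits(orders, credits):
    """Return affiliate credits whose underlying order never completed."""
    by_id = {o.order_id: o for o in orders}
    flagged = []
    for c in credits:
        o = by_id.get(c.order_id)
        # No matching order, or order blocked / never charged / never shipped:
        # the affiliate network should not have been told this was a sale.
        if o is None or o.status != "shipped" or o.charged_cents == 0 or not o.shipped:
            flagged.append(c)
    return flagged


def repeat_offenders(flagged, min_count=2):
    """Group flagged credits by customer; repeated hits suggest deliberate abuse."""
    counts, totals = defaultdict(int), defaultdict(int)
    for c in flagged:
        counts[c.customer] += 1
        totals[c.customer] += c.credit_cents
    return {cust: (counts[cust], totals[cust]) for cust in counts if counts[cust] >= min_count}


# Constructed sample data: one legitimate order, two blocked orders from the
# same customer, one cancelled order, and a credit with no order at all.
ORDERS = [
    Order("A1", "alice", "shipped", 12000, True),
    Order("B1", "bob", "blocked", 0, False),
    Order("B2", "bob", "blocked", 0, False),
    Order("C1", "carol", "cancelled", 0, False),
]
CREDITS = [
    AffiliateCredit("A1", "alice", 600),
    AffiliateCredit("B1", "bob", 1500),
    AffiliateCredit("B2", "bob", 2000),
    AffiliateCredit("C1", "carol", 300),
    AffiliateCredit("Z9", "bob", 900),
]
```

Running the two functions over the sample data flags four of the five credits and reports "bob" as a repeat offender with three flagged credits totalling 4,400 cents.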

April 17, 2012 | Posted in: business logic abuse, Detection

HomeAway’s Business Model Makes it a Target for E-Criminals

I joined eBay in 2003 at the height of phishing. At the time phishers were stealing passwords of eBay users (often eBay powersellers), listing items, and trying to get unsuspecting buyers to send money to them via Western Union.

Unfortunately, this scam is still alive and well. This article talks about how phishers continue to perpetrate exactly this type of scam on the HomeAway website. It makes sense that HomeAway would be a target, as their model is similar to eBay’s model in that the purchaser sends money to the seller/renter ahead of taking possession of the goods. Criminals love those types of models.

Knowing how challenging it was to battle these criminals at eBay, I hope HomeAway has lots of resources to put towards this. It’s a very lucrative activity for the criminal and, therefore, not one the criminals give up on easily.

April 11, 2012 | Posted in: Phishing

The Business of Phishing

When I talk to other fraud prevention experts, we often comment on how the criminals have created an ecosystem that allows them to operate very efficiently. The joke I often use is that criminals probably have better PowerPoint presentations about how their business is doing than we do!

A recent report by RSA sheds some light on how criminals perform their analysis. In the report, RSA talks about how phishers installed a web analytics tool to measure how their victims were accessing their website. This gave the phishers statistics on browsers, geolocation, etc.

For those of us who have been fighting these criminals for years, this is not a surprise. The criminals will find any method they can to make their business more efficient. And keep in mind, it is just that: a business. It is a rare occurrence to get a glimpse of how they are managing their business, so the report by RSA is especially interesting as it exposes one of their tactics.

April 9, 2012 | Posted in: Phishing