FEATURE
Online security – a new strategic approach

Ori Eisen, 41st Parameter

Fraudsters are increasingly working through powerful, organised fraud rings, using ever more advanced techniques. 'In-session phishing' has emerged as one of the chief threats to sensitive data and secured online assets.

In-session phishing lets a fraudster build a base of user credentials. It does this by attacking vulnerabilities in the JavaScript engine found in most of the leading browsers, including Internet Explorer, Firefox and even Google's Chrome. The fraudsters inject a host website with malware that acts as a parasite and watches for visitors with open online banking sessions, or connections to similar kinds of protected asset sites, such as brokerage or retirement-planning services.

Using the JavaScript vulnerability, the parasite can identify which bank the victim is connected to by testing the session against a list of specific sites pre-programmed into the malware itself. The website hosting the parasite can store an unlimited number of site profiles against which to test the victim's session. The malware asks: "Is my victim logged on to bank X's website?" and the browser replies either "yes" or "no". Once any site is confirmed to be 'in-session', a pop-up claiming to be from that website – let's say from the bank – issues a warning. Most warnings appear as time-out messages stating: "For security purposes your banking session has been terminated. To continue your session please re-enter your username and password here" – where "here" is a link supplied by the fraudster. Once a victim complies, clicks the link and enters his or her credentials, the damage has been done: the attack was successful.
Reading the 'DNA' of the device

In most cases it is devastating for a victim whose credentials have been stolen.
Network Security
In a matter of minutes, fraud rings begin selling off this information or pillaging the victim's account. Since many financial institutions rely on simple cookies or tags to distinguish one device entering user credentials from another, and then count on fairly common, and sometimes easily answered, out-of-wallet questions (mother's maiden name, etc) to validate a new device attempting access, it's a case of 'game over' as far as the victim is concerned.

However, there is now a new breed of robust device ID technology – such as PCPrint from 41st Parameter – which creates the equivalent of a device fingerprint for every machine attempting to log on to a website. This is an extremely powerful fraud detector. The stolen credentials still leak, but a login that replays them from an unrecognised device can be stopped or flagged. When coupled with historical negative lists of known bad devices, any organisation – such as a financial institution or big online retailer – can render credential breaches from in-session phishing, or any other type of phishing attack that harvests user IDs and passwords, useless to the fraudster. Doing so not only eliminates the fraud losses but also avoids the serious damage to the institution's brand that is often the collateral damage of these attacks.
The 'multi-layered' solution

If a company cannot maintain the integrity of the data that it has demanded from its customers through online channels, then it is failing to meet a requisite level of corporate responsibility. A multi-layered approach to data security is by far the most effective strategy to combat fraud – not just relying on staff, locked doors or the use of advanced technology. Fraudsters commonly take the easiest route to the information they need, and by adding more layers to the system at regular intervals, organisations can combat fraud in a similar way to changing the rules of the existing network – making life far more difficult for anyone trying to infiltrate the system.
Best practices: authentication and beyond

Those working to build a multi-layered security system and nullify information in the wrong hands need to keep a handful of important factors in mind:

• True online authentication is just not feasible – the Internet is not designed for it.
• The ultimate fight is against humans, not machines.
• Users should play a role in your security strategy, yet should not solely be relied upon – users are insecure by design.

Given these conditions, the following strategies for enterprise security should be considered:

1. Real-time security at the front end. This provides ironclad doors at the front end based on strong authentication.
2. Time-delayed security at the back end. This provides ironclad doors
July 2010
at the back end that do not allow a transaction to execute until exhaustive analysis is performed.
3. A combination of real-time and time-delayed security. Decisions are based on what is possible and most appropriate at each stage of the transaction's lifecycle. They involve human intelligence, in addition to sensitive data masking.
How to suppress the fraudster

Best practice employs username and password authentication, and adds a check against a negative list based on intrinsic values (such as device ID, account ID or high-risk countries). The error message in the case of a fraudulent 'hit' should be as vanilla-flavoured as possible, so as not to tell the potential crook why they are being denied. For example: "Our website is currently experiencing heavy traffic, please try again later." It is then recommended that the business contacts the account holder to validate this activity, both for customer service reasons and for proactive fraud detection.
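The login decision described here, together with the device fingerprint and negative list from 'Reading the DNA of the device' and the real-time/time-delayed split from the best-practices list, as an added Python example. It is not code from the article or from 41st Parameter's products: the fingerprint is a hash over an assumed set of client attributes (the article does not say how PCPrint builds its fingerprint), the high-risk country code is a hypothetical placeholder, and all accounts, devices and credentials are constructed for the example. The point it demonstrates is that the negative list is consulted before the password is checked and that every hit gets the same vanilla-flavoured reply, so a fraudster on a known bad device cannot even learn whether the phished password was valid; a correct password from a never-seen device is let through but queued for an investigator to validate with the account holder.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# The same vanilla-flavoured message for every negative-list hit, so the reply
# never tells the fraudster which check stopped them, nor whether the stolen
# password was even correct.
GENERIC_DENIAL = "Our website is currently experiencing heavy traffic, please try again later."

# Hypothetical high-risk country code (assumption, not from the article).
HIGH_RISK_COUNTRIES = {"ZZ"}


def device_fingerprint(attrs: dict) -> str:
    """Derive a device ID by hashing a stable set of client attributes.

    The attribute set is an assumption for this example; the article does not
    say how 41st Parameter's PCPrint builds its fingerprint.
    """
    keys = ("user_agent", "accept_language", "screen", "timezone_offset", "plugins")
    canonical = "|".join(f"{k}={str(attrs.get(k, '')).strip().lower()}" for k in keys)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    known_devices: set = field(default_factory=set)  # fingerprints seen before


@dataclass
class NegativeList:
    devices: set = field(default_factory=set)   # fingerprints of known bad devices
    accounts: set = field(default_factory=set)  # usernames under active abuse


@dataclass
class Decision:
    allow: bool
    message: str                         # what the user sees
    review_reason: Optional[str] = None  # internal only, never shown to the user


def login(username, password, attrs, country, accounts, neglist, review_queue):
    """Front-end login decision: negative list first, credentials second."""
    fp = device_fingerprint(attrs)

    # Real-time front end: check intrinsic values before touching the password,
    # so a hit learns nothing about credential validity.
    reason = None
    if fp in neglist.devices:
        reason = "device on negative list"
    elif username in neglist.accounts:
        reason = "account on negative list"
    elif country in HIGH_RISK_COUNTRIES:
        reason = f"login from high-risk country {country}"
    if reason:
        review_queue.append((username, fp, reason))  # for contacting the account holder
        return Decision(False, GENERIC_DENIAL, reason)

    acct = accounts.get(username)
    if acct is None or not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return Decision(False, "Invalid username or password.")

    # Time-delayed back end: a correct password from a never-seen device is let
    # in, but queued for an investigator to validate with the customer rather
    # than relying on out-of-wallet questions.
    if fp not in acct.known_devices:
        review_queue.append((username, fp, "new device"))
        return Decision(True, "Welcome back.", "new device")
    return Decision(True, "Welcome back.")


# Constructed fixtures for a stand-alone run (not real devices or users).
SALT = b"example-salt"
HOME_PC = {"user_agent": "Mozilla/5.0", "accept_language": "en-GB", "screen": "1280x800",
           "timezone_offset": 0, "plugins": "flash,java"}
BAD_PC = {"user_agent": "Mozilla/4.0", "accept_language": "ru", "screen": "1024x768",
          "timezone_offset": 180, "plugins": ""}
ACCOUNTS = {"alice": Account(SALT, hash_password("correct horse", SALT),
                             {device_fingerprint(HOME_PC)})}
NEGLIST = NegativeList(devices={device_fingerprint(BAD_PC)})


if __name__ == "__main__":
    queue = []
    for who, pw, pc, cc in [("alice", "correct horse", HOME_PC, "GB"),
                            ("alice", "correct horse", BAD_PC, "GB"),
                            ("alice", "wrong", BAD_PC, "GB"),
                            ("alice", "correct horse", HOME_PC, "ZZ")]:
        d = login(who, pw, pc, cc, ACCOUNTS, NEGLIST, queue)
        print(who, cc, d.allow, d.message)
    print("review queue:", queue)
```

Note that the second and third runs in the demo produce byte-identical replies: a known bad device gets the heavy-traffic message whether or not the password is right, and only the internal review queue records why. A fingerprint built this way is a heuristic, not an identity; it changes when the client changes and can be spoofed by an attacker who knows the attribute set, which is why the new-device path flags for follow-up rather than blocking outright.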
Delivering maximum security online

A holistic security framework consists of three areas of risk focus: authentication at login, transaction monitoring, and account and session surveillance. Each area is tasked with one mission and does not rely on the others. By applying the three together, you achieve a sum that is greater than the value of each area on its own. In effect, you have emulated the very environment we have always trusted, namely one that relies on complex assessment of both initial recognition and subsequent behaviour to determine whether authenticated activity should be intercepted.

Today, we understand more than ever that online authentication is not feasible, since the Internet is not designed for true user authentication. Given that the ultimate fight is against humans, not machines, we must prepare for an ongoing arms race in the war against Internet fraud and identity theft. Combining real-time and time-delayed security with intervention from company investigators allows an organisation to let users take part in the security ecosystem, without hinging the strategy upon them.
About the author

Ori Eisen is the founder and chief innovations officer at 41st Parameter. His 10 years in the information technology industry include serving as the worldwide fraud director for American Express, where he championed the project to enhance the American Express authorisation request to include Internet-specific parameters. Prior to that, he was director of fraud prevention for VeriSign/Network Solutions. He set up 41st Parameter in 2004 to provide solutions for detecting and preventing fraud across multiple channels for high-value brands. Financial institutions, travel services and e-commerce companies use 41st Parameter's technology to protect them from cybercrime threats, including new account origination fraud, phishing and account compromise, credit bust-outs, card-not-present fraud, and fraud ring detection. More information at: .
The cost of saving money: no longer the company reputation

Des Ward, Common Assurance Maturity Model

The past year has been full of intrigue and turmoil as we have seen the emergence of the cloud as the buzzword within the boardroom. Its lure has been particularly prominent in an economy slowly emerging from the worst recession in living memory. Combined with a new UK coalition Government that is looking to make significant cost savings (£6 billion at the last count), it's clear that devolving the management of your back office and IT services to a third party has never looked so appetising.

The act of outsourcing business functions has been gathering pace over the past decade. This has been precipitated by the global availability of faster connections, resulting in the large-scale outsourcing and/or movement of entire portions of companies' infrastructure to third parties. This includes moving to the cloud, which is now considered both feasible and fiscally prudent. Increased regulation, and its associated financial penalties, surrounding the management of personal and financial information also makes outsourcing responsibility to external service providers such as the cloud very attractive. But is it just a case of logging on to a website, unleashing your credit card and uploading your information?