Superiority of the “known good” over “known bad”

Okay, some definitions first:

  • “Known bad” strategy implies covert collection of attributes used by fraudsters – first of all devices, but also email addresses, phones etc. – in order to detect their repeat usage. It’s essentially a blacklisting technique, implying that if you are not blacklisted, you are good to go.
  • “Known good” is pretty much the opposite – it’s an overt policy of collecting the attributes – first of all devices, but also email addresses, phones etc. – to gain the necessary assurance that they are legitimately used by the good guys. It’s effectively whitelisting, implying that if you are not whitelisted, you are a potential suspect. Naturally, to make an attribute whitelisted (or to mark it as ‘trusted’), users have to go through a certain verification process. For example, to whitelist a machine, the user has to enter a code sent via email or SMS (essentially following a 2FA approach).
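As an illustration, that verification step can be sketched as a tiny server-side flow. This is a minimal sketch with in-memory storage and hypothetical function names; a real system would persist state and actually deliver the code over email or SMS:

```python
import hmac
import secrets

TRUSTED = {}   # user_id -> set of whitelisted ('trusted') device ids
PENDING = {}   # (user_id, device_id) -> outstanding one-time code

def start_verification(user_id, device_id):
    """Generate a short one-time code for the user's verified channel."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[(user_id, device_id)] = code
    return code  # in real life: send via email/SMS, never echo to the client

def confirm_verification(user_id, device_id, submitted_code):
    """Whitelist the device only if the user echoes the code back correctly."""
    expected = PENDING.pop((user_id, device_id), None)
    if expected is not None and hmac.compare_digest(expected, submitted_code):
        TRUSTED.setdefault(user_id, set()).add(device_id)
        return True
    return False

def is_known_good(user_id, device_id):
    """The 'known good' check: unlisted devices are potential suspects."""
    return device_id in TRUSTED.get(user_id, set())
```

Note the code is single-use: it is popped from the pending table on the first attempt, so a fraudster cannot replay an intercepted code after the legitimate user has consumed it.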

Now, the traditional strategy adopted by cyber-security folks has always been the first one – just like in “offline” life, where we all enjoy the presumption of innocence (unless we slide into a totalitarian form of government) and where “blacklists” are reserved for a few suspected criminals. It definitely is the more intuitive and, to a certain degree, effective way of raising the bar in online security. However, it becomes increasingly inefficient as fraudsters get more sophisticated at hiding their identity. Indeed, only lazy or grossly uneducated fraudsters fail to delete their cookies (historically the number-one way of identifying a device) today. Adobe’s FSO – which succeeded the cookie – is next to fall. Soon the larger fraudster community will discover the beauty of sandboxing. In essence, it’s a matter of the appropriate tools being developed and made available on the “black market” – the average fraudster doesn’t even have to know all the gory details to use them. Thus, as I mentioned in my previous post, device fingerprinting is pretty much doomed.

By contrast, the “known good” strategy is increasingly gaining traction among online businesses. Initially unpopular since it introduces another hoop for legitimate users to jump through (businesses hate that), it simply works much better by definition. Fraudsters now need to gain access to the victim’s email account or cellphone, or hack the computer, to get around it. (It should also be mentioned that, on a conceptual level, the superiority of whitelisting over blacklisting is apparent in many other cases – such as keeping user input under control.)

The switch to “known good” is not a painless exercise and, yes, it introduces an additional hurdle for the business, but it may prove to be the cheapest way of putting a dent in losses by making account takeovers much harder to hide. Both in terms of nuisance to the users and in cost, it fares much better than some of the extra measures I see on many websites – such as selecting an image, asking additional questions etc. – so my take is that the popularity of the “known good” approach will continue to rise.

Device fingerprinting to fight fraudsters? Please…

“Machine/device fingerprinting” technologies allow collecting and recording unique traces of individual devices. This technique has primarily been used for tracking bad guys and making it difficult for them to repeatedly use the same device for nefarious purposes. Typically, a client-side script is used to collect information (a “fingerprint”) about the device, which is subsequently stored on the server side. Today several vendors on the market offer various patented ways of collecting the device data (including the internal clock, screen parameters, OS data etc.). The recently announced and much-hyped “evercookie” is an example of open-source code offering even more innovative ways of doing the same. Alas, while the sophistication of these techniques is impressive, it doesn’t take equal sophistication for fraudsters to neutralize (or neuter, if you will) these measures and completely circumvent device identification. Using a virtual machine (or a simple sandbox), not to mention avoiding browsers altogether when mounting cyber attacks, is a sufficient antidote to the pains companies go to in order to “fingerprint” fraudsters’ devices. Indeed, it’s only a matter of time before the fraudster community fully adapts to the “fingerprinting” technologies…
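For illustration, the basic idea can be sketched in a few lines. The attribute names here are hypothetical, not any vendor’s patented set, and the sketch also shows why a VM or sandbox defeats the technique: once the reported attributes change, the stored fingerprint simply stops matching.

```python
import hashlib
import json

def fingerprint(attributes):
    """Hash a dict of client-reported attributes into a stable device id."""
    canonical = json.dumps(attributes, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

real_device = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1)",
    "screen": "1920x1080x24",
    "timezone_offset": -480,
    "fonts": ["Arial", "Tahoma", "Verdana"],
}

# A VM or sandbox reports generic values, so the fingerprint no longer
# matches the blacklisted one and the lookup quietly fails:
vm_device = dict(real_device, screen="1024x768x24", fonts=[])
```

The same hash on the same attributes is stable across visits (that is the whole point), but any throwaway environment yields a fresh, “clean” fingerprint.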

Having said that, device “fingerprinting” is far from dead – it is definitely finding a second, perhaps more significant, life in the growing trend of tracking “average” users – e.g. serving the advertising industry. Here the average netizen – being far less sophisticated than the average fraudster – is pretty much powerless against these techniques (unless tracking is outlawed). Device fingerprinting will not lose its value; it’s just that, IMHO, its days as a way of fighting fraud are numbered.

Is Conficker a (nuclear) time bomb?

The Conficker malware generates a lot of buzz these days. No wonder – it represents a new generation of highly sophisticated, general-purpose software platforms rapidly spreading over unsuspecting users’ machines. Conficker is state-of-the-art malware in more ways than one:

  • Highly efficient
  • Applies the latest encryption technologies
  • Hides itself in the most sophisticated ways
  • Updates itself in a virtually unstoppable way

Not surprisingly, it targets Windows machines (the main platform used across the world). Currently up to 10 million machines are infected with Conficker. Another remarkable feature of the worm is that it hasn’t really caused any significant damage – yet. We know it just hangs in there waiting for instructions to come from the “mother ship”. When and how it will strike is anybody’s guess. At the same time, judging from the behavior of the guys behind Conficker so far, they will use the platform for many “mini-explosions” (ideally unnoticed) rather than one big “blast”. It’s anything but a one-time-use platform.
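To give a feel for why the “mother ship” channel is so hard to cut off, here is a toy sketch of date-seeded domain generation in the spirit of what Conficker is reported to do: each day the worm derives a fresh list of candidate rendezvous domains, and defenders must block them all while the botmaster needs to control only one. This is NOT Conficker’s actual algorithm – the hash, counts and TLD list are made up purely for illustration:

```python
import hashlib
from datetime import date

def candidate_domains(day, count=250, tlds=("com", "net", "org")):
    """Derive a deterministic list of pseudo-random domains from the date.

    Every infected machine computes the same list for the same day,
    so no hard-coded server address ever appears in the binary.
    """
    domains = []
    for i in range(count):
        digest = hashlib.md5(f"{day.isoformat()}-{i}".encode()).hexdigest()
        # Map hex digits to letters to form a gibberish hostname.
        name = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        domains.append(f"{name}.{tlds[i % len(tlds)]}")
    return domains
```

Because the list is a pure function of the date, every bot independently arrives at the same candidates, while tomorrow’s list is entirely different – which is what makes preemptive takedowns such a treadmill.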

For details, you are welcome to go through a presentation I recently put together to raise awareness of Conficker among my colleagues:

Summary: Like any other malware that infects end-user machines, it’s very powerful and may render the bulk of traditional anti-fraud tools and technologies useless. Its possibilities are virtually limitless – from DDoS and spamming to keylogging and information stealing. But the sophistication of Conficker compared to its more primitive trojan predecessors takes the challenge to the next level (I am sure we’ll witness more Conficker-like trojans on the market – fraudsters have their own “arms races”).

What could companies do to be ready for Conficker? I can’t think of anything beyond educating end users and perhaps mandating (or providing incentives for) the installation of virus-protection software on user machines (the trend has already started). Using 2FA will definitely slow the bad guys down, but it is by no means the definitive remedy to Conficker and its kind. How effective all those measures are will become apparent in the upcoming years.

Online Identity services – an emerging new business model?

Every time I visit the website of one of the financial institutions I happen to be a client of, I am daunted by the hoops I need to jump through (none of which is really unstoppable from the fraudster’s standpoint) to log in to my account. It’s obvious that serious businesses are trying to counter account takeovers, and each is doing so in its own way – possibly spending lots of money on something which is not its core expertise. Countered by fraudsters for whom it actually is the core expertise, these businesses seem doomed to keep investing lots of resources in online identity management with only modest success.

Needless to say, online identity is becoming a big issue. Little wonder – whole chunks of our daily life, including very personal fields like romance and friendship, are being absorbed by the Net. In all the mess one thing stands out – an acute need for better identification. A need which may itself warrant a separate industry – call it online identity services. I do not mean anything ominous (“I’ve got a lightly used identity of Jude Law! Anybody?”) – just satisfying a legitimate need to identify people online, like an online bank needing to make sure the person logging into its website is the actual account holder. Today the industry is moving from traditional password-based identification (see my earlier post) to more sophisticated multi-layered mechanisms (some less effective than others) – pictures, personal questions, 2FA tools etc. These are becoming costlier to develop and maintain, hence it would make a lot of sense to delegate this headache to a company which actually specializes in online identification. In that case the bank just needs to redirect the login to that company’s page (for a non-technical user this could be quite seamless, e.g. by putting the bank’s logo on the site it redirects to, or doing it in an iframe), let it do all the dirty work, and get the user back on the bank’s page with a full guarantee (covered by the third party) that the user is authenticated. Just as PayPal handles the entire payment and comes back to the merchant with a guaranteed payment, the ‘identity merchant’ would come back with a ‘successful login’. Now, the service may charge per login, per month, or per user – the details will depend on the particular business model. Such services may even offer multiple types of support – the spectrum would include periodic user screening (e.g. verifying the phone), sending 2FA tokens, sending SMSes – in short, focusing on linking the physical identity with the cyber one.
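To make the hand-off concrete, here is a toy sketch of what the identity service could return to the bank after doing “all the dirty work”: a short-lived, signed login assertion. All names, the token format and the pre-shared secret are assumptions for illustration; real deployments would use an established protocol in the OpenID/SAML family rather than hand-rolled crypto.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: the bank and the identity service exchanged this key out of band.
SHARED_SECRET = b"bank-and-identity-service-pre-shared-key"

def issue_assertion(user_id):
    """Identity-service side: sign a short-lived 'successful login' assertion."""
    payload = f"{user_id}|{int(time.time())}|{secrets.token_hex(8)}"
    sig = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def verify_assertion(token, max_age=300):
    """Bank side: accept the returning user only if the signature and age check out."""
    payload, _, sig = token.rpartition("|")
    expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None            # forged or tampered token
    user_id, ts, _nonce = payload.split("|")
    if time.time() - int(ts) > max_age:
        return None            # stale token, possible replay
    return user_id
```

The nonce and timestamp limit replay, and the signature means the bank never has to trust the browser that carried the token back – only the party holding the shared key.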

Now, I am not saying this has never occurred to anybody else – the OpenID concept is a similar one. Too bad it didn’t really take off. My take is that the people who care about this most (online banks, for example) are inherently distrustful of anything free or open source. And serious identity management needs serious resources – to screen users, to support 2FA tokens etc. Microsoft Passport was probably ahead of its time. PayPal could use its clout to add “identity management” to its portfolio, or better yet Facebook could do so too (the model of your identity being vetted by your friends is quite powerful). However, both of these companies have their hands in many jars, and the last thing a bank wants is to divulge its user base to some third party that could turn out to be a competitor. My take is that, in order to succeed, these services should be very specific – commercial, stand-alone, not engaged in any other type of business, solely focused on online identity, and committed by binding agreements not to use the information for any other purposes. Naturally, there need to be safeguards so that each client’s (bank’s) user data is secure and remains its property even if login is supported by the third party.

Perhaps such companies exist – I admit I didn’t do much research here – but even if they do, this is anything but a mature industry. I wonder if it will ever become one.

Is there an alternative to user education?…

…in the global fight against fraud? IMHO, there isn’t. Although I am not – by any stretch of the imagination – the first one to arrive at this conclusion, nobody has come up with a working idea of how we can realistically move the needle in this direction.

I recently had a chance to present a hastily-put-together “Cyber-security 101 – Defensive Browsing for Everyone” presentation* to a not-necessarily-technical audience. A friend of mine joked after the presentation: “most of them will never use the Internet again” 🙂 While that wasn’t really my intention, I can’t help but acknowledge that the sheer number of steps to be taken, “rules of thumb” and details to pay attention to in order to remain safe online can be pretty daunting to the average surfer. Bridging that knowledge gap for the “masses” seems to be – so far – an insurmountable challenge for the industry.

Now, as a humble “soldier” in this fight, I have worked out my own tricks to convey the message. For example, I consider cyber crime to have a lot in common with crime in the physical world – a phenomenon the average person is much more familiar with, as it is far more tangible and intuitive. Consequently, when evangelizing “defensive browsing”, I use this analogy to explain concepts via their physical-world “equivalents”. From my past experience, it generally proves quite effective.

For instance:

  • Browser – the door between your house (in this case perhaps an RV) and the street
  • Unpatched PC – a poorly locked door leaving you increasingly vulnerable to all the potential thieves in the neighborhood (in the case of the Internet, the ‘neighborhood’ is the whole world, including criminals who are beyond the American justice system)
  • Browsing suspicious sites – strolling in known bad neighborhoods at night
  • Plugging your USB drive into somebody else’s computer (or the other way around) – having unprotected sex with a stranger
  • Clicking on a link in an email – opening the door as soon as somebody knocks, without checking who’s on the other side
  • Anti-virus – pest control in the house
  • Phishing site – an impostor pretending to be your cleaning person’s ‘cousin’ to get the keys to your house
  • Open Wi-Fi (with no additional precautions) – a place where the bad guys can easily hook you with a tracking device, a bug or a video-surveillance device

In a way, cyber security can be viewed as an extension of our physical security, so the analogies are really limitless. Making the connection between them is the first step in educating crime-aware and responsible “netizens”.

*[update] I’ve put the presentation here:

Passwords are passé

It’s clear. Authenticating users via passwords is hopelessly outdated – the sooner online businesses (the ones serious about keeping their customers safe) understand this, the better. Security questions are of no substantial help – they just put dying passwords on short-lived life support. An IP/cookie check on the server side (if one exists, of course) helps, but only incrementally, as there are known workarounds actively used by the fraudster community. The only viable improvement – as of today – that qualitatively raises the bar is 2FA.

Many would say 2FA might be overkill for most of our online authentication needs. Well, I could definitely argue with this statement – at least in 90% of cases. For example, our email box contains extremely valuable information about us – enabling identity theft, great for waging a spear-phishing attack, or simply revealing our immediate plans to anyone contemplating a “brick and mortar” theft. Not to mention social network accounts – they are remarkable in keeping a comprehensive log of their owners – contacts, friends, photos, status, communications – all in one place! In other words, the wet dream of a whole line of businesses, illegal as well as legal ones. And what – a pathetic password being the single key to this wealth of information? Hell, no!

That said, 2FA is far from bulletproof (e.g. it’s susceptible to a particular type of client-side attack). However, there’s little doubt that 2FA is the next major step in securing users’ identities online, and that this is the direction the industry will move in (finally quitting the search for a cheap alternative) over the next several years.

Applying “Google spellchecker” principle in detecting online fraud

One of the ways bad guys manage to penetrate or influence a website’s functionality is by “poking around”: hitting different pages – often on different geolocations (e.g. instead of XYZ.com, the country-specific sites XYZ.de, XYZ.ca etc.) – coupled with “playing” with input parameters, thus looking for input-validation breaches or other site inconsistencies. If successful, bad guys can do a lot of harm – including manipulating data (e.g. changing a user’s state by following some quixotic page sequence), stealing information and so on.

Such breaches could be detected at an early stage by using a technique I call the “Google spellchecker” approach. Anybody who has used Google to check the spelling of a word – or the right collocation/phrase – knows the underlying principle. It’s (paraphrasing eBay’s motto) “people are basically educated”. That is, if we have 5 million hits for one spelling and 5 thousand for the “competitor” spelling, then the former is the correct one. (BTW, that is one of the basic principles of linguistics: if enough people say ‘nucelar’, it automatically becomes a legitimate word.)

The way the same principle would work in detecting bad behavior is similar:

  1. assign each page a unique ID (normal practice)
  2. define boundaries of individual user sessions
  3. record the sequence of pages hit during each session – e.g. 23 (login), 887 (account settings landing page), 368 (account settings confirmation), 99 (logout); in other words, create a “page trail” of each session
  4. at the end of each session, increment the number of times that particular trail has appeared on the radar – e.g. 23,887,368,99 -> 1035 times

Leave the system to bake for some time. Assuming that most people use the site for legitimate purposes, the numbers will eventually reflect the “normal” usage of the site. Maintaining that information would help detect abnormal usage (e.g. jumping to 368, “account settings confirmation”, without hitting 887, the “account settings landing page”) very soon after the “probe” is made. It is important to detect this early: if the hole becomes widely abused, its sequence may approach the “normality” level. We also need some safeguards to avoid false positives – e.g. if a new page is added to the site, we want to know about it (e.g. keep page-age information) and treat it as an exception.
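The four steps above can be sketched in a few lines. This is a minimal in-memory sketch (the page ids reuse the examples from the list; a real system would persist the counters and define session boundaries from cookies or tokens):

```python
from collections import Counter

trail_counts = Counter()   # page trail -> how many sessions followed it

def record_session(page_ids):
    """Steps 3-4: store a finished session's page trail and bump its count."""
    trail_counts[tuple(page_ids)] += 1

def is_suspicious(page_ids, min_support=5):
    """Flag trails rarely or never seen in the 'baked' data."""
    return trail_counts[tuple(page_ids)] < min_support

# Let the system "bake" on simulated normal traffic:
# login -> settings landing -> settings confirmation -> logout
for _ in range(1000):
    record_session([23, 887, 368, 99])
```

After baking, the common trail passes quietly, while a probe that jumps straight to the confirmation page (skipping 887) has near-zero support and gets flagged immediately.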

Naturally, the approach is not bulletproof (hardly any approach is). Indeed, if fraudsters are sophisticated enough, they could mask their behavior by mimicking a legitimate sequence, or try to make session tracking more difficult. Nevertheless, that would be a serious complication of their lives – another “bump” on their way – so the goal of slowing them down would be fully achieved.