{"id":189,"date":"2010-11-29T22:29:03","date_gmt":"2010-11-30T04:29:03","guid":{"rendered":"http:\/\/fraudbump.wordpress.com\/?p=37"},"modified":"2010-11-29T22:29:03","modified_gmt":"2010-11-30T04:29:03","slug":"superiority-of-the-known-good-over-known-bad-2","status":"publish","type":"post","link":"https:\/\/amirbekian.com\/blog\/2010\/11\/superiority-of-the-known-good-over-known-bad-2\/","title":{"rendered":"Superiority of the &#8220;known good&#8221; over &#8220;known bad&#8221;"},"content":{"rendered":"<p>Okay, some definitions first:<\/p>\n<ul>\n<li>\u201c<strong>Known bad<\/strong>\u201d strategy implies covert collection of attributes used by the fraudsters \u2013 first of all devices, but also email addresses, phones etc. \u2013 in order to be able to detect repeat usage of them. It\u2019s essentially a blacklisting technique, implying that if you are not blacklisted, you are good to go.<\/li>\n<li>\u201c<strong>Known good<\/strong>\u201d is pretty much the opposite \u2013 it\u2019s an overt policy of collecting the attributes \u2013 first of all devices, but also email addresses, phones etc. \u2013 to have the necessary assurance of the legitimacy of their usage by the good guys. It\u2019s effectively whitelisting, implying that if you are not whitelisted, you are a potential suspect. Naturally, to make an attribute whitelisted (or to mark it as \u2018trusted\u2019), the users will have to go through a certain verification process. For example, to whitelist a machine, the user will have to enter a code sent via email or SMS (essentially, following a 2FA approach).<\/li>\n<\/ul>\n<p>Now, the traditional strategy adopted by the cyber security guys has always been the first one \u2013 just like in \u201coffline\u201d life where we all enjoy the presumption of innocence (unless we slide into a totalitarian form of government) and where the \u201cblacklists\u201d are for a few suspected criminals. 
It is definitely a more intuitive and, to a certain degree, effective way of raising the bar in online security. However, it becomes increasingly inefficient as fraudsters get more sophisticated in hiding their identity. Indeed, only lazy or grossly uneducated fraudsters do not delete their cookies (historically, the number one way of identifying a device) today. Adobe\u2019s FSO \u2013 which succeeded the cookie \u2013 is next to fall. Soon the larger fraudster community will discover the beauty of sandboxing. In essence, it\u2019s a matter of appropriate tools being developed and made available on the \u201cblack market\u201d \u2013 the average fraudster doesn\u2019t even have to know all the gory details to use them. Thus, as I mentioned in my <a title=\"Device fingerprinting?\u00a0Please\u2026\" href=\"http:\/\/fraudbump.wordpress.com\/2010\/10\/19\/device-fingerprinting-please\/\">previous post<\/a>, device fingerprinting is pretty much doomed.<\/p>\n<p>By contrast, the \u201cknown good\u201d strategy is increasingly gaining traction among online businesses. Initially unpopular since it introduces another hoop for the legitimate users to jump through (businesses hate that), it just by definition works much better. Fraudsters now need to get access to the victim&#8217;s email account or cellphone, or hack the computer, to get around it (it should also be mentioned that on a conceptual level the superiority of whitelisting over blacklisting is apparent in many other cases &#8211; such as in keeping user input under control).<\/p>\n<p>The switch to &#8220;known good&#8221; is not a painless exercise and, yes, it introduces an additional hurdle to the business, but it may prove to be the cheapest way of putting a dent in losses by making account takeovers much more difficult to hide. Both in terms of nuisance to the users and the cost, it fares much better than some extra measures I see on many websites &#8211; such as selecting an image, asking additional questions etc. 
&#8211; thus my take is that the popularity of &#8220;known good&#8221; approach will continue to rise.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Okay, some definitions first: \u201cKnown bad\u201d strategy implies covert collection of attributes used by the fraudsters \u2013 first of all devices, but also email addresses, phones etc. \u2013 in order to be able to detect repeat usage of them. It\u2019s essentially blacklisting technique, implying that if you are not blacklisted, you are good to go. &hellip; <a href=\"https:\/\/amirbekian.com\/blog\/2010\/11\/superiority-of-the-known-good-over-known-bad-2\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Superiority of the &#8220;known good&#8221; over &#8220;known bad&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[6,15,16,26],"class_list":["post-189","post","type-post","status-publish","format-standard","hentry","category-general-observations-commentary","category-prognosis","tag-blacklisting","tag-known-bad","tag-known-good","tag-whitelisting"],"_links":{"self":[{"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/posts\/189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/comments?post=189"}],"version-history":[{"count":0,"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/posts\/189\/revisions"}],"wp:attachment":[{"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/media?parent=189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/amirbekia
n.com\/blog\/wp-json\/wp\/v2\/categories?post=189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/amirbekian.com\/blog\/wp-json\/wp\/v2\/tags?post=189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}