Archive for the ‘Web Application Security’ Category

Online Fraud Trends – Nigerians are learning Russian

Posted on January 9th, 2009 by Alisdair Faulkner

At ThreatMetrix we are fortunate enough to work with the smartest and the brightest in online fraud detection for the largest and most successful online companies.

In recent conversations with three separate businesses across online retail, credit card processing and social networking it emerged as a definite trend that the Nigerians have been learning from the Russians.

Paraphrasing one of the conversations:

It used to be that Nigerians would just connect directly from their computer in Nigeria. They were pretty easy to pick off just based on the geolocation of their IP address alone. The Russians, on the other hand, will attempt to use some form of cloaking such as a proxy or a compromised computer. Now we are seeing a definite trend of Nigerian fraudsters getting smarter about covering their tracks. By doing some back-end analysis we can tell that the same patterns consistent with the Nigerians are there, but our front-end systems are not as effective in screening them out anymore.

This is the trickle-down effect in action. In the security realm this effect was the birth of ‘script kiddies’, or just ‘skiddies’ for those in the know, who would reuse previously developed hacker programs for fun and fame. In fraud, the same trend sees the online world at an interesting juncture where even third-world countries and teenagers have access to technology capable of circumventing the protections of first-class fraud detection teams.

As a data point, take a look at this YouTube instructional video, over a year old now, of a young teenage hacker walking you through how to do an SQL injection in response to being teased as a ‘skiddie’.

Social Networking Abuse – Twitter Hack on YouTube

Posted on January 9th, 2009 by Alisdair Faulkner

The embedded video below shows teenage hacker CMZ walking through his brute-force password attack on Twitter. CMZ exploited the fact that Twitter did not put time-outs on login attempts by running a series of dictionary attacks against the admin’s account to correctly determine the password as ‘Happiness’. The admin’s details were posted on digitalgangster and were then used to send spam through the Barack Obama and Britney Spears accounts.

This kind of brute-force attack, using a guessed user name and a password generator run by a teenager, should send chills down the spine of any company that thinks a user name and password are sufficient to keep its crown jewels safe.

Device intelligence and device identification can’t fix bad admin security practice, but many social networks are now turning to the device as a form of transparent two-factor authentication to determine whether an account is being accessed from an unauthorized computer, or to detect when the same computer is accessing multiple unrelated accounts.
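The post names two defensive controls without showing them: a time-out on repeated login failures (the control the brute-force attack relied on Twitter lacking) and a check for one device fingerprint reaching several unrelated accounts (the device-based signal the last paragraph describes). The block below is an added example, not code from the original post, from ThreatMetrix or from Twitter; it runs both checks over a handful of constructed log lines. The log format, the account and device names, and the thresholds (five failures in ten minutes, a fifteen-minute lockout, three accounts per device) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log for this example (not real Twitter data).
# Format: <ISO timestamp> <event> account=<name> device=<fingerprint> ip=<addr>
SAMPLE_LOG = """\
2009-01-04T22:00:00 LOGIN_FAIL account=admin device=d1f3 ip=203.0.113.5
2009-01-04T22:00:01 LOGIN_FAIL account=admin device=d1f3 ip=203.0.113.5
2009-01-04T22:00:02 LOGIN_FAIL account=admin device=d1f3 ip=203.0.113.5
2009-01-04T22:00:03 LOGIN_FAIL account=admin device=d1f3 ip=203.0.113.5
2009-01-04T22:00:04 LOGIN_FAIL account=admin device=d1f3 ip=203.0.113.5
2009-01-04T22:00:05 LOGIN_OK account=admin device=d1f3 ip=203.0.113.5
2009-01-04T22:05:00 LOGIN_OK account=celeb1 device=d1f3 ip=203.0.113.5
2009-01-04T22:06:00 LOGIN_OK account=celeb2 device=d1f3 ip=203.0.113.5
2009-01-04T22:07:00 LOGIN_OK account=politician device=d1f3 ip=203.0.113.5
2009-01-04T23:00:00 LOGIN_FAIL account=alice device=77aa ip=198.51.100.9
2009-01-04T23:30:00 LOGIN_OK account=alice device=77aa ip=198.51.100.9
"""


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "event": event, **fields})
    return events


def brute_force_candidates(events, max_failures=5, window=timedelta(minutes=10)):
    """Detection: accounts with >= max_failures failed logins inside a sliding window.
    Returns {account: time of the failure that crossed the threshold}."""
    recent = defaultdict(list)  # account -> timestamps of failures still in the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "LOGIN_FAIL":
            continue
        q = recent[ev["account"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire old failures
            q.pop(0)
        if len(q) >= max_failures and ev["account"] not in flagged:
            flagged[ev["account"]] = ev["ts"]
    return flagged


class LoginThrottle:
    """Mitigation: per-account time-out. After max_failures failures within `window`,
    refuse every attempt (even a correct one) until `lockout` has elapsed.
    Example policy only; it is not Twitter's implementation."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(list)  # account -> recent failure timestamps
        self._locked_until = {}             # account -> datetime

    def allowed(self, account, now):
        until = self._locked_until.get(account)
        return until is None or now >= until

    def record(self, account, success, now):
        if success:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.window:
            q.pop(0)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout


def replay_with_throttle(events, throttle=None):
    """Replay the log through the throttle; return the attempts it would have refused."""
    throttle = throttle or LoginThrottle()
    refused = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not throttle.allowed(ev["account"], ev["ts"]):
            refused.append(ev)
            continue
        throttle.record(ev["account"], ev["event"] == "LOGIN_OK", ev["ts"])
    return refused


def shared_device_accounts(events, min_accounts=3):
    """Detection: device fingerprints that successfully logged into >= min_accounts
    distinct accounts. Returns {device: sorted list of accounts}."""
    by_device = defaultdict(set)
    for ev in events:
        if ev["event"] == "LOGIN_OK":
            by_device[ev["device"]].add(ev["account"])
    return {d: sorted(a) for d, a in by_device.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute-force candidates:", brute_force_candidates(evs))
    print("attempts a throttle would have refused:",
          [(e["ts"].isoformat(), e["account"], e["event"]) for e in replay_with_throttle(evs)])
    print("devices spanning unrelated accounts:", shared_device_accounts(evs))
```

On the sample log the throttle locks the admin account at the fifth failure, so the sixth attempt, the one that guessed correctly, is refused; the device check then reports that the same fingerprint went on to log into three other accounts, which is the "same computer, multiple unrelated accounts" signal the post describes. A successful login resets the failure counter so a legitimate user who mistypes a few times is not locked out for long.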