[WEB SECURITY] Fraud detection system
list at guru.at
Mon Jun 18 16:43:10 EDT 2012
On 18.06.2012 at 22:01, Greg Knaddison wrote:
> On Mon, Jun 18, 2012 at 10:53 AM, Christoph Gruber <list at guru.at> wrote:
>> Fraud is activity which cannot be detected at this layer. You should look for fraud detection software for your transaction system at the backend.
> That seems like a claim that needs more proof or more explanation.
> I would say you can look for attempts at fraud at the web application
Yes you can, but you will never be sure.
> If a user is presented a form that includes a dropdown with
> some options and they send back a POST that includes options they
> don't have access to, this is a detectable fraudulent action. When
> faced with that behavior some applications will simply deny the action
> while others will log it and block access - the appropriate behavior
> depends on the context.
Fraud is much more than fumbling around with parameters in forms.
Fraud can be done by using only valid operations.
Just my few cents
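
The dropdown check discussed in this message, as an added example that is not part of the original post: a submitted option is compared server-side against the options that were offered, and a mismatch is denied, logged, and eventually blocked. The role names, option values and strike threshold are constructed assumptions; as the reply says, this catches parameter tampering only, not fraud carried out with valid operations.

```python
import logging
from collections import Counter

log = logging.getLogger("tamper")

# Constructed sample data: the dropdown options each role is offered.
OFFERED = {
    "customer": {"own-checking", "own-savings"},
    "teller": {"own-checking", "own-savings", "branch-ledger"},
}
BLOCK_AFTER = 3  # assumed threshold; the right value depends on the context


class TamperGuard:
    """Server-side check of POSTed dropdown values against what was offered."""

    def __init__(self, offered=OFFERED, block_after=BLOCK_AFTER):
        self.offered = offered
        self.block_after = block_after
        self.strikes = Counter()  # per-user count of out-of-set submissions

    def check(self, user, role, submitted):
        """Return 'allow', 'deny' or 'blocked' for one submitted value."""
        if self.strikes[user] >= self.block_after:
            return "blocked"  # already locked out, even for valid values
        if submitted in self.offered.get(role, set()):
            return "allow"
        # The value was never rendered for this role: the form was altered.
        self.strikes[user] += 1
        # %r escapes control characters so the value cannot forge log lines.
        log.warning("option not offered: user=%s role=%s value=%r strikes=%d",
                    user, role, submitted, self.strikes[user])
        if self.strikes[user] >= self.block_after:
            return "blocked"
        return "deny"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    guard = TamperGuard()
    for value in ["own-savings", "branch-ledger", "branch-ledger",
                  "branch-ledger", "own-savings"]:
        print(value, "->", guard.check("alice", "customer", value))
```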