[WEB SECURITY] Fraud detection system
Christoph Gruber
list at guru.at
Mon Jun 18 16:43:10 EDT 2012
On 18.06.2012 at 22:01, Greg Knaddison wrote:
> On Mon, Jun 18, 2012 at 10:53 AM, Christoph Gruber <list at guru.at> wrote:
>>
>> Fraud is activity which cannot be detected at this layer. You should look for fraud detection software for your transaction system at the backend.
>>
>
> That seems like a claim that needs more proof or more explanation.
>
> I would say you can look for attempts at fraud at the web application
> layer.
Yes you can, but you will never be sure.
> If a user is presented a form that includes a dropdown with
> some options and they send back a POST that includes options they
> don't have access to, this is a detectable fraudulent action. When
> faced with that behavior some applications will simply deny the action
> while others will log it and block access - the appropriate behavior
> depends on the context.
Fraud is much more than fumbling around with parameters in forms.
Fraud can be done by using only valid operations.
Just my few cents
--
Grisu
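
The web-layer check described in the quoted reply, as an added example that is not part of the original thread: a server-side guard compares a submitted dropdown value with the options offered to that user, then denies, logs and eventually blocks. The names `FormGuard`, `OFFERED` and `BLOCK_AFTER` and the account ids are hypothetical, constructed for illustration.

```python
import logging
from collections import Counter

log = logging.getLogger("webapp.tamper")

# Constructed sample data: the dropdown options each user is offered.
OFFERED = {
    "alice": {"AT-1001", "AT-1002"},
    "bob": {"AT-2001"},
}
BLOCK_AFTER = 3  # assumption: tamper attempts tolerated before access is blocked


class FormGuard:
    """Server-side check of a submitted dropdown value against what was offered."""

    def __init__(self, offered=OFFERED, block_after=BLOCK_AFTER):
        self.offered = offered
        self.block_after = block_after
        self.strikes = Counter()   # per-user count of unoffered values seen
        self.blocked = set()

    def check_post(self, user, field_value):
        """Return 'ok', 'denied' or 'blocked' for one submitted value."""
        if user in self.blocked:
            return "blocked"
        if field_value in self.offered.get(user, set()):
            # Only proves the value was offered; says nothing about intent.
            return "ok"
        # Value was never offered to this user: deny, log, and count it.
        self.strikes[user] += 1
        log.warning("unoffered option user=%s value=%r strikes=%d",
                    user, field_value, self.strikes[user])
        if self.strikes[user] >= self.block_after:
            self.blocked.add(user)
            return "blocked"
        return "denied"
```

A request that uses only offered values returns `ok` whatever its purpose, which is the limit raised in the reply above; that case is left to the backend transaction system.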