websecurity@lists.webappsec.org

The Web Security Mailing List


Fraud detection system

LF
Lebeau Frederic
Sat, Jun 16, 2012 6:55 PM

Hello,

I'm wondering if there are some things to do at application level to
increase the efficiency of a fraud detection system?

Thanks

CG
Christoph Gruber
Mon, Jun 18, 2012 4:53 PM

On 16.06.2012 at 20:55 Lebeau Frederic wrote:

> Hello,
>
> I'm wondering if there are some things to do at application level to increase the efficiency of a fraud detection system?

Fraud is activity which cannot be detected at this layer. You should look for fraud detection software for your transaction system at the backend.

Things that can be detected on the web layer: SQL injection, XSS and other vulnerabilities on the web layer.

just my few cents

--
Grisu

PJ
Paul Johnston
Mon, Jun 18, 2012 7:52 PM

Hi,

Some commercial risk engines can harvest additional variables at the
application layer. A common one is machine fingerprinting, so if the
transaction comes from a machine the user hasn't used before, that
increases the risk score. I think some use behavioral analysis - such as
page sequences, time spent on page, etc. Vendors tend to be secretive
about these things as the rules are easily defeated if the fraudsters
know what they are.

Paul

On 16/06/2012 19:55, Lebeau Frederic wrote:

> Hello,
>
> I'm wondering if there are some things to do at application level to
> increase the efficiency of a fraud detection system?
>
> Thanks

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

GK
Greg Knaddison
Mon, Jun 18, 2012 8:01 PM

On Mon, Jun 18, 2012 at 10:53 AM, Christoph Gruber <list@guru.at> wrote:

> Fraud is activity which cannot be detected at this layer. You should look for fraud detection software for your transaction system at the backend.

That seems like a claim that needs more proof or more explanation.

I would say you can look for attempts at fraud at the web application
layer. If a user is presented a form that includes a dropdown with
some options and they send back a POST that includes options they
don't have access to this is a detectable fraudulent action. When
faced with that behavior some applications will simply deny the action
while others will log it and block access - the appropriate behavior
depends on the context.

Regards,
Greg

--
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com

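The check Greg describes (a POST naming a dropdown option the user was never offered) implemented server-side, as an added example that is not part of any message in this thread. The offered-options table, the account names and the `lock_after` policy knob are constructed assumptions; the "deny only" versus "log and lock" choice is the context-dependent behaviour the reply mentions.

```python
"""Detecting form-option tampering at the web application layer.

Added example (not from the thread). The server remembers which
options it rendered for each user and rejects a POST that names an
option that was never offered; repeated tampering can optionally lock
the account. All names and values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed data: the account ids rendered in each user's dropdown.
# In a real application this comes from the session / authorization layer.
OFFERED_OPTIONS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"acct-100", "acct-101"}),
    "bob": frozenset({"acct-200"}),
}


@dataclass
class Decision:
    action: str                 # "allow", "deny" or "lock"
    reason: str
    log: List[str] = field(default_factory=list)


@dataclass
class TamperPolicy:
    # None: only deny the request; N: also lock the account after N tampered posts.
    lock_after: Optional[int] = None
    strikes: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def check(self, user: str, posted: Dict[str, str]) -> Decision:
        if user in self.locked:
            return Decision("lock", "account locked after repeated tampering")
        allowed = OFFERED_OPTIONS.get(user, frozenset())
        chosen = posted.get("source_account")
        if chosen in allowed:
            return Decision("allow", "option was offered to this user")
        # The option was never rendered for this user: a crafted request,
        # not something a browser would submit from the form it was given.
        entry = f"tamper user={user} posted={chosen!r} allowed={sorted(allowed)}"
        self.strikes[user] = self.strikes.get(user, 0) + 1
        if self.lock_after is not None and self.strikes[user] >= self.lock_after:
            self.locked.add(user)
            return Decision("lock", "tampering threshold reached",
                            [entry, f"lock user={user}"])
        return Decision("deny", "option not offered to this user", [entry])


if __name__ == "__main__":
    policy = TamperPolicy(lock_after=2)
    for user, form in [("alice", {"source_account": "acct-100"}),
                       ("bob", {"source_account": "acct-100"}),
                       ("bob", {"source_account": "acct-101"})]:
        d = policy.check(user, form)
        print(user, d.action, d.reason, d.log)
```

The key point is that the allowed set is looked up from what the server itself rendered, never from anything in the request; the log entries carry the posted value and the allowed set so an analyst can tell tampering from a stale form.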
CG
Christoph Gruber
Mon, Jun 18, 2012 8:43 PM

On 18.06.2012 at 22:01 Greg Knaddison wrote:

> On Mon, Jun 18, 2012 at 10:53 AM, Christoph Gruber <list@guru.at> wrote:
>
>> Fraud is activity which cannot be detected at this layer. You should look for fraud detection software for your transaction system at the backend.
>
> That seems like a claim that needs more proof or more explanation.
>
> I would say you can look for attempts at fraud at the web application
> layer.

Yes you can, but you will never be sure.

> If a user is presented a form that includes a dropdown with
> some options and they send back a POST that includes options they
> don't have access to this is a detectable fraudulent action. When
> faced with that behavior some applications will simply deny the action
> while others will log it and block access - the appropriate behavior
> depends on the context.

Fraud is much more than fumbling around with parameters in forms.
Fraud can be done by using only valid operations.

Just my few cents

--
Grisu

AH
Achim Hoffmann
Mon, Jun 18, 2012 11:06 PM

On 18.06.2012 21:52, Paul Johnston wrote:

> Hi,
>
> Some commercial risk engines can harvest additional variables at the
> application layer. A common one is machine fingerprinting, so if the
> transaction comes from a machine the user hasn't used before, that
> increases the risk score. I think some use behavioral analysis - such as
> page sequences, time spent on page, etc. Vendors tend to be secretive
> about these things as the rules are easily defeated if the fraudsters
> know what they are.
>
> Paul
>
> On 16/06/2012 19:55, Lebeau Frederic wrote:
>
>> Hello,
>>
>> I'm wondering if there are some things to do at application level to
>> increase the efficiency of a fraud detection system?
>>
>> Thanks

Some WAFs have such detections, it's often called "scoring".
The actions to be done when a score limit is reached can be just
blocking the request or even blocking based on IP, some can
send messages to network firewalls to do more blocking, etc. etc.

Achim

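An added example, not from any message in this thread, that puts Paul's application-layer signals (unseen device fingerprint, page sequence, time spent on the form) and Achim's threshold-driven actions (block the request, block by IP) into one small scoring function. The weights, thresholds, expected page flow, the three-second floor and the user profiles are all constructed assumptions for illustration, not any vendor's or WAF's rules.

```python
"""Application-layer risk scoring with threshold actions.

Added example (not from the thread). Each transaction is scored from
signals the application itself can observe and the score is mapped to
an action. Weights, thresholds and the signal set are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed profiles: device fingerprints previously seen for each user.
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "alice": {"fp-a1"},
}
EXPECTED_FLOW = ["/cart", "/checkout", "/confirm"]   # assumed normal page sequence
MIN_FORM_SECONDS = 3.0                               # assumed floor for a human

# Assumed weights per signal and the score limits at which actions trigger,
# checked from the most severe downwards.
WEIGHTS = {"new_device": 40, "skipped_pages": 30, "too_fast": 30}
THRESHOLDS = [(70, "block_ip"), (50, "block_request"), (30, "step_up"), (0, "allow")]


@dataclass
class Transaction:
    user: str
    device_fp: str
    pages: List[str]        # pages visited before the submit, in order
    form_seconds: float     # time between rendering the form and the POST


@dataclass
class Verdict:
    score: int
    action: str
    signals: List[str] = field(default_factory=list)


def score_transaction(tx: Transaction) -> Verdict:
    signals = []
    # Machine fingerprinting: a device this user has never used raises the score.
    if tx.device_fp not in KNOWN_DEVICES.get(tx.user, set()):
        signals.append("new_device")
    # Page sequence: the pages just before the submit must match the expected flow.
    if tx.pages[-len(EXPECTED_FLOW):] != EXPECTED_FLOW:
        signals.append("skipped_pages")
    # Time on page: a form completed faster than a person could read it.
    if tx.form_seconds < MIN_FORM_SECONDS:
        signals.append("too_fast")
    score = sum(WEIGHTS[s] for s in signals)
    action = next(a for limit, a in THRESHOLDS if score >= limit)
    return Verdict(score, action, signals)


def record_device(user: str, fp: str) -> None:
    """Remember a device once the user has proven it (e.g. after step-up)."""
    KNOWN_DEVICES.setdefault(user, set()).add(fp)


if __name__ == "__main__":
    for tx in [Transaction("alice", "fp-a1", EXPECTED_FLOW, 12.0),
               Transaction("alice", "fp-new", EXPECTED_FLOW, 12.0),
               Transaction("bob", "fp-x", ["/confirm"], 0.4)]:
        print(tx.user, score_transaction(tx))
```

A "step_up" outcome is where a real deployment would ask for a second factor before trusting the new device; only after that should `record_device` be called, otherwise the fingerprint signal teaches itself to accept whatever it last saw.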