Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
-
Upload
nick-galbreath -
Category
Technology
-
view
2.904 -
download
1
description
Transcript of Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
![Page 1: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/1.jpg)
Fraud Engineering
Implementing a cross-functional risk strategy
Nick Galbreath [email protected] @ngalbreath
2012-03-29 MRC 2012 Las Vegas
![Page 2: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/2.jpg)
Introduction and Context
![Page 3: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/3.jpg)
3
Who is nickg?
Web Application background Software Development background Linux/Unix background Most everything was either social media and/or
ecommerce since 1994 I started at Etsy two years ago. There was no one
dedicated on fraud and security in engineering. A lot of this was learned the hard way My perspective on fraud is probably a bit different.
Season to taste.
![Page 4: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/4.jpg)
4
Who is Etsy?
“Online marketplace for creative small businesses” No inventory, marketplace. Instead we have both sides
– Buyer risk– Seller risk
When fraud happens, it’s not silent. It’s public. We lose trust (and money). We are very sensitive to fraud and risk == a lot of R&D
![Page 5: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/5.jpg)
5
What and Where is Risk?
Many types of risk… but today we’ll talk about
Fraud Security Internal Threats Business Continuity Physical Security Intellectual property
![Page 6: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/6.jpg)
6
Thinking about Risk and Fraud
“System working correctly, but with stolen or false credentials causing financial loss”
Constant, always happening. More business focused Continuous output (“fraud is 1%”)
Think: stolen credit cards, bogus seller that doesn’t ship goods.
![Page 7: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/7.jpg)
7
Thinking about Risk and Application Security
“System working incorrectly when given invalid or unexpected input, causing financial loss, data loss/theft, system downtime, vandalism, or attack on another system.”
Unexploited problems exists, now. Can be costly dealing with compliance, disclosure, legal. More technical-focused Binary Output (“we are breached, or not”)
Think: SQLi, XSS, buffer overflow attacks, data breach, etc Of course, security flaws can be used to commit fraud
![Page 8: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/8.jpg)
8
Account Takeover Blurs the Line
Account takeover crosses the boundaries from site security to personal member security.
Problems can be public Fraud and Security two sides of same coin.
![Page 9: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/9.jpg)
Fraud EngineeringLet’s Leverage the Organization
![Page 10: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/10.jpg)
10
Instead of this….
![Page 11: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/11.jpg)
11
… you want this:
![Page 12: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/12.jpg)
Let’s go!
![Page 13: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/13.jpg)
Technical Operations
![Page 14: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/14.jpg)
14
Log It
Leverage existing centralized logging (if not get it) You can index it – lots of 3rd party solutions Make new security/fraud/sensitive data log or namespace Log this:
– Password resets– Email changes– Credit card changes– Login failures
Also great for internal risk monitoring.. Who is doing what
![Page 15: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/15.jpg)
15
Graph It
Critical for visibility and promotion or your pain points TechOps is likely using Ganglia and/or Graphite Enhance the application using gmetric and/or StatsD
Example: Login Success and Failures.
![Page 16: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/16.jpg)
16
Monitor It
Now that you are logging and graphing, can you monitor and alert on outliers?
Likely Nagios or another system in place
Don’t worry, Etsy is ok. This was from a dead machine.
![Page 17: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/17.jpg)
17
PSA #1: Start the dialog for 100% SSL
SSL isn’t just for login and checkout Entire categories of risk are eliminated with 100% Little to no additional load on infrastructure. Evaluate your current setup at Qualsys SSL Labs
https://www.ssllabs.com/ Get an “A” with Apache/OpenSSL using*SSLProtocol -all +TLSv1 +SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
(*) Assuming your patches are up-to-date
![Page 18: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/18.jpg)
Quality Assurance.
![Page 19: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/19.jpg)
19
Using the QA infrastructure
Zooming out, QA / Fraud / Security begin to look the same
A serious bug might be indistinguishable from fraud QA typically tests positive flows Fraud Engineering leverages QA to test negative flows.
http://jenkins-ci.org/
![Page 20: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/20.jpg)
20
Test Your Invariants
Things that should be always true (or false).
Super easy to test
– “This page should always be SSL”– “This page should always require login”– “http://..../server-status” doesn’t display to public”– “http://…/wp-admin” requires a password”– “This page should never displays the full credit card”– “Google never visits this page”
You’ll be amazed or frightened by the results
![Page 21: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/21.jpg)
21
Unit test frameworks are excellent to (re)use
oops
![Page 22: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/22.jpg)
22
Use the central log to find…
Syntax errors from the database!
Certainly a bug, but perhaps SQLi attempts
Uncaught DatabaseException: 42601 7 ERROR:syntax error at position 2 near "&" inSELECT COUNT(*) FROM convosWHERE uid = ? AND names LIKE ‘?’with [895724897,"Ll'or1=1"]at DBConnection.php
based on a true storyall queries and values changed to protect the guilty
![Page 23: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/23.jpg)
23
… or find this?
Ungraceful exits Really should never happen Latent bug? Need to upgrade? Or probing attack?
![Page 24: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/24.jpg)
24
Even if you can’t fix it,establish the base line andlook for deviations from it
![Page 25: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/25.jpg)
Product and BizOps
![Page 26: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/26.jpg)
26
Product should be helping with
The delicate balance between
easy enough so you don’t loose customers vs.
hard enough so attackers go elsewhere vs. the
barriers appropriate to risk.
![Page 27: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/27.jpg)
27
Can you make security a desired feature?
Can you offer your best customers better security solutions so they don’t have account takeover?
Has anyone even asked them? Not necessarily resulting in more engineering work.
– Site messaging improvements– Outreach– Customer education
How can you make account takeover recovery easier? How can you message the user when they their email got
erased or if they ?
![Page 28: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/28.jpg)
28
BizOps
Have you talked to the email marketing and/or online-ad targeting groups?
The work they do is oddly similar to fraud analytics.– Breakdown by sales by country over time– Customer visit frequency by sales– Average purchase price– Basket Analysis
Helping them make their data more real time/visible helps the business and adds additional eyes on fraud
![Page 29: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/29.jpg)
Engineering
![Page 30: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/30.jpg)
30
Fraud Engineering
There is certainly pure fraud engineering:– Integration with risk management solutions– Rule and model building– Analysis and reporting– Behavior tracking
And there is certainly security engineering– Authentication and Authorization– CSRF / SQLi protections– Secure coding initiatives https://buildsecurityin.us-cert.gov/
But there is a lot more you can leverage from the organization.
![Page 31: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/31.jpg)
31
Work on preventing false positives
Eliminating false positives helps your risk management system work better.
Disable form submit buttons after being pressed (prevents double clicks)
Add rate limits to just about everything on the site
Does not necessarily stop determined attackers, but…
if someone is breaking or bumping up against your rate limits, you know they are up to something.
![Page 32: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/32.jpg)
32
PSA #2: No passwords in plain text!
I beg of you. Also don’t store them as plain MD5 or SHA1 Use a “salted hash” system. Start the process today!
![Page 33: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/33.jpg)
33
Here’s a secret
Your engineers are bored. 90% of a computer science degree isn’t used on a day to
day basis This is why open source projects exists: to work on cool
stuff they can’t do at work. They have side-projects already There is a huge cognitive surplus is sitting around.
![Page 34: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/34.jpg)
34
Here’s another
This laptop is the equivalent of at least 8 Amazon EC2 “small” instances and has a terabyte of storage.
“Hard problems” such as machine learning, natural language processing, big data are rapidly being commoditized.
There is a huge computational surplus laying around the office.
![Page 35: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/35.jpg)
35
Now that you know the secret, use it
Fraud problems are engineer-bait -- it’s full of fun hard problems
Leverage your employees! Advertise your problems. If that fails, find interns! I’m sure your local schools will
be happy to help.
![Page 36: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/36.jpg)
Customer Service
![Page 37: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/37.jpg)
37
Customer Service
They know more than you on how the site is working and performing.
All fraud ends up being a customer service problem Improving customer service == improving fraud
management. Talk to them and build the best #(&^$*# tools that you
can for them. Gains of 4x-5x can occur by eliminating crap out of their
workflow.
![Page 38: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/38.jpg)
Case StudyMysterious Data Center Logins – Work In Progress
![Page 39: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/39.jpg)
39
Case Study
Customer Service was looking into some “problematic customers.” Login history didn’t really make much sense. Got bounced to fraud engineering.
![Page 40: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/40.jpg)
40
Case Study
Looking into the IP addresses, and doing whois showed many were coming from “rent-a-slice” datacenters.
Linode, Amazon, and Rackspace are used as an example. They are great companies and are recommend. No implication of wrong doing should be implied!
![Page 41: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/41.jpg)
41
Case Study
This lead to a side-project mapping the range of IP addresses that belong to rent-a-slice centers.
![Page 42: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/42.jpg)
42
Case Study
Now we graph it
![Page 43: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/43.jpg)
43
Case Study
Product is ok with throwing up CAPTCHAs on these accounts in certain cases since it’s unlikely to interfere with the vast majority of users.
http://www.google.com/recaptcha
![Page 44: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/44.jpg)
44
Case Study
Customer Service tool updated so reps can see if IP is a datacenter or not, and have direct access to whois
Note: no implication that the hosting provider is or has done anything wrong. They might be victims of fraud themselves.
![Page 45: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/45.jpg)
45
Case Study
Oddly many users are legit (privacy nuts? escaping great firewall of china?)
Working on CS/Product strategy to reach out to the legit customers on why.
Rolling out analysis to checkout/purchase. Would love your feedback and help, so….
![Page 46: Fraud Engineering, from Merchant Risk Council Annual Meeting 2012](https://reader034.fdocuments.us/reader034/viewer/2022051616/554a18d1b4c9055c598b5238/html5/thumbnails/46.jpg)
46
Case Study: Our List is Yours
Over 25,000,000 total IP addresses Over 1700 IP blocks Over 350 providers
https://github.com/client9/ipcat