Guest talk on Web Fraud to Network Security, Electrical Engineering, Sydney University.
Web 1.0 generated revenues from advertising. In Web 2.0 new monetization models were sought. Good stuff, but eventually all these eCommerce sites wake up to discover that the fraudsters have moved in.
Limited only by their imagination and the monetization model, fraudsters will do things like login hijacks, false signups, purchases with stolen credit cards, money laundering, Nigerian/419 scams, and so on.
This talk covers a few of these problems, how they are carried out, and what solutions and responses exist.
1. The Rise and Rise of Web Fraud: What happens when web businesses shift away from advertising revenues. USYD Electrical Engineering, Network Security Guest Lecture. David Jones – Founder/CTO ThreatMetrix, @djinoz
4. Anonymity used to be cute… (Credit: New Yorker Magazine, July 1993; http://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you're_a_dog)
11. “Fraud as a Service” (the bad guys' implementation of “Software as a Service”) means the problem is growing fast: there is no need to be an expert to be a fraudster. Botnets are rented out to other fraudsters; millions of bots today, with 100,000 new each day. (Slide diagram: compromised hosts in Los Angeles, New York and Kalispell, operated by “Frank”, “Bill” and “Susan”.)
12. On April 30 2010 TMX systems mapped 106,000 active* compromised hosts in Australian IP address space** (~2%). * Last 7 days. This is just a subset; there is a good chance ACMA or AusCERT would be detecting larger amounts. ** Around 10 million globally.
14. Control – Payments Case Study. With ThreatMetrix: fraud stopped the first time. Without ThreatMetrix: fraud stopped on the 5th try. Stop fraud the first time by detecting and piercing proxies to discover the true location of the device. (ThreatMetrix Confidential)
15. Control – New Accounts Case Study. Every transaction below carries the same ThreatMetrix Device ID (cf3fad94727611dd800000167e5d5632), a masked account email and browser language zh-cn; only the masked IP address and IP city change.

Transaction Time    Masked IP Addr.   Masked IP City
8/25/2008 17:24     66.79.172.10      New York
8/25/2008 18:17     208.77.47.109     New York
8/27/2008 12:57     78.129.235.30     Brussels
8/28/2008 12:25     208.77.43.80      New York
8/28/2008 19:09     204.16.192.197    Los Angeles
9/3/2008 13:33      64.32.7.84        Kalispell
9/5/2008 12:24      66.79.172.10      New York
9/12/2008 13:08     78.129.235.35     Brussels
9/12/2008 13:20     205.209.175.5     Los Angeles
9/12/2008 16:48     66.79.172.100     New York
9/16/2008 14:33     204.16.195.71     New York
9/17/2008 14:19     75.126.8.13       New York
9/18/2008 11:59     75.126.8.13       New York
9/18/2008 12:56     208.101.53.226    New York
9/18/2008 15:02     75.126.8.10       New York
9/19/2008 12:38     208.101.53.230    New York
9/19/2008 13:25     78.129.235.34     Brussels
9/19/2008 18:40     208.98.30.90      Kalispell
9/22/2008 16:51     208.101.53.227    New York
9/22/2008 17:35     75.126.8.13       New York
9/22/2008 19:13     75.126.8.13       New York
9/24/2008 17:29     66.2228.113.2     New York
9/25/2008 12:45     64.32.7.97        Kalispell

One month, same device, 23 user names. In China (browser language zh-cn), pretending to be in New York, Brussels, Los Angeles and Kalispell.
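The pattern in the case study above, one device fingerprint cycling through many accounts and IP cities within a month, is what a device-velocity rule is built to catch. The script below is an added example, not ThreatMetrix code or anything shown in the talk: the device id and IP addresses are taken from the slide, while the account names and the second (benign) device are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of the case-study table:
# (time, device id, account, browser language, masked IP, IP city).
# Accounts are placeholders; the first device id and its IPs come from the slide.
SAMPLE_EVENTS = [
    ("8/25/2008 17:24", "cf3fad94727611dd800000167e5d5632", "acct01@example.net", "zh-cn", "66.79.172.10", "New York"),
    ("8/25/2008 18:17", "cf3fad94727611dd800000167e5d5632", "acct02@example.net", "zh-cn", "208.77.47.109", "New York"),
    ("8/27/2008 12:57", "cf3fad94727611dd800000167e5d5632", "acct03@example.net", "zh-cn", "78.129.235.30", "Brussels"),
    ("9/3/2008 13:33", "cf3fad94727611dd800000167e5d5632", "acct04@example.net", "zh-cn", "64.32.7.84", "Kalispell"),
    ("9/12/2008 13:20", "cf3fad94727611dd800000167e5d5632", "acct05@example.net", "zh-cn", "205.209.175.5", "Los Angeles"),
    ("9/25/2008 12:45", "cf3fad94727611dd800000167e5d5632", "acct06@example.net", "zh-cn", "64.32.7.97", "Kalispell"),
    # A benign device (constructed): one account, one city, ordinary repeat logins.
    ("9/1/2008 09:00", "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", "shopper@example.org", "en-au", "203.0.113.7", "Sydney"),
    ("9/8/2008 09:05", "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f", "shopper@example.org", "en-au", "203.0.113.7", "Sydney"),
]

def parse_event(row):
    t, device, account, lang, ip, city = row
    return {"time": datetime.strptime(t, "%m/%d/%Y %H:%M"), "device": device,
            "account": account, "lang": lang, "ip": ip, "city": city}

def device_velocity(rows, window=timedelta(days=30), max_accounts=2, max_cities=2):
    """Per device id, find the most distinct accounts and distinct IP cities seen
    inside any sliding window of `window` length; report devices over threshold."""
    by_device = defaultdict(list)
    for ev in map(parse_event, rows):
        by_device[ev["device"]].append(ev)
    findings = {}
    for device, events in by_device.items():
        events.sort(key=lambda e: e["time"])
        peak_accounts = peak_cities = 0
        for i, start in enumerate(events):
            # Events from this one forward that fall within the window.
            in_window = [e for e in events[i:] if e["time"] - start["time"] <= window]
            peak_accounts = max(peak_accounts, len({e["account"] for e in in_window}))
            peak_cities = max(peak_cities, len({e["city"] for e in in_window}))
        reasons = []
        if peak_accounts > max_accounts:
            reasons.append(f"{peak_accounts} accounts share one device within {window.days} days")
        if peak_cities > max_cities:
            reasons.append(f"device seen in {peak_cities} cities within {window.days} days")
        if reasons:
            findings[device] = {"accounts": peak_accounts, "cities": peak_cities, "reasons": reasons}
    return findings

if __name__ == "__main__":
    for device, f in device_velocity(SAMPLE_EVENTS).items():
        print(device, "->", "; ".join(f["reasons"]))
```

The thresholds are deliberately low for the sample; in production they would be tuned per customer, which is the point slide 18 makes about different goals.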
16. Control – Account Login Case Study. Restrict the permissions of accounts based on detection of a compromised computer (botnet). (Slide diagram labels: Risk; Hidden Threat Detection.)
18. No silver bullet: different customers have different goals (average order value, margins, virtual or physical goods, real-time needs, chargeback rates). Slide chart: Orders, ~9% handled by Auto Screen; outcomes labelled Accept, Review and Reject (Fraud), with figures of 2.6%, 1.3% and 5.1%.
I modified this slide from a Verisign presentation – it shows how only a few ‘fronts’ of the identity theft/fraud ecosystem
ThreatMetrix Device Identification is used for three principal applications: i) New Account Sign-up, which is broadly applicable to the financial services industry, social networking, alternative payments, credit card applications and so forth; ii) Account Takeover, which is broadly applicable to the same set of industries; and iii) Card Not Present (“CNP”) purchases, which is applicable to the retail community. ThreatMetrix is a rules-based application, so the same product can be easily deployed across multiple industry types with a minimum of effort.