An estimated 40 percent of consumer systems are infected with malware, and if your organization carries out any type of web commerce, online banking, or other financial transaction, you must assume that your customer has malware. You can’t afford not to conduct the business, so the big question is: how can you have a successful and secure transaction with your customer, and not with the fraudster controlling their system?
There are numerous products and technologies on the marketplace using varying methodologies that attempt to detect if your customer’s system is infected. Many help build a “risk score” to determine if it is advisable to transact with that customer. But do you really have a choice as that relationship is the linchpin of your business?
The problem is that most of these products try to identify infected systems through a web interface. In many cases it is difficult to prove a system is infected even with low-level forensic software, so you never really know whether the system is infected. Even the products that install a client are no better than reactive anti-virus systems at detecting and stopping system compromise.
But imagine that we had a perfect tool that could detect which customer is infected and which one isn’t. What would you do with that information? Would you stop doing business with up to 40 percent of your customers? Would you try to help them clean themselves up? Once proven clean would you help them keep clean? That sounds noble but I would argue that it is an impossible goal in terms of personnel, technology and cost to keep your customers’ systems clean.
With major companies with experienced security teams being breached on systems that have managed patching and AV and sit behind content filters and enterprise-class firewalls, how can most organizations expect to protect systems without those benefits? Consider trying to protect a system with unlimited Internet access, admin rights, and a user who will click on any well-crafted phishing attack.
So, with a system that we can’t secure and with which we still want to do business, we need to change the paradigm: shift our focus from detecting compromised systems or safeguarding that system to protecting just your transaction with them.
There are three major methods to help us with this goal, and all three are necessary to fully protect a transaction. Together they build on one another; used separately, each falls to one attack method or another.
The first method is to securely identify your customer. We all know passwords don’t fit the bill anymore, so multi-factor authentication (MFA) of one type or another must be used. There are many ways to accomplish this, and depending on your business model one may work better than another. There are free solutions like Google Authenticator and low-cost SMS solutions, both of which are vulnerable to blended attacks, but if your business can accept some risk they may be excellent solutions. More secure solutions like hardware tokens or smart cards can help protect more sensitive transactions.
There are also behavioral biometric solutions for web applications that analyze and detect user behavior. These may be cheap and easy to roll out with minimal customer impact. Whatever the solution, it is imperative to know that the right person is sitting behind the keyboard, not an attacker who is remotely controlling the system or has gotten access to the device.
Multi-factor authentication (MFA) is vulnerable to other forms of attack, such as man-in-the-middle (MitM) or man-in-the-browser (MitB) attacks. Remember that the system is fully compromised, including the certificate authority store, meaning any method we use to prove we are the real, trusted web site is no longer valid. To solve this issue we need to add another layer on top of MFA to secure the web application session.
This second method falls into a category called secure browser technology. Some of these provide a full secure working environment, like a Citrix session, IronKey or Wontok. Others secure just the browser session, like Quarri or F5’s newest acquisition, Versafe. The requirement for this category of protection is that it both validates that the site is the real site and secures the transaction so that it cannot be modified in flight.
The third method gives great visibility into transactions and fraud trends and helps across any platform. This methodology is broadly referred to as fraud analytics. It can take many forms and can come from many systems you never intended to provide that support and intelligence. Traditional financial fraud analytics are excellent tools for finding fraud and looking for existing fraud patterns, but may not give the visibility into transactions and trends that can yield much broader benefits.
Creating your own systems using other non-financial analytics tools, or even log management tools like Splunk, to mine your data and find interesting patterns will give great visibility, but building fraud patterns and analytics this way may be very manual and time intensive.
So securely transacting with infected systems is feasible. You just need to assume that your customer’s system has been compromised and change your focus to ensuring that you are transacting with your real user and not a fraudster. To do this you need to take a layered security approach: use MFA and secure browsing, and leverage the fraud analytic tools that you likely already have in place. By taking this approach you can ensure not only that transactions are with your intended customer but that the integrity of the transaction has been ensured.
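The "mine your data and find interesting patterns" approach above is concrete enough to show in code. The following is an added example, not from the article or any product it names, of simple fraud analytics run over constructed key=value transaction events of the kind a log tool such as Splunk indexes. It scores each transfer on four signals that are cheap to compute from logs you already keep: a device first seen within the last 24 hours, a never-before-seen payee, an amount far above the customer's median, and transfer velocity. The thresholds (`NEW_DEVICE_AGE`, `VELOCITY_LIMIT`, `AMOUNT_MULTIPLIER`, `FLAG_THRESHOLD`), the field names, and the customer "alice" with her events are all this example's own constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample events (not real data). Customer "alice" transacts normally on
# two days; on day three a session from an unfamiliar device pays three never-seen
# payees within a minute. MFA passed every time, as it would with a MitB attack.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z event=login user=alice ip=203.0.113.10 device=dev-a1 mfa=pass
2024-03-01T09:01:10Z event=transfer user=alice ip=203.0.113.10 device=dev-a1 payee=acct-111 amount=120.00
2024-03-02T09:05:00Z event=login user=alice ip=203.0.113.10 device=dev-a1 mfa=pass
2024-03-02T09:06:30Z event=transfer user=alice ip=203.0.113.10 device=dev-a1 payee=acct-111 amount=95.00
2024-03-03T02:14:00Z event=login user=alice ip=198.51.100.7 device=dev-zz mfa=pass
2024-03-03T02:14:40Z event=transfer user=alice ip=198.51.100.7 device=dev-zz payee=acct-999 amount=2400.00
2024-03-03T02:15:05Z event=transfer user=alice ip=198.51.100.7 device=dev-zz payee=acct-998 amount=2400.00
2024-03-03T02:15:30Z event=transfer user=alice ip=198.51.100.7 device=dev-zz payee=acct-997 amount=2400.00
"""

# Assumed tuning values; a real deployment derives these from its own history.
NEW_DEVICE_AGE = timedelta(hours=24)    # device first seen less than this long ago counts as new
VELOCITY_WINDOW = timedelta(minutes=5)
VELOCITY_LIMIT = 3                      # this many transfers inside the window is suspicious
AMOUNT_MULTIPLIER = 5.0                 # amount above this multiple of the user's median is suspicious
FLAG_THRESHOLD = 5                      # score at or above this is sent for review

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a timezone-aware 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def score_transfers(lines) -> list:
    """Replay events in order, scoring every transfer against the user's own history."""
    device_first_seen = defaultdict(dict)   # user -> device -> first timestamp (logins count)
    seen_payees = defaultdict(set)          # user -> payees paid before
    amounts = defaultdict(list)             # user -> prior transfer amounts
    recent = defaultdict(list)              # user -> transfer timestamps inside the window
    results = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]
        first_seen = device_first_seen[user].setdefault(ev["device"], ts)
        if ev["event"] != "transfer":
            continue
        score, reasons = 0, []
        if ts - first_seen < NEW_DEVICE_AGE:
            score += 2
            reasons.append("new_device")
        if ev["payee"] not in seen_payees[user]:
            score += 2
            reasons.append("new_payee")
        amount = float(ev["amount"])
        # median rather than mean so one large fraudulent transfer cannot drag the baseline up
        if amounts[user] and amount > AMOUNT_MULTIPLIER * median(amounts[user]):
            score += 3
            reasons.append("amount_outlier")
        recent[user] = [t for t in recent[user] if ts - t <= VELOCITY_WINDOW] + [ts]
        if len(recent[user]) >= VELOCITY_LIMIT:
            score += 3
            reasons.append("velocity")
        results.append({"ts": ts, "user": user, "payee": ev["payee"],
                        "amount": amount, "score": score, "reasons": reasons})
        seen_payees[user].add(ev["payee"])
        amounts[user].append(amount)
    return results


def flagged_transfers(results) -> list:
    return [r for r in results if r["score"] >= FLAG_THRESHOLD]


if __name__ == "__main__":
    for r in score_transfers(SAMPLE_LOG.splitlines()):
        print(r["ts"].isoformat(), r["payee"], r["amount"], r["score"], ",".join(r["reasons"]))
    print("flagged:", len(flagged_transfers(score_transfers(SAMPLE_LOG.splitlines()))))
```

Note that every flagged event in the sample carries `mfa=pass`: the point of this layer is that it catches what the authentication layer cannot, because the fraudster is riding a session the real customer legitimately opened. The first ever transfer from a new customer also scores 4 (new device plus new payee), which is the kind of tuning decision a manual, log-driven approach forces on you.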