Online Security - Using client side information as defence mechanism

Online security is paramount for any organization offering transactional features through the online channel. With attacks shifting towards the weakest link in the B2C chain, i.e. the end customer, the enterprise stance of keeping its security boundary within the enterprise firewall no longer seems the correct approach. Enterprises that stick to this approach leave their customers as prey to fraudsters. This hampers not only customer trust but also business volumes.

The attackers these days have:

- Motivation: Organizations must understand the motivation(s) behind any attack and should try to find the possible motivations attackers have against them.
- Innovation: Recent attack investigations clearly show that attackers are more innovative than ever.
- Time: The next most important factor is time. Attackers have ample time.

The fraud market is highly organized crime; just like any other organized business it has:

- A proper business plan
- ROI
- Recruitment, campaigns and money-back guarantees
- A mature market of exploits, stolen credentials, botnet rental, etc.

If we look at attack sophistication, it sometimes astonishes the best security geeks. For example, webinjects: when they were made commercially available a few years back, they nullified all the security conditioning we had put into the customer's mind:

- Look for the padlock.
- If the browser bar turns green you are dealing with us.
- This 2-factor token device will protect you from all online threats.

The attack involved altering the customer's web page and defrauding the customer by taking them through rogue customer journeys, asking them to make "test payments", merely by changing the text and HTML of the pages served to the customer. One thing that helped the fraudsters was the weak and prescriptive security education we had put into the customer's mind for a number of years, instead of educating the customer to identify abnormal behaviour.

Certainly there is a need to protect the customer's transaction from its point of origin, i.e. the customer's machine. It means the enterprise security boundary stretches itself towards the customer machine.

Client-side malware detection and client device detection are the key technologies used these days to detect customer compromise. There are significant advancements in behavioural biometrics, identifying how the customer interacts with the end point. But all these technologies use our old favourite, JavaScript, covertly notifying the backend about the customer's device health. This opens an interesting debate: "Are we trusting the client side, or have we started over-relying on these aspects in fraud management?"

A purist security engineer can simply say "don't trust the client", but:

- It is the need of the hour.
- Fraudsters have forced enterprises to adopt a risk-balanced approach instead of the purist view.
- It provides the enterprise an agile way to counter the innovative fraudster.
- It builds a customer profile, which is extremely useful for finding abnormality if fraudsters suddenly stop or alter the client detection behaviour.
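The risk-balanced approach described above, as an added illustration that is not part of the original article: the backend treats the JavaScript device-health beacon as untrusted input that can only raise a session's risk, never vouch for it, and compares each beacon with the customer's server-side profile so that a beacon that stops arriving or reports an altered script stands out as abnormal. All field names, weights and thresholds are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class ClientTelemetry:
    """Device-health beacon sent by the page's JavaScript (hypothetical fields)."""
    present: bool                      # False when no beacon arrived this session
    fingerprint: str = ""
    script_version: str = ""           # version the client claims it is running
    malware_indicators: int = 0

@dataclass
class CustomerProfile:
    """Server-side history built from earlier, verified sessions (not client data)."""
    known_fingerprints: set = field(default_factory=set)
    expected_script_version: str = ""
    beacon_sessions: int = 0           # past sessions in which a beacon arrived

def score_session(profile, telemetry, server_signals):
    """Return (score, reasons). Client-side data can add risk but never remove it."""
    # Server-observed signals first; these do not depend on anything the client says.
    checks = [
        (server_signals.get("new_ip_country", False), 30, "ip_country_change"),
        (server_signals.get("amount_above_history", False), 30, "unusual_amount"),
    ]
    if not telemetry.present:
        # Silence from a customer whose sessions normally carry the beacon is itself
        # abnormal; a customer with no baseline gets no penalty for a missing beacon.
        checks.append((profile.beacon_sessions >= 5, 40, "beacon_missing"))
    else:
        checks += [
            (telemetry.fingerprint not in profile.known_fingerprints, 20, "unknown_device"),
            (telemetry.script_version != profile.expected_script_version, 25,
             "client_script_altered"),
            (telemetry.malware_indicators > 0, 40, "client_reports_malware"),
        ]
    reasons = [name for hit, _, name in checks if hit]
    score = sum(weight for hit, weight, _ in checks if hit)
    return score, reasons

def decide(score):
    """Map a risk score to an action; thresholds are illustrative."""
    if score >= 60:
        return "step_up"      # e.g. out-of-band confirmation before the payment proceeds
    if score >= 30:
        return "review"
    return "allow"

if __name__ == "__main__":
    # Constructed profile: a customer whose last 12 sessions all carried the beacon.
    profile = CustomerProfile({"fp-A1"}, "1.4", beacon_sessions=12)
    print(score_session(profile, ClientTelemetry(False), {"new_ip_country": True}))
```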
