SlideShare a Scribd company logo

Fraud Engineering, from Merchant Risk Council Annual Meeting 2012

Download as PPTX, PDF
Nick Galbreath, profile picture
Nick Galbreath

This document discusses fraud engineering at Etsy. It begins by introducing the author, Nick Galbreath, and his background in security. It then provides context about Etsy as an online marketplace. It outlines different types of risk like fraud, security threats, and business continuity. It emphasizes thinking about risk from both a fraud and security perspective. The document then provides examples of how different parts of the organization like technical operations, quality assurance, product, business operations, engineering, and customer service can work together on fraud prevention and leverages their existing tools and resources. It also provides a case study example of investigating mysterious data center logins. The overall message is about taking a holistic organizational approach to fraud engineering.

TechnologyBusiness
1 of 47
Downloaded 35 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Fraud Engineering nickg@etsy.com
Introduction and Context
Who is nickg?  Web Application background  Software Development background  Linux/Unix background  Most everything was either social media and/or ecommerce since 1994  I started at Etsy two years ago. There was no one dedicated on fraud and security in engineering.  A lot of this was learned the hard way  My perspective on fraud is probably a bit different. Season to taste.
Who is Etsy?  “Online marketplace for creative small businesses”  No inventory, marketplace. Instead we have both sides – Buyer risk – Seller risk  When fraud happens, it‟s not silent. It‟s public.  We lose trust (and money).  We are very sensitive to fraud and risk == a lot of R&D
What and Where is Risk? Many types of risk… but today we‟ll talk about  Fraud  Security  Internal Threats  Business Continuity  Physical Security  Intellectual property
Thinking about Risk and Fraud  “System working correctly, but with stolen or false credentials causing financial loss”  Constant, always happening.  More business focused  Continuous output (“fraud is 1%”)  Think: stolen credit cards, bogus seller that doesn’t ship goods.
Thinking about Risk and Application Security  “System working incorrectly when given invalid or unexpected input, causing financial loss, data loss/theft, system downtime, vandalism, or attack on another system.”  Unexploited problems exists, now.  Can be costly dealing with compliance, disclosure, legal.  More technical-focused  Binary Output (“we are breached, or not”)  Think: SQLi, XSS, buffer overflow attacks, data breach, etc  Of course, security flaws can be used to commit fraud
Account Takeover Blurs the Line  Account takeover crosses the boundaries from site security to personal member security.  Problems can be public  Fraud and Security two sides of same coin.
Fraud Engineering Let’s Leverage the Organization
Instead of this….
… you want this:
Let’s go!
Technical Operations
Log It  Leverage existing centralized logging (if not get it)  You can index it – lots of 3rd party solutions  Make new security/fraud/sensitive data log or namespace  Log this: – Password resets – Email changes – Credit card changes – Login failures Also great for internal risk monitoring.. Who is doing what
Graph It  Critical for visibility and promotion or your pain points  TechOps is likely using Ganglia and/or Graphite  Enhance the application using gmetric and/or StatsD Example: Login Success and Failures.
Monitor It  Now that you are logging and graphing, can you monitor and alert on outliers?  Likely Nagios or another system in place Don’t worry, Etsy is ok. This was from a dead machine.
PSA #1: Start the dialog for 100% SSL  SSL isn‟t just for login and checkout  Entire categories of risk are eliminated with 100%  Little to no additional load on infrastructure.  Evaluate your current setup at Qualsys SSL Labs https://www.ssllabs.com/  Get an “A” with Apache/OpenSSL using* SSLProtocol -all +TLSv1 +SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM (*) Assuming your patches are up-to-date
Quality Assurance .
Using the QA infrastructure  Zooming out, QA / Fraud / Security begin to look the same  A serious bug might be indistinguishable from fraud  QA typically tests positive flows  Fraud Engineering leverages QA to test negative flows. http://jenkins-ci.org/
Test Your Invariants Things that should be always true (or false). Super easy to test – “This page should always be SSL” – “This page should always require login” – “http://..../server-status” doesn‟t display to public” – “http://…/wp-admin” requires a password” – “This page should never displays the full credit card” – “Google never visits this page” You‟ll be amazed or frightened by the results
Unit test frameworks are excellent to (re)use oops
Use the central log to find… Syntax errors from the database! Certainly a bug, but perhaps SQLi attempts Uncaught DatabaseException: 42601 7 ERROR: syntax error at position 2 near "&" in SELECT COUNT(*) FROM convos WHERE uid = ? AND names LIKE „?‟ with [895724897,"Ll'or1=1"] at DBConnection.php based on a true story all queries and values changed to protect the guilty
… or find this?  Ungraceful exits  Really should never happen  Latent bug? Need to upgrade? Or probing attack?
Even if you can’t fix it, establish the base line and look for deviations from it
Product and BizOps
Product should be helping with The delicate balance between easy enough so you don‟t loose customers vs. hard enough so attackers go elsewhere vs. the barriers appropriate to risk.
Can you make security a desired feature?  Can you offer your best customers better security solutions so they don‟t have account takeover?  Has anyone even asked them?  Not necessarily resulting in more engineering work. – Site messaging improvements – Outreach – Customer education  How can you make account takeover recovery easier?  How can you message the user when they their email got erased or if they ?
BizOps  Have you talked to the email marketing and/or online-ad targeting groups?  The work they do is oddly similar to fraud analytics. – Breakdown by sales by country over time – Customer visit frequency by sales – Average purchase price – Basket Analysis  Helping them make their data more real time/visible helps the business and adds additional eyes on fraud
Engineering
Fraud Engineering  There is certainly pure fraud engineering: – Integration with risk management solutions – Rule and model building – Analysis and reporting – Behavior tracking  And there is certainly security engineering – Authentication and Authorization – CSRF / SQLi protections – Secure coding initiatives https://buildsecurityin.us-cert.gov/ But there is a lot more you can leverage from the organization.
Work on preventing false positives Eliminating false positives helps your risk management system work better.  Disable form submit buttons after being pressed (prevents double clicks)  Add rate limits to just about everything on the site Does not necessarily stop determined attackers, but… if someone is breaking or bumping up against your rate limits, you know they are up to something.
PSA #2: No passwords in plain text!  I beg of you.  Also don‟t store them as plain MD5 or SHA1  Use a “salted hash” system.  Start the process today!
Here’s a secret  Your engineers are bored.  90% of a computer science degree isn‟t used on a day to day basis  This is why open source projects exists: to work on cool stuff they can‟t do at work.  They have side-projects already  There is a huge cognitive surplus is sitting around.
Here’s another  This laptop is the equivalent of at least 8 Amazon EC2 “small” instances and has a terabyte of storage.  “Hard problems” such as machine learning, natural language processing, big data are rapidly being commoditized.  There is a huge computational surplus laying around the office.
Now that you know the secret, use it  Fraud problems are engineer-bait -- it‟s full of fun hard problems  Leverage your employees! Advertise your problems.  If that fails, find interns! I‟m sure your local schools will be happy to help.
Customer Service
Customer Service  They know more than you on how the site is working and performing.  All fraud ends up being a customer service problem  Improving customer service == improving fraud management.  Talk to them and build the best #(&^$*# tools that you can for them.  Gains of 4x-5x can occur by eliminating crap out of their workflow.
Case Study Mysterious Data Center Logins – Work In Progress
Case Study Customer Service was looking into some “problematic customers.” Login history didn‟t really make much sense. Got bounced to fraud engineering.
Case Study Looking into the IP addresses, and doing whois showed many were coming from “rent-a-slice” datacenters. Linode, Amazon, and Rackspace are used as an example. They are great companies and are recommend. No implication of wrong doing should be implied!
Case Study This lead to a side-project mapping the range of IP addresses that belong to rent-a-slice centers.
Case Study Now we graph it
Case Study Product is ok with throwing up CAPTCHAs on these accounts in certain cases since it‟s unlikely to interfere with the vast majority of users. http://www.google.com/recaptcha
Case Study Customer Service tool updated so reps can see if IP is a datacenter or not, and have direct access to whois Note: no implication that the hosting provider is or has done anything wrong. They might be victims of fraud themselves.
Case Study  Oddly many users are legit (privacy nuts? escaping great firewall of china?)  Working on CS/Product strategy to reach out to the legit customers on why.  Rolling out analysis to checkout/purchase.  Would love your feedback and help, so….
Case Study: Our List is Yours  Over 25,000,000 total IP addresses  Over 1700 IP blocks  Over 350 providers https://github.com/client9/ipcat
Nick Galbreath nickg@etsy.com @ngalbreath 2012-02-22

More Related Content

PDF
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Nick Galbreath
 
PDF
Fixing security by fixing software development
Nick Galbreath
 
PDF
Making operations visible - devopsdays tokyo 2013
Nick Galbreath
 
PDF
AppSec is Eating Security
Alex Stamos
 
ODP
Building an Open Source AppSec Pipeline
Matt Tesauro
 
PDF
dotSecurity2017
Zane Lackey
 
PDF
Chaos Engineering - The Art of Breaking Things in Production
Keet Sugathadasa
 
PPTX
Security and DevOps Overview
Adrian Sanabria
 
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Nick Galbreath
 
Fixing security by fixing software development
Nick Galbreath
 
Making operations visible - devopsdays tokyo 2013
Nick Galbreath
 
AppSec is Eating Security
Alex Stamos
 
Building an Open Source AppSec Pipeline
Matt Tesauro
 
dotSecurity2017
Zane Lackey
 
Chaos Engineering - The Art of Breaking Things in Production
Keet Sugathadasa
 
Security and DevOps Overview
Adrian Sanabria
 

What's hot (16)

PDF
AppSec Pipelines and Event based Security
Matt Tesauro
 
PPTX
(java2days) The Anatomy of Java Vulnerabilities
Steve Poole
 
PDF
Security at Scale - Lessons from Six Months at Yahoo
Alex Stamos
 
PDF
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
PPTX
Shifting left – embedding security into the devops pipeline by Mike d. Kail
DevSecCon
 
PPTX
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon
 
PDF
Silver Lining for Miles: DevOps for Building Security Solutions
SeniorStoryteller
 
PPTX
Introduction to Chaos Engineering
Raymond Adrian (Rad) Butalid
 
ODP
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
PDF
Chaos Engineering: Why the World Needs More Resilient Systems
C4Media
 
PPTX
451 AppSense Webinar - Why blame the user?
Adrian Sanabria
 
PDF
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
DJ Schleen
 
PPTX
The Journey to DevSecOps
SeniorStoryteller
 
PDF
Chaos Engineering
Yury Roa
 
PPTX
Humans by the hundred
Yelp Engineering
 
PPTX
Cloud, DevOps and the New Security Practitioner
Adrian Sanabria
 
AppSec Pipelines and Event based Security
Matt Tesauro
 
(java2days) The Anatomy of Java Vulnerabilities
Steve Poole
 
Security at Scale - Lessons from Six Months at Yahoo
Alex Stamos
 
Building a Secure DevOps Pipeline - for your AppSec Program
Matt Tesauro
 
Shifting left – embedding security into the devops pipeline by Mike d. Kail
DevSecCon
 
DevSecCon Singapore 2018 - Insecurity in information technology by Tanya Janca
DevSecCon
 
Silver Lining for Miles: DevOps for Building Security Solutions
SeniorStoryteller
 
Introduction to Chaos Engineering
Raymond Adrian (Rad) Butalid
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Matt Tesauro
 
Chaos Engineering: Why the World Needs More Resilient Systems
C4Media
 
451 AppSense Webinar - Why blame the user?
Adrian Sanabria
 
Blameless Retrospectives in DevSecOps (at Global Healthcare Giants)
DJ Schleen
 
The Journey to DevSecOps
SeniorStoryteller
 
Chaos Engineering
Yury Roa
 
Humans by the hundred
Yelp Engineering
 
Cloud, DevOps and the New Security Practitioner
Adrian Sanabria
 
Ad

Similar to Fraud Engineering, from Merchant Risk Council Annual Meeting 2012 (20)

PPT
Data Driven Security, from Gartner Security Summit 2012
Nick Galbreath
 
PDF
php blunders
decatv
 
PDF
OWASP TOP 10 by Team xbios
Vi Vek
 
PPTX
Dallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group
 
PPTX
Dallas websecuritygroup addressing-top-security-threats-v2
Dallas Web Security Group
 
PDF
Web Security
KHOANGUYNNGANH
 
PPTX
So Your Company Hired A Pentester
NorthBayWeb
 
PDF
The Life of Breached Data & The Dark Side of Security
Jarrod Overson
 
KEY
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
PDF
Secure Web Apps Training at Corporate College
WorkSmart Integrated Marketing
 
PDF
Security Firm Program - Corporate College
WorkSmart Integrated Marketing
 
PPT
Web Application Security
Colin English
 
PPTX
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
PPTX
State of the information security nation
SensePost
 
PPT
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
PPTX
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
PDF
GitHub: Secure Software Development for Financial Services
Debbie A. Everson
 
PPTX
Security is not a feature
Elizabeth Smith
 
PPTX
How to Test for The OWASP Top Ten
Security Innovation
 
PDF
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Data Driven Security, from Gartner Security Summit 2012
Nick Galbreath
 
php blunders
decatv
 
OWASP TOP 10 by Team xbios
Vi Vek
 
Dallas Web Security Group - February Meeting - Addressing Top Security Threats
Dallas Web Security Group
 
Dallas websecuritygroup addressing-top-security-threats-v2
Dallas Web Security Group
 
Web Security
KHOANGUYNNGANH
 
So Your Company Hired A Pentester
NorthBayWeb
 
The Life of Breached Data & The Dark Side of Security
Jarrod Overson
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
Nick Galbreath
 
Secure Web Apps Training at Corporate College
WorkSmart Integrated Marketing
 
Security Firm Program - Corporate College
WorkSmart Integrated Marketing
 
Web Application Security
Colin English
 
Presentation on Top 10 Vulnerabilities in Web Application
Md Mahfuzur Rahman
 
State of the information security nation
SensePost
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Alan Kan
 
Secure coding - Balgan - Tiago Henriques
Tiago Henriques
 
GitHub: Secure Software Development for Financial Services
Debbie A. Everson
 
Security is not a feature
Elizabeth Smith
 
How to Test for The OWASP Top Ten
Security Innovation
 
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Ad

More from Nick Galbreath (12)

PDF
DevOpsDays Austin 2013 Reading List
Nick Galbreath
 
PDF
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Nick Galbreath
 
PDF
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
Nick Galbreath
 
PDF
Rebooting Software Development - OWASP AppSecUSA
Nick Galbreath
 
KEY
libinjection and sqli obfuscation, presented at OWASP NYC
Nick Galbreath
 
KEY
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
Nick Galbreath
 
KEY
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Nick Galbreath
 
KEY
Time tested php with libtimemachine
Nick Galbreath
 
KEY
libinjection: a C library for SQLi detection, from Black Hat USA 2012
Nick Galbreath
 
KEY
New techniques in sql obfuscation, from DEFCON 20
Nick Galbreath
 
KEY
Slide show font sampler, black on white
Nick Galbreath
 
KEY
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Nick Galbreath
 
DevOpsDays Austin 2013 Reading List
Nick Galbreath
 
Care and Feeding of Large Scale Graphite Installations - DevOpsDays Austin 2013
Nick Galbreath
 
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013
Nick Galbreath
 
Rebooting Software Development - OWASP AppSecUSA
Nick Galbreath
 
libinjection and sqli obfuscation, presented at OWASP NYC
Nick Galbreath
 
libinjection: new technique in detecting SQLi attacks, iSEC Partners Open Forum
Nick Galbreath
 
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012
Nick Galbreath
 
Time tested php with libtimemachine
Nick Galbreath
 
libinjection: a C library for SQLi detection, from Black Hat USA 2012
Nick Galbreath
 
New techniques in sql obfuscation, from DEFCON 20
Nick Galbreath
 
Slide show font sampler, black on white
Nick Galbreath
 
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012
Nick Galbreath
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Cloud computing and distributed systems.
kkkkkhan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
KodekX | Application Modernization Development
KodekX
 
Encapsulation theory and applications.pdf
gurumoop
 
Approach and Philosophy of On baking technology
30anthuong17
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 

Fraud Engineering, from Merchant Risk Council Annual Meeting 2012

  • 1. Fraud Engineering nickg@etsy.com
  • 3. Who is nickg?  Web Application background  Software Development background  Linux/Unix background  Most everything was either social media and/or ecommerce since 1994  I started at Etsy two years ago. There was no one dedicated on fraud and security in engineering.  A lot of this was learned the hard way  My perspective on fraud is probably a bit different. Season to taste.
  • 4. Who is Etsy?  “Online marketplace for creative small businesses”  No inventory, marketplace. Instead we have both sides – Buyer risk – Seller risk  When fraud happens, it‟s not silent. It‟s public.  We lose trust (and money).  We are very sensitive to fraud and risk == a lot of R&D
  • 5. What and Where is Risk? Many types of risk… but today we‟ll talk about  Fraud  Security  Internal Threats  Business Continuity  Physical Security  Intellectual property
  • 6. Thinking about Risk and Fraud  “System working correctly, but with stolen or false credentials causing financial loss”  Constant, always happening.  More business focused  Continuous output (“fraud is 1%”)  Think: stolen credit cards, bogus seller that doesn’t ship goods.
  • 7. Thinking about Risk and Application Security  “System working incorrectly when given invalid or unexpected input, causing financial loss, data loss/theft, system downtime, vandalism, or attack on another system.”  Unexploited problems exists, now.  Can be costly dealing with compliance, disclosure, legal.  More technical-focused  Binary Output (“we are breached, or not”)  Think: SQLi, XSS, buffer overflow attacks, data breach, etc  Of course, security flaws can be used to commit fraud
  • 8. Account Takeover Blurs the Line  Account takeover crosses the boundaries from site security to personal member security.  Problems can be public  Fraud and Security two sides of same coin.
  • 11. … you want this:
  • 14. Log It  Leverage existing centralized logging (if not get it)  You can index it – lots of 3rd party solutions  Make new security/fraud/sensitive data log or namespace  Log this: – Password resets – Email changes – Credit card changes – Login failures Also great for internal risk monitoring.. Who is doing what
  • 15. Graph It  Critical for visibility and promotion or your pain points  TechOps is likely using Ganglia and/or Graphite  Enhance the application using gmetric and/or StatsD Example: Login Success and Failures.
  • 16. Monitor It  Now that you are logging and graphing, can you monitor and alert on outliers?  Likely Nagios or another system in place Don’t worry, Etsy is ok. This was from a dead machine.
  • 17. PSA #1: Start the dialog for 100% SSL  SSL isn‟t just for login and checkout  Entire categories of risk are eliminated with 100%  Little to no additional load on infrastructure.  Evaluate your current setup at Qualsys SSL Labs https://www.ssllabs.com/  Get an “A” with Apache/OpenSSL using* SSLProtocol -all +TLSv1 +SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM (*) Assuming your patches are up-to-date
  • 19. Using the QA infrastructure  Zooming out, QA / Fraud / Security begin to look the same  A serious bug might be indistinguishable from fraud  QA typically tests positive flows  Fraud Engineering leverages QA to test negative flows. http://jenkins-ci.org/
  • 20. Test Your Invariants Things that should be always true (or false). Super easy to test – “This page should always be SSL” – “This page should always require login” – “http://..../server-status” doesn‟t display to public” – “http://…/wp-admin” requires a password” – “This page should never displays the full credit card” – “Google never visits this page” You‟ll be amazed or frightened by the results
  • 21. Unit test frameworks are excellent to (re)use oops
  • 22. Use the central log to find… Syntax errors from the database! Certainly a bug, but perhaps SQLi attempts Uncaught DatabaseException: 42601 7 ERROR: syntax error at position 2 near "&" in SELECT COUNT(*) FROM convos WHERE uid = ? AND names LIKE „?‟ with [895724897,"Ll'or1=1"] at DBConnection.php based on a true story all queries and values changed to protect the guilty
  • 23. … or find this?  Ungraceful exits  Really should never happen  Latent bug? Need to upgrade? Or probing attack?
  • 24. Even if you can’t fix it, establish the base line and look for deviations from it
  • 26. Product should be helping with The delicate balance between easy enough so you don‟t loose customers vs. hard enough so attackers go elsewhere vs. the barriers appropriate to risk.
  • 27. Can you make security a desired feature?  Can you offer your best customers better security solutions so they don‟t have account takeover?  Has anyone even asked them?  Not necessarily resulting in more engineering work. – Site messaging improvements – Outreach – Customer education  How can you make account takeover recovery easier?  How can you message the user when they their email got erased or if they ?
  • 28. BizOps  Have you talked to the email marketing and/or online-ad targeting groups?  The work they do is oddly similar to fraud analytics. – Breakdown by sales by country over time – Customer visit frequency by sales – Average purchase price – Basket Analysis  Helping them make their data more real time/visible helps the business and adds additional eyes on fraud
  • 30. Fraud Engineering  There is certainly pure fraud engineering: – Integration with risk management solutions – Rule and model building – Analysis and reporting – Behavior tracking  And there is certainly security engineering – Authentication and Authorization – CSRF / SQLi protections – Secure coding initiatives https://buildsecurityin.us-cert.gov/ But there is a lot more you can leverage from the organization.
  • 31. Work on preventing false positives Eliminating false positives helps your risk management system work better.  Disable form submit buttons after being pressed (prevents double clicks)  Add rate limits to just about everything on the site Does not necessarily stop determined attackers, but… if someone is breaking or bumping up against your rate limits, you know they are up to something.
  • 32. PSA #2: No passwords in plain text!  I beg of you.  Also don‟t store them as plain MD5 or SHA1  Use a “salted hash” system.  Start the process today!
  • 33. Here’s a secret  Your engineers are bored.  90% of a computer science degree isn‟t used on a day to day basis  This is why open source projects exists: to work on cool stuff they can‟t do at work.  They have side-projects already  There is a huge cognitive surplus is sitting around.
  • 34. Here’s another  This laptop is the equivalent of at least 8 Amazon EC2 “small” instances and has a terabyte of storage.  “Hard problems” such as machine learning, natural language processing, big data are rapidly being commoditized.  There is a huge computational surplus laying around the office.
  • 35. Now that you know the secret, use it  Fraud problems are engineer-bait -- it‟s full of fun hard problems  Leverage your employees! Advertise your problems.  If that fails, find interns! I‟m sure your local schools will be happy to help.
  • 37. Customer Service  They know more than you on how the site is working and performing.  All fraud ends up being a customer service problem  Improving customer service == improving fraud management.  Talk to them and build the best #(&^$*# tools that you can for them.  Gains of 4x-5x can occur by eliminating crap out of their workflow.
  • 38. Case Study Mysterious Data Center Logins – Work In Progress
  • 39. Case Study Customer Service was looking into some “problematic customers.” Login history didn‟t really make much sense. Got bounced to fraud engineering.
  • 40. Case Study Looking into the IP addresses, and doing whois showed many were coming from “rent-a-slice” datacenters. Linode, Amazon, and Rackspace are used as an example. They are great companies and are recommend. No implication of wrong doing should be implied!
  • 41. Case Study This lead to a side-project mapping the range of IP addresses that belong to rent-a-slice centers.
  • 42. Case Study Now we graph it
  • 43. Case Study Product is ok with throwing up CAPTCHAs on these accounts in certain cases since it‟s unlikely to interfere with the vast majority of users. http://www.google.com/recaptcha
  • 44. Case Study Customer Service tool updated so reps can see if IP is a datacenter or not, and have direct access to whois Note: no implication that the hosting provider is or has done anything wrong. They might be victims of fraud themselves.
  • 45. Case Study  Oddly many users are legit (privacy nuts? escaping great firewall of china?)  Working on CS/Product strategy to reach out to the legit customers on why.  Rolling out analysis to checkout/purchase.  Would love your feedback and help, so….
  • 46. Case Study: Our List is Yours  Over 25,000,000 total IP addresses  Over 1700 IP blocks  Over 350 providers https://github.com/client9/ipcat
  • 47. Nick Galbreath nickg@etsy.com @ngalbreath 2012-02-22