Fraud Engineering, Nick Galbreath (nickg@etsy.com)
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012

Introduction and Context

Who is nickg?
Web application, software development and Linux/Unix background. Most everything was either social media and/or ecommerce since 1994. I started at Etsy two years ago; there was no one dedicated to fraud and security in engineering. A lot of this was learned the hard way. My perspective on fraud is probably a bit different. Season to taste.

Who is Etsy?
"Online marketplace for creative small businesses." No inventory; it is a marketplace, so we carry risk on both sides:
– Buyer risk
– Seller risk
When fraud happens, it's not silent. It's public. We lose trust (and money). We are very sensitive to fraud and risk == a lot of R&D.

What and Where is Risk?
There are many types of risk; today we'll talk about:
– Fraud
– Security
– Internal threats
– Business continuity
– Physical security
– Intellectual property

Thinking about Risk and Fraud
"System working correctly, but with stolen or false credentials, causing financial loss."
– Constant, always happening
– More business-focused
– Continuous output ("fraud is 1%")
– Think: stolen credit cards, a bogus seller that doesn't ship goods

Thinking about Risk and Application Security
"System working incorrectly when given invalid or unexpected input, causing financial loss, data loss/theft, system downtime, vandalism, or attack on another system."
– Unexploited problems exist, now
– Can be costly: compliance, disclosure, legal
– More technical-focused
– Binary output ("we are breached, or not")
– Think: SQLi, XSS, buffer overflow attacks, data breach, etc.
Of course, security flaws can be used to commit fraud.

Account Takeover Blurs the Line
Account takeover crosses the boundary from site security to personal member security. Problems can be public. Fraud and security are two sides of the same coin.
Fraud Engineering: Let's Leverage the Organization

Instead of this… (diagram slide)

… you want this: (diagram slide)

Let's go!

Technical Operations
Log It
Leverage existing centralized logging (if you don't have it, get it). You can index it; there are lots of third-party solutions. Make a new security/fraud/sensitive-data log or namespace. Log this:
– Password resets
– Email changes
– Credit card changes
– Login failures
Also great for internal risk monitoring: who is doing what.

Graph It
Critical for visibility and for promoting your pain points. TechOps is likely already using Ganglia and/or Graphite; enhance the application using gmetric and/or StatsD. Example: login successes and failures.

Monitor It
Now that you are logging and graphing, can you monitor and alert on outliers? There is likely Nagios or another system already in place. (Graph slide. Don't worry, Etsy is ok: this was from a dead machine.)
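The three steps above (log it, graph it, monitor it) as one added example; this is not Etsy's code. Security events are written as one JSON line each to a dedicated logger namespace, a StatsD-style counter is bumped per event, and a baseline-and-deviation check flags a minute whose login-failure count is far above the minutes before it. The "security" namespace name, the metric names, the IP addresses, the thresholds and the log lines themselves are constructed for the example.

```python
"""Added example (not Etsy's code): log security events to a dedicated
namespace, count them StatsD-style, and flag minutes that deviate from the
baseline. The "security" logger name, the StatsD metric names, the IP
addresses and the log lines below are all constructed for this example."""
import json
import logging
import statistics
from collections import Counter
from datetime import datetime, timezone

SECURITY_LOG = logging.getLogger("security")  # assumed dedicated namespace


def log_security_event(event, uid, ip, ts=None, **extra):
    """Write one JSON record (one line, easy to index) and return it."""
    record = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "event": event,   # e.g. password.reset, email.change, login.failure
        "uid": uid,
        "ip": ip,
    }
    record.update(extra)
    SECURITY_LOG.info(json.dumps(record, sort_keys=True))
    return record


class Metrics:
    """In-memory stand-in for a StatsD client: incr() returns the datagram a
    real client would send (name:value|c) and keeps a running total."""

    def __init__(self):
        self.counts = Counter()

    def incr(self, metric, n=1):
        self.counts[metric] += n
        return f"{metric}:{n}|c"


def count_per_minute(lines, event):
    """Bucket JSON log lines for `event` by minute: 'YYYY-MM-DDTHH:MM' -> n."""
    buckets = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") == event:
            buckets[rec["ts"][:16]] += 1
    return dict(sorted(buckets.items()))


def outlier_minutes(buckets, sigma=3.0, min_baseline=5):
    """Flag a minute whose count exceeds mean + sigma*stdev of the minutes
    before it. The stdev floor of 1 keeps a perfectly flat baseline from
    alerting on a single extra failure."""
    flagged = []
    keys = list(buckets)
    for i, key in enumerate(keys):
        baseline = [buckets[k] for k in keys[:i]]
        if len(baseline) < min_baseline:
            continue
        threshold = statistics.mean(baseline) + sigma * max(statistics.pstdev(baseline), 1.0)
        if buckets[key] > threshold:
            flagged.append(key)
    return flagged


def sample_security_log():
    """Constructed log: six quiet minutes, then a burst from one address."""
    lines = []
    per_minute = [3, 2, 4, 3, 2, 3, 40]
    for minute, n in enumerate(per_minute):
        for i in range(n):
            ts = datetime(2012, 2, 22, 10, minute, i, tzinfo=timezone.utc)
            ip = "203.0.113.7" if n > 10 else f"198.51.100.{i + 1}"
            rec = log_security_event("login.failure", uid=1000 + i, ip=ip, ts=ts)
            lines.append(json.dumps(rec, sort_keys=True))
    return lines


def demo():
    """Returns (total login failures counted, per-minute buckets, flagged minutes)."""
    metrics = Metrics()
    lines = sample_security_log()
    for line in lines:
        metrics.incr(json.loads(line)["event"])
    buckets = count_per_minute(lines, "login.failure")
    return metrics.counts["login.failure"], buckets, outlier_minutes(buckets)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s %(message)s")
    total, buckets, flagged = demo()
    print(total, buckets, "outliers:", flagged)
```

In production the counter would be a real StatsD/gmetric client and the per-minute series would come from Graphite; the deviation check is the part that belongs in the alerting layer, and the baseline length and sigma are the two knobs to tune against your own false-positive rate.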
PSA #1: Start the dialog for 100% SSL
SSL isn't just for login and checkout. Entire categories of risk are eliminated with 100% SSL, and with little to no additional load on infrastructure. Evaluate your current setup at Qualys SSL Labs, https://www.ssllabs.com/. In 2012 you could get an "A" with Apache/OpenSSL using (*):
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
(*) Assuming your patches are up-to-date.
Caveat: those two directives are a 2012 snapshot. SSLv3 has since been broken (POODLE, 2014), and a configuration that still enables it or admits MD5-based suites no longer rates an "A"; re-check against the current SSL Labs grading rather than copying the lines above.
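An added configuration example, not taken from the slides: the 2012 directives quoted above, kept for comparison, next to a current Apache equivalent that also does the "100%" part by sending every plaintext request to HTTPS. The hostname and certificate paths are placeholders; the TLSv1.3 keyword needs httpd 2.4.37 or later built against OpenSSL 1.1.1 or later, and the Strict-Transport-Security header needs mod_headers.

```apache
# Added example, not from the slides. Hostname and certificate paths are placeholders.

# 2012 directives (weak today): SSLv3 is broken and MD5 suites are admitted.
# SSLProtocol -all +TLSv1 +SSLv3
# SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

# "100% SSL": every plaintext request is redirected to HTTPS.
<VirtualHost *:80>
    ServerName shop.example
    Redirect permanent / https://shop.example/
</VirtualHost>

# Current equivalent: TLS 1.2/1.3 only, AEAD suites with forward secrecy.
<VirtualHost *:443>
    ServerName shop.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.pem
    SSLCertificateKeyFile /etc/ssl/private/shop.example.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLCompression off
    # Browsers remember to use HTTPS only, so the :80 redirect is rarely hit (mod_headers).
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
```

Start HSTS with a short max-age until every subdomain really is served over HTTPS; once the header is cached, a host that falls back to plaintext is simply unreachable for those browsers.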
Quality Assurance

Using the QA infrastructure
Zooming out, QA, fraud and security begin to look the same: a serious bug might be indistinguishable from fraud. QA typically tests positive flows; fraud engineering leverages QA to test negative flows. http://jenkins-ci.org/

Test Your Invariants
Things that should be always true (or false). Super easy to test:
– "This page should always be SSL"
– "This page should always require login"
– "http://..../server-status doesn't display to the public"
– "http://…/wp-admin requires a password"
– "This page should never display the full credit card number"
– "Google never visits this page"
You'll be amazed or frightened by the results.

Unit test frameworks are excellent to (re)use. (Screenshot of a failing test: "oops".)
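The invariants listed above, each written as a check that can run under any unit-test runner. This is an added example, not Etsy's test suite: every check takes a fetch(url) callable returning (status, headers, body), so the same functions run against a live site or, as here, against a constructed fake site. The hostname shop.example, the paths and the responses are made up, and two of them deliberately violate an invariant so the output shows what a failing "oops" looks like.

```python
"""Added example, not Etsy's test suite: each invariant from the slide as a
function over a fetch(url) -> (status, headers, body) callable, run against a
constructed fake site so it works offline. Hostname, paths and responses are
made up; two of them deliberately violate an invariant."""
import re

HOST = "shop.example"

# Constructed responses standing in for the live site.
FAKE_SITE = {
    "http://shop.example/checkout": (301, {"Location": "https://shop.example/checkout"}, ""),
    "https://shop.example/checkout": (200, {}, "Pay with the card ending in 4242"),
    "https://shop.example/account": (302, {"Location": "https://shop.example/login"}, ""),
    "https://shop.example/server-status": (200, {}, "Apache Server Status for shop.example"),  # oops
    "https://shop.example/wp-admin": (401, {"WWW-Authenticate": "Basic realm=admin"}, ""),
    "https://shop.example/receipt/123": (200, {}, "Card: 4111 1111 1111 1111 exp 01/14"),  # oops
    "https://shop.example/robots.txt": (200, {}, "User-agent: *\nDisallow: /account\nDisallow: /wp-admin\n"),
}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, {}, ""))


def always_ssl(fetch, path):
    """Plain HTTP must redirect to https://, never serve the page."""
    status, headers, _ = fetch(f"http://{HOST}{path}")
    return status in (301, 302, 307, 308) and headers.get("Location", "").startswith("https://")


def requires_login(fetch, path):
    """Unauthenticated: either a 401/403 or a redirect to the login page."""
    status, headers, _ = fetch(f"https://{HOST}{path}")
    if status in (401, 403):
        return True
    return status in (301, 302, 303, 307) and "/login" in headers.get("Location", "")


def not_public(fetch, path):
    status, _, _ = fetch(f"https://{HOST}{path}")
    return status in (401, 403, 404)


def luhn_ok(digits):
    """Luhn check digit test, used to tell a card number from any long digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"(?:\d[ -]?){13,19}")


def never_shows_full_card(fetch, path):
    """A 13-19 digit run that passes Luhn is treated as a leaked card number."""
    _, _, body = fetch(f"https://{HOST}{path}")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return False
    return True


def hidden_from_google(fetch, path):
    """Covered by a robots.txt Disallow, or served with X-Robots-Tag: noindex."""
    _, _, robots = fetch(f"https://{HOST}/robots.txt")
    disallowed = [ln.split(":", 1)[1].strip() for ln in robots.splitlines()
                  if ln.lower().startswith("disallow:")]
    if any(d and path.startswith(d) for d in disallowed):
        return True
    _, headers, _ = fetch(f"https://{HOST}{path}")
    return "noindex" in headers.get("X-Robots-Tag", "").lower()


INVARIANTS = [
    ("/checkout is always SSL", lambda f: always_ssl(f, "/checkout")),
    ("/account requires login", lambda f: requires_login(f, "/account")),
    ("/server-status is not public", lambda f: not_public(f, "/server-status")),
    ("/wp-admin requires a password", lambda f: requires_login(f, "/wp-admin")),
    ("/receipt never shows a full card number", lambda f: never_shows_full_card(f, "/receipt/123")),
    ("/account is hidden from Google", lambda f: hidden_from_google(f, "/account")),
]


def run_invariants(fetch=fake_fetch):
    """name -> True if the invariant holds; wrap each entry in a test case."""
    return {name: check(fetch) for name, check in INVARIANTS}


if __name__ == "__main__":
    for name, ok in run_invariants().items():
        print("ok  " if ok else "OOPS", name)
```

Run against the real site, fetch would be a thin wrapper over an HTTP client with redirects disabled (the redirect itself is what the SSL and login checks inspect). The card-number check is deliberately conservative: a Luhn-valid 13 to 19 digit run in a rendered page is worth a failing test even when it turns out to be an order number.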
Use the central log to find…
Syntax errors from the database! Certainly a bug, but perhaps SQLi attempts:

Uncaught DatabaseException: 42601 7 ERROR: syntax error at position 2 near "&" in
SELECT COUNT(*) FROM convos WHERE uid = ? AND names LIKE '?'
with [895724897, "Ll'or1=1"]
at DBConnection.php

Based on a true story; all queries and values changed to protect the guilty. (SQLSTATE 42601 is PostgreSQL's syntax_error.) Note the quoted placeholder LIKE '?' in the query as shown: inside a string literal a ? is a literal question mark, not a bind parameter, which is exactly the kind of mistake that turns a probe like 'or1=1 into a working injection.
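The "bug or probe?" question above, turned into triage logic you can run over the central log. This is an added example, not Etsy's code: it parses DatabaseException lines in the shape of the one on the slide, looks at the bound values rather than the SQL (a value carrying a quote-then-OR, a tautology, a comment marker or a UNION SELECT is a probe; an undefined column with an integer bound is a bug), and counts which files attract probes. The four sample lines, the table and file names are constructed; the first follows the slide's already-altered example.

```python
"""Added example, not Etsy's code: triage DatabaseException log lines into
plain bugs versus probable injection probes by inspecting the bound values.
The log lines, table names and file names below are constructed, modelled on
the (already altered) line shown on the slide."""
import json
import re
from collections import Counter

LINE_RE = re.compile(
    r"DatabaseException: (?P<sqlstate>\w{5}) \d+ ERROR: (?P<msg>.*?) in "
    r"(?P<sql>.*?) with (?P<params>\[.*\]) at (?P<file>\S+)"
)

# Each pattern names one injection idiom found in a *bound value*.
PROBE_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s*[\d'(]", re.I), "quote-then-OR/AND"),
    (re.compile(r"(\d+)\s*=\s*\1\b"), "tautology"),
    (re.compile(r"--|/\*"), "sql-comment"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "union-select"),
    (re.compile(r";\s*(drop|delete|update|insert)\b", re.I), "stacked-query"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I), "time-based"),
]


def probe_reasons(value):
    """Which injection idioms a single bound value exhibits (empty = none)."""
    return [name for pat, name in PROBE_PATTERNS if pat.search(str(value))]


def triage(lines):
    """Parse each exception line; 'probable-probe' if any bound value matches
    an injection idiom, otherwise 'bug'. Unparseable lines are kept and
    labelled rather than silently dropped."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            out.append({"verdict": "unparsed", "line": line})
            continue
        params = json.loads(m["params"])
        reasons = sorted({r for p in params for r in probe_reasons(p)})
        out.append({
            "file": m["file"],
            "sqlstate": m["sqlstate"],
            "params": params,
            "reasons": reasons,
            "verdict": "probable-probe" if reasons else "bug",
        })
    return out


def summarize(triaged):
    """verdict -> count, plus the files that attract probes (where to look first)."""
    return (Counter(t["verdict"] for t in triaged),
            Counter(t["file"] for t in triaged if t["verdict"] == "probable-probe"))


# Constructed sample lines (the first follows the slide's altered example).
SAMPLE_LINES = [
    'Uncaught DatabaseException: 42601 7 ERROR: syntax error at position 2 near "&" in '
    "SELECT COUNT(*) FROM convos WHERE uid = ? AND names LIKE '?' with "
    '[895724897,"Ll\'or1=1"] at DBConnection.php',
    'Uncaught DatabaseException: 42703 7 ERROR: column "nmae" does not exist in '
    "SELECT nmae FROM users WHERE id = ? with [42] at UserModel.php",
    "Uncaught DatabaseException: 42601 7 ERROR: syntax error at end of input in "
    "SELECT * FROM shops WHERE name = '?' with "
    '["x\' UNION SELECT password FROM users --"] at ShopModel.php',
    "Uncaught DatabaseException: 22001 7 ERROR: value too long for type character varying(20) in "
    'INSERT INTO users (name) VALUES (?) with ["O\'Brien-Fitzgerald-Whittaker"] at UserModel.php',
]


if __name__ == "__main__":
    for t in triage(SAMPLE_LINES):
        print(t["verdict"], t.get("file"), t.get("reasons"))
    print(summarize(triage(SAMPLE_LINES)))
```

The fourth line is there for the false-positive case the slide's own example hints at: an apostrophe in a legitimate name must not be flagged, so the patterns key on quote-plus-operator rather than on quotes alone. Either verdict is actionable; a probe tells you where someone is poking, and a bug on the same query is the thing that would let them in.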
… or find this?
Ungraceful exits. These really should never happen. (Screenshot slide.) Latent bug? Need to upgrade? Or a probing attack?

Even if you can't fix it, establish the baseline and look for deviations from it.
Product and BizOps

Product should be helping with the delicate balance between:
– easy enough so you don't lose customers, vs.
– hard enough so attackers go elsewhere, vs.
– barriers appropriate to the risk.

Can you make security a desired feature?
Can you offer your best customers better security solutions so they don't suffer account takeover? Has anyone even asked them? This doesn't necessarily result in more engineering work:
– Site messaging improvements
– Outreach
– Customer education
How can you make account takeover recovery easier? How can you message the user when their email got erased or if they ?

BizOps
Have you talked to the email marketing and/or online-ad targeting groups? The work they do is oddly similar to fraud analytics:
– Breakdown of sales by country over time
– Customer visit frequency by sales
– Average purchase price
– Basket analysis
Helping them make their data more real-time and visible helps the business and adds additional eyes on fraud.

Engineering

Fraud Engineering
There is certainly pure fraud engineering:
– Integration with risk management solutions
– Rule and model building
– Analysis and reporting
– Behavior tracking
And there is certainly security engineering:
– Authentication and authorization
– CSRF / SQLi protections
– Secure coding initiatives, https://buildsecurityin.us-cert.gov/
But there is a lot more you can leverage from the organization.
Work on preventing false positives
Eliminating false positives helps your risk management system work better:
– Disable form submit buttons after they are pressed (prevents double clicks)
– Add rate limits to just about everything on the site
This does not necessarily stop determined attackers, but if someone is breaking or bumping up against your rate limits, you know they are up to something.
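Both items above as one added example, not Etsy's code. The rate limiter is a sliding window per key that also records how often each key was refused, which is the "bumping up against your rate limits" signal the slide describes. The submit guard is the server-side half of the double-click fix: disabling the button in the browser stops honest double clicks, but anyone who cares can bypass it, so each rendered form gets a one-time token and the second submit with the same token is rejected. Keys, limits, the addresses and the fake clock in the simulation are constructed.

```python
"""Added example, not Etsy's code: a sliding-window rate limiter that also
records who keeps hitting the limit (the signal the slide describes), and a
server-side one-time token that makes a double-clicked submit harmless even
when the client-side button-disabling is bypassed. Keys, limits and the
addresses in the simulation are constructed."""
import secrets
import time
from collections import defaultdict, deque


class RateLimiter:
    """At most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.events = defaultdict(deque)   # key -> timestamps of allowed events
        self.denied = defaultdict(int)     # key -> how often it hit the limit

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()                    # drop events outside the window
        if len(q) >= self.limit:
            self.denied[key] += 1          # bumping the limit is itself a signal
            return False
        q.append(now)
        return True

    def suspicious(self, min_denials=1):
        """Keys worth a second look: refused at least this many times."""
        return {k: n for k, n in self.denied.items() if n >= min_denials}


class SubmitGuard:
    """One token per rendered form; a second submit with the same token is
    rejected, so a double click cannot create two orders or two reports."""

    def __init__(self):
        self.issued, self.used = set(), set()

    def issue(self):
        token = secrets.token_urlsafe(16)  # embed in the form as a hidden field
        self.issued.add(token)
        return token

    def submit(self, token):
        if token not in self.issued or token in self.used:
            return False
        self.used.add(token)
        return True


def simulate():
    """Drive both guards with a fake clock and return what happened."""
    t = [0.0]                              # controllable clock for the example
    rl = RateLimiter(limit=5, window=60, clock=lambda: t[0])
    out = {"attacker_allowed": 0, "attacker_denied": 0}
    for _ in range(8):                     # 8 login attempts in under a second
        t[0] += 0.1
        if rl.allow("login:203.0.113.7"):
            out["attacker_allowed"] += 1
        else:
            out["attacker_denied"] += 1
    out["normal_user_ok"] = all(rl.allow("login:198.51.100.9") for _ in range(2))
    t[0] += 61                             # window has passed: allowed again
    out["attacker_after_window"] = rl.allow("login:203.0.113.7")
    out["suspicious"] = rl.suspicious()
    guard = SubmitGuard()
    token = guard.issue()
    out["first_submit"], out["second_submit"] = guard.submit(token), guard.submit(token)
    out["forged_submit"] = guard.submit("not-a-token-we-issued")
    return out


if __name__ == "__main__":
    print(simulate())
```

Key the limiter on more than one dimension (account, source address, and the action) so a single shared NAT does not lock out a whole office while a distributed attacker slips under a per-IP limit; the denied counter per key is what you graph and alert on, per the Technical Operations section above.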
PSA #2: No passwords in plain text!
I beg of you. Also don't store them as plain MD5 or SHA-1. Use a "salted hash" system. Start the process today!
Caveat: "salted hash" is the 2012 floor, not the ceiling. A salt defeats precomputed tables but does nothing about speed, and a salted MD5 or SHA-1 can still be brute-forced at billions of guesses per second on commodity GPUs. Use a deliberately slow, salted password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count).
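What "start the process today" can look like in code, as an added example that is not Etsy's: per-user salted, deliberately slow hashing with the standard library's PBKDF2-HMAC-SHA256, constant-time verification, and a login-time upgrade path for the unsalted MD5/SHA-1 records the slide warns about. The self-describing record format algo$iterations$salt$hash and the iteration count are choices made here (the count follows OWASP's current PBKDF2-HMAC-SHA256 guidance), not anything from the slides.

```python
"""Added example, not Etsy's code: per-user salted, deliberately slow password
hashing with the standard library (PBKDF2-HMAC-SHA256), constant-time
verification, and an upgrade path for the unsalted MD5/SHA-1 records the
slide warns about. The record format "algo$iterations$salt$hash" and the
iteration count are choices made here, not anything from the slides."""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's current PBKDF2-HMAC-SHA256 recommendation


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Fresh 16-byte random salt per password; returns a self-describing record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def verify_password(record, password):
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def is_legacy(record):
    """Unsalted hex MD5 (32 chars) or SHA-1 (40 chars): what not to store."""
    return "$" not in record and len(record) in (32, 40)


def legacy_md5_record(password):
    """Builds the kind of record a pre-migration table holds (demo only)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_and_upgrade(record, password):
    """Login-time check. Returns (ok, new_record); new_record is not None when
    the stored record should be replaced, i.e. it was a legacy hash or was
    made with fewer iterations than the current setting."""
    if is_legacy(record):
        legacy = hashlib.md5 if len(record) == 32 else hashlib.sha1
        ok = hmac.compare_digest(legacy(password.encode("utf-8")).hexdigest(), record)
        return ok, (hash_password(password) if ok else None)
    ok = verify_password(record, password)
    if ok and int(record.split("$")[1]) < ITERATIONS:
        return True, hash_password(password)
    return ok, None


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"),
          verify_password(rec, "Tr0ub4dor&3"))
    print(verify_and_upgrade(legacy_md5_record("hunter2"), "hunter2"))
```

Upgrading on login leaves the legacy hashes of users who never return sitting in the table. If that is unacceptable, wrap every legacy record immediately instead (run the stored MD5/SHA-1 hex through the slow hash as if it were the password, and mark the record as wrapped) so no unsalted hash survives in storage at all; the same verify-and-rewrite pattern then unwraps it on the next successful login.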
Here's a secret
Your engineers are bored. 90% of a computer science degree isn't used on a day-to-day basis. This is why open source projects exist: to work on cool stuff they can't do at work. They have side projects already. There is a huge cognitive surplus sitting around.

Here's another
This laptop is the equivalent of at least 8 Amazon EC2 "small" instances and has a terabyte of storage. "Hard problems" such as machine learning, natural language processing and big data are rapidly being commoditized. There is a huge computational surplus lying around the office.

Now that you know the secret, use it
Fraud problems are engineer-bait: they are full of fun, hard problems. Leverage your employees! Advertise your problems. If that fails, find interns; I'm sure your local schools will be happy to help.

Customer Service

Customer Service
They know more than you about how the site is working and performing. All fraud ends up being a customer service problem, so improving customer service == improving fraud management. Talk to them and build the best #(&^$*# tools that you can for them. Gains of 4x-5x can occur by eliminating the crap from their workflow.
Case Study: Mysterious Data Center Logins (Work In Progress)

Customer Service was looking into some "problematic customers." Their login history didn't really make much sense. Got bounced to fraud engineering.

Looking into the IP addresses and doing whois showed many were coming from "rent-a-slice" datacenters. (Linode, Amazon and Rackspace are used as examples. They are great companies and are recommended. No implication of wrongdoing should be inferred!)

This led to a side project mapping the ranges of IP addresses that belong to rent-a-slice centers.

Now we graph it. (Graph slide.)

Product is ok with throwing up CAPTCHAs on these accounts in certain cases, since it's unlikely to interfere with the vast majority of users. http://www.google.com/recaptcha

The Customer Service tool was updated so reps can see whether an IP is a datacenter or not, with direct access to whois. Note: no implication that the hosting provider is or has done anything wrong. They might be victims of fraud themselves.

Oddly, many of these users are legit (privacy nuts? escaping the Great Firewall of China?). Working on a CS/Product strategy to reach out to the legit customers and ask why. Rolling the analysis out to checkout/purchase. Would love your feedback and help, so…

Case Study: Our List is Yours
Over 25,000,000 total IP addresses, over 1700 IP blocks, over 350 providers: https://github.com/client9/ipcat
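The case study's pipeline, as an added example that is neither Etsy's nor ipcat's code: load a datacenter range list, classify login addresses against it with a binary search, and derive the two things the slides built on top (the CAPTCHA decision that Product signed off on, and the datacenter/whois lookup for the customer-service tool). The CSV columns assumed here (start,end,name,url), the ranges, provider names, user ids and login rows are all constructed; the documentation prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for real providers.

```python
"""Added example, not Etsy's or ipcat's code: load a datacenter IP-range list,
classify login addresses against it with a binary search, and derive the two
things the case study built on it (a CAPTCHA decision and a CS tool lookup).
The CSV columns assumed here (start,end,name,url), the ranges, hostnames,
user ids and login rows are all constructed."""
import bisect
import csv
import io
import ipaddress
from collections import Counter

SAMPLE_RANGES_CSV = """\
start,end,name,url
203.0.113.0,203.0.113.255,Example Hosting C,https://hosting-c.example
192.0.2.0,192.0.2.255,Example Cloud A,https://cloud-a.example
198.51.100.0,198.51.100.127,Example VPS B,https://vps-b.example
"""


class DatacenterIndex:
    """Sorted, non-overlapping ranges; lookup is O(log n) via bisect."""

    def __init__(self, csv_text):
        rows = list(csv.DictReader(io.StringIO(csv_text)))
        rows.sort(key=lambda r: int(ipaddress.ip_address(r["start"])))
        self.starts = [int(ipaddress.ip_address(r["start"])) for r in rows]
        self.ends = [int(ipaddress.ip_address(r["end"])) for r in rows]
        self.names = [r["name"] for r in rows]

    def lookup(self, ip):
        """Provider name if `ip` falls inside a listed range, else None."""
        n = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.starts[i] <= n <= self.ends[i]:
            return self.names[i]
        return None


# Constructed login history: (uid, ip, action).
SAMPLE_LOGINS = [
    (101, "198.51.100.42", "login"),
    (101, "198.51.100.43", "login"),
    (102, "203.0.113.9", "checkout"),
    (103, "100.64.1.5", "login"),        # stand-in for a residential address
    (104, "192.0.2.77", "login"),
    (105, "198.51.100.200", "login"),    # just past the end of the VPS B block
]


def summarize(index, logins):
    """Graph-ready counts per provider, plus the accounts that touched one."""
    per_provider, uids = Counter(), set()
    for uid, ip, _action in logins:
        name = index.lookup(ip)
        if name:
            per_provider[name] += 1
            uids.add(uid)
    return per_provider, uids


def should_challenge(index, ip, action, actions=("login", "checkout")):
    """CAPTCHA only where Product agreed it is acceptable (assumed here: login
    and checkout); datacenter traffic elsewhere on the site is left alone."""
    return index.lookup(ip) is not None and action in actions


def cs_view(index, ip):
    """What the customer-service tool shows a rep for one address."""
    name = index.lookup(ip)
    return {"ip": ip, "datacenter": name or "no", "whois": f"whois {ip}"}


if __name__ == "__main__":
    idx = DatacenterIndex(SAMPLE_RANGES_CSV)
    print(summarize(idx, SAMPLE_LOGINS))
    print(should_challenge(idx, "203.0.113.9", "checkout"), cs_view(idx, "198.51.100.200"))
```

The two boundary rows in the sample (an address one past the end of a block, and one below every listed range) are the cases a hand-rolled range lookup most often gets wrong; a list with tens of millions of addresses also needs its ranges merged and checked for overlap before the bisect assumption holds. As the last slide notes, a datacenter hit is a signal for a challenge or a second look, not proof of fraud.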
Nick Galbreath, nickg@etsy.com, @ngalbreath, 2012-02-22