During the Chaos Communication Congress 2013 (30C3) we were confronted with the subject of electronic robberies. The first attacks on ATMs have already taken place. A comparatively young but rapidly growing security issue is the ISO/IEC 14443 contactless standard, best known through the PayPass method provided by Mastercard. You may want to purchase one of these programmable card readers and walk through a mall - then you are able to credit 10 bucks from each person you meet. Remember how many people are there?
Criminals increasingly take advantage of technological progress and of the lack of awareness among its users. These effects become particularly clear in the areas of (IT) fraud and social engineering. Since criminals are always looking for the weak point in a system, we go after it as well. In most cases, these vulnerabilities are now rooted in gaps in business processes.
A story from Adrian Kingsley-Hughes explains that a former contributor for Gizmodo, Mat Honan, was the original victim of the attack. Hackers were able to access Honan's iCloud account and remotely wipe his iPhone, iPad, and MacBook. The original theory was that the hackers used a brute force attack to crack Honan's iCloud password, but further investigation revealed that social engineering was used to convince Apple that the attackers were Honan, and Apple gave them the keys to walk right in.
Funny. We are no longer looking for gaps in firewalls and web servers, but in business processes. A similar behavior is evident when we look at the problem of fraud in the advertising industry. By sending skillfully crafted requests to a known advertising platform, one is able to receive information about the internal audit process. This knowledge can be used to reconstruct the original audit process, and it serves the same purpose as knowledge of the safety barriers in conventional systems: circumventing them.
There is no way to reconstruct an entire internal audit process; some information will surely always be missing, huh?
Unfortunately, there is always a way to handle missing information. Analogously to the method used in our Fraud Detection API, there are also methods that allow us to solve the same problem in this case, for example the Advanced Behavioral Appropriateness Metric or this one.
Therefore, we can summarize that a one-sided view of security analysis is no longer sufficient in the current situation. Rather, the non-technical vulnerabilities in complex systems must also be taken into account.
What does such a non-technical vulnerability look like?
Let me illustrate this with a much simplified business process model example, falling back on a modelling technique called BPMN. BPMN is not directly intended to identify such vulnerabilities, but we can repurpose it for this use case.
Let's imagine we were able to collect the necessary information about the internal audit process of an affiliate platform. Activities with the little wheel in the top left corner represent tasks that will be performed by a technical system. Activities with a person in the top left corner will be executed by a human being.
As a potential attacker or fraudster, we are now able to analyse the path of least resistance. So we notice that when our report has a value lower than 5% we can bypass the review by an accounting manager. Additionally, when the sum is less than $1000 we are also able to bypass the approval request to a supervisor.
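The audit process above, as an added example that is not part of the original post: modelled as a small guarded graph so that every path reaching payout without a human task can be enumerated automatically, which is how a company could check its own process instead of waiting for a fraudster to find the gap. Node names and the graph layout are assumptions; the 5% and $1000 gates are the ones named above.

```python
# Constructed model of the post's simplified affiliate audit process. Node names
# and layout are assumptions; the gate thresholds (5 %, $1000) come from the text.
# A report is a dict {'value_pct', 'amount'}; edges are (next, gate_label, guard).
HUMAN_TASKS = {"accounting_manager_review", "supervisor_approval"}

PROCESS = {
    "submit_report": [("auto_check", "always", lambda r: True)],
    "auto_check": [
        ("accounting_manager_review", "value >= 5%", lambda r: r["value_pct"] >= 5),
        ("amount_gateway", "value < 5%", lambda r: r["value_pct"] < 5)],
    "accounting_manager_review": [("amount_gateway", "always", lambda r: True)],
    "amount_gateway": [
        ("supervisor_approval", "amount >= $1000", lambda r: r["amount"] >= 1000),
        ("auto_payout", "amount < $1000", lambda r: r["amount"] < 1000)],
    "supervisor_approval": [("auto_payout", "always", lambda r: True)],
    "auto_payout": [],  # end event
}

def all_paths(start="submit_report"):
    """Enumerate every start-to-end path with the gate conditions along it."""
    paths = []
    def walk(node, nodes, labels):
        if not PROCESS[node]:
            paths.append((nodes, labels))
            return
        for target, label, _ in PROCESS[node]:
            walk(target, nodes + [target], labels + ([] if label == "always" else [label]))
    walk(start, [start], [])
    return paths

def unreviewed_paths():
    """Paths reaching payout without any human task: the gaps to close or monitor."""
    return [(n, l) for n, l in all_paths() if not HUMAN_TASKS & set(n)]

def route(report):
    """Walk one report through the process and list the human checks it skips."""
    node, visited = "submit_report", ["submit_report"]
    while PROCESS[node]:
        node = next(t for t, _, guard in PROCESS[node] if guard(report))
        visited.append(node)
    return {"path": visited, "skipped": sorted(HUMAN_TASKS - set(visited))}

def near_threshold(reports, pct_margin=0.5, amount_margin=50):
    """Detection heuristic: reports just under both gates are auto-approved
    by the process but deserve a manual look."""
    return [r for r in reports if 5 - pct_margin <= r["value_pct"] < 5
            and 1000 - amount_margin <= r["amount"] < 1000]

if __name__ == "__main__":
    for nodes, labels in unreviewed_paths():
        print("GAP:", " -> ".join(nodes), "| requires:", labels)
```

Running it prints the single unreviewed path together with the two gate conditions ("value < 5%", "amount < $1000") that select it; `near_threshold` is the matching monitoring rule for submissions that cluster just below those gates.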
Do you think the example is too abstract?
Alright, let's take another one. Imagine you forgot your password and therefore you request a new one from our iCompany. So you contact the help desk in order to change your password.
You provide your username. Additionally, you are asked to identify yourself. With knowledge of how the help desk will verify the identity of the user, a potential hacker may gather the necessary information by checking social networks or public telephone books in order to successfully pass the verification under a false identity.
This knowledge is dangerous when dealing with unaware users. But it also allows companies to assess their current business processes for security gaps. Next month, we will launch a thorough project in this area and - of course - publish the results as always. Be excited!