Weaknesses in Application Security Fuels Pandemic Fraud

Posted on by Roderick Chambers, CISSP, CISM

Over the past 18 months, record numbers of online shoppers grew digital markets faster than expected to mitigate COVID risks. Consumers pivoted to mobile applications primarily of iOS and Android operating systems to play video games, watch movies and television programs, and spend time on social media networks. Remote work orders increased the demand for user-friendly functionality in applications that make user experiences more accessible for sharing ideas, documents and communications. Web application developers and merchants raced to fulfill consumer demand by reinventing business models and application security. In the process, the software development life cycle revealed mistakes in consumer data security.

Cybercriminals followed all these trends closely and responded with an increased volume of attacks against public-facing web applications owned by insurance carriers and financial firms. These attacks included credential stuffing attacks against insurance carriers, bot attacks against financial services firms, and ransomware attacks that stole tens of thousands of dollars per breached account. After investigating more than 20 public-facing web applications in the insurance industry, which have impacted more than 500,000 consumers, stakeholders will need to recommit to application security best practices. As a part of those best practices, there needs to be a focus to implement a holistic web application security process that protects against automated attacks and client-side threats.

Why Is Fraud Prevention So Difficult?

In April 2020, the Internal Revenue Service (IRS) reported that multiple states had experienced a surge in fraudulent unemployment claims. Cybercriminals have always communicated effectively utilizing the Dark Web, Internet Relay Chat (IRC) channels and online chat rooms. Cybercriminals in the open Internet post fraud tutorials and how-to fraud guides. Cybercriminal groups can rent botnets for account takeovers and coordinate human “mules” to reship illegal product purchases. Cybercriminals conduct all of their activity using reputable customer-facing websites as the medium to collect data and conduct illegal activities. As soon as application engineers implement a solution or tighten controls, cybercriminals seem to find a way to circumvent these changes. Fraud prevention is an “arms race” between cybercriminals and organizations, and the adversaries are winning the race.

Recommit to the Software Development Life Cycle (SDLC)

Business stakeholders and application developers need to recommit to a Secure Software Development Life Cycle (SDLC). The SDLC is a defined process for creating high-quality software and systems starting from the idea or design phase. Security needs to be baked into each step of the process, but two critical areas stand out: the design and testing phases. In the design phase, organizational stakeholders need to define the business drivers for every application feature, especially the components that collect, transmit and store consumer data. Stakeholders need to ask their teams why they collect consumer data and how they are protecting the data.

In the testing phase, many web and mobile applications have shifted coding and logic to the client-side or to the user’s browsers and mobile devices to improve performance and enrich the user’s digital experience. However, this method relies on JavaScript code and will introduce unknown risks into the application, making it difficult to ensure data security, privacy and compliance. JavaScript is easily exploitable, which was evident in a large-scale cyber fraud campaign where cybercriminals used in-browser web developer tools and commercially available debugging software to exploit JavaScript code. The exploitation of the code led to more than 500,000 consumers’ non-public information harvested by threat actors. A multi-faceted approach for preventing JavaScript security issues should include:

  • Improved awareness of best practices among developers
  • Proper auditing of application code to detect potential vulnerabilities
  • Use of code analysis and verification tools to detect vulnerabilities earlier in the cycle
  • Implementation of tools to scan applications dynamically and to identify JavaScript security issues in third-party packages and libraries

Applications and Third-Party Data Providers

A key issue in the cyber fraud campaign was application program interfaces (API) with third-party data providers. Organizations must understand and accept that they are responsible for data collection and third-party providers that access the devices, applications and network environments. Whenever consumers use a smartphone application to check email accounts, ask for directions, share photos or make reservations, they are using APIs. Cybercriminals exploit common vulnerabilities exposed by APIs, specifically unencrypted transport of data and capturing unmasked data stored in web developer code overlooked by security gaps in the SDLC process.

The most secure way to assess API security is with a complete bi-directional audit trail between the third-party APIs and the digital assets served by the APIs. Cybercriminals are more likely to find vulnerabilities in older and more familiar codes. Therefore, application security validation assessments should include a full review of the application code from the user interface and back-end application development.

Roderick Chambers, CISSP, CISM

Information Security and Intelligence Advisor, New York State Department of Financial Services

DevSecOps & Application Security

DevSecOps application security fraud

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs