Over the past 18 months, record numbers of online shoppers, seeking to mitigate COVID risks, grew digital markets faster than expected. Consumers pivoted to mobile applications, primarily on the iOS and Android operating systems, to play video games, watch movies and television programs, and spend time on social media networks. Remote work orders increased the demand for user-friendly functionality in applications that make it easier to share ideas, documents and communications. Web application developers and merchants raced to fulfill consumer demand by reinventing business models and application security. In the process, the software development life cycle revealed mistakes in consumer data security.
Cybercriminals followed all these trends closely and responded with an increased volume of attacks against public-facing web applications owned by insurance carriers and financial firms. These attacks included credential stuffing attacks against insurance carriers, bot attacks against financial services firms, and ransomware attacks that stole tens of thousands of dollars per breached account. An investigation of more than 20 public-facing web applications in the insurance industry, which together have impacted more than 500,000 consumers, shows that stakeholders need to recommit to application security best practices. Those best practices must center on a holistic web application security process that protects against both automated attacks and client-side threats.
Why Is Fraud Prevention So Difficult?
In April 2020, the Internal Revenue Service (IRS) reported that multiple states had experienced a surge in fraudulent unemployment claims. Cybercriminals have always communicated effectively, using the Dark Web, Internet Relay Chat (IRC) channels and online chat rooms. On the open Internet, they post fraud tutorials and how-to fraud guides. Cybercriminal groups can rent botnets for account takeovers and coordinate human “mules” to reship illegally purchased goods. They conduct all of this activity through reputable customer-facing websites, using them as the medium to collect data and carry out illegal transactions. As soon as application engineers implement a solution or tighten controls, cybercriminals seem to find a way to circumvent the change. Fraud prevention is an “arms race” between cybercriminals and organizations, and the adversaries are winning the race.
Recommit to the Software Development Life Cycle (SDLC)
Business stakeholders and application developers need to recommit to a Secure Software Development Life Cycle (SDLC). The SDLC is a defined process for creating high-quality software and systems, starting from the idea or design phase. Security needs to be baked into each step of the process, but two critical areas stand out: the design and testing phases. In the design phase, organizational stakeholders need to define the business drivers for every application feature, especially the components that collect, transmit and store consumer data. Stakeholders need to ask their teams why they collect consumer data and how they are protecting it. Beyond the design phase, a secure SDLC also depends on:
- Improved awareness of best practices among developers
- Proper auditing of application code to detect potential vulnerabilities
- Use of code analysis and verification tools to detect vulnerabilities earlier in the cycle
Applications and Third-Party Data Providers
A key issue in the cyber fraud campaign was the application programming interfaces (APIs) with third-party data providers. Organizations must understand and accept that they are responsible both for the data they collect and for the third-party providers that access their devices, applications and network environments. Whenever consumers use a smartphone application to check email accounts, ask for directions, share photos or make reservations, they are using APIs. Cybercriminals exploit common vulnerabilities exposed by APIs, specifically unencrypted transport of data and unmasked consumer data left in web developer code, both of which slip through security gaps in the SDLC process.
The most secure way to assess API security is to maintain a complete bi-directional audit trail between the third-party APIs and the digital assets they serve. Cybercriminals are more likely to find vulnerabilities in older, more familiar code. Therefore, application security validation assessments should include a full review of the application code, from the user interface through the back end.
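As an added example that is not part of the original article, the following JavaScript shows the two controls these paragraphs call for: refusing unencrypted transport to a third-party data provider, and masking consumer data on the server so that unmasked values never reach client-side developer code. The provider hostnames, field names and sample record are assumptions constructed for illustration.

```javascript
// Added example (not from the original article): defensive checks for the
// API weaknesses the text names, unencrypted transport to third-party data
// providers and unmasked consumer data reaching client-side (browser) code.

// Allow-list of third-party data providers the application may call.
// Hostnames are placeholders, not real provider endpoints.
const APPROVED_PROVIDERS = new Set(['data-provider.example', 'quotes.example']);

// Reject any provider endpoint that would carry consumer data in the clear
// or that is not on the allow-list. Call before every outbound API request.
function assertSecureProviderUrl(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:') {
    throw new Error(`Refusing unencrypted transport to ${url.hostname}`);
  }
  if (!APPROVED_PROVIDERS.has(url.hostname)) {
    throw new Error(`Provider ${url.hostname} is not an approved third party`);
  }
  return url.toString();
}

// Shape a consumer record on the server before it is serialized to the browser.
// Only the fields the UI needs leave the back end, and identifiers are masked
// so that client-side code never holds the unmasked values.
function maskConsumerRecord(record) {
  const maskSsn = (s) => '***-**-' + String(s).slice(-4);
  const maskEmail = (e) => {
    const [user, domain] = String(e).split('@');
    return user[0] + '***@' + domain;
  };
  return {
    policyId: record.policyId,
    name: record.name,
    ssnMasked: maskSsn(record.ssn),
    emailMasked: maskEmail(record.email),
    // bankAccount and dateOfBirth are deliberately not included in the response
  };
}

// Constructed sample record, as a back-end service might load it (not real data).
const SAMPLE_RECORD = {
  policyId: 'P-1001',
  name: 'A. Consumer',
  ssn: '123-45-6789',
  email: 'consumer@example.com',
  bankAccount: '000123456789',
  dateOfBirth: '1980-01-01',
};
```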