Sponsor Robert Siciliano as he runs the Boston Marathon for Miles for Miracles, Children's Hospital Boston
ROBERT SICILIANO is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds.

FREE EBOOK

Check here if you're human

Sponsors

Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

0
Pin It

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

4DFraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristic can be used to assess risk and uncover possible fraud.

So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology.Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?
    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers.Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

  3. Is possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more.FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
  4. Any other thoughts?
    It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.

About the Author
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.

Similar Posts

  • Researcher says HTTPS can track You
    Perhaps you’ve read that “HTTPS” at the start of a website address means that the site is secure, encrypted. However, a feature of the HTTPS can track you, says an article at theregister.co.uk. HTTP is not secure. Carnegie Mellon University in a Register article states “HSTS”, which is “Strict Transport Security”  redirects users to HTTPS. The
  • Online Credit Applications Ripe For Fraud
    We currently rely on easily counterfeited identification, and we transmit credit card applications using the phone, fax, Internet, or snail mail, all of which are relatively anonymous methods. Fraudulent credit card applications are the most lucrative form of credit card fraud. Identity thieves love credit cards because they are the easiest accounts to open, and they
  • Will Biometrics replace Passwords?
    The days of using a computer to access your bank account, using a password, may be coming to an end, to be replaced entirely (as some experts believe) with a fingerprint or face scan using a smartphone. The smartphone employment of such biometrics will drastically reduce hacking incidents, but will be problematic for those who do
  • Fraudulent Credit Applications Starts with the Device
    When Jim Smith opens a credit card account, he doesn’t have to pay the bill. That’s because Jim Smith is committing new account fraud by using Fred Jones’s name and Social Security number. All Jim Smith needs is some basic information about Fred Jones, much of which is available in the phonebook, in his trash, in
  • Banks Sues Client Over Wire Fraud
    Banks usually have relatively secure systems to maintain and protect online banking activities. They’ve spent billions to ensure that criminal hackers don’t liquidate all of our accounts. But criminals spend all their time seeking vulnerabilities and often find some way to make a fraudulent withdrawal. Over the past decade as we have all (mostly) banked and

Comments are closed.

Xtreme School

Featured in

Anderson Cooper John Stossel Robert Siciliano Featured in
Browse by Month

Browse by Category