Ponemon Institute examines business logic attacks

Business logic abuse is difficult to detect because it is difficult to differentiate between a legitimate user and a criminal one: the attacker is exercising the same site functionality a normal customer would. “Business logic abuse is growing in sophistication and precision, with hackers and criminals using the same features as a ‘good’ user to commit their attacks and cover their tracks,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

Two additional problems are highlighted. First, it is difficult to remediate, since the criminals' methodology is the site's own functionality and removing one would mean removing the other. Second, since the fault lies within the functional logic of the business rather than the security of the computers, it is not always clear who owns the problem, and in some cases the company's security staff are not even involved.

The report describes a number of scenarios. One example is mobile purchasing. Individual e-commerce sites have no control over users’ devices, but those devices can be compromised and the accounts on them used by criminals; to the website concerned, the result appears to be a legitimate purchase. Another example is staff account hijacking, which could follow web scraping. A script could crawl the website’s pages looking for anything that should, strictly speaking, be confidential, such as price lists, inventory lists and staff email addresses. Armed with those email addresses, criminals could seek to engineer staff into giving up account details, which could then be used to obtain customer account information.

One consistent feature of the study is the high percentage of respondents who believed that these attacks were either likely or very likely to happen, and the even higher percentage who considered them difficult to detect. In fact, the study highlights three primary issues. Firstly, the majority of companies have neither the staff to tackle the problem, nor any particular person or function with overall responsibility for it. Secondly, nearly 70% of respondents do not believe they have any technology to tackle the issue. “Clearly,” said Ponemon, “IT security practitioners are concerned with the amount and frequency of business logic abuse that their companies face each day, but our research also shows that most do not feel adequately equipped to defend against such attacks.”

Finally, it really is a serious problem: two-thirds of respondents said their organizations have lost between one percent and four percent in revenue as a result of business logic abuse, while approximately 25 percent say their organizations have lost more than five percent. The solution, the report argues, has to be better visibility into the network and its traffic. “Many organizations represented in the study,” said Nick Edwards, VP of marketing at Silver Tail Systems, “have experienced multiple incidents of business logic abuse and in order to protect their users and their organization they need real time visibility and intelligence to understand the nature of their web traffic.”