Data & transactional security is a key component in any application being exposed on the internet.
The usage statistics of consumers show a complete reversal of equation on the electronic versus physical means to complete a transaction in today's times, which has lead to changes in the way security compromise could happen with just a small 'unnoticeable' glitch in the application equation.
Let's illustrate this with an example which probably might resonate to some modern transportation network companies app in New York lately. The incident happened when a group of consumers boarded the transportation cab and asked the driver to change the destination address mid-way, in turn pushing the electronic device - in this case phone to be accessible to them, once they got hold of the phone - they changed the debit & payment in the app to redirect to their account in turn receiving complete earning for the cab driver into their account.
Now's dissect this to understand what happened here.
Incident -- primarily classified as robbery or theft - earlier might have happened via attackers taking the physical money - if this was 20 years back.
Ownership - well, primarily the cab driver as he didn't setup a password for that app access - if this happened earlier - 20 years back - again cab driver as he didn't store the money securely(but risk would have been lower as that day's money would be affected).
Impact - both the cab driver, app usage and the transportation company - 20 years back - this might have been either the transportation company or insurance in turn affecting the transportation company.
So what changed above? Ease of access - both for the cab driver & the person stealing the money.
How can this be prevented in near future?
- Key software changes to the app which don't allow the modifications to bank account to be done without any additional authentication.
- Any such event might need more monitoring & logging.
(theory of blame game above - if it was a hosted payment gateway - you could always put that gateway on the blame end but in the end - company image suffers).
How can this be prevented in future?
- Deploy security intelligence & agents on phone - learning mechanisms of usage on the device & activating additional input captures to increase the transaction compromise levels.
for e.g. - activating camera, or scan if on iPhone devices to capture user image, key press, finger print capture, increasing authentication from 2 level to 3 levels.
The deep learning mechanisms sits on the phone and consistantly learns from user behaviours and then sets the contexts to a defined set of parameters on the usage pattern.
Whenever it detects the pattern parameters exceeding the boundaries, it starts preparing for a defence of a compromise. A calculated risk level associated with the assessed limits boundary threshold would indicate the shaping of the defence compromise level which needs to be applied to the transaction.
The theory is always to build a wall a 'bit' higher than you have for others but the only difference is the wall changes the height dynamically when needed leaving the person trying to cross it guessing most of the times!
Reference to the incident link(for anyone interested) - http://gothamist.com/2019/05/23/robbers_grab_lyft_drivers_phones_an.php
No comments:
Post a Comment