To client-side or not to client-side? That is the question. As enterprises combat fraud, they have to consider whether they should concern themselves with the state of their end-customers' devices. Should the security state of an end-customer’s device affect their experience with an online application? Should the application allow or deny access to specific resources and transactions based on the security of that device?
Client-side attacks have been around for a number of years. Magecart, which made big news in 2018 and 2019 with several high-profile breaches, is perhaps the most notable in recent years. How to handle client-side security is a question each enterprise needs to answer for itself.
However, consensus in the industry seems to be growing that enterprises should be paying attention to client-side attacks on top of securing their applications on the server side. While I believe that accounting for client-side security is a good thing, there are a few caveats to be aware of:
- Focus on risk: It's important to treat information about a compromised client-side environment as just that - information. While that information may be helpful in understanding the overall risk to that particular end-customer’s account, it is not, on its own, a reliable indicator of risk. Why is that? With so much compromised PII and stolen account information out there, there are many ways for a fraudster to accomplish account takeover (ATO). In other words, a compromised end-customer device doesn’t necessarily mean that ATO will occur, and it doesn’t necessarily mean a fraud loss will be incurred by the enterprise. That determination requires a number of different data points, with one of them being the state of the end-customer device.
- Focus on transactions: When looking to mitigate risk and reduce fraud losses, focus on transactions. It is far too easy to get distracted by other data points that seem interesting but don’t tell us whether a specific transaction is legitimate, suspicious, or fraudulent. Helpful information on the end-customer device can add to our ability to determine whether a transaction is fraudulent, but it's not sufficient to make that determination without other important data points.
- Focus on sensitive data: When an enterprise opens the door to client-side security, there is often an overwhelming amount of data to look at. All of that data, if not properly analyzed, may lead to an abundance of alerting and a slew of false positives. Remember what is truly important - sensitive data that may find its way into the attacker's hands and the potential to add, modify, and/or remove transaction data.
- Remember user experience: In the effort to combat fraud, it may be tempting to institute strict, draconian measures, but it's important to remember that those measures may not always result in reduced fraud. They may, however, negatively impact the user experience to the point where they cost the organization in lost revenue. It is important to institute proper controls to protect online applications from fraud, but it is also important to remember that a user experience riddled with friction will cost the enterprise in other ways.
- There's more than just Magecart: Although Magecart attacks are perhaps the most common type of client-side attack, they are not the only type. As enterprises begin to look at the client side, they need to plan for the evolution of client-side attacks. This involves understanding how they'll mitigate new risks that arise as the threat landscape changes.
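The "information, not verdict" approach to the client-side signal, as an added illustration that is not part of the original article: the device-compromise signal is one weighted input among transaction-level signals, and the decision (allow, step-up verification, deny) is made on the transaction. All weights, thresholds and the sample transactions are constructed assumptions.

```python
from dataclasses import dataclass

# Illustrative weights and thresholds (assumptions, not values from the article).
STEP_UP_AT = 40   # ask for extra verification: light friction, not a block
DENY_AT = 70      # block the transaction


@dataclass
class Transaction:
    amount: float
    typical_amount: float      # account's usual transaction size
    new_payee: bool
    device_known: bool         # device previously seen on this account
    geo_matches_history: bool
    client_compromised: bool   # client-side signal, e.g. unexpected script on checkout page


def score(tx: Transaction) -> tuple[int, list[str]]:
    """Combine transaction signals with the device signal; return (points, reasons)."""
    points, reasons = 0, []
    # The client-side signal carries a modest weight: it raises risk but cannot,
    # by itself, push an otherwise normal transaction past the step-up threshold.
    if tx.client_compromised:
        points += 20; reasons.append("client-side compromise signal")
    if not tx.device_known:
        points += 20; reasons.append("unrecognised device")
    if tx.new_payee:
        points += 20; reasons.append("new payee")
    if not tx.geo_matches_history:
        points += 15; reasons.append("location inconsistent with history")
    if tx.typical_amount > 0 and tx.amount / tx.typical_amount > 3:
        points += 30; reasons.append("amount far above typical")
    return points, reasons


def decide(tx: Transaction) -> str:
    """Decision is made per transaction; friction is reserved for the risky ones."""
    points, _ = score(tx)
    if points >= DENY_AT:
        return "deny"
    if points >= STEP_UP_AT:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: compromised device, but a routine payment to a known payee.
    routine = Transaction(50.0, 60.0, False, True, True, True)
    print(decide(routine), score(routine)[1])   # allow, flagged for monitoring only
```
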
The debate around whether enterprises should take into account the environment on their end-customer devices is not new, but there's a shift in recent years suggesting that defenders should incorporate data from the client side into risk-based decision-making. By educating themselves and developing a client-side strategy, enterprises can better plan for and make decisions around client-side defense.