Before jumping into ways to detect potential fraud in Web applications and services, we need to set a few ground rules. Number one, and most important, you must have adequate logging. For full coverage on appropriate logging, read “How to Do Application Logging Right.”1 At a minimum, consider the five types of logging events covered
• authentication, authorization, and access events;
• changes to the system, application, or data;
• availability issues;
• resource issues;
Let’s say you saw the two entries shown in Figure 2 in your logs. These entries show that someone accessed login.jsp twice (let’s assume the same user and that you have those details in the logs) in two hours. At 10 a.m., an IP address in California accessed it; at noon, someone in Romania accessed it. The quick math says that no one could travel from California to Romania in two hours, even in an SR-71.
Looking beyond the User-Agent header, what has changed?
• The order of headers differs.
• The order of cookies differs.
• The headers differ. Only the
first request has Origin and Cache-Control; only the second request has Keep-Alive.
• Regarding Accept-Encoding, only the first request lists each.
• regarding Accept-Language, the first request has en-US and q=0.8, whereas the second request has en-us and q=0.5.
Fraud Detection in Sessions :- Its like session hacking / session fixation.