

Ask HN: A fraudulent login detection system for SaaS providers - JarekS

Every SaaS provider has one major problem: the security concerns of its user base.

People are worried about their data, its transmission, and that anyone can "guess" their password and log in to their accounts.

What I'm describing here is a product idea. We will write it for ourselves, but I think it can be sold separately as a byproduct of our main web app.

How would it work?

1. A simple JS insert on the login page will track who is logging in from where, what kind of browser, operating system, etc. (The JS will not send or track the user's password! We should get some kind of "ok" from the web app that the user's login was successful.)

2. We will track patterns of app usage (is it a working day? What time is it?).

3. If our system finds potential fraud (correct login and password but a strange usage pattern), we will send an email with a special code to the owner of the account. The user will get a popup message "Please let us know it's really you. Check your email account!" and a text input field to provide the code.

4. The system can provide a badge or something so users feel safer logging in to web apps protected with this fraud detection system.

What do you guys think? Do I see any beta testers already?
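The flow proposed above (build a per-user profile from past successful logins, score a new login on browser/OS, location and time-of-day, and fall back to an emailed one-time code when the score is high) as an added worked example. This is editor-written illustration code, not anything from the poster or a product; the weights, threshold, `MIN_HISTORY` cold-start rule, the `LoginEvent` fields and the sample history are all assumptions made here, and the "email" is just a returned string.

```python
"""Risk-scored login step-up: per-user baseline from successful logins, an
anomaly score for a new login, and an emailed one-time code to confirm it.
Constructed example: no network, no real email, no passwords ever seen."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

MIN_HISTORY = 5          # successful logins needed before a baseline is trusted (assumed)
CHALLENGE_THRESHOLD = 3  # score at or above this triggers the emailed code (assumed)
CODE_TTL_SECONDS = 600
MAX_CODE_ATTEMPTS = 5
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret; load from config/KMS in practice


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime    # UTC time of the login
    ua: str         # browser/OS as reported by the page script (never the password)
    region: str     # coarse client location, e.g. country derived from the IP
    auth_ok: bool   # the web app's own "credentials were correct" signal


@dataclass
class Baseline:
    uas: set[str] = field(default_factory=set)
    regions: set[str] = field(default_factory=set)
    hours: set[int] = field(default_factory=set)
    weekend_seen: bool = False
    total: int = 0


def build_baselines(events: list[LoginEvent]) -> dict[str, Baseline]:
    """Profile each user from successful logins only: failed attempts may be an
    attacker guessing and must never teach the system what 'normal' looks like."""
    profiles: dict[str, Baseline] = defaultdict(Baseline)
    for e in events:
        if not e.auth_ok:
            continue
        b = profiles[e.user]
        b.uas.add(e.ua)
        b.regions.add(e.region)
        b.hours.add(e.ts.hour)
        b.weekend_seen |= e.ts.weekday() >= 5
        b.total += 1
    return profiles


def score_login(e: LoginEvent, b: Baseline | None) -> tuple[int, list[str]]:
    """Score a login the app has already accepted; returns (score, reasons)."""
    if b is None or b.total < MIN_HISTORY:
        return 0, ["insufficient history"]  # cold start: nothing to compare against
    score, reasons = 0, []
    if e.ua not in b.uas:
        score += 2; reasons.append("unknown browser/OS")
    if e.region not in b.regions:
        score += 3; reasons.append("unknown region")
    if e.ts.hour not in b.hours:
        score += 1; reasons.append("unusual hour")
    if e.ts.weekday() >= 5 and not b.weekend_seen:
        score += 1; reasons.append("first weekend login")
    return score, reasons


def needs_challenge(e: LoginEvent, b: Baseline | None) -> bool:
    return score_login(e, b)[0] >= CHALLENGE_THRESHOLD


_pending: dict[str, tuple[bytes, float, int]] = {}  # user -> (code HMAC, expiry, attempts left)


def _mac(code: str) -> bytes:
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()


def issue_challenge(user: str, now: float | None = None) -> str:
    """Mint a 6-digit one-time code; only its HMAC is stored. The returned
    plaintext code is what would go into the email (nothing is sent here)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[user] = (_mac(code), now + CODE_TTL_SECONDS, MAX_CODE_ATTEMPTS)
    return code


def verify_challenge(user: str, submitted: str, now: float | None = None) -> bool:
    """Single-use, time-limited, attempt-limited, constant-time comparison."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    mac, expiry, attempts = entry
    if now > expiry:
        del _pending[user]
        return False
    if hmac.compare_digest(mac, _mac(submitted)):
        del _pending[user]
        return True
    attempts -= 1
    if attempts == 0:
        del _pending[user]
    else:
        _pending[user] = (mac, expiry, attempts)
    return False


def sample_history() -> list[LoginEvent]:
    """Constructed sample: alice logs in on weekdays in office hours from one
    browser in Poland; one failed attempt from elsewhere must not count."""
    ua = "Firefox 3.6 / Linux"
    utc = timezone.utc
    events = [LoginEvent("alice", datetime(2010, 6, 7 + i, 9 + i, 0, tzinfo=utc), ua, "PL", True)
              for i in range(5)]                                             # Mon..Fri
    events.append(LoginEvent("alice", datetime(2010, 6, 14, 14, 0, tzinfo=utc), ua, "PL", True))
    events.append(LoginEvent("alice", datetime(2010, 6, 14, 2, 0, tzinfo=utc), "curl", "BR", False))
    return events


def sample_new_logins() -> tuple[LoginEvent, LoginEvent]:
    """(normal weekday login, Sunday 3am login from a new browser and country)."""
    utc = timezone.utc
    normal = LoginEvent("alice", datetime(2010, 6, 15, 10, 0, tzinfo=utc), "Firefox 3.6 / Linux", "PL", True)
    odd = LoginEvent("alice", datetime(2010, 6, 20, 3, 0, tzinfo=utc), "Chrome 5 / Windows", "BR", True)
    return normal, odd


if __name__ == "__main__":
    profiles = build_baselines(sample_history())
    for ev in sample_new_logins():
        s, why = score_login(ev, profiles.get(ev.user))
        print(ev.ts, s, why, "-> challenge" if needs_challenge(ev, profiles.get(ev.user)) else "-> allow")
```

The two caveats a practitioner would add: the scorer runs only after the application has reported the password as correct, so the service never handles credentials, and the challenge path is where the real risk lives (code entropy, TTL, attempt limit, single use, constant-time compare), since a weak code check turns the "extra security" into a bypass of the very login it guards.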
======
patio11
I think that I don't trust _me_ with my user's passwords and I am darn sure
not going to trust _you_ with my user's passwords, and I am not exactly a
high-security niche.

Also, bouncing many users in the midst of using the app is worse than a
security breach in some cases.

~~~
JarekS
No no no - the system will not have user passwords! We will get only "ok" from
the web app that the password was correct.

------
teyc
That's useful, and even more impressive if it doesn't appear to be automated.

My employer sells a traditional software product, and there is an arrangement
for the support desk to get notification of all errors. We called back once
when we saw some rather unusual-looking URLs, and it turned out that the customer
had hired a consultant to do some basic penetration testing.

Needless to say, the client was happy with our rapid response.

Another real life example is when I made a 1-dollar verification so that my
kid could have an AOL account. I got a call from VISA within 5 minutes, and I
was pretty happy.

------
proexploit
I've got pages of writing/sketches expanding upon your idea. I almost went
with it, but there's a lot of regulation involved and people are unlikely to
want to hire out for their security. My only concept was selling it as a
larger package and not for a monthly fee, to hopefully transfer some of the
responsibility of keeping the info safe to the purchasing company.

I was thinking something along the lines of usage patterns that would actually
predict some fraudulent activity before it happens.

------
mootothemax
I like the principle of the idea, but the practice is another matter. You want
me to trust a piece of external JavaScript on my login page? A piece of
JavaScript that is used _exclusively_ for authentication? If your service took
off, I don't see how you won't end up with at least one major security breach
:(

------
Konerak
Just some decent user-viewable log files of their logins
(hour/date/browser/cookies) would be enough for them to be able to check when
someone logged in.

I never understood why online email sites didn't provide those...

