Well, it is now World Password Day 2020, and not surprisingly passwords are still not dead. Since we will continue to live with passwords for the foreseeable future, here are some unorthodox tips on how to further protect your digital accounts from Account Takeover fraud.
The best way to protect your digital accounts is to never reuse the same password(as password reuse leads to Credential Stuffing attacks which leads to Account Takeover fraud). This recommendation can be taken a step further by never reusing the same Username.
In order to do this, you will need to register your own custom domain name. For example you may want to register something like “pizza-jungle-salad.xyz”. This will cost between $5-50/year depending on the domain and the Domain Registrar.
Now when you want to sign up for a new website you can use a custom and single-use username such as firstname.lastname@example.org. Make sure you save this unique username and password in your trusty Password Manager. For added convenience, you could also forward emails sent to *@pizza-jungle-salad.xyz to your real email inbox.
An additional bonus to this approach is you will be able to easily determine which website or organization has suffered a breach and has leaked your custom email address, or if that organization has sold your custom email address to
Consumers love the convenience of paying for goods and services in store by using their NFC enabled smartphones and stored credit cards. This is demonstrated by the fact that you can download retailer specific apps for your smartphone to pay for everything from coffee, to movie tickets, to poutine using a retailer specific mobile app.
As more and more retailers embrace this technology and release their own mobile apps with in-store payment options, the threat of fraudsters looking to benefit from flaws in the implementation, or by exploiting the human component must be carefully considered. The following are a few example Card Not Present (CNP) fraud schemes that retailers who offer in-store purchasing using a store branded mobile app should be aware of.
In these scenarios, we will use the imaginary retailer Smoothie Shop. Smoothie Shop has a mobile app that allows customers to save their credit card in the app in order to facilitate easy in-store purchases. Consumers log into their Smoothie Shop account using an email address and password. Smoothie Shop has recently seen an increase in CNP fraud and chargebacks, but is unable to pinpoint the root cause.
(Smoothie Shop mobile app login)
CNP Fraud Scheme #1 – Fraudster takes over a Smoothie Shop account that has a Credit Card saved in the app
In this scenario, the fraudster has to take over an existing Smoothie Shop account. This is known in the industry as Account Takeover (ATO) which is explained here.
In this scenario the fraudster has lucked out! Since the account that was taken over by the fraudster already has a credit card saved in the app, the fraudster can simply walk over to a Smoothie Shop, present the mobile app with the saved credit card information and enjoy a refreshing smoothie that was paid for via some other Smoothie Shop customer’s stored credit card.
CNP Fraud Scheme #2 – Fraudster takes over a Smoothie Shop account that does not have a Credit Card saved in the app
Again this scenario requires the Frauster to take over an existing Smoothie Shop account, however this scenario requires a little bit more legwork, and is less profitable as Fraud Scheme #1 above. Since the Smoothie Shop account that was taken over does not have a credit card saved in the app, the fraudster will instead need to buy a stolen credit card off the Dark Web or some other electronic market*, and then add the freshly purchased credit card to the Smoothie Shop account and app. Once this is done, the fraudster proceeds in-store to obtain smoothies using the stolen credit card.
Why would the fraudster go through the trouble of taking over an existing Smoothie Shop account you ask? Good question! Fraudsters are aware that aged accounts (e.g. accounts more than 3-6 months old) with a good transaction history are usually given more leeway and transactions from these accounts are less closely scrutinized when compared to a brand new account with no transaction history.
*Stolen credit cards can be acquired for as little as $3 or as much as several hundred dollars depending on the credit limit, zip/postal code, issuing bank, etc.
(screenshot from Dark Web Credit Card market)
CNP Fraud Scheme #3 – Fraudster creates a brand new Smoothie Shop account
This scheme doesn’t require taking over an existing account, but instead requires the fraudster to use a bot tool or a human clickfarm to create hundreds of “fake” Smoothie Shop accounts. Once the fraudster has access to multiple Smoothie Shop fake accounts, he can then add in as many stolen credit cards as he pleases in order to make in-store purchases at Smoothie Shop, each one being a unique incident of CNP fraud.
(In-store payment via Smoothie Shop mobile app and stored credit card)
What can Retailers and Consumers do to protect themselves?
Prevention Methods for Retailers
1) Prevent Account Takeover. This is easier said than done. There are many ways to prevent or at least significantly reduce the amount of ATO, such as by eliminating Credential Stuffing. The goal of the organization should be to eliminate the economic advantage that fraudsters obtain from taking over an account. If the cost/effort of taking over an account outweighs the value of said account, there will be no incentive for the fraudster and he/she will likely go elsewhere to commit fraud.
2) Maintain control of Account Creation process. Creation of accounts by bots and scripts can be limited by using a CAPTCHA, however captchas can be bypassed by mid-level sophistication fraudsters, and consumers generally dislike captchas. Preventing bulk creation of accounts requires collecting device level information in order to restrict the number of new accounts that can be created by a single device. There are device farms available for rent, but forcing the fraudster to leverage a device farm could make their rate of return less desirable and push the fraudster elsewhere.
3) Ensure your customers are not logging into your site/mobile app with credentials that have been compromised in 3rd party data breaches. This is a NIST recommendation that makes a lot of sense in today’s world of daily breaches. The customers that are logging in to your website or mobile app with compromised credentials are most likely the accounts that will be taken over and defrauded first.
4) Build controls around misuse of credit cards in the mobile app. Legitimate customers will likely need to add 1, maybe 2 unique credit cards to their account/device. Any account/device trying to add 3, 4, 5, or more credit cards to an account should be closely inspected and possibly restricted from adding any more. The stored credit card should also be tied to the device, rather than the account. That way, if an account is taken over from a new device, there will be no stored credit card information available for the fraudster to use. Both of these require a strong and unique identifier on the device level.
Prevention Methods for Consumers
1) Don’t reuse passwords across multiple sites! – This is the single most important piece of advice consumers should follow. If you reuse the same password across multiple sites, it is no longer a question of if, but rather when you will become a victim of Account Takeover and fraud. Using a Password Manager to create strong and unique passwords will greatly improve your personal security posture.
2) Be mindful of the sites and apps that you enter your username and password in to. Many fraudsters are now relying on phishing scam sites that look eerily similar to the real retailer/airline/bank site but are in fact under the control of the fraudster and are meant to harvest credentials in order to commit fraud.
3) Make sure you have a reputable antivirus on your Smartphone and uninstall any apps that are flagged as suspicious or malicious.
4) Use a virtual credit card. Virtual credit cards are now available from a number of organizations. These are beneficial as you can create a single use virtual credit card with a credit limit for a specific retailer. That way if the retailer suffers a data breach, or your account is taken over, your fraud exposure is contained and your real credit card is still secure.
5) Ask the retailer about their security controls and practices, and how they prevent Account Takeover. If they give you a sub-par canned answer, maybe you should think twice before saving your credit card information in their app.
One final reminder! Shape’s App Security & Fraud Summit — Virtual Event — is tomorrow, February 12, 2020 / 9:00 am PT. Join us as top cybersecurity and fraud leaders dive deep into the latest attacks, tools, and trends you need to know to protect your web and mobile applications in 2020. Tune in, you won’t be sorry!
The App Security & Fraud Summit’s mission is to share ideas, insights, and connections that have the power to transform the industry. The lineup of speakers represents key voices that will help attendees better understand and prepare for new threats and trends. The last place you want to learn about a new cyberattack is in the news. Because by then, it’s too late.
Join hundreds of your peers for this important event and hear from some of the industry’s most dynamic minds, including:
Tara Seals, Senior Editor, Threatpost
Critical Infrastructure Attacks: Between Apocalypse and Reality
Dan Woods, VP Shape Intelligence Center
Manual Fraud to Genesis: Beyond Automation Attacks on Applications
Mike Plante, CMO, Shape Security
Shape Security Predictions 2020 Report: Emerging Threats to Application Security
Online applications run the world today. Apps power how we interact, how we learn and grow, where our data lives, and how value gets exchanged between brands, customers and partners. In many respects, apps have become the fabric of our economies, our governments, and our daily lives. So it shouldn’t be surprising that from a cybercriminal’s perspective, apps represent the single most lucrative set of targets in the world, with estimated online fraud losses projected to exceed $48 billion per year by 2023.
F5 and Shape are joining forces to transform how we protect the world’s applications. We have a unique view on this topic: we believe the platforms that serve, deliver and enable applications are in the best position to defend those applications, especially as the attacker arms race continues to escalate. As parent company to both NGINX and Shape, F5 is positioned to become the most important application enabler in the world, and the best suited to augment and enhance application security for organizations all over the world.
What does our vision for the transformation of application security look like? In brief:
The delivery of security outcomes, not merely more tools
Effective, accurate defenses powered by a proven, robust AI engine
Support for customers’ real-world heterogeneous applications, including hybrid cloud, any cloud, or even multi-cloud environments
F5 and NGINX power over half of the world’s applications across all types of environments. Shape’s AI-powered platform mitigates more than a billion application attacks per day. When you combine these forces, you have the full range of application delivery and security capabilities under one banner, with best-in-class technology across the entire code-to-customer value chain. We believe that makes F5+NGINX+Shape the ultimate company for application delivery, enablement, and security — and absolutely essential to every organization.
The public cloud is an important part of our strategy. Some of the world’s leading banks, airlines, retailers, and others already rely on F5+NGINX+Shape to deliver and defend applications running in public cloud environments. The public cloud is one of the pillars of modern application development, providing capabilities like compute resources, content delivery, data storage, and other essential services that previously required point solutions from disparate vendors. F5’s code-to-customer solution set, including NGINX and Shape, complements public clouds and supports hybrid cloud and multi-cloud application scenarios. As a result, developers can rely on F5 as a powerful layer of abstraction regardless of where their applications reside – today or tomorrow.
What does this transformation of application security mean for security, fraud and business leaders? We believe it means dramatically improved business outcomes, including:
Slashed losses due to fraud and abuse
Better application performance and uptime
Measurable cost savings for hosting and bandwidth costs
It also means freeing up capacity among critical security staff to focus on strategic security challenges, while we take care of defending your applications.
In order to evade detection and mitigation, threat actors are continually innovating and evolving their automation-based attacks to look more and more like real organic human traffic, passing Turing tests like CAPTCHA with ease using AI-based tools. We believe this trend will evolve into criminals weaponizing AI innovations to enhance their attacks on applications.
That’s why we plan to leverage the Shape AI platform across the entire F5 code-to-customer unified architecture, delivering increased visibility, insights, orchestration, and automation.
We’re already hard at work on these products. Your first opportunity to learn more is our upcoming webinar entitled Transforming Application Security: F5 and Shape Join Forces to Crush Fraud and Defend Your Apps. Reserve your seat today.
The mission for the combined company is the same as it has always been for Shape: to defend every app from attack, fraud and abuse, and to delight our customers.
We’re truly excited to be joining the F5 family and looking forward to the journey ahead.
Shape’s Vice President of Intelligence Center, Dan Woods, will present at the upcoming Retail Cyber Intelligence Summit on September 24-25, 2019, at the Four Seasons Hotel in Denver, Colorado.
2018 saw a significant increase in user credential spills from retailers. And as the retail industry continues to increase its digitization, it creates more incentives for attackers, as well as increases retailers’ potential attack surfaces. In fact, more than 50 percent of all e-commerce fraud losses were from cyber-attacks such as ATO, gift card cracking, and scalping. In addition, up to 99% of traffic on retail and e-commerce login forms was due to account takeover attempts!
Dan’s session, titled “The Anatomy of Web and Mobile Application’s Costliest Attacks,” will discuss actual attacks launched against retail and hospitality organizations and explain attackers’ motivations and monetization schemes. Dan will also share the latest threat intelligence on effective attack tools and techniques that cybercriminals are using to circumvent traditional countermeasures with devastating effectiveness.
“We’re looking forward to continuing our partnership with Shape Security and are pleased to have them as a presenting sponsor at our upcoming Retail Cyber Intelligence Summit in Denver,” said Suzie Squier, president of RH-ISAC.
The Retail Cyber Intelligence Summit is tailored for strategic leaders and cybersecurity practitioners from both physical and online retailers, gaming properties, grocers, hotels, restaurants, consumer product manufacturers and cybersecurity industry partners. The full conference agenda and information on how to register is available here.
There is a war brewing in cyberspace. The general public is blissfully unaware, and very likely will remain so. The media, when it talks about cybersecurity, tends to focus on the breach of the week, even though there cannot possibly be any lessons left to learn in that parade of spectacle and shame.
The war we speak of is against malicious automation (bots), and it’s being fought largely outside the gaze of journalism. On one side are the organizations putting their stores, intellectual property, processes, and businesses online in their journey toward digital transformation: the “good guys.” On the other side are malicious actors armed with nearly undetectable automation, intent on theft, political influence, fake news, and fake transactions: the “bad guys.”
The comedy of this “automation war” is how lopsided it is, technologically. The bad guys have accumulated an impressive arsenal of tools from Sentry MBA, PhantomJS, and simple proxies, to browser extensions (Antidetect), human click farms, behavior collection farms, global proxy networks and, finally, to headless chrome steered with a real orchestration framework like Puppeteer.
Meanwhile, the good guys have only ancient traps like a CAPTCHA or a web application firewall (WAF), both of which are trivially easy for bad guys to bypass. Organizations aren’t thrilled about annoying their customers with friction (like making them click on blurry pictures of buses for 20 minutes) and endlessly rewriting WAF rules when attackers retool every week. It’s an unfair fight, and who has time for that, honestly.
The Silent War of Automation
The primary tactic of an automation attacker is to imitate a legitimate transaction. It doesn’t matter if the transaction has a very low probability of gain for the attackers, because they can multiply their gains by scaling the transactions into the millions at nearly no cost. Because they are blending in so perfectly, many victim organizations have no idea that it’s happening until they see an effect like fully booked inventory, credit card chargebacks, or a competitor who seems to know the price of every single munition with all possible discounts.
The media won’t write a story about how a competitor reverse-engineered an insurer’s policy premiums through the creation of a million slightly different fake profiles, or how an actor deluged a work-for-hire site with a million fake low-wage contractor profiles that represented their tiny firm in the Philippines, because it’s too complicated and there’s no one to shame. There’s no spectacle there.
So, the silent war goes on, with the bad guys getting better and better at imitation, and organizations in nearly every vertical experiencing bizarre side effects (“All our free passport interview slots have been booked and are being sold!”).
What Won’t Save The Day
Everyone’s been hoping that the silver bullet for the good guys was going to be AI. Surely the incredible volume of modern transactions can be used to train machine learning engines to differentiate real traffic from fake, right? The answer is no, it can’t. At best, today’s ML engines can spot not individual anomalies but patterns of suspicious activity.
When a campaign is identified as being underway, human operators must step in and determine the intent of the campaign, because understanding is crucial in determining next steps. The mitigation can’t just be simple blocking, because that’s a signal which helps the attacker retool.
Sometimes, the info-war tactics of misinformation and redirection are the solution for the day. Or evidence collection. You need tacticians. You need real people using automation to fight real people using automation.
The war in cyberspace will be a main topic of discussion next week in Atlanta at the CyberHub Summit. Classy people there will be talking about meta issues like defending the region’s online financial services and de-risking the supply chain. A few of us from Shape Security will be there, and over some pints of the venue’s product, we can show you how we’re fighting the war against malicious automation.
If you can’t make it to the CyberHub Summit, please don’t hesitate to contact us at any of the channels listed under our logo, but otherwise we hope to see you in Atlanta next week!
A healthcare insurer was forced to use a CAPTCHA. 70% of their aged patients could no longer refill their prescriptions. It was a complete disaster.
“This is not who we are,” muttered the CIO of one of the largest health insurance companies in the world as he looked over the report.
The digital team had been forced to put up a CAPTCHA on the site’s login page, and this had driven a full 70 percent of the company’s older patients off of the website. Pharmacy orders were also down a shocking 70 percent, and the call center was swamped at 130 percent of call volume with site users unable to pass the difficult visual puzzles. It was a complete disaster.
The seeds of this catastrophe were planted quite innocently.
The global healthcare insurer had introduced an innovative Health Rewards program that was hailed as a bold gamification of wellness. The program rewarded patients with points for achieving preventive medical milestones, such as scheduling wellness checkups, screening for bone density, and getting flu shots. Patients even got points for volunteering or participating in nutrition classes, activities that were good for their social and mental health and community bonding. It was beautiful; this is how markets are supposed to work —personal rewards for conscientious behavior.
The reward points themselves had no cash value, but could be redeemed in the insurer’s online mall for gift cards from retailers like Amazon and Walmart—and those gift cards definitely did have cash value. These rewards proved a juicy target for gift-card crackers.
Credential Stuffing and Gift Card Cracking
Almost immediately, automation attackers began credential-stuffing the login page of the insurance company’s rewards program. Credential stuffing is the act of testing millions of previously breached username and password combinations against a website with the knowledge that some of the credentials will work there. Success rates for an individual credential-stuffing login are low; they vary between 0.1 percent and 2 percent depending on the client population.
Attackers counter the low probability of any individual login succeeding by scaling their attempts into the millions via automation—scripted programs called “bots.” Modern bots look very much like human users to a target computer—telling them apart is one of the most difficult problems in modern computer science. A 1 percent success rate in a credential-stuffing attack is a reasonable statistical estimate; one million leaked credentials will yield 10,000 successful logins against a third party, leading to account takeovers by the attacker. Today there are over 5 billion leaked credentials on the market.
The attackers breached thousands of accounts at the healthcare insurer’s rewards program. They consolidated reward points and converted them into gift cards, from which they exfiltrated the real cash value. The insurer’s CIO and IT security team were actually not that worried about the losses incurred through gift-card fraud.
“We were much more anxious about the PII exposure than the fraud.”
Global Health Insurer CIO
The attackers appeared to be ignoring the Personally Identifiable Information (PII) associated with the cracked accounts in favor of getting the rewards points, but the exposure was alarming.
The security team turned to their Content Delivery Network (CDN) vendor for help. The CDN’s “bot management” solution put a CAPTCHA into the user login process in an attempt to stop the automation.
And that’s when the wheels came off.
Human success rates for CAPTCHAs are already distressingly low—as low as 15 percent completion rates for some populations. Because computers have gotten so good at solving CAPTCHAs, the tests have gotten more and more difficult.
For elderly users, who are visually impaired more often than not, CAPTCHA success rates are even lower. In fact, one would be hard-pressed to devise a worse user experience than CAPTCHA for an aging population.
Immediately after the CDN put their CAPTCHA in place, login success rates plummeted. Seven out of ten elderly users could no longer log in to their accounts, access the rewards program, or renew their prescriptions online.
Online pharmacy orders plunged by 70 percent.
Frustrated patients had to phone the health insurer’s call center to renew prescriptions.
Meanwhile the attackers easily bypassed the “bot management” solution through one of the many underground services that offer 1,000 solved CAPTCHAs for $1. Now they were the only ones earning rewards.
“This is not what we do.”
Global Insurer CIO
The CAPTCHA was far more damaging than the fraud it was supposed to stop. The cure was worse than the disease.
Can you make an introduction?
The CIO reached out to a C-level colleague of his at a top-3 North American bank. He explained the situation and said, “Hey, you guys are a bank, and you don’t use CAPTCHAs. How do you get away with that?”
His peer said, “We use Shape Security,” and he made an introduction.
Shape worked with the healthcare insurer’s CIO and his team to get our technology deployed. We went into monitoring mode first, to study attack traffic patterns. Because Shape came in behind their CDN solution, the monitoring period became an informal bake-off between the CDN’s bot management service and Shape’s.
Understanding Users and Risk
Web and Mobile Visitor
Legitimate users with good behavior
Strong passwords No password re-use
Legitimate users with bad behavior
Weak passwords Password re-use Prey to phishing
Illegitimate users with ill intent
Account Takeover Phishing IP Theft
Even behind the CDN’s CAPTCHA, Shape was detecting large amounts of credential stuffing and gift-card cracking—sometimes up to two million attempts per day. While the attackers had been smart enough to “hide” their traffic spikes within the diurnal patterns associated with human logins, they were not otherwise trying to disguise their traffic. Sometimes they connected through proxies, sometimes through a partner healthcare insurer, and even once through a financial aggregator.
Shape fought the attackers as they retooled, attempting to get around the Shape defenses. Within weeks, most of the attackers gave up, resulting in a 90% decrease in overall traffic.
The CIO was sufficiently impressed by Shape to completely displace the CDN for bot management at the healthcare insurer’s web property, and the CAPTCHAs were removed from two dozen entry points.
Shape then began working with the team to monitor the mobile property, because that is where attackers always retarget to after we block them on the web. After another month of monitoring the mobile traffic, Shape was able to show that the healthcare insurer’s mobile property could be further improved to remember legitimate users, and we cut their legitimate “forgot password” transactions in half. Shape also provided the insurer with a customized list of recommendations for information access and password protections policies.
Steady State Unlocked
Today the healthcare insurer’s website has zero CAPTCHAs in front of their pharmacy, the account profile, and their rewards program. The Shape mobile SDK is integrated with nearly all the mobile platforms that the insurer reports.
Attackers and aggregators continue to probe the insurer’s web and mobile properties. Shape sees them, and foils the attackers. The health insurer is notified of the aggregators, who are encouraged to use authorized API gateways.
The online pharmacy is accessible to all customers again. Call volumes have dropped to levels not seen since before the CAPTCHA crisis. Attackers and aggregators continue to probe the insurer’s web and mobile properties. Shape sees them, and foils the attackers. The health insurer is notified of the aggregators, who are encouraged to use authorized API gateways.
And, perhaps most importantly, the healthcare insurer is again free to focus on innovating new programs and rewarding customers for taking preventive steps for their medical and social wellness.
You figured out that you have a bot problem. Maybe you have a high account takeover (ATO) rate, or someone’s cracking all your gift cards, or scraping your site. You tried to handle it yourself with IP blacklists, geo-fencing, and dreaded CAPTCHAs, but it became an endless battle as the attacker retooled and retooled and you’re sick of it.
So now you’ve decided that you’re going to call in professionals to stop the problem, and get some of your time back. You’ve narrowed it down to a couple or three, and you’re going to get them in and ask them some questions. But what questions? Here are some good ones that can give you an idea if the vendor’s solution is a fit for your environment.
1. How does the vendor handle attacker retooling?
This is your most important question. When a countermeasure is put in place, persistent attackers will retool to get around it. Victims of credential stuffing say that fighting bot automation by themselves is like playing whack-a-mole. You are paying a service to play this game for you, so ask how they handle it, because attackers always retool.
2. Does the vendor dramatically increase user friction?
CAPTCHAs and 2FA dramatically increase user friction. Human failure rates for the former range from 15% to 50% (depending on the CAPTCHA), and lead to high cart-abandonment and decreased user satisfaction. Honestly, think carefully about vendors who rely on these countermeasures. Your goal should be to keep CAPTCHA off your site, not pay someone to annoy your users.
3. How does the service deal with false positives and false negatives?
A false positive for an anti-automation vendor is when they mark a real human as a bot. A false negative is when they mark a bot as human and let it through (this is by far the most common case, but sometimes the less important one). Bot mitigation will have some of both; be suspicious of any vendor who claims otherwise. But a vendor should be very responsive to the problem of false positives; that is, you should be able to contact them, complain, and have the false positive determination addressed.
4. When an attacker bypasses detection, how does the service adapt?
There will be advanced attackers who manage to bypass detection, becoming a false negative. When it happens, you may not know about it until you see the side effect (fraud, account takeovers, etc.). Then you’ll need to contact your vendor and work with them on how to remediate. How do they handle this process?
5. How does the vendor handle manual fraud (actual human farms)?
If your vendor is particularly adept at keeping out automation (bots), a very, very determined attacker will hire a manual fraud team to input credentials by hand in real browsers. Many services do not detect this (since technically, human farms are not bots) Can their service detect malicious intent from even real humans? Shape can.
6. If one customer gets bypassed, how does the vendor protect that bypass from affecting all other customers?
Ideally, the vendor should have custom detection and mitigation policies for every customer. That way, if an attacker retools enough to get around the countermeasures at one site, they can’t automatically use that config to get into your site. Each customer should be insulated from a retool against a different customer.
7. If an attacker bypasses countermeasures, does the service still have visibility on attacks?
It is very common for a service to be blind after an attacker bypasses defenses. If the vendor mitigates on the data they use to detect, then when an attacker bypasses mitigation, you lose the ability to detect. For example, if they block on the IP, when the attacker bypasses the block (distributes globally) the vendor may lose visibility and doesn’t know how bad you are getting hammered.
An example of a system that is working correctly is when 10,000 logins come through and they all look okay initially because they have behavioral analytics within the proper range for humans. But later it is determined that all 10,000 had identical behaviors, which means the logins were automated. A good vendor will be able to detect this for you, even after the fact.
8. Is there a client-side or browser agent?
If yes, how large is the integration and how expensive is the execution? Does the user or administrator have to install custom endpoint software, or is it automatic? If there is no endpoint presence how does the vendor detect rooted devices on mobile and how does it detect attacks using latest web browsers on residential IPs?
For example, one of our competitors takes pride in having no endpoint presence – not even a browser-agent. A common customer of ours used both their solution and ours simultaneously and found that the competitor missed 95% more automation (ask for details and we can provide them).
9. Does the vendor rely on IP-Blacklisting or IP-Reputation?
Our own research shows that automation attackers re-use an IP address an average of only 2.2 times. Often they are only used once per day or per week! This makes IP-Blacklisting useless. There are over a hundred client signals besides the IP address; a good service will make better use of dozens of those rather than relying on crude IP blacklisting.
10. How quickly can the vendor make a change?
When the attacker retools to get around current countermeasures, how quickly will the vendor retool? Is it hours, or is it days? Does the vendor charge extra if there is a sophisticated persistent attacker?
There are other questions that are table stakes for any SaaS vendor. Things like deployment models (is there a cloud option) and cost model (clean traffic or charge by hour). And, of course, you should compare the service level agreement (SLA) of each vendor. But you were probably going to ask those questions anyway (right?).
Yes, this article is slightly biased, as Shape Security is the premiere automation mitigation service. But consider the hundreds of customers we’ve talked to who chose us; these are the questions they asked, and we hope that they help you, even if you end up choosing a different bot-mitigation vendor.
The war against “fake” begins today, with the launch of Shape Connect.
Shape spent the last eight years building a machine-learning engine that has a single focus: to distinguish humans from robots on the Internet. The engine is constantly learning as it processes over a billion transactions every day from 25 percent of the consumer brands in the Fortune 500. It’s actually a billion-and-a-half on payday and National Donut Day (June 7, thank you, Dunkin’ Donuts).
We’ve made this incredible engine available to everyone and we call it Shape Connect. Connect is self-serve, takes minutes to set up, and is free for two fortnights (yes, GenZ, that’s the correct spelling).
Why is Connect so revolutionary? Distinguishing automation (bots) from humans is the most difficult, and most pressing, challenge on the Internet. Stopping fake traffic should be job #1 for any website that has value—yet, Facebook, Twitter, and Google all struggle with fake traffic. Shape Security can, and we’re practically giving the service away.
Solving Modern Problems
Okay, okay, so we built a computer that can identify other computers. How does this help you? Many businesses are being defrauded by bots and don’t even know it. They might know they have a problem of some kind but not understand that automation is the real threat vector.
Credential Stuffing Causes HUGE Business Losses
Credential Stuffing: Shape didn’t invent it, but we DID name it. It’s where malicious actors acquire login credentials belonging to blithely unaware Internet users, employ bots to pour billions of username/password combinations into millions of websites, then drain users’ accounts of money, credit-card numbers, email addresses, and other valuable stuff.
Website breaches resulting in gargantuan credential spills are common occurrences these days despite mighty efforts to boost privacy and security measures. A sophisticated criminal industry has sprung up that uses automation to access online accounts across the board, including social media, retail, banking, travel, and healthcare.
Believe it or not, credential stuffing-related activity can make up more than half of a website’s traffic. It’s estimated that this kind of nefarious pursuit results in business losses of over $5 billion annually in North America alone.
Gift Card Cracking
Another super-annoying problem is the cracking of online gift-card programs. Most gift-card programs allow recipients to check the card balance online. Attackers create bot armies to check the balance of every possible gift-card number! When they find a gift-card number that has a positive balance, they use it to purchase re-sellable goods before the recipient can use the card. Isn’t that horrible? It costs retailers millions of dollars per year.
Business Logic Mischief
But it gets worse. Almost any site that has significant intellectual property in its business logic is either being attacked or is at risk. Consider the stalwart health-insurance company. Insurance websites allow you to get premium estimates based on your profile. Their rates are based on diligent research and proprietary actuarial tables accumulated over decades of experience. One of our customers found that a competitor was creating millions of fake profiles, each with a slight tweak to its age, income, and pre-existing condition to map out the insurer’s quote-rate tables. What took decades to create was being stolen by a competitor using bots. That’s not fair, is it?
Are You Dating a Robot?
One of the curious facts that emerged from the aftermath of the Ashley Madison breach in 2015 was that a significant number of the female profiles on the affair dating site were fake. They’d been created by bots to yield vehicles by which swindlers around the world could establish online relationships with men whom they would then defraud through a money transfer. While Ashley Madison is no longer with us, there are other, less controversial dating sites that still have the same problem. Shape helped one of them deal with fake-account creation, leading to a much lower probability of robot dating. (Sorry, robots, true love is for humans.)
Hotels and Airlines: Point Theft
Hotels and airlines have their own currencies in the form of loyalty program “points” or “miles.” These have long been a target for fraudsters who can take over thousands of accounts, merge all their points, and convert them into re-sellable goods. In many cases, attackers prefer going after points. Your average consumer will notice immediately if their bank account is drained, but may not quickly (or ever) notice that their points are gone. They might just assume the points had expired. Room rates and flight fares are another form of intellectual property, and aggregators scrape the sites constantly, pulling rate information for competitors, leading to overly low “look-to-book” rates.
Fight The War Against Fake
Those are just a few examples of automation as a threat vector for business. We could tell you about a million cases of sophisticated bots threatening every different type of business, but we hope you get the picture already.
So let’s get back to Shape Connect, what it is, and how it works.
How Shape Connect Works
Our fully cloud-based service stands staunchly between your site and the Internet, deflecting bots and protecting you credential stuffing, DDoS, account takeovers, gift card cracking, and all other malicious activity done at scale.
We’ve put together a couple of videos showing how Shape Connect works to protect your site. For those of you blessed with short attention spans, we have a 90-second, visually stimulating cartoony video (above).
If that piques your interest and you want the whole story, here’s a six-minute video that goes deeper into the workings of Shape Connect.
And if you’re a reader, we’ll break it down for you right here.
Without Shape Connect, there’s nothing between your website and the user’s browser. But what if it’s not a browser or a real user? Both real users and bots follow the same steps to get to your site.
The client (user or bot) queries DNS.
DNS returns the IP address of your website (or load balancer or cluster, or whatever).
The browser or bot sends a request directly to your website.
Your website returns the response.
With Shape Connect, there’s a layer of protection between your site and the user or bot.
DNS returns a dedicated Shape Connect IP to the user or bot.
All client requests are routed through Shape’s Secure CDN for fastest response.
Shape Connect absorbs any DDoS attacks that the client might have sent.
Shape Connect’s artificial intelligence determines if the request came from a real human using a real browser or from an automated bot. It passes only human requests through to your website.
Your website responds only to legitimate requests, sending the data back through Shape Connect and to the human at the other side.
Of course, if you have “trusted bots” that you want to allow, you can manage your own whitelists.
With the Shape Connect Dashboard, you can see all the requests that have come through, and marvel at all the automated malicious requests that Shape blocked!
Your Honor, I Object!
The rest of the industry is catching on to the bot problem, and some are pushing approaches that differ from Shape Connect.
To celebrate the official launch of Shape Connect, we were going to throw ourselves a gigantic poolside party, with mumble rappers from LA and rivers of Henny. But we decided, instead, that it would be more fun to watch all the new customers come in and bask in the delight they experience as they get connected.
Shape Connect is live right now, and if you’re comfortable and confident, you can sign up for a free trial. But we’re also here if you want to chat first about how Shape Connect can secure your business, reduce your latency, keep your servers afloat, and improve your customer experience journey. Talk with you soon!
One of the problems with imitation attacks such as sophisticated credential stuffing is that they are designed to blend in with legitimate traffic. How can you measure something that you can’t detect? Fear-mongering marketing compounds this problem and makes everything sound like a snake-oil solution for a problem people don’t think they have.
Imitation attacks against your services and APIs leverage inherent functionality in your system. In other words, they can be successful even when you have patched, firewalled, and done everything perfectly from an application security standpoint. Blocking basic credential stuffing attacks generated from naive bots is straightforward but, as attackers evolve, they develop more sophisticated tools to launch attacks that blend in with legitimate traffic better. They use machine learning to emulate user behavior like mouse movements and keystrokes. They generate or harvest digital fingerprints to distribute across a botnet to make each node appear more “real.” They proxy requests through residential IP addresses to give the traffic the appearance of originating from known-good home networks. Googles themselves make tools like Puppeteer & headless Chrome to automate and script the world’s most common browser which is exactly what you would use if you were trying to blend in with legitimate users. This is a problem that is getting harder, not easier.
Imitation attacks like advanced credential stuffing do have one thing in common, though – they send millions of requests hoping that a fraction of a percentage end up successful and result in an account takeover, a valid credit card, an account number with a loyalty balance, anything. This success/failure ratio is observable with data you have now. What we’ve found at Shape, is that similar companies have similar success ratios for similar user experience flows.
If you’re debating if you have a credential stuffing problem, then take a long look at your login success ratio.
What is your average login success ratio?
The average login success ratio drops dramatically during periods of credential stuffing attacks. These attacks use combolists with millions of usernames and passwords and of course the majority of these credentials aren’t valid on your site. Shape sees credential stuffing success rates between .2 and 2%, typically – attackers don’t need a very high success rate as long as the attack is cheap to perform. These attacks push the login success rate for your site down well below normal numbers. Some Shape customers have seen login success ratios lower than 5% before enabling countermeasures. Success ratios that low are abnormal and should be immediately investigated. Below are average login success ratios for one month of traffic across three major industries:
Financial institutions: 79%
Travel industry: 73%
Individual companies deviate from this average as much as 10% – the sites where customers log in more frequently tend to have a higher login success ratio. The users at these sites are more likely to remember their passwords and are also more likely to have stored their credentials in their devices or web browsers. Banks and financial institutions only keep users logged in for 15 minutes leading to more successful logins than retailers or social media sites that keep users logged in for longer periods of time. This results in much higher login success rates for banks than for retailers.
Users also have access to few bank accounts and do not change them often, as a result they are more likely to remember their login credentials. Users however regularly shop at multiple retailers and it is easy to create a retail account. This results in lower login success rates for such sites, reflecting a higher rate of users who may be visiting for the first time in months or even years. Infrequent visitors naturally forget their passwords more regularly.
Companies should expect to see 60-85% login success rates. Anything higher or lower is suspect.
No matter the industry, companies should expect to see 60-85% login success rates. Anything higher or lower is suspect. Spikes in traffic can temporarily affect the login success ratio but those should be explainable by commonly understood events like promotions or viral marketing. If there are spikes that have nothing in common then you should look deeper, that traffic is probably a credential stuffing attack that you need to stop as soon as possible.
Some industries like banks and other financial institutions are frequently targets for aggregators, services like Mint and Plaid that act as delegates with user permission to log in and gather data across many companies and present it in one unified interface. Aggregators use legitimate credentials and log in multiple times a day, unnaturally inflating the login success rate. You can look for evidence of aggregators by querying for successful logins across multiple users from the same IP addresses, especially if the IP addresses are from cloud or hosting providers. This is not a foolproof method of detection but you will see traces that will help you get a better understanding of your true login success ratio. If you see login success rates in the high 80s or 90s, that is abnormally high and indicative of low credential stuffing threat but high aggregator traffic. Whether or not to consider aggregators a threat is different for every business.
Where to go from here?
What do you do if you find a login success ratio that is concerning? Like with any threat, you need visibility into the attack before you can think about mitigation. Start with free options before committing to a vendor. Tying yourself up with a vendor too early can spin you in the wrong direction and end up wasting months of time. I’ve written an article on 10 things you can do to stop credential stuffing attacks which goes over some free detection methods as well as some mitigation strategies. This should be enough to get you started understanding your problem and, once you understand the scope of your issue, then you can have better conversations with security vendors. Of course we at Shape Security are available to answer questions any time of day and you can feel free to reach out to me personally on twitter.