
Shape Security Blog

Highlighting breaking news, events, and analyst commentary on cyber security from around the world


Tag: account takeover

Look, Ma, No Passwords: How & Why Blackfish uses Bloom Filters

When NIST issued guidelines in 2017 advising organizations to check new users’ credentials against a password “breach corpus,” one of the first questions was how to ensure the breach corpus itself didn’t get compromised.

Shape’s game-changing product, Blackfish, solved that problem by designing a patented approach to credential storage involving Bloom filters.

What is a Bloom filter?

A “Bloom filter” is a probabilistic data structure which can be queried for set membership, but which cannot be used to reproduce the original data that defines the set. This makes the construct ideal for storing highly sensitive data such as login credentials.

Bloom filters work by computing several independent hashes of the input datum and translating each resulting hash value into an index into a bit array; adding an item sets the bit at each of those indices. Because the same input always yields the same bit positions, a query checks those positions: if every one of them is already set, the item has probably been seen before; if any of them is still 0, the item has definitely never been added.

For example, let’s say three pieces of data are added to a Bloom filter: Red, Blue, and Green. Using the Bloom filter’s hashing algorithm, they map to the following bit vectors:

Red:   <1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0>
Blue:  <0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0>
Green: <0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0>

The Bloom filter set is the bitwise OR of these vectors:

Set:   <1,0,0,1,0,0,0,1,1,1,0,1,1,0,0,0>

Now suppose one wants to query whether “black” is in the dataset. Using the same hashing algorithm, “black” becomes

Black: <1,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0>

Because the 5th bit position is 0 in the aggregate Bloom filter set, and every one of an item’s positions must be set for it to match, we know “black” is not part of the set.

How does Blackfish use Bloom filters?

Blackfish uses Bloom filters to safely determine whether queried credentials were previously identified by Blackfish as compromised.

When a credential stuffing attack is observed on a Shape customer’s website or mobile app, Shape AI identifies the credentials used by the attacker and considers them compromised. The username and password pairs are then hashed, salted, re-hashed, and added to the Bloom filter. Once added to the set, the original credentials are destroyed.

Every time a login request is made on a Blackfish customer’s website or mobile app, Blackfish hashes the username and password combination and then checks the credential against the Bloom filter to determine if that particular username and password pair is part of the Bloom filter’s set.

If the credentials are found to be a match in the Bloom filter, Blackfish notifies the customer so that they can take appropriate action; e.g., temporarily suspend the account, force a password reset, etc.

How is a knowledge base built on Bloom filters safer from attack than a database of hashed passwords?

The underlying bit array of a Bloom filter represents the entire set of all information about all supplied data, spread across the whole array. This means that a portion of the datastore is not useful for providing meaningful information about any fraction of that data. For example, if an attacker got his hands on half of the Bloom filter set in the example above, he would not be able to leverage it in an attack, even if he had access to the hashing algorithm. All he would be able to do is determine that a certain username and password pair was not in the compromised credential set. That isn’t of much value to an attacker attempting to identify valid credentials!

Contrast this scenario with one in which an attacker gains access to a correctly salted, hashed, and/or encrypted row of a password database. With enough time and compute power (made much cheaper thanks to Bitcoin and its demand for inexpensive SHA256 hashing hardware), it is relatively straightforward to recover the subset of passwords via brute force.

How “sure” can a Bloom filter be?

As a probabilistic structure, a Bloom filter has error inherent in it as a storage medium. It is possible for an item to be identified as a member of the set when it was never added, if every one of its hash indices happens to have been set by some other member of the set. The likelihood of such a “false positive” is a function of the size of the bit array, the number of items stored in the array, and the number of hash functions applied per item. However, the datastore can be sized such that the desired level of precision is maintained, even when the datastore reaches saturation.

The likelihood that the Blackfish Bloom filter implementation will produce a false positive result is less than one in a million.
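The mechanics described above (hashing an item to k bit positions, taking the union of those positions, and answering a query with a definite “no” or a probable “yes”), the hash-salt-rehash flow Blackfish applies to a credential pair, and the sizing trade-off behind the one-in-a-million figure can all be shown in one small implementation. The following is an added example written for this page; it is not Blackfish’s code and does not claim to reproduce its patented design. It assumes SHA-256 with double hashing to derive the k indices, an HMAC with a per-deployment salt as the “hashed, salted, re-hashed” step, the standard m = −n·ln(p)/(ln 2)² and k = (m/n)·ln 2 sizing formulas, and constructed sample credentials.

```python
import hashlib
import hmac
import math


class BloomFilter:
    """Bloom filter over an m-bit array with k hash functions (assumed design)."""

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0  # items added; handy for the expected-rate estimate

    def _indices(self, item: bytes) -> list[int]:
        # Derive k bit positions from one SHA-256 digest by double hashing
        # (index_i = h1 + i*h2 mod m). This is an assumed, widely used technique.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride spreads the indices
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for idx in self._indices(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)
        self.count += 1

    def __contains__(self, item: bytes) -> bool:
        # All k positions must be set; a single 0 bit is a definite "not present".
        return all((self.bits[idx >> 3] >> (idx & 7)) & 1 for idx in self._indices(item))

    def bit_vector(self) -> list[int]:
        return [(self.bits[i >> 3] >> (i & 7)) & 1 for i in range(self.m)]


def optimal_params(n_items: int, target_fp: float) -> tuple[int, int]:
    """Bits m and hash count k so a filter holding n_items has roughly target_fp false positives."""
    m = math.ceil(-n_items * math.log(target_fp) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


def expected_fp_rate(m: int, k: int, n: int) -> float:
    """Standard estimate (1 - e^(-kn/m))^k of the false positive probability with n items loaded."""
    return (1 - math.exp(-k * n / m)) ** k


def credential_fingerprint(username: str, password: str, salt: bytes) -> bytes:
    """Hash the pair, then salt and re-hash it (one reading of "hashed, salted, re-hashed").

    The filter only ever receives this fingerprint, never the plaintext pair.
    """
    first = hashlib.sha256(f"{username}:{password}".encode("utf-8")).digest()
    return hmac.new(salt, first, hashlib.sha256).digest()


def build_corpus(compromised_pairs, salt: bytes, capacity: int, target_fp: float) -> BloomFilter:
    """Size a filter for `capacity` entries at `target_fp`, then load the compromised pairs."""
    m, k = optimal_params(capacity, target_fp)
    bf = BloomFilter(m, k)
    for username, password in compromised_pairs:
        bf.add(credential_fingerprint(username, password, salt))
    return bf


def is_known_compromised(bf: BloomFilter, username: str, password: str, salt: bytes) -> bool:
    """Login-time check: True means "probably compromised", False means "definitely not in the set"."""
    return credential_fingerprint(username, password, salt) in bf


def toy_example() -> dict:
    """16-bit filter with three hashes, in the spirit of the Red/Blue/Green illustration above."""
    bf = BloomFilter(16, 3)
    for colour in (b"red", b"blue", b"green"):
        bf.add(colour)
    return {
        "set": bf.bit_vector(),
        "members_present": all(c in bf for c in (b"red", b"blue", b"green")),
        "black_present": b"black" in bf,  # may be True: a 16-bit array saturates quickly
    }


if __name__ == "__main__":
    SALT = b"constructed-demo-salt-not-a-real-secret"  # constructed sample value
    spilled = [("alice", "hunter2"), ("bob", "letmein"), ("carol", "Summer2018!")]  # constructed
    corpus = build_corpus(spilled, SALT, capacity=10_000, target_fp=1e-6)
    print(f"m={corpus.m} bits, k={corpus.k}, "
          f"expected FP rate at capacity={expected_fp_rate(corpus.m, corpus.k, 10_000):.2e}")
    print("bob/letmein flagged:", is_known_compromised(corpus, "bob", "letmein", SALT))
    print("bob/otherpass flagged:", is_known_compromised(corpus, "bob", "otherpass", SALT))
    print("toy:", toy_example())
```

Two design points matter for the security argument in the post. First, the sizing step: for a one-in-a-million target the formulas give about 28.8 bits and 20 hash functions per stored credential, so the bit array costs a few megabytes per million entries and the false positive rate only climbs toward the target as the filter fills to its planned capacity. Second, the toy 16-bit filter shows why a tiny array is no good: with three items loaded, most of its bits are already set, and an unrelated query such as “black” may well collide; the point of the one-in-a-million figure is that a properly sized array makes that collision vanishingly rare.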

Should every organization be using Bloom filters to store passwords?

Bloom filters are a fantastic solution for secure storage of passwords when checking for password reuse, but because of the potential for false positives, however small, they are ill-suited for credential validation.

Bloom filters work well for applications where the consequences of a false positive determination are small. For example, Google’s Chrome web browser uses a Bloom filter as a first-level screen of suspicious URLs, and positive results are subjected to a second-level test to confirm the issue before a warning is issued to the user.

In Blackfish’s use case, in the one in a million chance of a false positive, an enterprise falsely believes that a user’s password is compromised and takes an appropriate action. If an enterprise were to use a Bloom filter for their own password storage that would be used to authenticate users, a false positive could mean allowing a non-authorized user access to someone else’s account.

Care to learn more? Visit shapesecurity.com/blackfish or contact blackfish@shapesecurity.com to set up a demo. 

Author Shape SecurityPosted on September 26, 2018December 21, 2018Categories Blackfish, ProductsTags account takeover

How Much Does Credential Stuffing Cost Your Business?


Eight years ago, there wasn’t even a term for the practice of testing consumers’ stolen credentials against multiple e-commerce sites to see if they’ll enable account takeovers (ATOs) and other forms of fraud. Now, the US consumer banking industry alone faces nearly $50 million per day in potential losses due to credential stuffing attacks, while online retail is experiencing losses of about $6 billion per year.

While these numbers are certainly disturbing, many readers will be asking themselves, “What does this mean for my company?” Our new Credential Stuffing Calculator can help answer that question.

Our calculator was developed based on the results of our recently released 2018 Credential Spill Report. This report includes comprehensive statistics on the sources, targets, internal workings and, most importantly for the calculator, financial consequences of credential stuffing.

The calculator provides an estimate of the financial risk for any company doing business with customers via a website or mobile APIs, based on the following variables:

  1. Total daily login attempts
  2. Percentage of logins that are credential stuffing attacks
  3. Percentage of those attacks that result in an ATO
  4. Percentage of ATOs that result in financial loss
  5. Average dollar loss per ATO
  6. Other costs per ATO. These may include fees, consultants, investigations, financial penalties and negative impact on the brand.

Automated for Convenience

Obviously, most companies that aren’t customers of Shape Security won’t know what numbers to enter in the calculator’s fields for variables 2 through 5. Even companies that have implemented IP blocks or other “I am not a robot” technologies can’t be sure about these numbers because today’s most sophisticated (and most successful) attackers use technology that can easily defeat traditional security measures.

For this reason, our Credential Stuffing Calculator automatically fills in these variables for the four most frequently attacked industry sectors: consumer banking, retail (e-commerce), airlines and hotel chains, based on industry data we’ve gathered and analyzed in the course of protecting literally billions of accounts. (Some users will probably be shocked at the percentage of logins in their industry that are both automated and hostile.)

In addition to the automatic fill-in feature, variables 2 through 5 can also be manually adjusted. This allows users to calculate upper and lower limits to the estimated risk, i.e. worst case and best case scenarios. This also enables users outside of the four target industries to enter values that seem appropriate.

Variable 6, Other costs per ATO, is a somewhat softer number, but these costs are often very high. For example, according to one study, a third of the companies that experienced a major data breach in 2016 lost 20 percent of their customers. Beyond damage to a brand’s reputation, there are fines, notification costs and remediation costs for IT systems that also come into play.

Evaluating the Result

The Credential Stuffing Calculator lets companies quantify their risk, based on statistical averages calculated from actual industry data, and gives them a ballpark number to help them decide how much they should consider spending to protect themselves (and their customers) against credential stuffing. The 2018 Credential Spill Report provides even more information to help companies understand the precise nature of the threat facing them.

Credential stuffing is a relatively new problem, and it’s serious. Understanding how it works and quantifying its consequences are critical steps for companies that want to fight back.

Try the Credential Stuffing Calculator now.

Author Shape SecurityPosted on August 21, 2018December 21, 2018Categories Credential Stuffing, Threat LabTags account takeover, automated attacks, credential stuffing

How Starbucks Combats Account Takeover (ATO)


Account Takeovers (ATOs) and credential stuffing represent a huge threat to the retail industry. In fact, they pose major problems for any vertical in which customers tend to reuse passwords for multiple accounts. Password reuse makes compromised credentials even more valuable to cyber criminals.

Starbucks recognized this threat more than four years ago, before it was well understood by the industry at large. As Starbucks Director of InfoSec Mike Hughes said in a recent Shape Security webcast, “We started to put eyes on the issue in 2013, looking at it holistically as a problem for the industry and, as a member of the industry, something we would be facing and dealing with.”

Traditional Approaches Fail to Stop ATO

Before 2014, Starbucks relied on traditional security approaches such as throttle rate limits, web application firewalls (WAFs) and IP blocking via CDN bolt-on solutions. None of these worked against persistent and highly sophisticated credential-stuffing attacks. “We had short periods of small efficacy,” said Hughes, “but then came the retooling [by the attackers], and we wouldn’t be able to contain the attack for more than eight to ten hours.” The result was a Whack-A-Mole situation, with a new attack cropping up the moment the old one was blocked.

Shape Enterprise Defense contained the attackers decisively, said Hughes. “We were able to put blocks in place that had a lasting effect.”

Fighting Sophisticated Hackers Takes Total Focus

Shape’s total focus on security is key to its long-term efficacy, Hughes said. He characterized the blocking of bots as “a data analytics problem that needs to be addressed continuously, not a milestone where you achieve protection and then you’re done.” In Hughes’ view, the bolt-on solutions of CDN providers are not sufficient, because “their primary investment structures are around the CDN, not security.” Purpose-built solutions, like Shape’s, have the requisite focus.

Another differentiator for Shape is its advanced signal collection and analysis, which is necessary to deal with today’s hard-to-detect attacks. “If we look back to 2013 or 2014, we saw very bursty attacks,” said Hughes. “They had all sorts of flags. Now, the effort criminals will go to use a headless browser with tools such as PhantomJS to mimic signal telemetry is incredible. They are getting very advanced at masking.”

He also pointed out the value of Shape’s customer base, which includes banking and other verticals beyond retail — enabling Shape to train its ML models with the most advanced attack dataset and create higher efficacy countermeasures. “The broader footprint of other verticals that you can apply back to the data creates more efficacy. When you take a financial institution’s attack profile and risk surface for ATO and train the model against the one for retailers, you’re actually enhancing [your efforts] in a way that you can’t with a simple algorithm.”

With Shape’s Blackfish, Starbucks Can Identify Compromised Credentials

By adding Shape’s Blackfish product, Starbucks further bolstered its security posture. Through patented technology, Blackfish stores mathematical representations of known compromised credentials (not the credentials themselves) obtained from its extensive customer network. It can therefore identify compromised credentials in near real time, even before a breach has been discovered. This collective defense against fraud gives Starbucks customers proactive protection from the threat of an ATO.

“Blackfish gives us the ability to remediate customer issues before the customer experiences them,” said Hughes. “It’s a proactive approach to taking care of security and the customer.” When Starbucks becomes aware of a problem, it notifies customers and suggests an immediate password reset.

Securing Benefits Beyond Security

In addition to sustained efficacy in the real-time blocking of attacks, Hughes cited two other important Shape benefits. One was ease of deployment.

“There was zero effort required from the development teams to place the solution inline,” said Hughes, “and very little effort required from the infrastructure and data center teams. When you can go from no data transiting the devices to full block in less than two weeks, that’s a win. I have no other vendors who can get there that quickly.”


A second benefit was reduced infrastructure load. “Looking holistically across retail, upwards of ninety percent of login activity is non-human bot traffic. That means you’re creating tremendous amounts of load. Blocking that means a significant ease on the infrastructure.”

Fraud Isn’t Going Away

The risk of cybercrime and internet fraud has become a fact of life for every transaction involving the internet, and there’s no end in sight. As Hughes put it, “The barrier to entry is so low, the return is so high and the risk of being caught is so low, this isn’t going away.” Starbucks is engaged in a long-term battle to block bots, ATO and credential stuffing attacks — and Shape plans to be there every step of the way.

[ Watch the full video ]

Author Shape SecurityPosted on June 28, 2018December 21, 2018Categories Products, Shape Enterprise DefenseTags account takeover, automated attacks, Bots, credential stuffing, Security Trends, Webinar

How Cybercriminals Monetize Ecommerce Fraud


E-commerce fraud has grown to the point where it’s a now a bigger drain on retail profits than shoplifting or inventory shrinkage. Based on the information we’ve gathered defending many of the largest retailers, banks and airlines in the world against cyber crime, there are three attack modes that carry particularly high risks for retailers:

  • Account takeover (credential stuffing)
  • Fake account creation
  • Gift card cracking

Ecommerce chargeback costs for retailers, the biggest financial hit associated with account takeovers, have now reached $40 billion per year. Fake account creation and gift card cracking, while less well documented, also result in substantial losses.

All three of these attack modes rely on compromised authentication credentials and their rapid monetization. Credential theft carried out on the scale that’s common today requires considerable time and effort, not to mention technical skill. Why do cyber crime organizations persist? One of our customers, Starbucks Director of InfoSec Mike Hughes, has a simple answer. “The risk is so low, and the reward is so high.”

He’s right. The take for a successful bank robbery runs between $5,000 and $7,000 at best. In 2016 there were eight deaths associated with bank robberies. Seven of them were perpetrators. The same amount of money could be obtained by cracking between 100 and 150 gift cards (at an average value of about $45 per card), and the risk of being caught, much less killed, is almost zero.

Here’s a closer look at how cyber crime organizations monetize the results of their three favorite attacks.

Account Takeover

The bad actors who engage in credential stuffing to gain control of credit card accounts don’t always monetize those compromised accounts directly. In one common theft chain model, they sell the card information to brokers, who add value by sorting them geographically, determining credit limits and even purchase histories in some cases.

These brokers in turn sell the cards to so-called “carders,” typically in lots of one hundred or one thousand. The carders may use the compromised cards to make high-value purchases, most often electronics such as flat-screen TVs or smartphones. In this case, the goods are usually shipped to a new address where “mules” aggregate the illegitimate purchases and ship them overseas to be sold at perhaps 50 percent of their market value.

In a variant of this scheme, carders create fake physical cards which they supply to mules who actually make in-store purchases, although this method obviously carries more risk than card-not-present (CNP) transactions. Carders may also engage in refund fraud.

Fake Account Creation

Creating fake accounts, also known as synthetic fraud, is a growing problem now that chip-bearing EMV credit cards are gaining traction. Creating fake accounts at scale requires automation or low-wage workers often referred to as “mechanical Turks,” but the rewards can be high. One monetization scheme cashes in on new-account promotions, whose value can be substantial, particularly when a cyber crime organization is dealing with hundreds of fake cards at any given time.

Another scheme is a long game, where fake cards are used to make small purchases and paid off every month until their credit limits grow. Fraudsters can then max out the fake card on high-value items, running up a bill they will never pay.

Gift Card Cracking

There are several monetization options for compromised gift cards. Cards can simply be sold for cash via legitimate card exchange sites that may offer rates as high as 60 percent of a card’s value. Other sites enable cyber crime organizations to auction off cards to the highest bidder.

The worst case scenario is when a gift card is connected to another account, such as a credit card account. In this case, fraudsters can use the gift card to drain the connected account.

Beyond monetization, gift cards have two other functions. It’s not uncommon for fraudsters to transfer money from a stolen credit card to a gift card before spending it, because this makes the transaction harder to trace. Gift cards are also a very convenient vehicle for money laundering.

The Bottom Line Is the Bottom Line

Cyber criminal organizations, like legitimate businesses, have a strong focus on the bottom line. They engage in account takeover, fake account creation and gift card cracking because these activities are extremely lucrative. As long as they can continue to reap huge profits, they will pose a continuing threat.

To learn more about the mechanics of these attacks, and how they can be stopped in their tracks before any loss occurs, watch our newest webinar, The 3 Most Expensive Types of eCommerce Fraud.

Author Shape SecurityPosted on June 12, 2018December 21, 2018Categories Shape Network, Threat LabTags account takeover, automated attacks, Botnets, Bots, credential stuffing, Security Trends

World Password Day keeps coming and going, but password reuse sticks around


Password reuse allows fraudsters to use credentials stolen on one website to take over accounts on other sites.

It’s World Password Day again, the day created to herald the guardians of our corporate secrets, personal correspondence, medical information, purchasing information and, of course, our money.

The scary fact is this: As guardians of our identity, passwords aren’t doing a very good job. As a matter of fact, according to the most recent edition of the Verizon Data Breach Investigations Report, 81 percent of the breaches involved stolen or weak passwords. Why aren’t passwords protecting our accounts the way they should?

Good passwords are hard to create and easy to forget

On the IT side, password issues are the number-two problem faced by help desks, second only to, “My printer won’t print.” And, for businesses as a whole, password issues are a major source of friction, especially for retail transactions. A recent UK study indicates that strict password rules can lead to a checkout abandonment rate of 18.75%—almost one in five buyers. For users, the picture is just as bad. According to an Intel study, the average individual has 27 passwords. The same study reported that 37% of us forget at least one password per week, not that we need statistics to confirm that remembering passwords is difficult.

And this difficulty leads to one of the most common—and dangerous—password practices around: password reuse. Almost half of us use the same password on multiple accounts. This means that, more often than not, the theft of one password will compromise multiple accounts.

Passwords are not going away any time soon

If passwords are so much trouble and lead to so much risk, why do they still play such a dominant role in security? The answer is, at least for now, that no better alternative exists.

Multi-factor authentication (MFA) is often put forth as a solution to the shortcomings of passwords, but MFA itself has problems. To begin with, it adds friction to every transaction. Biometric authentication reduces friction, but woe to those whose biometric credentials are compromised: You can’t change your fingerprints or your iris image. You can’t change your mother’s maiden name, either, which is why challenge questions aren’t a perfect solution; their answers can also be stolen. Token-based MFA, meanwhile, is inconvenient, especially when the token is a physical object that can be forgotten, lost or stolen.

Undiscovered stolen passwords are a big problem

High-profile breaches at companies like Equifax, Anthem, and Yahoo have put the problem of stolen passwords in the headlines. In response, companies have set up password defenses—but they tend to do so only after discovering a breach. The window of time between breach and discovery can be weeks, even months—and it’s during this window that companies and their consumers face the most risk.

The greatest window of risk is the period of time between the date of the breach and the date of its discovery.

During this period, neither users nor the breached organizations (retail chains, banks, etc.) are aware that there’s a problem. Cybercrime organizations have free rein to pilfer the vulnerable accounts—and they do. Then, when they’re finished extracting as much value as they can, they post the stolen passwords on the dark web, where other criminals can buy and use them on as many sites as they can. The monetization of stolen passwords, carried out at scale via automated attacks such as credential stuffing, costs more than $10 billion in fraud losses annually.

Protecting customers from themselves

Living in the password economy comes with certain responsibilities. Among them, we must prevent fraudsters from using stolen credentials on any web site as soon as they’re stolen. Shape Security’s Blackfish technology does just that.

Here’s how it works. Shape Security protects more than 1.4 billion user accounts at some of the world’s largest brands from automated attacks. We know immediately when a password at one of these sites has been compromised. Blackfish, in turn, can immediately alert companies when a stolen password is used on their web or mobile applications. Then companies can take action such as a forced password reset, a step-up authentication flow, or placement on a watch list.

Say goodbye to World Password Day?

By lowering the success rate of automated attacks, Blackfish actually changes the economics of these forms of cybercrime. When success rates drop, so do the profits of the organizations perpetrating them. They may be forced to shut down operations—or at least look to cause trouble elsewhere.

Maybe one day we can say goodbye to World Password Day.

Author Shape SecurityPosted on May 3, 2018December 21, 2018Categories Security Trends, Shape PerspectivesTags account takeover, automated attacks, Bots, credential stuffing, Security Trends

How Big Banks Fight Online Fraud


Three top strategies fraudsters use against banks—and how they can be defeated.

When it comes to cybercrime, banks have a target on their back. In fact, financial institutions in general are one of the prime hunting grounds for hacking organizations. In 2017 there were 134 data breaches in the banking industry, resulting in 3.1 million compromised records. Equifax, one of the three largest credit agencies in the U.S., suffered a breach involving as many as 143 million consumers.

While the exploits that hit major brands make the news, small institutions are by no means safe. In 2016, banks and credit unions with less than $35 million in annual revenue accounted for 81 percent of hacking and malware breaches at financial institutions, up from 54 percent the year before.

Shape protects three of the top four banks in the U.S. Working with them has given us important insights into the current threats that banks are most likely to encounter, and the defensive strategies that work. After tackling the biggest threat, account takeover via credential stuffing, the most common online fraud problems stem from man-in-the-browser attacks, relationships with financial aggregators, and manual attacks using stolen identities.

Man-in-the-Browser

Man-in-the-browser (MITB) attacks are initiated by client desktops, laptops, smartphones and other devices that have become infected with malware inadvertently downloaded by a user—typically by clicking on a malicious link in an email. Once in place, the malware continuously watches all the web traffic on the user’s device. When the user’s browser downloads a page from a bank that’s been targeted for attack, the malware interposes itself between the bank’s web application and the user’s browser.

Sitting between the two, it can do whatever it wants and remain undetected. It can pretend to be the user and send unauthorized transactions. It can modify transactions, e.g. by changing the beneficiary details on a payment. It can also scrape PII and user credentials.

One of the most difficult problems with MITB exploits is the fact that they originate from the client’s device, over which banks have no control. Many banks believe that multi-factor authentication (MFA) can foil MITB. This is not always the case, as digital wallet start-up Zelle learned the hard way. When that company was attacked, the malware allowed the fraudsters to loiter until end users authenticated themselves using MFA, and then manipulated their transactions.

Financial Aggregators

By consolidating information from multiple financial accounts in one place, financial aggregators make it easy for their customers to get a global picture of where they stand and easily track their spending. But with this convenience comes a significant security risk.

Shape has observed that aggregators make up 20% of a typical bank’s traffic and log in 2.5 times as often as real users. Furthermore, banks themselves often relax their security procedures when dealing with an aggregator. As a result, bad actors use aggregators as a backdoor into banks because they know their traffic is much less likely to be blocked.

For large banks, tracking login patterns is a key weapon against aggregator-based fraud. The trick is to distinguish between good and bad traffic. Shape Security solutions achieve this through the use of real-time statistical analysis and pattern recognition. When a suspicious pattern reveals an exploit in progress, this information can be used to trigger a defensive response.

Manual Fraud

Fraudsters typically use manual methods to apply for credit cards using stolen identities. They buy “fullz” files on the dark web that include a credit card number, CVV and expiration date, plus the cardholder’s name, address, email address, SSN and even security question responses. With this information, fraudsters could easily indulge in an online shopping spree, or apply for new cards, changing only the physical and email addresses. Fraudsters can typically apply for a few dozen cards per day, or they can use human farms and complete several hundred card applications per day. Once they get approvals, they can have access to thousands of dollars per card.

Learn How Shape Fights Fraud

Join our live threat briefing: How 3 of the Top 4 US Banks Defeat Account Takeover & Manage Aggregators as we go into detail about the tactics big banks use to protect their customers, and how all banks can leverage this knowledge to fight fraudsters and win. Sign up now

Author Tafara MuwandiPosted on April 19, 2018December 21, 2018Categories Shape Network, Threat LabTags account takeover, Content Aggregators, Financial Aggregators, Man-in-the-browser, Manual Fraud, Security Trends, Webinar

Complying with NIST Guidelines for Stolen Passwords


It seems everyone today is talking about stolen passwords, but this is an older problem than people realize. Protecting your enterprise from credential stuffing attacks and account takeover as a result of stolen credentials is at the heart of the discussion—and as more business moves online it’s an increasingly expensive problem.

The Stolen Password

During the final phase of the Peloponnesian War,[1] a series of tactical errors led to the defeat of the superior Athenian forces. Among the many errors was an inadequate identification system, reliant on a shared watchword. At the final and crucial battle of Syracuse, the besieged Syracusan army discovered the Athenian watchword that was used for identifying allies. Quietly disseminating this password between them, the Syracusan forces created havoc during a nighttime battle, preventing the dazed Athenian forces from distinguishing ally from foe and ultimately leading to their devastation.[2]

Step forward a few thousand years to the 1960s, when limited computing resources at MIT resulted in the Compatible Time-Sharing System. Given the limited power of computers at the time, a short phrase was the simplest way to identify users on the platform. But the first password breach soon followed when, in 1962, Allan Sherr, looking for a way to increase his allotted time on the platform, managed to request a printout of the entire password file.[3]

Since then, the history of the password remains consistently problematic. Passwords are complicated, easily forgotten, and usually represent a single point of failure. Wake up to find your password compromised and the results, although not quite as devastating as for the Athenians, can often be financially or socially shattering. In efforts to make passwords themselves more secure, increasingly arbitrary rules on their construction have been enforced. Unfortunately, these rules often force users to adopt practices that directly contradict the intent, driving users to adopt the same password across websites,[4][5][6] or preventing the use of tools like password managers.

Meanwhile, despite growing awareness of multi-factor authentication systems, statistics around adoption rates are difficult to find and are widely thought to be worryingly low.

Introducing NIST

NIST (or the National Institute of Standards and Technology) is a non-regulatory United States government agency with a mission to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”[7] Within this mandate, NIST has established the NIST Cybersecurity Framework. The original intent was to develop a voluntary framework to help organizations manage cybersecurity risk across critical infrastructure, but the framework has been adopted much more widely throughout the world. Of particular interest is the four-volume Special Publication 800-63 on Digital Identity Guidelines, which is available on the NIST Website and NIST GitHub. It includes:

  • 800-63-3: Digital Authentication Guideline (overview)
  • 800-63A: Enrollment & Identity Proofing
  • 800-63B: Authentication & Lifecycle Management
  • 800-63C: Federation & Assertions

Password Guidance, the In-and-Out

Section 10.2 of 800-63B includes updated rules which contradict much of the conventional wisdom on passwords.

In:

  • Support passwords of at least 64 characters, allow spaces, and encourage users to make passwords as long as possible to encourage the use of passphrases.
  • Compare new passwords to a dictionary and don’t allow common, easily-guessed passwords (such as password, abc123, etc.).
  • Offer the option to display the password, rather than dots or asterisks.

Out:

  • Don’t enforce composition rules (no more: your password should include upper and lower case characters, and at least one number). These encourage passwords with the illusion of complexity, like Passw0rd, which any dictionary attack will take into account.
  • Don’t use password hints, as users tend to populate these hints with enough information to make guessing the password trivial. Instead, focus on supporting easily memorized passwords and phrases.
  • Don’t expire passwords unless there’s a user request or evidence of authenticator compromise.
  • Don’t use Knowledge Based Authentication (e.g. what was the name of your childhood pet?).
  • Don’t use SMS as a 2-Factor Authentication method.

Updated Password Storage Guidance

NIST also includes guidance on encryption and storage of user passwords. As we’ve seen from previous breaches, weak and reversible encryption lets attackers access vast sets of credentials that can easily be used against other sites.[8] To limit the effect of breaches on other sites, NIST recommends that:

  • Passwords should be salted and hashed using a suitable one-way key derivation function.
  • Use an approved key derivation function such as PBKDF2 with SHA-1, SHA-2, or SHA-3 and at least 10,000 iterations.

Breach Corpuses

The appendix of 800-63B lays out some hard truths about the choices we make as users:

Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.

Maintaining a list of compromised credentials from previous breaches is a noble effort, but there are a number of factors to balance. For example, Facebook attracted criticism when it announced in 2016 that it had been purchasing credentials from the dark web[9] in order to secure its own users. Such purchases could effectively help power the market, funding and encouraging further breaches and supporting the black market credential ecosystem. Plus, the huge window of time that exists between a data breach and the eventual emergence of the stolen credentials means that traditional breach corpus lists are often ineffective – and that’s something Shape Security is addressing with Blackfish. Shape co-founder Sumit Agarwal explains it best:

Shape has grown into one of the largest processors of login traffic on the entire web. We have built machine learning and deep learning systems to autonomously identify credential stuffing attacks in real-time. These systems now generate an important byproduct: direct knowledge of stolen usernames and passwords when criminals are first starting to exploit them against major web and mobile apps. What this means is that we see the stolen assets months or years before they appear on the dark web.

Of course, once you’ve found a way to compile it, a vast list of the freshest credentials is itself a major target, so to minimize risk (as well as ensure absolute compliance with regulations such as GDPR), Shape does not store any direct username/password pairs but instead leverages a probabilistic data structure called a Bloom filter.
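The In/Out rules, the storage guidance and the breach-corpus blocklist described above, put together as one verifier-side implementation, with the blocklist held in a Bloom filter in the spirit of the Blackfish design just mentioned. This is an added example, not Shape’s or NIST’s code; the breach corpus, dictionary words, service name and the MIN_LENGTH, MAX_LENGTH and false-positive-rate parameters are constructed assumptions.

```python
"""Verifier-side password handling along the lines of the 800-63B guidance
quoted above. Added example, not Shape's or NIST's code; the blocklist
entries, service name and size parameters below are constructed."""
from __future__ import annotations

import hashlib
import hmac
import math
import os
import unicodedata

MIN_LENGTH = 8               # assumption: the verifier's own minimum for user-chosen passwords
MAX_LENGTH = 128             # assumption: verifier's cap; the guidance says to support at least 64
PBKDF2_ITERATIONS = 10_000   # "at least 10,000 iterations" with an approved hash (SHA-2 here)
SERVICE_NAME = "examplestore"  # constructed: a service-specific word users are likely to pick


def normalize(text: str) -> str:
    """Unicode-normalize so visually identical strings compare equal (assumption: NFKC)."""
    return unicodedata.normalize("NFKC", text)


class BloomFilter:
    """Bit array plus k hash positions per item: membership queries can give
    false positives but never false negatives, and the stored passwords cannot
    be read back out of the bits. Sizing uses the standard m and k formulas."""

    def __init__(self, capacity: int, fp_rate: float = 1e-6) -> None:
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str) -> list[int]:
        # Double hashing: k indexes derived from two halves of one SHA-256 digest.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so every bit is reachable
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def build_blocklist(breach_corpus, dictionary_words, service_name=SERVICE_NAME) -> BloomFilter:
    """Blocklist as the appendix describes: breached passwords, dictionary words and
    service-specific words. Entries shorter than MIN_LENGTH are dropped, since the
    length check already rejects them; comparison is case-insensitive (assumption)."""
    entries = {normalize(w).casefold() for w in [*breach_corpus, *dictionary_words, service_name]
               if len(w) >= MIN_LENGTH}
    bloom = BloomFilter(capacity=max(len(entries), 1))
    for entry in entries:
        bloom.add(entry)
    return bloom


def check_password(password: str, blocklist: BloomFilter) -> tuple[bool, str]:
    """Length plus blocklist only: no composition rules, spaces allowed, no hints."""
    password = normalize(password)
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if len(password) > MAX_LENGTH:
        return False, "too long"
    if password.casefold() in blocklist:
        return False, "found in blocklist"
    return True, "ok"


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored with its parameters so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample data: a tiny "breach corpus" and dictionary.
BREACH_CORPUS = ["Passw0rd", "password", "abc123", "letmein1", "qwerty123"]
DICTIONARY = ["sunshine", "horse", "battery", "staple"]
BLOCKLIST = build_blocklist(BREACH_CORPUS, DICTIONARY)

if __name__ == "__main__":
    for candidate in ["Passw0rd", "abc123", "ExampleStore", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, BLOCKLIST)}")
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```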

Conclusion

As Jim Fenton, one of the publication contributors, points out, “If it’s not user friendly, users cheat.”[10] Frustrating password policies have been long overdue for an overhaul and the new NIST Digital Identity Guidelines rightly place the burden upon the verifier, not the user. While verifiers of users should ensure they’re following the guidelines to give users the best chance of securing their accounts, they should also take additional steps to ensure that security breaches originating from outside their own organization are stopped before they create more damage closer to home. In light of the recent FTC ruling on credential stuffing, it might be more than just best practices that encourage verifiers to comply.

To learn more about NIST guidelines, stolen credentials and the breach corpus, watch “After the Data Breach” – a live webinar with Justin Richer, co-author of NIST Special Publication 800-63B.

________________

[1] https://en.wikipedia.org/wiki/Peloponnesian_War

[2] http://perseus.uchicago.edu/perseus-cgi/citequery3.pl?dbname=GreekTexts&getid=1&query=Thuc.%207.44.6

[3] https://it.slashdot.org/story/12/01/28/024220/how-allan-scherr-hacked-around-the-first-computer-password

[4] https://nakedsecurity.sophos.com/2013/04/23/users-same-password-most-websites/

[5] https://www.infoworld.com/article/2623504/data-security/study-finds-high-rate-of-password-reuse-among-users.html

[6] https://mashable.com/2017/02/28/passwords-reuse-study-keeper-security/

[7] https://www.nist.gov/director/pao/nist-general-information

[8] https://medium.com/shape-security/2017-credential-spill-report-1ec31c411472

[9] https://www.csoonline.com/article/3142404/security/security-experts-divided-on-ethics-of-facebooks-password-purchases.html

[10] https://www.slideshare.net/jim_fenton/toward-better-password-requirements

Author: Chris Fuller. Posted on March 1, 2018; last updated December 21, 2018. Categories: Best Practices, Shape Perspectives. Tags: account takeover, automated attacks, credential stuffing, NIST, Security Trends

Biggest Threat to Retail? (hint: it’s not Amazon)

Retailers lost a whopping $57B to online attacks in 2017, eclipsing losses from shoplifting and inventory shrinkage. The biggest online threat: “Account takeover,” or ATO, wherein fraudsters steal the credentials of legitimate customers. Attackers aren’t just hurting bottom lines; they’re also harming consumer faith overall.

Attacks are escalating in size and scope. By December 2017, some 10 million credentials were spilling onto the web each day. Criminals, working in concert across time-zones and national boundaries, use those credentials to overwhelm even the savviest retailers. Big investments in security, by themselves, haven’t foiled these attacks.

The stark reality for every e-commerce retailer today is that online fraud is the biggest threat to your business.

So what is a retailer to do?

Shape’s answer might surprise you: We believe that retailers should run in packs. Just as criminals share information and ingenuity across networks, so too retailers must band together to defeat them—both by understanding the threat and by developing cross-company defenses.

There is Safety in Numbers

Already, many retailers have joined industry groups like the Retail Cyber Intelligence Sharing Center and the Merchant Risk Council, where they trade tips about criminal activity and how to respond. Some retailers are also deploying collective defense capabilities. A network like Shape’s Blackfish uses real-time attack data from many of the world’s largest consumer sites. Then Blackfish can alert companies in the network to known threats, so they can block them—before an attack even takes place.

Collective defense capabilities help retailers defeat many of the most dangerous online attacks.

Top Three Online Attacks Against Retailers

1) Credential Stuffing

Easy, effective and powerful, credential stuffing is a tool of choice for cybercriminals—and is the fastest-growing security issue facing retailers today.

How it works: Criminals grab readily available usernames and passwords and use them to attack retail websites. On a typical retail website, credential stuffing makes up 50-70% of total traffic. In some cases, that number exceeds 95%. Once they get in, criminals can make purchases using credit cards linked to the account or drain gift cards.

Credential stuffing is difficult to eliminate because criminals adapt to defensive measures quickly, often within 12 to 24 hours. They’re able to invest in rapid response because the profit margins are high. Defeating credential stuffing is very difficult for a single retailer in isolation—but is manageable as part of a network of allied retailers.

2) Creating Fake Accounts

With a fake account, a criminal can exploit stolen credit cards, defraud other users, reap new-customer perks, and much else. Creating fake accounts at scale requires either automation (i.e. programs that impersonate real users) or mechanical Turks (low-wage workers). Either way, the traffic flows through the same channels as legitimate new customer accounts.

The last thing a retailer wants to do is to muck up that channel—or introduce any sort of friction for new customers. That’s why a solution that protects against automated and manual fraud is critical. It can eliminate fake accounts without affecting real users at all.

3) Cracking Gift Cards

Gift card cracking occurs when criminals correctly guess a valid gift card number which has a non-zero balance. At that point, the criminals either transfer the balance to a card they control, or sell the card on a site like Raise.com or eBay.

How does the criminal guess a valid number? He gets a little help from the retailers. Every retailer operates a website or mobile app that allows customers to make purchases or check gift card balances. Criminals exploit these portals. They use programs that impersonate real users and try every possible gift card number. Soon enough, the criminal will have a trove of valid gift card numbers primed for crime.

Customer-selected PINs and other authorization steps have proven flimsy defenses—and so, retailers often face a difficult choice. Many preventative measures create more friction for their customers. But with a real-time adaptive application defense system, retailers can actually block attacks without customers even realizing it.

Additional Reading

Here are some additional resources to help you stay ahead of the threats:

  • NIST provides digital identity guidelines on detecting stolen passwords
  • R-CISC is a community for cybersecurity practitioners in the retail industry
  • MRC is an industry association for e-commerce payment and risk professionals

To learn more about these threats, explore new attack techniques from the holiday season and best practices we observed from Top 10 Retailers, watch our Retail Threat Intelligence Briefing webinar on-demand.

Author: Shape Security. Posted on February 9, 2018; last updated December 21, 2018. Categories: Shape Network, Threat Lab. Tags: account takeover, credential stuffing, fake account creation, gift card cracking, r-cisc, retail, Security Trends

How Cybercriminals Bypass CAPTCHA

The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), was originally designed to prevent bots, malware, and artificial intelligence (AI) from interacting with a web page. In the 90s, this meant preventing spam bots. These days, organizations use CAPTCHA in an attempt to prevent more sinister automated attacks like credential stuffing.

Almost as soon as CAPTCHA was introduced, however, cybercriminals developed effective methods to bypass it. The good guys responded with “hardened” CAPTCHAs but the result remains the same: the test that attempts to stop automation is circumvented with automation.

There are multiple ways CAPTCHA can be defeated. A common method is to use a CAPTCHA solving service, which utilizes low-cost human labor in developing countries to solve CAPTCHA images. Cybercriminals subscribe to a service for CAPTCHA solutions, which are fed into their automation tools via APIs and used to populate the answers on the target website. These shady enterprises are so ubiquitous that many can be found with a quick Google search, including:

  • DeathbyCAPTCHA
  • 2Captcha
  • Kolotibablo
  • ProTypers
  • Antigate

This article will use 2Captcha to demonstrate how attackers integrate the solution to orchestrate credential stuffing attacks.

2Captcha

Upon accessing the site 2Captcha.com, the viewer is greeted with the image below, asking whether the visitor wants to 1) work for 2Captcha or 2) purchase 2Captcha as a service.

[image5: 2Captcha landing page]

Option 1 – Work for 2Captcha

To work for 2Captcha, simply register for an account, providing an email address and PayPal account for payment deposits. During a test, an account was validated within minutes.

New workers must take a one-time training course that teaches them how to quickly solve CAPTCHAs. It also provides tips such as when case does and doesn’t matter. After completing the training with sufficient accuracy, the worker can start earning money.

[image4: 2Captcha workspace screen]

After selecting “Start Work,” the worker is taken to the workspace screen, which is depicted above. The worker is then provided a CAPTCHA and prompted to submit a solution. Once solved correctly, money is deposited into an electronic “purse,” and the worker can request payout whenever they choose. There is seemingly no end to the number of CAPTCHAs that appear in the workspace, indicating a steady demand for the service.

[2captcha_gif: animated capture of the workspace]

2Captcha workers are incentivized to submit correct solutions much like an Uber driver is incentivized to provide excellent service—customer ratings. 2Captcha customers rate the accuracy of the CAPTCHA solutions they received. If a 2Captcha worker’s rating falls below a certain threshold, she will be kicked off the platform. Conversely, workers with the highest ratings will be rewarded during times of low demand by receiving priority in CAPTCHA distribution.

Option 2 – 2Captcha as a service

To use 2Captcha as a service, a customer (i.e., an attacker) integrates the 2Captcha API into her attack to create a digital supply chain, automatically feeding CAPTCHA puzzles from the target site and receiving solutions to input into the target site.

2Captcha helpfully provides example scripts to generate API calls in different programming languages, including C#, JavaScript, PHP, Python, and more. The example code written in Python has been reproduced below:

[image2: 2Captcha’s Python example script]

Integrating 2CAPTCHA into an Automated Attack

How would an attacker use 2Captcha in a credential stuffing attack? The diagram below shows how the different entities interact in a CAPTCHA bypass process:

[image3: CAPTCHA bypass process diagram]

Technical Process:

  1. Attacker requests the CAPTCHA iframe source and URL used to embed the CAPTCHA image from the target site and saves it locally
  2. Attacker requests API token from 2Captcha website
  3. Attacker sends the CAPTCHA to the 2Captcha service using HTTP POST and receives a Captcha ID, a numerical ID associated with the CAPTCHA image that was submitted to 2Captcha. The ID is used in step 5 for an API GET request to 2Captcha to retrieve the solved CAPTCHA.
  4. 2Captcha assigns the CAPTCHA to a worker who then solves it and submits the solution to 2Captcha.
  5. Attacker’s script polls 2Captcha using the CAPTCHA ID (every 5 seconds until solved), and 2Captcha then returns the solved CAPTCHA. If the CAPTCHA is still being solved, the attacker receives a response from 2Captcha indicating “CAPTCHA_NOT_READY” and the script tries again 5 seconds later.
  6. Attacker sends a login request to the target site with the fields filled out (i.e. a set of credentials from a stolen list) along with the CAPTCHA solution.
  7. Attacker iterates over this process with each CAPTCHA image.

Combined with web testing frameworks like Selenium or PhantomJS, an attacker can appear to interact with the target website in a human-like fashion, effectively bypassing many existing security measures to launch a credential stuffing attack.

Monetization & Criminal Ecosystem

With such an elegant solution in place, what does the financial ecosystem look like, and how do the parties each make money?

Monetization: CAPTCHA solver

Working as a CAPTCHA solver is far from lucrative. Based on the metrics provided on 2Captcha’s website, it’s possible to calculate the following payout:

Assuming it takes 6 seconds per CAPTCHA, a worker can submit 10 CAPTCHAs per minute or 600 CAPTCHAs per hour. In an 8 hour day that’s 4800 CAPTCHAs. Based on what was earned during our trial as an employee for 2Captcha (roughly $0.0004 per solution), this equates to $1.92 per day.

This is a waste of time for individuals in developed countries, but for those who live in locales where a few dollars per day can go relatively far, CAPTCHA solving services are an easy way to make money.

Monetization: Attacker

The attacker pays the third party, 2Captcha, for CAPTCHA solutions in bundles of 1000. Attackers bid on the solutions, paying anywhere between $1 and $5 per bundle.

Many attackers use CAPTCHA-solving services as a component of a larger credential stuffing attack, which justifies the expense. For example, suppose an attacker is launching an attack to test one million credentials from Pastebin on a target site. In this scenario, the attacker needs to bypass one CAPTCHA with each set of credentials, which would cost roughly $1000. Assuming a 1.5% successful credential reuse rate, the attacker can take over 15,000 accounts, which can all be monetized.

Monetization: 2Captcha

2Captcha receives payment from the Attacker on a per 1000 CAPTCHA basis. As mentioned above, customers (i.e. attackers) pay between $1 and $5 per 1000 CAPTCHAs. Services like 2Captcha then take a cut of the bid price and dole out the rest to their human workforce. Since CAPTCHA solving services are used as a solution at scale, the profits add up nicely. Even if 2Captcha only receives $1 per 1000 CAPTCHAs solved, they net a minimum of 60 cents per bundle. The owners of these sites are often in developing countries themselves, so the seemingly low revenue is substantial.

What about Google’s Invisible reCAPTCHA?

In March 2017, Google released an upgraded version of its reCAPTCHA called “Invisible reCAPTCHA.” Unlike “no CAPTCHA reCAPTCHA,” which required all users to click the infamous “I’m not a Robot” button, Invisible reCAPTCHA allows known human users to pass through while only serving a reCAPTCHA image challenge to suspicious users.

You might think that this would stump attackers because they would not be able to see when they were being tested. Yet, just one day after Google introduced Invisible reCAPTCHA, 2CAPTCHA wrote a blog post on how to beat it.

The way Google knows a user is a human is if the user has previously visited the requested page, which Google determines by checking the browser’s cookies. If the same user started using a new device or recently cleared their cache, Google does not have that information and is forced to issue a reCAPTCHA challenge.

For an attacker to automate a credential stuffing attack using 2Captcha, he needs to guarantee a CAPTCHA challenge. Thus, one way to bypass Invisible reCAPTCHA is to add a line of code to the attack script that clears the browser with each request, guaranteeing a solvable reCAPTCHA challenge.

The slightly tricky thing about Invisible reCAPTCHA is that the CAPTCHA challenge is hidden, but there is a workaround. The CAPTCHA can be “found” by using the “inspect element” browser tool. So the attacker can send a POST to 2Captcha that includes a parameter detailing where the hidden CAPTCHA is located. Once the attacker receives the CAPTCHA solution from 2Captcha, Invisible reCAPTCHA can be defeated via automation in one of two ways:

  1. JavaScript action that calls a function to supply the solved token with the page form submit
  2. HTML code change directly in the webpage to substitute a snippet of normal CAPTCHA code with the solved token input.

The fact that Invisible reCAPTCHA can be bypassed isn’t because there was a fatal flaw in the design of the newer CAPTCHA. It’s that any reverse Turing test is inherently beatable when the pass conditions are known.

As long as there are CAPTCHAs, there will be services like 2Captcha because the economics play so well into the criminal’s hands. Taking advantage of low cost human labor minimizes the cost of doing business and allows cybercriminals to reap profits that can tick upwards of millions of dollars at scale. And there will always be regions of the world with cheap labor costs, so the constant demand ensures constant supply on 2Captcha’s side.

The world doesn’t need to develop a better CAPTCHA, since this entire approach has fundamental limitations. Instead, we should acknowledge those limitations and implement defenses where the pass conditions are unknown or are at least difficult for attackers to ascertain.

Learn More

Watch the video, “Learn How Cybercriminals Defeat CAPTCHA”

Author: Nick Flont. Posted on July 12, 2017; last updated December 21, 2018. Categories: Attacks, Shape Engineering. Tags: account takeover, captcha, Security Trends

Don’t Let Stolen Credentials Ruin Your Holiday Gift Giving

2016 is the year of stolen credentials used for account takeover; the holiday season, starting with Cyber Monday, is the peak time at risk for the retail industry

The research team here at Shape Security has been monitoring credential spills throughout the course of the year and tallying up the massive number of usernames and passwords stolen in 2016. That includes news reports of credentials spilled from data breaches at LinkedIn in May, Dropbox in August, and Yahoo in September.

The hard truth is: we just surpassed two billion stolen credentials in 2016 alone. While these numbers are staggering and perhaps make 2016 “the year of stolen credentials,” what’s more concerning is that these stolen credentials are the fuel for sophisticated automated fraud.

We’re sharing this now—as we head into Black Friday, Cyber Monday and more broadly the busiest shopping season of the year—so that retailers and consumers alike remain vigilant.

Cybercriminals are going to be shopping with these stolen credentials

Stolen credentials enable credential stuffing attacks, where cybercriminals test for the reuse of login credentials (usernames and passwords) on websites and mobile applications—including those serving up the hottest holiday gifts at the cheapest prices.

Once the cybercriminals are into a consumer’s account, the retailer’s goods are theirs for the taking. The cybercriminals can order any fancy gadget they please with the victim’s stored credit card number, change the victim’s shipping address to their own for delivery convenience, and resell the goods for cash. Of course, once they’ve maxed out one credit card, they can also rinse and repeat the process for all the other accounts they were able to crack. If there’s no stored credit card number, they can also drain reward point balances, too.

Tips for staying secure online this holiday shopping season:

  • Don’t reuse passwords across sites. Even if you’re rushing to quickly set up an account to grab the retailer’s best deal before it’s gone, take the time to generate a new, unique password. This doesn’t have to be a cumbersome process and there are tricks and systems you can use to make it easier.
  • Monitor your accounts closely and report unusual activity or charges. This includes keeping an eye out for any email or text alerts claiming you’ve had failed login attempts to a certain site, if you hadn’t actually tried to log in. Always navigate to a website directly if contacted over email or text, rather than clicking on one of the message’s included links, so you can ensure you’re not falling victim to phishing by clicking on a password-change link sent by an attacker.
  • Keep an eye on your gift card and reward point balances. Gift cards and loyalty program points are essentially just one step removed from cash for cybercriminals. Your hard-earned rewards, such as airline miles, can easily be monetized by cybercriminals in automated fraud schemes. Keep an eye on how many points you have, and let the affiliated site know if you notice an unexpected change.

While consumers may be preparing to wait up in the wee hours of the night to buy the hottest new VR headset, GoPro drone, Apple Watch or Fitbit, the hottest item for cybercriminals this holiday season is stolen credentials. Don’t let yours be their gift!

For more on what retailers can do to stop automated fraud this holiday season, read Shape’s customer case studies on how one retail giant stopped $25M in a single year from fraudulent transactions and chargeback fees.

Author: Shuman. Posted on November 23, 2016; last updated December 21, 2018. Categories: Best Practices, Shape Perspectives. Tags: account takeover, Credential Spill, credential stuffing, cyber monday, fraud, retail, Security Trends
