The Quiet Rise of Account Takeover

64

https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

Attacker Motivations
• Financial Fraud
• Virtual Currency
• Warranty Fraud
• SPAM
• Influence / Political Motivations

Financial Fraud and Theft
• Directly Stealing Cash
• Direct Theft of Physical Goods

Warranty Fraud

Virtual Currency
• As good as cash
• Easily Monetized

SPAM
• Nobody Likes SPAM
• Fresh accounts have the most restrictions
• An account with a good history and existing connections is far more valuable for SPAM

Influence & Political Motivations

Impact

Attack Techniques
• Credential Stuffing
• Brute Force
• Code Vulnerabilities
• Phishing
• Malware

Credential Stuffing
• Hundreds of millions of leaked credentials available online
• More than 50% of users reuse passwords on multiple websites
• Little or no protection on many sites

http://www.verizonenterprise.com/verizon-insights-lab/dbir/

https://haveibeenpwned.com/PwnedWebsites

Brute Force

Code Vulnerabilities
All your favourites:
• SQL Injection
• Cross Site Scripting (XSS)
• Session Fixation/Hijack

Phishing

Prevention & Detection
• Strengthen Your Login Process
• Have a “Plan B” to use when auth is suspect
• The majority of attacks require large volumes of requests, so they generally require automation
• Prevent attacks by stopping automated Bots
• Detect compromised accounts with behaviour profiling.

Multi Factor

Plan B
• Disable Account Access
• Force Password Reset through verified Email
• Security Questions
• Ask for details about the account

CAPTCHA
• Very difficult for a bot to bypass
• Easy (but annoying) for a human

Rate Limiting
• Count volume of events in a sliding time window
• Take action when the threshold is exceeded
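The two bullets above describe the whole mechanism; the following is an added example (not code from the talk or its author) showing a sliding-window counter applied to a constructed stream of login attempts. It runs two counters side by side, one keyed on source IP (the credential-stuffing shape: one address, many usernames) and one keyed on the target account that only counts failures (the brute-force shape). The thresholds, window length and sample events are assumptions chosen for the demo.

```python
"""Sliding-window rate limiting over login attempts (added example, not from the deck).

Two counters run side by side: one keyed on the source IP (many attempts from
one address is the credential-stuffing shape) and one keyed on the target
account, which only counts failures (the brute-force shape). Thresholds and
window length are assumptions for the demo, not figures from the talk.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Count events per key inside a trailing window of `window_s` seconds."""

    def __init__(self, window_s, threshold):
        self.window_s = window_s
        self.threshold = threshold
        self.events = defaultdict(deque)  # key -> timestamps still in window

    def hit(self, key, ts):
        """Record an event; return True once the count exceeds the threshold."""
        q = self.events[key]
        # Evict timestamps that have fallen out of the trailing window.
        while q and ts - q[0] >= self.window_s:
            q.popleft()
        q.append(ts)
        return len(q) > self.threshold


# Constructed sample: (unix_ts, source_ip, username, result). IPs are taken
# from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    # one IP, many different usernames, all failing: credential stuffing shape
    (1000, "203.0.113.7", "alice", "fail"),
    (1001, "203.0.113.7", "bob", "fail"),
    (1002, "203.0.113.7", "carol", "fail"),
    (1003, "203.0.113.7", "dave", "fail"),
    (1004, "203.0.113.7", "erin", "fail"),
    (1005, "203.0.113.7", "frank", "fail"),  # 6th attempt inside 60 s
    (1006, "203.0.113.7", "grace", "fail"),
    # same IP 70 s after it started: the earlier attempts have aged out
    (1070, "203.0.113.7", "heidi", "fail"),
    # one account hammered from one IP: brute-force shape
    (1100, "198.51.100.9", "bob", "fail"),
    (1101, "198.51.100.9", "bob", "fail"),
    (1102, "198.51.100.9", "bob", "fail"),
    (1103, "198.51.100.9", "bob", "fail"),  # 4th failure inside 60 s
    # legitimate login
    (1200, "192.0.2.5", "alice", "success"),
]


def evaluate(events, ip_threshold=5, account_threshold=3, window_s=60):
    """Replay events in time order and return the actions a gateway would take.

    Actions are (ts, action, key) tuples: "block_ip" when a source address
    exceeds ip_threshold attempts per window, "step_up" (ask for additional
    verification) when an account exceeds account_threshold failures.
    """
    per_ip = SlidingWindowLimiter(window_s, ip_threshold)
    per_account = SlidingWindowLimiter(window_s, account_threshold)
    actions = []
    for ts, ip, user, result in sorted(events):
        if per_ip.hit(ip, ts):
            actions.append((ts, "block_ip", ip))
        # Only failures count against the account, so a user who logs in
        # often is never locked out by their own successful traffic.
        if result == "fail" and per_account.hit(user, ts):
            actions.append((ts, "step_up", user))
    return actions


if __name__ == "__main__":
    for action in evaluate(SAMPLE_EVENTS):
        print(action)
```

Replaying the sample flags the stuffing IP on its 6th and 7th attempts, stays quiet when the same IP returns after its window has emptied, and asks for step-up verification on the 4th failure against `bob`; the lone success from `alice` is untouched. Keying the account counter on failures only is the detail that keeps a busy legitimate user from rate-limiting themselves.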

Threat Intelligence
• Many Botnets are available for rent by attackers
• Each bot IP may end up attacking many different sites
• Threat Intel feeds aggregate information about bad IP addresses

Browser Fingerprinting
• Web browsers are very complex.
• Very difficult for a Bot script to replicate the entire behaviour of a browser
• Ask browser to do many different tasks. Use the results to distinguish human from bot

FingerprinTLS
https://github.com/LeeBrotherston/tls-fingerprinting

Behaviour Profiling
• Usual devices
• Usual geolocation
• Typical usage behaviour
• For significant changes, ask for additional verification
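As an added example of the slide above (not code from the talk or its author), the following builds a per-account profile of usual devices, usual countries and usual login hours from past successful logins, scores a new attempt against it, and returns whether the change is significant enough to ask for additional verification. The attribute weights, the step-up threshold, the hour tolerance and the sample history are all assumptions for the demo.

```python
"""Behaviour profiling for login risk (added example, not from the deck).

A per-account profile of usual devices, usual countries and usual login hours
is built from past successful logins. A new login is scored against it and a
score at or above STEP_UP_AT means "ask for additional verification". Weights,
threshold, hour tolerance and the sample history are assumptions for the demo.
"""
from collections import Counter

# Assumed weights: a new country is rarer for a real user than a new device,
# so it carries enough risk on its own to trigger step-up verification.
WEIGHTS = {"new device": 1, "new country": 2, "unusual hour": 1}
STEP_UP_AT = 2
HOUR_SLACK = 3  # hours away from every usual hour before it counts as unusual

# Constructed history of successful logins for one account.
ALICE_HISTORY = [
    {"device": "dev-a1", "country": "GB", "hour": 8},
    {"device": "dev-a1", "country": "GB", "hour": 9},
    {"device": "dev-a2", "country": "GB", "hour": 10},
    {"device": "dev-a1", "country": "GB", "hour": 18},
    {"device": "dev-a2", "country": "GB", "hour": 19},
]


def build_profile(logins):
    """Summarise past logins as frequency counts per attribute."""
    return {
        "devices": Counter(l["device"] for l in logins),
        "countries": Counter(l["country"] for l in logins),
        "hours": Counter(l["hour"] for l in logins),
    }


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def hour_is_usual(profile, hour):
    """True if the hour is within HOUR_SLACK of any hour seen before."""
    return any(hour_distance(hour, h) <= HOUR_SLACK for h in profile["hours"])


def assess_login(profile, login):
    """Return (score, reasons, step_up) for a login attempt against a profile.

    An empty profile (brand-new account) makes every attribute unfamiliar, so
    the very first login would be stepped up; seed the profile at enrolment
    if that is not the behaviour you want.
    """
    reasons = []
    if login["device"] not in profile["devices"]:
        reasons.append("new device")
    if login["country"] not in profile["countries"]:
        reasons.append("new country")
    if not hour_is_usual(profile, login["hour"]):
        reasons.append("unusual hour")
    score = sum(WEIGHTS[r] for r in reasons)
    return score, reasons, score >= STEP_UP_AT


if __name__ == "__main__":
    profile = build_profile(ALICE_HISTORY)
    for attempt in (
        {"device": "dev-a1", "country": "GB", "hour": 9},   # routine
        {"device": "dev-a3", "country": "GB", "hour": 10},  # new phone at home
        {"device": "dev-a1", "country": "NL", "hour": 9},   # usual device, new country
        {"device": "dev-a3", "country": "NL", "hour": 3},   # everything unfamiliar
    ):
        print(attempt, assess_login(profile, attempt))
```

With this history a routine login scores 0, a new device from the usual country scores 1 and is let through (a user replacing a phone at home should not be challenged), a new country on a known device scores 2 and is challenged, and an unfamiliar device from an unfamiliar country at 03:00 scores 4. Counting frequencies rather than keeping a set lets a later version weight by how often an attribute was seen, so a device used once a year is treated differently from the daily one.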

Sentry MBA
http://engineering.shapesecurity.com/2016/03/a-look-at-sentry-mba.html

Other Resources
https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf
http://www.darkreading.com/endpoint/anatomy-of-an-account-takeover-attack/a/d-id/1324409
https://www.immun.io/use-case-account-takeover-protection
https://www.owasp.org/index.php/Credential_stuffing
https://www.owasp.org/index.php/Brute_force_attack