
The Quiet Rise of Account Takeover

Date post: 13-Feb-2017
Upload: immunio
Page 1: The Quiet Rise of Account Takeover

The Quiet Rise of Account Takeover

Mike Milner, CTO @immunio, [email protected]

www.immun.io

Page 2: The Quiet Rise of Account Takeover

64

Page 3: The Quiet Rise of Account Takeover

https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

Page 4: The Quiet Rise of Account Takeover

Attacker Motivations

• Financial Fraud

• Virtual Currency

• Warranty Fraud

• SPAM

• Influence / Political Motivations

Page 5: The Quiet Rise of Account Takeover

Financial Fraud and Theft

• Directly Stealing Cash

• Direct Theft of Physical Goods

Page 6: The Quiet Rise of Account Takeover

Warranty Fraud

Page 7: The Quiet Rise of Account Takeover

Virtual Currency

• As good as cash

• Easily Monetized

Page 8: The Quiet Rise of Account Takeover

SPAM

• Nobody Likes SPAM

• Fresh accounts have the most restrictions

• An account with a good history and existing connections is far more valuable for SPAM

Page 9: The Quiet Rise of Account Takeover

Influence & Political Motivations

Page 10: The Quiet Rise of Account Takeover

Impact

Page 11: The Quiet Rise of Account Takeover

Attack Techniques

• Credential Stuffing

• Brute Force

• Code Vulnerabilities

• Phishing

• Malware

Page 12: The Quiet Rise of Account Takeover

Credential Stuffing

• Hundreds of millions of leaked credentials available online

• More than 50% of users reuse passwords on multiple websites

• Little or no protection on many sites

Page 13: The Quiet Rise of Account Takeover

http://www.verizonenterprise.com/verizon-insights-lab/dbir/

Page 14: The Quiet Rise of Account Takeover
Page 15: The Quiet Rise of Account Takeover

https://haveibeenpwned.com/PwnedWebsites

Page 16: The Quiet Rise of Account Takeover

Brute Force

Page 17: The Quiet Rise of Account Takeover

Code Vulnerabilities

All your favourites:

• SQL Injection

• Cross Site Scripting (XSS)

• Session Fixation/Hijack

Page 18: The Quiet Rise of Account Takeover

Phishing

Page 19: The Quiet Rise of Account Takeover
Page 20: The Quiet Rise of Account Takeover

Prevention & Detection

• Strengthen Your Login Process

• Have a “Plan B” to use when auth is suspect

• The majority of attacks require large volumes of requests, and so generally require automation

• Prevent attacks by stopping automated Bots

• Detect compromised accounts with behaviour profiling

Page 21: The Quiet Rise of Account Takeover

Multi-Factor

Page 22: The Quiet Rise of Account Takeover

Plan B

• Disable Account Access

• Force Password Reset through verified Email

• Security Questions

• Ask details about account

Page 23: The Quiet Rise of Account Takeover

CAPTCHA

• Very difficult for a bot to bypass

• Easy (but annoying) for a human

Page 24: The Quiet Rise of Account Takeover

Rate Limiting

• Count volume of events in a sliding time window

• Take action when the threshold is exceeded
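A sliding-window limiter in this spirit, as an added example rather than code from the talk or from IMMUNIO: it counts failed logins per account and per client IP over a constructed sample of events and reports when either count exceeds its (illustrative) threshold inside the window.

```python
from collections import deque

# Added example (not from the talk): sliding-window counter that flags a
# key (account or client IP) once its event count exceeds the threshold
# inside the trailing window. Timestamps are seconds.
class SlidingWindowLimiter:
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = {}  # key -> deque of timestamps still inside the window

    def record(self, key, now):
        """Record one event for `key` at time `now`; return True if the
        count in the trailing window (including this event) exceeds limit."""
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop aged-out events
            q.popleft()
        q.append(now)
        return len(q) > self.limit

# Constructed sample of failed logins: (time, account, client_ip).
FAILED_LOGINS = [
    (0.0, "alice", "198.51.100.7"),
    (0.5, "bob", "198.51.100.7"),
    (1.0, "carol", "198.51.100.7"),
    (1.5, "dave", "198.51.100.7"),   # 4th distinct account from one IP
    (2.0, "alice", "203.0.113.9"),
    (3.0, "alice", "203.0.113.5"),
    (4.0, "alice", "203.0.113.2"),   # 4th failure against alice
    (70.0, "alice", "203.0.113.1"),  # earlier alice failures have aged out
]

def evaluate(events, per_account_limit=3, per_ip_limit=3, window=60.0):
    """Return the events that cross a threshold, tagged with the rule that
    fired. Credential stuffing (many accounts, one source) tends to trip the
    per-IP rule; brute force (one account, any sources) trips the per-account
    rule. Thresholds here are illustrative, not a recommendation."""
    by_account = SlidingWindowLimiter(per_account_limit, window)
    by_ip = SlidingWindowLimiter(per_ip_limit, window)
    flagged = []
    for t, account, ip in events:
        hits = []
        if by_ip.record("ip:" + ip, t):
            hits.append("per-ip")
        if by_account.record("acct:" + account, t):
            hits.append("per-account")
        if hits:
            flagged.append((t, account, ip, tuple(hits)))
    return flagged
```

In production the counters would live in a shared store and the action on a hit would be the "Plan B" step from the talk (CAPTCHA, step-up verification, or a temporary lock), not just a log line.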

Page 25: The Quiet Rise of Account Takeover

Threat Intelligence

• Many Botnets are available for rent by attackers

• Each bot IP may end up attacking many different sites

• Threat Intel feeds aggregate information about bad IP addresses

Page 26: The Quiet Rise of Account Takeover

Browser Fingerprinting

• Web browsers are very complex.

• Very difficult for a Bot script to replicate the entire behaviour of a browser

• Ask browser to do many different tasks. Use the results to distinguish human from bot

Page 27: The Quiet Rise of Account Takeover

FingerprinTLS

https://github.com/LeeBrotherston/tls-fingerprinting

Page 28: The Quiet Rise of Account Takeover

Behaviour Profiling

• Usual devices

• Usual geolocation

• Typical usage behaviour

• For significant changes, ask for additional verification

Page 29: The Quiet Rise of Account Takeover

Sentry MBA

http://engineering.shapesecurity.com/2016/03/a-look-at-sentry-mba.html

Page 30: The Quiet Rise of Account Takeover
Page 31: The Quiet Rise of Account Takeover
Page 32: The Quiet Rise of Account Takeover
Page 33: The Quiet Rise of Account Takeover

Other Resources

https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

http://www.darkreading.com/endpoint/anatomy-of-an-account-takeover-attack/a/d-id/1324409

https://www.immun.io/use-case-account-takeover-protection

https://www.owasp.org/index.php/Credential_stuffing

https://www.owasp.org/index.php/Brute_force_attack

Page 34: The Quiet Rise of Account Takeover

Questions?

Mike Milner, CTO @immunio, [email protected]

www.immun.io

Page 35: The Quiet Rise of Account Takeover

Thank You!

Mike Milner, CTO @immunio, [email protected]

www.immun.io

