Bot Detection
• Defend against bots trying to automate abuse activities, e.g. testing credential dumps, scraping etc.
• Is this activity from a human or a bot?
Fraud Detection
• Defend against fraudulent activities, e.g. manual ATOs (account takeovers), credit card transactions etc.
• Look for anomalies in a given user's activity compared with that user's past activity.
Threat Model
• Attacker has full control over the browser
• Attacker can craft requests and modify responses, adapting to whatever the server returns
Cloud Deployment
Browser Fingerprinting
Anti-Tampering: JavaScript Obfuscation
• XOR-based packed code
• Randomize the location of the JavaScript file to load
Stripping Attack
Replay Attacks
• No check on the freshness of the payload.
Dynamic JS Tokens
• A dynamic token is generated, derived from the timestamp.
• The same logic can be replicated in a script.
Headless Browsers
• Browser without a GUI, often used for automation and testing.
• Either render the full JS or run the JS in a virtual DOM
Underground Tool
• Anti-Detect, sold for $399 on the underground market
Architecture
• Recompile the mobile app with the SDK (JS -> native code)
Android Fingerprinting
Takeaways
• Implementation and architectural issues in multiple deployments
• Not possible to win the race on the web, given there is no root of trust via browsers
• The state of the world in mobile is better
• Getti…
Description:
Explore techniques for breaking fraud and bot detection solutions in this AppSecUSA 2018 conference talk. Delve into browser fingerprinting and user behavior tracking methods employed by most fraud and bot detection systems. Examine the signals collected by JavaScript snippets running in user browsers and understand why these signals can be unreliable. Learn about various attacks against defenses relying on these signals using a realistic threat model. Gain insights from real-world war stories of architectural and implementation flaws discovered in actual deployments. Understand the challenges of bot detection, fraud detection, and inline deployment strategies. Analyze attacker goals and threat models in cloud deployments. Investigate anti-tampering techniques, JavaScript obfuscation, and potential vulnerabilities like stripping and replay attacks. Explore the use of headless browsers and underground tools in bypassing detection. Examine mobile app fingerprinting techniques and architectural considerations. Conclude with key takeaways on implementation issues, limitations of web-based solutions, mobile protection strategies, and inherent privacy concerns in fraud and bot detection systems.