Protecting Users from Fraud


Posted on 15-Jul-2015


TRANSCRIPT

  • Protecting Users from Fraud
    My experience combating phishing and fraud using DMARC and assorted other techniques

  • First up, what do I know?
    Barry Jones, Software Architect for ACS Technologies, Inc
    Previously Director of Application Development for a 14 year old, high end electronics resale marketplace
    Basically eBay for a niche market

  • Well, eBay if everything worked via direct user email

  • Now imagine
    - That the entire thing gets rebuilt without any of the previous security tools
    - And users want features that are missing
    - And phishers, fraudsters and spammers capitalize on the chaos
    - And you get hired to fix it

  • Good times. So what were the methods of attack?

  • Phishing
    - Sending emails that appeared to be from us
      - Using our domain
      - Using variations of our domain
    - Linking to a fake login page hosted with a free hosting company
    - Steal usernames and passwords
    - Log in to the user's account and change the contact info before they can reset the password
    - Launch these phishing sites at times when our staff was less likely to be available to request takedowns

  • Western Union Scam
    - Buy things in the marketplace (anything)
    - Send a fake overpayment via Western Union
    - Discuss the "problem" and have the seller deposit the check and then wire back the excess amount
    - When the original check bounces, the seller is still out the amount wired back, and potentially the merchandise

  • Spam
    - Bombarding users through the system
    - Marketing sometimes
    - Others trying to bait somebody into a transaction

  • Fake Listings
    - Putting up appealing items at steep discounts
    - Paying for the listings with stolen credit cards
    - The payment gateway charges per-chargeback fees when people challenge the transactions from stolen cards
    - Users fall for the fake listings and get ripped off

  • And when you close an account, they just make a new one

  • Users lose trust. So how do you combat it?

  • Multipart Process
    - Secure YOUR domain's email (with DMARC)
    - Make phishing more obvious
    - Identify compromised accounts
    - Bring dialog within the site to identify spam
    - Add more difficult user verification steps
    - Identify potentially fraudulent credit cards
    - Educate users
    - Don't let the bad guys know they're caught

  • DMARC
    Securing your domain's email

  • Email Sender Verification
    SPF (Sender Policy Framework)
    - DNS record
    - Identifies where your domain's email comes from
    - Easy to implement
    - Bus analogy: only allow buses from Tulsa
    DKIM (DomainKeys Identified Mail)
    - Public/private key: the public key goes in a DNS record; each email carries a header signed with the private key
    - More complicated: you must control where email originates
    - Bus analogy: verify each person on the bus came from Tulsa

  • DMARC
    - Mail servers have no idea how strictly you've implemented SPF or DKIM, so they guess
    - DMARC lets you remove the guesswork: declare what you've implemented
    - You decide how failures are handled
      - Flagged as spam (quarantine)
      - Discarded completely (reject)
      - Only applied to a percentage of failures
    - Get reports on exactly what happened
    - Even get copies of emails that failed

  • DMARC Reports
    - Emailed as zipped XML
    - You can parse them if you want, but they're easy enough to read
    - When setting up, all you care about is verifying YOUR email is passing checks
    Example report row (source IP, message count, disposition, header From domain, then the authentication results: domain and pass/fail for DKIM and SPF):

    207.126.144.129 1 none stefanomail.com stefanomail.com pass stefanomail.com pass
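As an added example (not the talk's own code), a small parser for the aggregate report XML that splits the records into your own senders that failed, which means your SPF/DKIM setup needs fixing, and unknown senders, which the published policy is handling. The report and the set of "our" IPs are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report, not a real one; only the fields used
# below are included. Real reports arrive as zipped XML attachments.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>stefanomail.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>207.126.144.129</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>stefanomail.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>stefanomail.com</header_from></identifiers>
  </record>
</feedback>"""

def parse_dmarc_report(xml_text):
    """Flatten each <record> into a dict of the fields worth checking."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),   # aligned DKIM result
            "spf": evaluated.findtext("spf"),     # aligned SPF result
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return rows

def classify(rows, our_ips):
    """Split records into our own senders that failed (fix the SPF/DKIM setup)
    and unknown senders (spoofing, which the published policy is handling).
    DMARC passes when either aligned check passes."""
    ours_failing, unknown = [], []
    for r in rows:
        passed = r["dkim"] == "pass" or r["spf"] == "pass"
        if r["source_ip"] not in our_ips:
            unknown.append(r)
        elif not passed:
            ours_failing.append(r)
    return ours_failing, unknown
```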

  • Sample DNS Records
    SPF (TXT and/or SPF record type):
      v=spf1 a mx include:mailgun.org include:spf.mtasv.net ~all
    DKIM (TXT):
      k=rsa; p=MIGfMA0aBc3
    DMARC (TXT):
      v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com

  • Getting Set Up
    - SPF: DNS record
    - DKIM: email senders must include DKIM; Gmail, Sendgrid, Postmark, Mailgun, etc. will provide the DNS record for you
    - DMARC: DNS record

  • Resources
    DMARC
    - Understanding DMARC: https://support.google.com/a/answer/2466580?hl=en
    - DMARC Analyzer: https://www.dmarcanalyzer.com/
    - Kitterman SPF Testing Tools: http://www.kitterman.com/spf/validate.html
    - dmarcian: https://dmarcian.com/
    - Port25: send a test message to check-auth@verifier.port25.com and it replies with a report like this one:

    ==========================================
    Summary of Results
    ==========================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    ==========================================
    Details:
    ==========================================
    HELO hostname: mail-yh0-x229.google.com
    Source IP: 2607:f8b0:4002:c01::229
    mail-from: john@example.com

  • Combined, that will ensure
    - Real email gets through
    - Phishing email doesn't
    But there's more: fake other domains
    - Spelling variations
    - Shuffling interior letters
    But at least this is easier for users to identify

  • To stop that you can
    - Notify the owners of those domains and have them set up SPF and DMARC
    - Contact registrars regarding the activity
    - Purchase the domains and set up an empty SPF record, which indicates no email is sent from the domain

  • Take down the endpoint
    - Phishing emails inevitably link back to a site
    - Take down the site and you eliminate the risk
    - Contact the host's abuse team to notify them; response times will vary by company
    - Have the user report the site to Google, Microsoft, PhishTank (OpenDNS), McAfee, the US Government
    - Doesn't hurt to use a honeypot either
      - Try to log in to the phishing site with a fake user and password
      - Look for those fake credentials on login to spot the phisher using his list

  • Identify users who fell for it
    - Track login history by IP address
    - Record geolocation of the IP (Nginx GeoIP, MaxMind database/services, Cloudflare)
    - Identify logins by distance from the user's normal center point
    - Lock the account
    - Notify the user of where the login came from
    - Give them a link to unlock it / disable the check if they're travelling
    - If not, tell them they need to change their password
    - Users respond well to this; it makes them feel safer because you're looking out for them
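The distance check from the slide above, as an added example that is not the talk's own code: the center point is the average of the past login locations, a new login further than a limit from it locks the account, and the user's "I'm travelling" opt-out skips the check. The login history, coordinates and the 500 km limit are constructed assumptions.

```python
import math

EARTH_RADIUS_KM = 6371.0

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def center_point(points):
    """Average of the points as 3D unit vectors, so a history that straddles
    the 180th meridian does not get a bogus centre on the wrong side of the globe."""
    x = y = z = 0.0
    for lat, lon in points:
        la, lo = math.radians(lat), math.radians(lon)
        x += math.cos(la) * math.cos(lo)
        y += math.cos(la) * math.sin(lo)
        z += math.sin(la)
    n = len(points)
    x, y, z = x / n, y / n, z / n
    return math.degrees(math.atan2(z, math.hypot(x, y))), math.degrees(math.atan2(y, x))

def check_login(history, new_point, max_km=500.0, travelling=False):
    """Decide whether a new login's geolocation is too far from the account's
    normal centre. Returns ('allow' or 'lock', distance in km). `travelling`
    is the user's opt-out from the unlock email; the 500 km limit is an assumption."""
    if not history or travelling:
        return "allow", 0.0
    distance = haversine_km(center_point(history), new_point)
    return ("lock" if distance > max_km else "allow"), round(distance, 1)

# Constructed sample history: geolocated past logins clustered in one region
HISTORY = [(34.85, -82.40), (34.86, -82.38), (34.84, -82.41), (33.75, -84.39)]
```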

  • Track email changes
    - Maintain an entire email change history per account
    - Notify users when their email address was changed and provide a link to reverse the change
    - If a user reverses the change, invalidate all reversal links issued AFTER that email, but not before, so the original change's link is always valid
    - Otherwise a hacker will change the email multiple times and keep reversing it back
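The reversal rule from the slide above, as an added example rather than the talk's own code: every change records a reversal token (hashed, so a leaked table cannot be used), and redeeming the token for change i invalidates the links issued after it while leaving the earlier ones, including the original owner's, valid. The Account class and its method names are assumptions.

```python
import hashlib
import secrets

class Account:
    """Email address plus a full change history (hypothetical model). Each change
    gets a reversal token; only its hash is stored, so a database leak does not
    hand out working reversal links."""

    def __init__(self, email):
        self.email = email
        self.history = []  # dicts: old, new, token_hash, valid

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def change_email(self, new_email):
        """Apply the change and return the reversal token that would be mailed
        to the OLD address, the only party who should ever hold it."""
        token = secrets.token_urlsafe(32)
        self.history.append({"old": self.email, "new": new_email,
                             "token_hash": self._hash(token), "valid": True})
        self.email = new_email
        return token

    def reverse(self, token):
        """Revert to the address in place before the change this token belongs to.
        Links issued AFTER that change are invalidated: they were mailed to
        addresses the attacker picked. Links issued before it stay valid, so the
        rightful owner's original link always works. Returns True on success."""
        h = self._hash(token)
        for i, entry in enumerate(self.history):
            if entry["token_hash"] == h:
                if not entry["valid"]:
                    return False
                self.email = entry["old"]
                for later in self.history[i + 1:]:
                    later["valid"] = False
                return True
        return False
```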

  • Verify Users
    - Trust scores for completed transactions, aka user ratings
    - Let new users verify themselves other ways
      - Text verification: can be prone to fraud, but still harder to fake than email
      - Phone verification: APIs can identify the TYPE of phone (land line, cell, disposable cell, pay phone)
      - Credit card verification: run a transaction; use the MaxMind minFraud service to flag risky cards
    - Consider verification steps in a trust formula
    - Degrade strictness based on activity and trust scores
    - Don't hassle your good users

  • Bring Communication In House
    - Internal user message / dialog systems
    - Track targets and actions of flagged accounts
    - Identify patterns of bad behavior
    - Automate flagging based on those patterns

  • Use CAPTCHA
    - When users try to send a lot of messages; define "a lot" by trust scores
    - Look for near identical messages
      - Levenshtein Distance Algorithm: excellent for calculating string similarity
      - Adjust similarity thresholds by trust scores
    - Review stopped messages automatically
      - Typically spammers keep sending
      - The ones that didn't are probably fine to deliver, so a catch and release policy for "probably not spam" is a good idea
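The near-duplicate check from the slide above, as an added example (not the talk's own code): Levenshtein distance turned into a similarity ratio, with the hold threshold relaxed as the account's trust score grows. The threshold values, the trust bands and the sample messages are constructed assumptions.

```python
def levenshtein(a, b):
    """Edit distance with a single rolling row (O(len(b)) memory)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def similarity(a, b):
    """1.0 for identical strings, 0.0 for nothing in common."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

def similarity_threshold(trust):
    """Low-trust accounts are held on loosely similar messages; trusted accounts
    only on near-identical ones. Bands and values are assumptions."""
    if trust < 10:
        return 0.60
    if trust < 100:
        return 0.80
    return 0.95

def should_hold(message, recent_messages, trust):
    """Hold the message for automatic review if it is a near-copy of something
    the same account sent recently. Returns (hold, highest similarity seen)."""
    threshold = similarity_threshold(trust)
    best = max((similarity(message, m) for m in recent_messages), default=0.0)
    return best >= threshold, round(best, 2)

# Constructed sample: one spam template with the recipient's name swapped in
RECENT = ["Hi Alice, I have a great deal on a used amplifier, call me at 555-0100",
          "Hi Bob, I have a great deal on a used amplifier, call me at 555-0100"]
```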

  • Fark that guy. This is important

  • Fark's Banning System
    - You're banned
    - But you don't KNOW you're banned
    - So you keep posting like an idiot
    - And nobody else can see it

  • This is important and works
    - When you catch a spamming account, banning it will just result in a NEW account
    - So don't let them know
    - Let them keep manually filling out CAPTCHAs, for hours, and hours and hours and hours, daily
    - Keep a dashboard of time wasted for your own amusement
    - Then every couple of weeks, ban them so they think you caught them

  • Educate your users
    Establish clear, simple guidelines of things you won't ask for

  • Send emails with hashed links
    - Emails with a link to bypass login for one use
    - Gets users used to NOT entering their login
    - If clicking emails from your site never results in seeing a login screen, getting a login screen will seem strange
    - Phishing sites can't fake an automated login
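One way to implement the single-use login links from the slide above, as an added example rather than the talk's own code: a random token goes in the link, only its hash is stored server-side, and redeeming it works exactly once and only before it expires. The URL layout, the 15 minute lifetime and the in-memory table standing in for a database are assumptions.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60   # assumed lifetime of a login link
_pending = {}                # token hash -> {"user_id", "expires", "used"}; stands in for a DB table

def _hash(token):
    # Only the hash is stored, so a leaked table cannot be used to log in
    return hashlib.sha256(token.encode()).hexdigest()

def issue_link(user_id, base_url="https://www.example.com", now=None):
    """Create the single-use login URL to embed in an email to this user."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_hash(token)] = {"user_id": user_id,
                              "expires": now + LINK_TTL_SECONDS,
                              "used": False}
    return f"{base_url}/login/{token}"

def redeem(token, now=None):
    """Return the user id to log in, or None. A token works exactly once and only
    before it expires; an unknown, used, or stale token is rejected the same way,
    so the response does not reveal which case applied."""
    now = time.time() if now is None else now
    entry = _pending.get(_hash(token))
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True
    return entry["user_id"]
```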

  • Evercookie
    - A virtually undeletable cookie
    - Track it with logins so you can trace multiple accounts and IPs back to a single computer
    - https://github.com/samyk/evercookie
    - http://samy.pl/evercookie/
    MaxMind's IP service will identify Tor/proxies with great success
    - Don't let people do important things from an anonymous connection
    - https://www.maxmind.com/en/geoip2-services-and-databases
    Also track with ETag / If-None-Match headers
    - Every ad system trick out there works for tracking fraud
    - http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags

  • And of course, 2 Factor Authentication

  • Thanks!
