Protecting Users from Fraud
Posted on 15-Jul-2015
Protecting Users from Fraud
My experience combating phishing and fraud using DMARC and assorted other techniques
First Up, What Do I Know?
- Barry Jones
- Software Architect for ACS Technologies, Inc
- Previously: Director of Application Development for a 14-year-old, high-end electronics resale marketplace
  - Basically eBay for a niche market
  - Well, eBay, if everything worked via direct user email
Now imagine...
- That the entire thing gets rebuilt without any of the previous security tools
- And users want features that are missing
- And phishers, fraudsters and spammers capitalize on the chaos
- And you get hired to fix it

Good times
So what were the methods of attack?
Phishing
- Sending emails that appeared to be from us
  - Using our domain
  - Using variations of our domain
- Linking to a fake login page hosted with a free company
- Steal usernames and passwords
- Log in to the user's account and change the contact info before they can reset the password
- Launch these phishing sites at times when our staff was less likely to be available to request takedowns
Western Union Scam
- Buy things in the marketplace (anything)
- Send a fake overpayment via Western Union
- Discuss the "problem" and have the seller deposit the check and then wire back the excess amount
- When the original check bounces, the seller is still out the amount wired back
  - And potentially the merchandise
Spam
- Bombarding users through the system
  - Marketing sometimes
  - Others trying to bait somebody into a transaction

Fake Listings
- Putting up appealing items at steep discounts
- Paying for the listings with stolen credit cards
  - The payment gateway charges per-chargeback fees when people challenge the transactions from stolen cards
- Users fall for the fake listings and get ripped off
And when you close an account... they just make a new one

Users lose trust
So how do you combat it?
Multipart Process
- Secure YOUR domain's email (with DMARC)
- Make phishing more obvious
- Identify compromised accounts
- Bring dialog within the site to identify spam
- Add more difficult user verification steps
- Identify potentially fraudulent credit cards
- Educate users
- Don't let the bad guys know they're caught

DMARC
Securing your domain's email
Email Sender Verification

SPF (Sender Policy Framework)
- DNS record
- Identifies where your domain's email comes from
- Easy to implement
- Bus analogy: only allow buses from Tulsa

DKIM (DomainKeys Identified Mail)
- Public/private key in an email
  - DNS record
  - Header with encrypted key
- More complicated; you must control where email originates
- Bus analogy: verify each person on the bus came from Tulsa
DMARC
- Mail servers have no idea how strictly you've implemented SPF or DKIM
  - So they guess
- DMARC lets you remove the guesswork
  - Declare what you've implemented
  - You decide how failures are handled
    - Flagged as spam (quarantine)
    - Discarded completely
    - Only applied to a percentage of failures
  - Get reports on exactly what happened
    - Even get copies of emails that failed
DMARC Reports
- Emailed as zipped XML
- You can parse them if you want, but they're easy enough to read
- When setting up, all you care about is verifying YOUR email is passing checks

Sample report row (one source, as a report viewer shows it):
  Source IP:    207.126.144.129
  Count:        1
  Disposition:  none
  Header From:  stefanomail.com
  DKIM / SPF:   stefanomail.com pass, stefanomail.com pass
Sample DNS Records

SPF (TXT and/or SPF record type):
  v=spf1 a mx include:mailgun.org include:spf.mtasv.net ~all

DKIM (TXT):
  k=rsa; p=MIGfMA0aBc3

DMARC (TXT):
  v=DMARC1; p=reject; rua=mailto:postmaster@your_domain.com
Getting Set Up
- SPF: DNS record
- DKIM: email senders must include DKIM
  - Gmail, Sendgrid, Postmark, Mailgun, etc. will provide the DNS record for you
- DMARC: DNS record
Resources
- Understanding DMARC: https://support.google.com/a/answer/2466580?hl=en
- DMARC Analyzer: https://www.dmarcanalyzer.com/
- Kitterman SPF Testing Tools: http://www.kitterman.com/spf/validate.html
- dmarcian: https://dmarcian.com/

Port25
Send a test message to check-auth@verifier.port25.com
==========================================
Summary of Results
==========================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

==========================================
Details:
==========================================
HELO hostname:  mail-yh0-x229.google.com
Source IP:      2607:f8b0:4002:c01::229
mail-from:      john@example.com
Combined, that will ensure
- Real email gets through
- Phishing email doesn't

But... there's more
- Fake other domains
  - Spelling variations
  - Shuffling interior letters

But... at least this is easier for users to identify
To stop that you can
- Notify the owners of those domains
  - Have them set up SPF and DMARC
- Contact registrars regarding the activity
- Purchase the domains and set up an empty SPF record
  - Indicates that no email is sent from the domain
Take down the endpoint
- Phishing emails inevitably link back to a site
  - Take down the site and you eliminate the risk
- Contact the host's abuse team to notify them
  - Response times will vary by company
- Have the user report the site to
  - Google
  - Microsoft
  - PhishTank (OpenDNS)
  - McAfee
  - US Government
- Doesn't hurt to use a honeypot either
  - Try to log in to the phishing page with a fake user and password
  - Look for those fake credentials on login to spot the phisher using his list
Identify users who fell for it
- Track login history by IP address
- Record geolocation of the IP
  - Nginx GeoIP
  - MaxMind database/services
  - Cloudflare
- Identify logins by distance from the user's normal center point
- Lock the account
- Notify the user of where the login came from
  - Give them a link to unlock it / disable the check if they're travelling
  - If not, tell them they need to change their password
- Users respond well to this; it makes them feel safer because you're looking out for them
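The distance check above, as an added example (not code from the talk): past login coordinates come from whichever GeoIP source you use, the "normal center point" is their arithmetic centre, and the 500 km radius, the three-login minimum and the `travelling` opt-out flag are assumptions for illustration.

```python
import math
from typing import List, Tuple

Coord = Tuple[float, float]   # (latitude, longitude) in decimal degrees, e.g. from a GeoIP lookup

def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def center_point(history: List[Coord]) -> Coord:
    """Arithmetic centre of past login locations (fine unless they straddle the antimeridian)."""
    return (sum(p[0] for p in history) / len(history),
            sum(p[1] for p in history) / len(history))

def evaluate_login(history: List[Coord], location: Coord, travelling: bool = False,
                   max_km: float = 500.0, min_history: int = 3) -> Tuple[str, float]:
    """Decide what to do with a login from `location` given the account's login history.

    Returns ("allow" | "lock_and_notify", distance from the normal centre in km).
    `travelling` is the "disable the check, I'm travelling" switch from the unlock link.
    """
    if len(history) < min_history:
        return "allow", 0.0                  # no baseline yet; nothing to compare against
    distance = haversine_km(center_point(history), location)
    if distance > max_km and not travelling:
        return "lock_and_notify", distance   # lock, then mail the user where the login came from
    return "allow", distance

# Constructed history: three logins around Tulsa, OK (not real user data)
TULSA_HISTORY = [(36.15, -95.99), (36.16, -95.95), (36.12, -96.01)]
```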
Track email changes
- Maintain an entire email change history per account
- Notify users when their email address is changed and provide a link to reverse the change
- If a user reverses a change
  - Invalidate all reversal links issued AFTER that change, but not before, so the original owner's link is always valid
  - Otherwise a hacker will change the email multiple times and keep reversing it back
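The reversal rule is easy to get wrong, so here it is as an added example (not the talk's code). The class names and the choice to record a reversal without issuing a new link are assumptions; the point is the ordering: using the link from change N kills every link issued after N and leaves earlier ones alive.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class EmailChange:
    seq: int                   # position in the account's change history
    old_email: str             # address that receives the notification and reversal link
    new_email: str
    token: Optional[str]       # reversal token; None once used or invalidated
    is_reversal: bool = False

class Account:
    def __init__(self, email: str):
        self.email = email
        self.history: List[EmailChange] = []

    def change_email(self, new_email: str) -> str:
        """Record the change and return the reversal token mailed to the OLD address."""
        token = secrets.token_urlsafe(32)
        self.history.append(EmailChange(len(self.history), self.email, new_email, token))
        self.email = new_email
        return token

    def reverse(self, token: str) -> bool:
        """Undo the change that issued `token`. Links issued AFTER it die; earlier links survive."""
        change = next((c for c in self.history
                       if c.token is not None and hmac.compare_digest(c.token, token)), None)
        if change is None:
            return False                    # unknown, already used, or invalidated
        for c in self.history:
            if c.seq >= change.seq:
                c.token = None              # consumes this link and kills every later one
        # A reversal is logged but issues no new reversal link, so whoever is being
        # kicked off the account cannot simply "reverse the reversal".
        self.history.append(EmailChange(len(self.history), self.email, change.old_email, None, True))
        self.email = change.old_email
        return True
```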
Verify Users
- Trust scores for completed transactions (aka user ratings)
- Let new users verify themselves other ways
  - Text verification: can be prone to fraud, but still harder to fake than email
  - Phone verification: APIs can identify the TYPE of phone (land line, cell, disposable cell, pay phone)
  - Credit card verification: run a transaction; use the MaxMind minFraud service to flag risky cards
- Consider verification steps in a trust formula
- Degrade strictness based on activity and trust scores
  - Don't hassle your good users

Bring Communication In House
- Internal user message / dialog systems
- Track targets and actions of flagged accounts
- Identify patterns of bad behavior
- Automate flagging based on those patterns
Use CAPTCHA
- When users try to send a lot of messages
  - Define "a lot" by trust score
- Look for near-identical messages
  - Levenshtein distance algorithm: excellent for calculating string similarity
  - Adjust similarity thresholds by trust score
- Review stopped messages automatically
  - Typically spammers keep sending
  - The ones that didn't are probably fine to deliver, so a catch-and-release policy for "probably not spam" is a good idea
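An added example (not from the talk) of the two trust-scaled checks on that slide: a Levenshtein-based similarity score against the sender's recent messages, and a message-count cap. The exact thresholds (0.70 to 0.95 similarity, 5 to 50 messages) and the 0..1 trust scale are assumptions.

```python
from typing import List

def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    if len(a) < len(b):
        a, b = b, a                          # keep the shorter string in the inner loop
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]

def similarity(a: str, b: str) -> float:
    """1.0 for identical strings, 0.0 for nothing in common."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

def similarity_threshold(trust: float) -> float:
    """How alike two messages must be before we call them duplicates; trust in [0, 1].
    Untrusted accounts are held on loose matches (0.70), trusted ones only on near copies (0.95)."""
    return 0.70 + 0.25 * trust

def message_limit(trust: float) -> int:
    """What counts as 'a lot' of messages in the current window, again scaled by trust."""
    return 5 + int(45 * trust)

def should_hold(message: str, recent: List[str], trust: float) -> bool:
    """True if the message should be parked behind a CAPTCHA / review queue instead of delivered."""
    if len(recent) >= message_limit(trust):
        return True
    threshold = similarity_threshold(trust)
    return any(similarity(message, earlier) >= threshold for earlier in recent)
```

Held messages whose sender then goes quiet are the "catch and release" candidates; the ones whose sender keeps hammering the CAPTCHA are your spammers.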
Fark that guy
This is important

Fark's Banning System
- You're banned
- But you don't KNOW you're banned
- So you keep posting like an idiot
- And nobody else can see it

This is important and it works
- When you catch a spamming account, banning it will just result in a NEW account
- So don't let them know
- Let them keep manually filling out CAPTCHAs
  - For hours... and hours and hours and hours
  - Daily
- Keep a dashboard of time wasted for your own amusement
- Then every couple of weeks, ban them so they think you caught them
Educate your users
- Establish clear, simple guidelines of things you won't ask for

Send emails with hashed links
- Emails with a link that bypasses login for one use
- Gets users used to NOT entering their login
- If clicking emails from your site never results in seeing a login screen, getting a login screen will seem strange
- Phishing sites can't fake an automated login
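One way to build those one-use links, as an added example rather than the talk's own code: a random token goes in the email, only a keyed hash of it is stored, and redeeming pops the entry so a second click (or a replayed link) fails. The class and function names, the one-hour lifetime and the URL path are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

class OneTimeLoginLinks:
    """Issues single-use, expiring login links; only an HMAC of each token is stored server-side."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 3600):
        self.server_key = server_key
        self.ttl = ttl_seconds
        self._pending: Dict[str, Tuple[str, float]] = {}   # token_hash -> (user_id, expires_at)

    def _hash(self, token: str) -> str:
        # Keyed hash: a leaked table of hashes cannot be turned back into usable links
        return hmac.new(self.server_key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a link for `user_id`; the raw token exists only inside the e-mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (user_id, now + self.ttl)
        return f"https://your_domain.com/login/{token}"   # your_domain.com as on the DMARC slide

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user to log in, or None. pop() is what makes the link single-use."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None                                    # unknown, forged, or already used
        user_id, expires_at = entry
        return user_id if now <= expires_at else None

def token_from_link(link: str) -> str:
    """Pull the token back out of a link (what the login route would read from the URL)."""
    return link.rsplit("/", 1)[1]
```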
Evercookie
- A virtually undeletable cookie
- Track it with logins so you can trace multiple accounts and IPs back to a single computer
- https://github.com/samyk/evercookie
- http://samy.pl/evercookie/

MaxMind's IP service will identify Tor/proxies with great success
- Don't let people do important things from an anonymous connection
- https://www.maxmind.com/en/geoip2-services-and-databases

Also track with ETag / If-None-Match headers
- Every ad-system tracking trick out there works for tracking fraud
- http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags

And of course... 2-Factor Authentication

Thanks!