Breaking F&B Solutions · 2018. 2. 11. (transcript of a slide deck)

Page 1: Breaking Fraud & Bot Detection Solutions
Mayank Dhiman, Stealth Security

Page 2: Agenda
• Architectural Overview
• Threat Model
• Issues & Attacks
• Takeaways

Page 3: Fraud Detection
• Defend against fraudulent logins, payments etc.
• Look for anomalies in the activity of a user, given past activity.

Page 4: Bot Detection
• Defend against bots trying to test credential dumps, scraping etc.
• Bot detection solutions look for anomalies across entire populations and time periods.
Account Takeover · Fake Accounts · PII/PHI Theft

Page 5: Cloud Deployment
Diagram: Client Browser, Web Server (Service Provider) and a cloud-hosted Mitigator.
1. Web Request
2. Fingerprint.js
3. (unlabelled arrow)
4. Form Submission
5. Risk Score
6. Block / Allow

Page 6: Inline Deployments
Diagram: Client Browser, Inline Device, Web Server.
1. Web Request
2. Fingerprint.js
3. (unlabelled arrow)
4. Allow / Block

Page 7: Threat Model
• Attacker has full control over the browser.
• Attacker can craft requests and modify responses according to the responses from the web server.

Page 8: Fundamental Issue I
• Attacker can reverse engineer the entire sensor.

Page 9: Browser Fingerprinting
https://panopticlick.eff.org/

Page 10: Browser Fingerprinting
• Hardware
– CPU Architecture & Device Memory
– GPU Canvas Fingerprinting
– Audio Stack Fingerprinting
• Software
– User Agent
– OS Version
• Storage
– Local Storage
– Session Storage
• Display
– Color Depth
– Screen Size
• Browser Customizations
– Fonts
– Plugins
– Codecs
– Mime Types
– Timezone
– User Language
• Misc.
– Floating point calculations
– Add behavior/callbacks/objects to the DOM to check for a real JS execution engine

Page 11: Browser Fingerprinting (Fingerprintjs2)
https://github.com/Valve/fingerprintjs2

Page 12: User Behavior
• Mouse
– Coordinates of where the mouse moved
– Coordinates of clicks
• Keyboard
– Stream of keypresses
• Touchpad
– Coordinates of where the screen was touched

Page 13: User Behavior
• Device Orientation
– 3D angle of device whenever the orientation changes
• Device Position
– Record speed of change of device's position.
Timing information along with event type can be used to create a very accurate picture of what interactions took place on the web page.

Page 14: Anti-Tampering & Anti-Reversing
• JavaScript Obfuscation
• XOR based packed code
• Randomize name/location of the JavaScript file to load
• Dynamic Fields

Page 15: Payload
• Payload Encoding (Base64)
• Symmetric Encryption (DES)
• Custom Encryption Schemes

Page 16: Fundamental Issue II
• There are no guarantees of the correct execution of JavaScript.

Page 17: Headless Browsers
• Browser without a GUI, often used for automation and testing.
• Either render full JS or run JS in a virtual DOM.

Page 18: Stripping Attack
Diagram: the cloud deployment from Page 5 (Client Browser, Web Server / Service Provider, Mitigator; steps 1 Web Request, 2 Fingerprint.js, 3 unlabelled, 4 Form Submission, 5 Risk Score, 6 Block / Allow).

Page 19: Stripping Attack
Diagram: the same cloud deployment as on Page 18, repeated (steps 1 to 6 as before).

Page 20: Stripping Attack
Diagram: the inline deployment from Page 6 (Client Browser, Inline Device, Web Server; steps 1 Web Request, 2 Fingerprint.js, 3 unlabelled, 4 Allow / Block).

Page 21: Stripping Attack
Diagram: inline deployment with a MITM Proxy placed between the Client Browser and the Inline Device.
1. Web Request
2. Fingerprint.js
3. Form POST
4. Allow / Block

Page 22: Replay Attacks
• No check on freshness of payload.

Page 23: Dynamic Tokens
• A dynamic token is generated, which is derived from the timestamp.
• Same logic can be replicated in a script.

Page 24: Fundamental Issue III
• There are no guarantees of the legitimacy of the data collected by the JavaScript sensors.

Page 25: Forging Browser Fingerprints
• FPRANDOM – Modified browser which introduces noise during browser fingerprinting.
• OpenWPM – Web Privacy Measurement software.
• Database of Normal Fingerprints
https://github.com/plaperdr/fprandom
https://github.com/citp/OpenWPM

Page 27: Forging Browser Fingerprints

Page 28: Bad Guys Are Already Doing This
• Anti-Detect* $399 in the underground
https://krebsonsecurity.com/2015/03/antidetect-helps-thieves-hide-digital-fingerprints/

Page 29: User Behavior
• Replay with changed timestamps
• Add ripples and disturbances
• Use MITM Proxy

Page 30: Fundamental Issue IV
• JavaScript can't protect all flows.

Page 31: Fundamental Issue V
• The mitigative action acts as an oracle for the attacker.

Page 32: Other Issues
• Fraud/Bot Detection Solutions are themselves fingerprintable.
• Similar issues exist for mobile app SDK based solutions.

Page 33: Takeaways
• Implementation and Architectural Issues in multiple deployments.
• JavaScript runs in an attacker controlled environment.
• Understand the limitations of such solutions.
• Protect all flows.

Page 34: Questions?