presented at AppSec USA 2018

1. 11
Breaking Fraud & Bot Detection
Solutions
Mayank Dhiman

2. 22
whoami

3. 33
● Defend against bots trying to automate abuse
activities e.g. test credential dumps, scraping
etc.
● Is this activity from a human or a bot?
Bot Detection
Account Take Over Fake Accounts PII / PHI Theft

4. 44
● Defend against fraudulent activities e.g.
manual ATOs, credit card transactions etc.
● Look for anomalies in activity of a given user,
given past activity.
Fraud Detection

5. 55
Motivation

6. 66
Architecture

7. 77
Cloud Deployment

8. 88
Inline Deployment

9. 99
Attacker Goal
● Conduct fraudulent activity
● Automate abuse scripts without getting caught

10. 1010
Threat Model
● Attacker has full control over the browser
● Attacker can craft requests and modify
responses according to the responses from
the server

11. 1111
No client-side
attestation

12. 1212
Attacker can reverse
engineer the entire sensor

13. 1313
Browser Fingerprinting
https://panopticlick.eff.org/

14. 1414
Hardware
- CPU Architecture
- GPU Canvas
Fingerprinting
- Audio Stack
Fingerprinting
Software
- User Agent
- OS Version
Customizations
- Fonts
- Plugins
- Codecs
- Language packs
- Mime types
- Timezone
Browser Fingerprinting
Storage
- LocalStorage
- SessionStorage
Display
- Screen Size
- Color Depth
Misc.
- Floating-point
calculations
- Insert Objects in
DOM

15. 1515
User Tracking
● Mouse Movements
● Key Presses
● Touchpad
● Device Orientation
Timing information along with event type can be used to create a very
accurate picture of what interactions took place on the webpage.

16. 1616
Anti-Tampering
● JavaScript Obfuscation
● XOR based packed code
● Randomize location of JavaScript file to load

17. 1717
Payload
● Payload Encoding (Base64)
● Symmetric Encryption
● Custom Encryption Schemes

18. 1818
No guarantees of correct
execution of JavaScript

19. 1919
Stripping Attack

20. 2020
Stripping Attack

21. 2121
● No check on freshness of payload.
Replay Attacks

22. 2222
Dynamic JS Tokens
● A dynamic token is generated, which is
derived from the timestamp.
● Same logic can be replicated in a script.

23. 2323
Headless Browsers
● Browser without a GUI, often used for
automation and testing
● Either render full JS or run JS in a virtual DOM

24. 2424
No guarantees of
legitimacy of fingerprints

25. 2525
Forging Fingerprints
● FPRANDOM -- Modified browser which
introduces noise in browser fingerprint
● Database of normal fingerprints
https://github.com/plaperdr/fprandom

26. 2626

27. 2727
Forging Fingerprints

28. 2828
Underground Tool
● Anti-Detect* $399 in the underground market
https://krebsonsecurity.com/2015/03/antidetect-helps-thieves-hide-digital-fingerprints/

29. 2929
JavaScript can’t
protect all flows

30. 3030
Device Attestation
● Android’s SafetyNet API
● iOS DeviceCheck API

31. 3131
Architecture
● Recompile mobile app with SDK
● JS → Native Code
● Browser Fingerprint → Device Fingerprint

32. 3232
Device
- Brand
- Model
- IMEI Number
- Device Build
Carrier
- SIM serial no.
- Carrier name
- Phone no. (MSISDN)
Hardware
- CPU Information
- RAM Information
- Camera Information
- Battery Information
- Hardware serial no.
Android Fingerprinting
Storage
- External Capacity
- Internal Capacity
Display
- Screen Resolution
- Screen Orientation
Misc.
- Uptime
- Is Rooted?
- Is Emulator?
Applications
- List of installed apps
- App versions
- List of running
processes
Localisation
- Geolocation
- Country
- Locale
- Timezone
Network
- IP Address
- MAC Address
- Proxy settings
- WiFi SSID
OS
- OS Name
- OS Version
- Kernel Information
- System Fonts
- System Directory
Structure
- BuildID
- Build Fingerprint

33. 3333
What about iOS?

34. 3434
What about API?

35. 3535
Takeaways
● Implementation and architectural issues in
multiple deployments
● Not possible to win the race on web, given no
root-of-trust via browsers
● State of the world in mobile is better
● Getting baseline protection across all flows is
extremely hard
● Inherent privacy issues

36. 3636
Other Issues
● Fraud/Bot detection solutions are also
fingerprintable

37. 3737
Questions?