3. Bot Detection
● Defend against bots trying to automate abuse activities, e.g. testing credential dumps, scraping, etc.
● Is this activity from a human or a bot?
Account Takeover | Fake Accounts | PII / PHI Theft
4. Fraud Detection
● Defend against fraudulent activities, e.g. manual ATOs, credit card transactions, etc.
● Look for anomalies in the activity of a given user, given their past activity.
10. Threat Model
● Attacker has full control over the browser
● Attacker can craft requests and modify responses, adapting to what the server returns
14. Browser Fingerprinting
Hardware
- CPU Architecture
- GPU Canvas Fingerprinting
- Audio Stack Fingerprinting
Software
- User Agent
- OS Version
Customizations
- Fonts
- Plugins
- Codecs
- Language packs
- Mime types
- Timezone
Storage
- LocalStorage
- SessionStorage
Display
- Screen Size
- Color Depth
Misc.
- Floating-point calculations
- Insert Objects in DOM
15. User Tracking
● Mouse Movements
● Key Presses
● Touchpad
● Device Orientation
Timing information along with the event type can be used to create a very accurate picture of what interactions took place on the webpage.
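The timing-plus-event-type idea above, as an added example that is not part of the original slides: it derives inter-event timing and path-straightness features from a constructed sequence of pointer events and flags a perfectly regular, perfectly straight sequence (or a click with no movement) as automated. The event shape, feature set and thresholds are assumptions for illustration, not any particular vendor's detection logic.

```javascript
// Added example (not from the original slides): derive timing and trajectory
// features from a sequence of browser input events and flag sequences that
// look scripted. Thresholds are illustrative assumptions; the event records
// below are constructed sample data, not real captures.

// Features for events shaped like {type, t (ms), x, y}, as a page would
// collect them from mousemove/mousedown/click listeners.
function timingFeatures(events) {
  const moves = events.filter(e => e.type === "mousemove");
  // Inter-event gaps between consecutive pointer moves.
  const gaps = moves.slice(1).map((m, i) => m.t - moves[i].t);
  const mean = gaps.length ? gaps.reduce((a, b) => a + b, 0) / gaps.length : 0;
  const variance = gaps.length
    ? gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length : 0;
  // Straightness: direct distance over path length (1.0 = perfectly straight).
  let path = 0;
  for (let i = 1; i < moves.length; i++) {
    path += Math.hypot(moves[i].x - moves[i - 1].x, moves[i].y - moves[i - 1].y);
  }
  const last = moves[moves.length - 1];
  const direct = moves.length > 1 ? Math.hypot(last.x - moves[0].x, last.y - moves[0].y) : 0;
  const straightness = path > 0 ? direct / path : 1;
  // A click with no pointer movement before it is what a scripted
  // element.click() looks like; a real pointer moves first.
  const firstMove = events.findIndex(e => e.type === "mousemove");
  const firstClick = events.findIndex(e => e.type === "click");
  const clickWithoutMove = firstClick !== -1 && (firstMove === -1 || firstMove > firstClick);
  return { moveCount: moves.length, meanGap: mean, gapStdDev: Math.sqrt(variance),
           straightness, clickWithoutMove };
}

// Illustrative rule (assumed thresholds): perfectly regular intervals on a
// perfectly straight path, or a click with no movement, reads as automated.
function classify(events) {
  const f = timingFeatures(events);
  if (f.clickWithoutMove) return "automated";
  if (f.moveCount >= 3 && f.gapStdDev < 2 && f.straightness > 0.99) return "automated";
  return "human-like";
}

// Constructed samples: a jittery human pointer path ending in a click,
// and a scripted sweep with identical 10 ms steps on a straight line.
const HUMAN_EVENTS = [
  { type: "mousemove", t: 0, x: 100, y: 100 }, { type: "mousemove", t: 18, x: 112, y: 104 },
  { type: "mousemove", t: 41, x: 127, y: 111 }, { type: "mousemove", t: 56, x: 139, y: 121 },
  { type: "mousemove", t: 87, x: 148, y: 134 }, { type: "mousemove", t: 106, x: 153, y: 150 },
  { type: "mousedown", t: 230, x: 153, y: 150 }, { type: "click", t: 313, x: 153, y: 150 },
];
const SCRIPTED_EVENTS = [0, 10, 20, 30, 40, 50].map(t => ({ type: "mousemove", t, x: 100 + 2 * t, y: 100 + 2 * t }));
SCRIPTED_EVENTS.push({ type: "click", t: 50, x: 200, y: 200 });
```

In a real deployment these features would be one signal among many (the fingerprinting attributes on the other slides included), never a verdict on their own.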
32. Android Fingerprinting
Device
- Brand
- Model
- IMEI Number
- Device Build
Carrier
- SIM serial no.
- Carrier name
- Phone no. (MSISDN)
Hardware
- CPU Information
- RAM Information
- Camera Information
- Battery Information
- Hardware serial no.
Storage
- External Capacity
- Internal Capacity
Display
- Screen Resolution
- Screen Orientation
Misc.
- Uptime
- Is Rooted?
- Is Emulator?
Applications
- List of installed apps
- App versions
- List of running processes
Localisation
- Geolocation
- Country
- Locale
- Timezone
Network
- IP Address
- MAC Address
- Proxy settings
- WiFi SSID
OS
- OS Name
- OS Version
- Kernel Information
- System Fonts
- System Directory Structure
- BuildID
- Build Fingerprint
35. Takeaways
● Implementation and architectural issues in multiple deployments
● Not possible to win the race on web, given no root-of-trust via browsers
● State of the world in mobile is better
● Getting baseline protection across all flows is extremely hard
● Inherent privacy issues