Cloud based services are growing rapidly and more people are doing online business. At the same time Internet frauds are increasing and affecting a lot of online businesses. Many web based applications face a challenge of fraudulent account creation by malicious users.
Each business faces different types of fraud and security related issues. Identification and prevention of many automated attacks are easier with use of firewalls however it can not avoid every attack.
The ability of hacking into a system is growing with the advancements in computing power. This requires smarter systems to identify organized attacks.
Sometimes when we try to prevent more fraud and improve security on our system it creates a bad user experience for a genuine user.
I am trying to focus of the fraud prevention techniques that web based businesses can use to minimize frauds related to malicious user account creation and activities at the same time retaining a genuine user experience.
First Thing First: Understand The Normal User Behavior
Knowing your users is really key to identifying the malicious users. If you have identified a pattern for users who are good you may easily be able to provide them a good user experience. At the same you can also identify the users who are not showing normal behavior. Some of the common ways to identify such accounts are
- A newly created account keeps repeating same activity of (lets say review)
- Too many inactive accounts from one domain name.
Identify The Real Motive Of Fraud
Understand the reason why people are trying to do the fraud. What is the end goal of user (e.g. money or review or ratings). Then improve and limit those systems with a reputation based access for users.
- A real good example is stackoverflow site reputation system. A new user has little access on the system however can accomplish most of the task. A regular user gets a better reputation and gets to access more advanced and privileged features like voting and commenting.
- Another good example is eBay seller rating system. A sellers selling limits are decided based on her performance over a period of time. Limits are waived as the seller starts performing well. The selling limits are also imposed on each category that makes it difficult for fraudulent sellers to sustain for long time.
Capture Every Relevant Action And Analyze
You must log all relevant actions by a user and analyze them offline.
Track Important Actions
Try to capture every relevant action in your system and observe the pattern of each action. Understand the normal frequency of a important user action then analyze.
- To identify usage pattern see what a regular user does on your site. This way you will be able to identify non-regular users.
- Fraud accounts will most probably just try to do the fraud action and nothing else. Where as a genuine user will do a lot more things that can differentiate them.
For example, If you have a rating or review system, make sure that only users with good reputation have access to those.
Analyze Velocity Of Actions
- Know what is a regular velocity of account creation in your web site. Know what is the highest rates days (may be during product launch or a promo)
- Know what is a regular velocity of specific action in your web site. Keep a watch on unusual velocity trends.
Create Automated Alerts
- Make sure system can notify when this velocity is exceeded and a manual action can be taken if required.
- If a real time system is not possible have a off-line system that can generate some alerts and inform about unusual behavior.
Such alerts may help you take manual actions and avoid future attacks.
Browser Based Identification
Identify the returning users based on browser provided information. This may not be 100% trustworthy however you may take extra steps if the user is coming from unknown browser.
For example, Bank of America will ask for only user name and location on the login screen and if you are using a new browser or a different system it will prompt you with a security question challenge before password prompt.
Inspect Any New Account From A Unknown/new Domain
- For example, If majority of accounts with emails from a domain are not used or misused, then block/limit future creates from that domain.
- Brand new domain can have a observation duration lets say 30 days, If possible have a dedicated security team analyze these domains and see if these domains are not known fraud domains. If yes block them.
- Place rules for number of account creation from a new domain during observation period. Lets say any new domain email can not have more than 1000 accounts in observation period.
- Place Rules for speed of account creation from a new domain during observation period. Lets say users coming from any new domain email can not create more than 100 accounts per hour.
- if during observation period too many accounts are created then there is a chance its a suspicious domain. You may want to setup some alerts based on such rules.
- If most of the accounts with emails from a specific domain are not used or misused, then limit or block future creates from that domain.
- Reverse lookup the IP of a new domain and block domains that are suspicious. Sometimes you will observe that many malicious domains resolve to same IP addresses.
Detect If A User Is Coming From A Country That Is Not Normal
Lets say, a person only logs in from USA and then suddenly lots of attempts from (lets say China) are observed. If it was a real user, the first login from China would succeed and then China can be allowed in the future for this user. However if it was a hacker a lot of failed attempts may mean this is a malicious user and should be blocked.
You may use geolocation softwares to identify the country or city of a IP address. There are plenty web service based options available now.
By Mobile Text Message
This method may be costly, however you can choose to do it for a privileged access rights. Lets say the mobile validated users are allowed to specific actions on the system. other users may be restricted.
For Example Google provides a way to enable higher security on your account using mobile SMS. Its painful for users and costly for Google, however it can establish trust on each other with a higher level of security.
By Credit Card Auth
This method may not be easy since a lot of users may not like it. Though if your site involves payment or purchase you may very well use this by doing a zero amount auth just to verify a genuine user.
By Mailing Or Billing Address
You may ask for a actual mailing address and validate it against address standardization database. This may help you relate accounts that are using same mailing addresses and take action (if required).
For example in one of my recent projects we had a limit on number of times a mailing address can be used inside whole application. This helped us reduce a lot of fraud related products that required shipping.
Password Driven Strategies
Hashed Password Storage
Storing passwords as plain text can be really dangerous since one successful attack can expose all the passwords. You must hash the passwords with a one way hashing technique (with unique salt per user) this will ensure that nobody (not even DBAs) can see the plain text password.
To match the password during a login attempt you can create one way hash of user provided password and match with the hash value in database.
One way hashing is not impossible to crack, however it will be much difficult for hacker to crack all the hashed passwords in your database.
Have A Password Policy
You must have a password policy to avoid easy to crack passwords. Most common easy passwords should be disallowed. You may want to maintain a list of disallowed passwords. This will simplify your bot attack identification process as well since any disallowed password attempt can potentially come from a bot.
In case you have a password policy to disallow weak passwords. You can easily catch a bot attack by simply monitoring a special type of password attempt. Lets say your password policy does not allow any user to keep password as “qwerty” if a login attempt is made using password “qwerty”, you may choose to challenge the user with a CAPTCHA for next attempt.
There are many public databases that list the weak passwords and you application should not allow them to be used as valid password.
For example eBay user login system will prompt you with a CAPTCHA if you try to login using a commonly known weak password such as “password”.
Monitor And Act On Password Attempts
Monitoring password attempts will help you identify brute force attacks much faster. Some of the criteria you can use are
- Allow limited attempts for different password attempts. (lets say only 10 different passwords can be tried on same user id)
- Allow much higher attempts for same password retry (lets say 50)
- Offer a password reset page or CAPTCHA after some failed attempts.
- Keep experimenting with threshold of failed attempts and keep it configurable for easy change.
You may also want to read a simple strategy to monitor and act on password based hacking attack.
Challenge Unusual Behavior
Knowing the regular user behavior will allow you to be able to challenge the abnormal behavior. You do this in many ways, some of the proven ways are listed below.
Throwing captcha on all users is not a smart thing since it may be annoying to your genuine users.
In case you suspect a unusual source is attempting to create accounts on your website, you can challenge them with a captcha. There are many captcha implementations available that are difficult for bots but easy for humans. You may want to choose wisely depending on your audience.
With Mobile Text Message
You can challenge a suspicious attempt by sending a mobile text message for one time verification.
For example, ICICI Bank, India sends a one time password to a registered user mobile for verifying a transaction.
You can also challenge a suspicious attempt by sending email confirmation and asking for the user to follow a verification link. This is common way user account registration is verified, however you can also use the same for verifying important transactions.
Use Firewall System That Have Integration API Support
Deploy Firewall and Security Systems that support interaction with other systems for dynamic rules
Most firewall solutions do have option of manually updating the firewall for a specific rule or blocking traffic from a source. This feature is really useful for common problems, however it fails in case when there are immediate actions required.
If you deploy a firewall that can be dynamically configured using programs or API your life may be much easier.
Create Complimenting Systems To Firewalls
Firewalls are used to prevent most common type of frauds. You can focus on developing systems that can identify more application specific attacks and feed into firewalls to work more efficiently.