Automated Account Takeover: The Rise of Single Request Attacks

Kevin Gosschalk, Founder and CEO, Arkose Labs twitter, linkedin
abstract slides video

In this talk, Kevin defines “single request attacks,” describes challenges of preventing account takeovers, gives examples of the types of systems bots attack in the wild and how, and recommendations for preventing account takeovers.

Kevin spends the first 6 minutes of this 49 minute talk (~12%) discussing his past work on eye imaging software to detect diabetes earlier and working with Microsoft on Kinect motion sensor-type technology. He starts talking about Account takeovers at 6:16.

Kevin defines account takeover (ATO) to be “using another person’s account information to obtain products and services using that person’s existing accounts.”

Attackers can use compromised accounts to do things like redirect packages (if they’ve compromised a UPS or Fedex account) which they can then sell, scrape private or sensitive content that the victim account has access to, or most commonly, make transactions for their financial benefit.

As the security of most IoT devices is poor (being generous), attackers have been hacking IoT with blatant security flaws or just default passwords, and then routing their brute force login attempts through the devices so the guesses come from a wide range of IPs.

Challenges to Preventing Account Takeovers

• Attackers can use a unique IP for every request, making IP-only solutons ineffective.

• Attackers use a unique identity (e.g. user agent, installed fonts, other fingerprintable aspects) for every request

• Browsers are easy to automate (e.g. headless Chrome, Selenium, PhantomJS), making it hard to differentiate bot clients from real users.

• reCAPTCHA is easy to bypass using modern machine learning techniques. Check out the Russian software XEvil Solver if you need to bypass reCAPTCHA at scale.

There are a number of tools, such as AntiPublic, which for an affordable price, will automate much of the account takeover process for you. You provide a set of email addresses, passwords, and websites you’d like to target, and it’ll give you helpful stats like success rates, which accounts worked, etc. Some of the tools even include a free trial! Such customer service 👍

Bot Attacks in the Wild

Airlines: One airline had all of its seats “sold out” for two weeks into the future, so potential customers couldn’t buy them. Bots would select a seat and continue to payment, where the site redirects to a third-party, such as Alipay or PayPal. However, the bot doesn’t complete the transaction, it just holds the reservation, preventing anyone else from buying it until the transaction times out. Rinse and repeat.

Concerts: Most concert tickets are sold out in 3 minutes now because of bots. The scalpers then resell the tickets for a hefty profit.

Gift cards: When you buy a gift card, they scan it at the cash register, which then “activates” it. Bots can brute force the gift card’s unique number so an attacker can spend the value once the card is activated but before its used. Merry Christmas.

Credit cards: When hackers obtain stolen credit cards that they aren’t sure are working, sometimes they’ll test them by making $1 donations to various charities and see if it succeeds. Bonus: these charity sites tend to have few to no protections against bots and they sometimes give helpful feedback, like “Sorry, that’s the wrong CVV / address,” making determing the correct values much easier.

Clothes: Bots snatch up shoes and other apparel that are released in limited quantities and resell for a nice profit.

Pokemon Go: Hackers used a modified Android OS to bypass SafetyNet, which is an Android API developers can use to “assess the device’s integrity.” (good ‘ol return true).

Dead voters: The Death Master File was leaked at one point, which is a government file that lists who has died, their date of birth, SSN, and last zip code where the person was alive. Hackers have used the list to create accounts on various sites where “real people” are needed, like voting in certain polls, for example, commenting against net neutrality.

Auction abuse: Rivals bid up competitors’ products and then bail out of paying at the last minute, so their items are purchased instead.

How do we stop account takeovers?

In the last four minutes, Kevin shares a few thoughts on stopping account takeovers.

1. Rate limit by email and identity - give users 3 attempts via an IP or identity

2. Lock accounts with suspicious accounts

   • Email the account owner when an incorret password is entered or multiple attempts have been made. Note that this can be a bad user experience, leading you to lose customers.

3. Use MFA

4. Require (and enforce) strict passwords, and test them against the HaveIBeenPwned API.