Breaking Fraud and Bot Detection Solutions
Offered By: OWASP Foundation via YouTube
Syllabus
Intro
Bot Detection • Defend against bots that automate abuse activities, e.g. testing credential dumps, scraping, etc. • Is this activity from a human or a bot?
Fraud Detection • Defend against fraudulent activities, e.g. manual ATOs (account takeovers), credit card transactions, etc. • Look for anomalies in a given user's activity compared with their past activity.
Inline Deployment
Attacker Goal • Conduct fraudulent activity • Automate abuse scripts without getting caught
Threat Model • Attacker has full control over the browser • Attacker can craft arbitrary requests and modify responses, adapting each step to what the server returns
Cloud Deployment
Browser Fingerprinting
Anti-Tampering JavaScript Obfuscation • XOR-based packed code • Randomize the location of the JavaScript file to load
Stripping Attack
Replay Attacks • No freshness check on the payload.
Dynamic JS Tokens • A dynamic token is generated, derived from the timestamp. • The same logic can be replicated in a script.
Headless Browsers • Browser without a GUI, often used for automation and testing • Either render full JS or run JS in a virtual DOM
Underground Tool • Anti-Detect $399 in the underground market
Architecture • Recompile mobile app with SDK • JS → native code
Android Fingerprinting
Takeaways • Implementation and architectural issues in multiple deployments • Not possible to win the race on the web, given there is no root of trust via browsers • State of the world on mobile is better • Getting baseline protection across all flows is extremely hard • Inherent privacy issues
Taught by
OWASP Foundation
Related Courses
Enterprise and Infrastructure Security (New York University (NYU) via Coursera)
Palo Alto Networks Cybersecurity Essentials II (Palo Alto Networks via Coursera)
Hacking Laboratuvarınızı Oluşturun (Udemy)
CISM Cert Prep: 3 Information Security Program Development and Management (LinkedIn Learning)
Ethical Hacking: Mobile Devices and Platforms (LinkedIn Learning)