Class Central Classrooms beta
YouTube videos curated by Class Central.
Breaking Fraud and Bot Detection Solutions
- 1 Intro
- 2 Bot Detection • Defend against bots trying to automate abuse activities e.g. test credential dumps, scraping etc. • Is this activity from a human or a bot?
- 3 Fraud Detection • Defend against fraudulent activities e.g. manual ATOs, credit card transactions etc. • Look for anomalies in the activity of a given user, given their past activity.
- 4 Inline Deployment
- 5 Attacker Goal • Conduct fraudulent activity • Automate abuse scripts without getting caught
- 6 Threat Model • Attacker has full control over the browser • Attacker can craft requests and modify them according to the responses from the server
- 7 Cloud Deployment
- 8 Browser Fingerprinting
- 9 Anti-Tampering JavaScript Obfuscation • XOR based packed code • Randomize location of JavaScript file to load
- 10 Stripping Attack
- 11 Replay Attacks • No check on freshness of payload.
- 12 Dynamic JS Tokens • A dynamic token is generated, which is derived from the timestamp. • Same logic can be replicated in a script.
- 13 Headless Browsers • Browser without a GUI, often used for automation and testing • Either render full JS or run JS in a virtual DOM
- 14 Underground Tool • Anti-Detect $399 in the underground market
- 15 Architecture • Recompile mobile app with SDK • JS to native code
- 16 Android Fingerprinting
- 17 Takeaways • Implementation and architectural issues in multiple deployments • Not possible to win the race on web, given no root-of-trust via browsers • State of the world in mobile is better • Getti…