BT Credential Abuse and Customer Identity and Access Management Event

Transcript

1. Credential Abuse and Customer Identity and Access Management Thursday 9

   May 2019

2. Agenda 14:00 Welcome from David Wrout, CTIO – Production, Supply

   & Retail, BT 14:15 Credential Abuse - Challenges, Detection Strategies & Understanding Your Attack Surface, Richard Meeus, Security Technology and Strategy Director, EMEA, Akamai Technologies 14:55 Akamai Network Operations Command Centre (NOCC) Tour, Ben Woodhouse, Solutions Engineer, Akamai Technologies 15:25 Networking Break 15:40 Introducing Akamai Identity Cloud, Mayur Upadhyaya, Senior Director – Identity Cloud, EMEA, Akamai Technologies 16:10 The Nando’s story – Annabel Busby, Sales Manager, Amido – an independent technical consultancy 16:40 Closing comments 16:50 Networking drinks and canapes

3. Introduction David Wrout, CIO – Production, Supply & Retail

4. The importance of Retail 5% Retail value to UK GDP

   2.9M UK people employed in Retail £381Bn UK Retail Sales $1.2T Mckinsey prediction for economic value of IoT to Retailers 553 EE Retail Stores in the UK…and growing Source: Retail Economics 2018 / Adobe Digital Insights & Mckinsey 82% Of sales still in-store $12Bn Revenue increase to Retail through 5G by 2021

5. Retail Sector Transformation

6. Some key trends in retail – Business & Technology Bricks

   & mortar storesneed to radicallytransform to remainrelevant Automation: AI &Robotics 5G for Retail: High Speed & Low Latency Rapid growth ofIoT Experience & Efficiency Securing the Retail operation 15% Year-on-Year On-line sales growth Seamless personalised customer experience a critical differentiator ‘Digitally dextrous sales associates’with technology in theirhands Business Technology

7. Credential Abuse - Challenges, Detection Strategies & Understanding Your Attack

   Surface Richard Meeus, Security Technology and Strategy Director, EMEA, Akamai Technologies

8. Understanding Credential Abuse

9. None

10. Collection Number 1 772,904,991 email addresses >21,000,000 passwords £0

11. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

12. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

13. Rand omiz ed user agent Brow ser imper sonat ion

    Sessi on repla y Full cookie support JavaScript support Browser fingerprint spoofing Recorded human behavior IP Blocking / Rate Limiting Multiple IPs Low request rate Single IP HTTP Anomaly Detection Browser Fingerprinting User Behavior Analysis BOT SOPHISTICATION Evasions and mitigations SIMPLE SOPHISTICATED

14. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

15. 1 2 $ $ $ 3 4 HOW IT WORKS

    Attackers pull data during a data breach Stolen credentials are sold on the dark web Fraudsters purchase stolen credentials Stolen credentials are tested on other websites

16. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

17. Infrastructure Load Security Customer Satisfaction BUSINESS AND IT IMPACTS

18. The automated effort of cycling through large lists of usernames

    and password combinations on a target website, in hopes of identifying still valid account credentials

19. Reconnaissance Weaponization Delivery Exploitation Action FRAUD KILL CHAIN Understanding the

    role of credential stuffing • Identify target website with high account value • Purchase list of stolen credentials on dark web • Build or rent a botnet to automate validation • Build or buy software tools to evade detection • Purchase compromised account for target site • Use purchased account credentials to login • Perform fraudulent transactions using compromised account OBJECTIVES • Validate list of stolen credentials against login page of target website • Resell validated account credentials on dark web Bot management • Mitigates attack earlier in the kill chain to reduce incidence of downstream fraud SOLUTIONS Fraud prevention • Pros: knows individual users • Cons: high cost, account already compromised
20. None
21. None

22. Amount of money lost to fraud per compromised account FINANCIAL

    IMPACT Ponemon Institute – The Costs of Credential Stuffing Number of accounts targeted per credential stuffing attack Ponemon—The Cost of Credential Stuffing, Oct 2017 Other annualized costs related to credential stuffing

23. Wide-ranging impacts of credential stuffing

24. Whose problem is it?

25. RESPONSIBILITY Dispersed throughout the organization

26. UNDERSTANDING ATTACK SURFACE For transactional endpoints SIGN IN BA G

    SIGN IN BA G LOGIN CREATE ACCOUNT Website GIFT CARD SIGN IN BA G URLs Desktop login Shopping cart Create account Account balance Cart API SIGN IN BA G SIGN IN BA G Login API Mobile app Clients Desktop browser Mobile browser 3rd party Attacker

27. ATTACK CAMPAIGN SIZES Differences between standard web vs. API endpoints

    ATTACKERS ATTEMPT x4 MORE STOLEN ACCOUNTS THROUGH API LOGINS!

28. TRANSACTIONAL ENDPOINTS Two types of bots 1. Scraping Bots 2.

    Transactional Bots Example1 : Price Scraping (Good or Bad) Example2 : Content Scraping (Good or Bad) Example3 : Google Web Crawler (Good)

29. TRANSACTIONAL ENDPOINTS Two types of bots 1. Scraping Bots 2.

    Transactional Bots Example 1 : Login Attack :: Credential Abuse (Bad) Example 2 : Fake Account Signup (Bad) Example 3 : Concert Ticket Grabbers (Bad)

30. Check for free trips ~~~~~~~~~~~~~~ ~~~ ~~~~~~~~~~~~~~ ~~~ ~~~~~~~~~~~~~~ ~~~

    Reset Password

31. Check for free trips ~~~~~~~~~~~~~~ ~~~ ~~~~~~~~~~~~~~ ~~~ ~~~~~~~~~~~~~~ ~~~

    Reset Password
32. None
33. None

34. Thank you! We have sent you an email to reset

    your password.

35. Examples of Attacks

36. EXAMPLE – RETAIL Akamai has been protecting this customer since

    September 2018. Once DENY mode was enabled, the bots disappeared. Eventually, the bad actors returned when they discovered a vulnerable API to verify user profiles and promptly launched their attack. When the attack was discovered, the customer onboarded the new endpoint onto the Akamai platform for protection. Bot Requests 13,663,754 IP Address A total of 78,269 IP addresses were detected sending potentially malicious requests User Agent Attackers rotated through 754 user agent strings during the observed period. Countries 68% of blocked requests originate from within the US. The rest of the traffic was split amongst 191 other countries Exploratory probe in an attempt to discover if Bot Migration is still in place. Traffic subsides shortly after. Possible attempt to obfuscation by attacking protected endpoints while simultaneously hitting the new vulnerable API. Human Logins 2,439,702 New endpoint configured once the attack was discovered. Averaging 2.1 million requests per day.

37. EXAMPLE – RETAIL Top 5 User-Agents # of Triggers Mozilla/5.0

    (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 1,253,061 Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0 366,102 Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.2 Mobile/14C92 Safari/604.1 288,476 Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/10.0.2 Mobile/14A456 Safari/604.1 288,152 Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1 288,065 • Out of the 754 User-Agents used, 85% of the traffic came from 45 User-Agents that appear to be iPhone devices • Each User-Agent was used to generate an average of 275,000 requests over a span of 5 days • All the fake iPhone requests originated from non-cellular networks, suggesting this is malicious traffic

38. EXAMPLE – RETAIL Detection Method # of Triggers ▪ Behavioral

    Telemetry Indicates Advanced Bot 13,171,043 ▪ No Behavioral Telemetry Received 1,584,711 ▪ Session Cookie Missing 10,082 ▪ Behavioral Telemetry Invalid 7,081 ▪ Session Cookie Replay 1,843 • The most advanced bots will send behavior telemetry in an attempt to appear human • Analyzing this telemetry with machine learning algorithms allows Akamai to separate the bots from legitimate human users

39. CASE STUDY Top 10 global financial services institution As one

    of largest financial asset management companies, this organization sees high bot traffic, including financial aggregators as well as credential stuffing and other fraud-related activities. Result Dramatic reduction in account takeovers to 1-3 per month and fraud-related losses to $1-2k per day—across all login endpoints Solution Behavioral-based bot detections deployed in deny in front of every consumer login endpoint Problem 8,000 account takeovers a month across multiple login endpoints, leading to $100k per day in direct fraud-related losses

40. Escalating Bot Detection Tactics

41. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Attack tool sophistication Attack Deployment Sophistication Automated Browsers w/Human Imitation

42. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Attack tool sophistication Attack Deployment Sophistication Automated Browsers w/Human Imitation Network Detections • IP Address • Country of origin • Rate of requests Pros • Simple to implement • Can be done within a WAF

43. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Automated Browsers w/Human Imitation Header Detections • User-Agent • Missing headers • Header order Pros • Simple to implement • Can be done within a WAF Attack tool sophistication Attack Deployment Sophistication

44. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Automated Browsers w/Human Imitation Browser Fingerprinting • Checks to see if client can process .js • Compares browser characteristics with User-Agent Pros • Identifies basic scripts • Isn’t as complex as other solutions Attack tool sophistication Attack Deployment Sophistication

45. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Automated Browsers w/Human Imitation Behavioral Detections (hybrid) • Uses both browser fingerprinting and human telemetry to create a single signature Pros • Identifies basic, moderate and some advanced bots • Starts to look at the user interaction Attack tool sophistication Attack Deployment Sophistication

46. Disposable IPs Dynamic rotating IP Rotating IPs Single IP Primitive

    Pearl, Curl Javascript Engines Headless Browser A LOOK AT THE MOST COMPLEX ATTACKS Automated Browsers w/Human Imitation Behavioral Detections (true) • Creates a unique signature based on human telemetry • Uses browser characteristics to identify Bot tools and improve machine learning Pros • Identifies basic, moderate and some advanced bots • Accurately identify humans Attack tool sophistication Attack Deployment Sophistication

47. CAPTCHA IS NOT A PANACEA • Simple to implement •

    Can be done within a WAP Pros • Customer experience • Detection quality • Risk score based • Not really Bot management • Possible privacy issues • Limited support and development Cons

48. https://www.akamai.com/us/en/multimedia/documents/state-of-the- internet/soti-2018-credential-stuffing-attacks-report.pdf • No silver bullet to address credential stuffing,

    need multiple levels of defence: • Bot solution & Web application firewall • Things you can do on your website: ◦ Implement a robust IAM solution; OWASP has great suggestions ◦ Make MFA mandatory but not via SMS text ◦ Not allow email addresses as usernames for authentication ◦ Add a third informational proof element to login pages, such customer ID or last name
49. None

50. Akamai Network Operations Command Centre (NOCC) Tour Ben Woodhouse, Solutions

    Engineer, Akamai Technologies

51. IDENTITY CLOUD Mayur Upadhyaya, Senior Director – Identity Cloud, EMEA,

    Akamai Technologies

52. PRIVACY: A STRATEGIC IMPERATIVE Janrain was Acquired by Akamai in

    January 2019 Janrain pioneered the Customer Identity landscape Named a Customer Identity and Access Management (CIAM) leader in 2017 Forrester Wave™ Report Named as the overall leader in 2018 Customer Identity Leadership Compass Giving end-users control and choice over their data and how it is used Accelerating sustained compliance of GDPR for their customers Enhancing digital trust

53. What is Identity Cloud? Identity Cloud increases the user’s security

    and privacy, while improving end user engagement and thus brand loyalty Reducing friction in the registration journey; by scaling & performing without latency and allowing customers to bring their own identity Customer Identity & Access Management consists of three key capabilities delivered as a service Offloading & simplifying the management of customer profiles, opt- ins, logins and registrations while de- siloing identity architecture Protecting & securing end user data and password INTRODUCING: AKAMAI IDENTITY CLOUD Formally Janrain

54. DIGITAL TRUST Identity is at the heart of a customer

    centric approach Customer Identity & Access Management Regulation & Compliance Digital Transformation Omnichannel, IoT & Personalisation

55. THE CUSTOMER IDENTITY CHALLENGE Why customer identity is critical DIGITAL

    ECONOMY • 3.8B out of 7.5B people are digitally connected • 5M mobile applications • 1.2B websites • 6.4B connected things MARKETING TO ONE • 4000 marketing companies in 49 categories • Multiple views of customer • Unpersonalised campaigns DATA GOVERNANCE • 1000s of silos of customer data • 100s of consumer data protection regulations • Up to 4% WW annual turnover in penalties for non- compliance IDENTITY SECURITY • 4.5M breached identities per day • 7B breached identities since 2013 • >80% f/bad actors • >60% f/compromised credentials

56. Increases the user’s security and privacy, while improving end user

    engagement and brand loyalty Secure your customer identities & protect against identity fraud Identity Cloud consists of three key functions delivered as a service: Optimise user experience & marketing efforts Manage your online customer identities HOW IDENTITY CLOUD HELPS Understanding Customer Identity and Access Management

57. MANAGING Your online customer Identities Authentication SSO Social/BYOID Traditional •

    Offload authentication and self-registration • Reduce friction allowing consumers to bring their own identity (e.g social) • Allow customers to move seamlessly across properties • Flexible user experience • Customer Support Representative Screens

58. • CIAM/PII protected by the Akamai offerings you know and

    trust • Ability to lock down data access by attribute and application • Standards compliant, working against vendor lock in • Strong Customer Authentication SECURING Your online customer Identities ABAC Authorisation Secure Edge

59. • Give customer control and choice with consent and preference

    Store • Ability to store attributes without compromise • Identity Analytics • Internationalisation and version control OPTIMISING Your online customer experience Identity Consent Profile Identity Analytics

60. Cloud-native, multi-tenant Identity Cloud 99.999% availability Consumer and IoT scale

    Sustained performance during high-traffic events Secure Edge circumventing millions of attacks Broadest compliance with certifications & attestations Identity proofing services Flexible directory schema . Fine-grained privacy & data governance Bulk and event- driven data integrations Real-time data identity analytics API-centric for App Developers THE IDENTITY CLOUD DIFFERENCE What sets Akamai apart from the competition?

61. MOBILE PAYMENTS INNOVATION AND DRIVING LOYALTY

62. CREATING VALUE Customer identity impacts roles across the enterprise Infrastructure

    owner • Offload and simplify—offload identification to the edge, put your identity store in the cloud, de-silo your identity architecture, and simplify access policy enforcement • Better performance / security for your IAM infrastructure Security owner • Compliance with GDPR and other regional data privacy regulations • Better security for your end users—strong data protection, threat intelligence to detect account compromise, behavioral analysis to detect automated attacks Business owner • Improve end user experience—better performance, less unnecessary friction, and a more personalised experience • Improve revenues through better cross sell and upsell with better customer insight
63. None
64. None
65. None

66. LOW TOUCH LOW CAP INVESTMENT HIGH TOUCH HIGH CAP INVESTMENT

    First 20 Years Next 20 Years New Kinds of Business

67. Housing ©2018 Andreessen Horowitz. Page 43 Transport Food Entertainment Global

    consumer spending Household Clothes Health First 20 Years Next 20 Years £30tr Personalised Drugs Netflix / Food delivery Grocery delivery Autonomous Cars Buying properties Listings, mortgage comparison Tickets Restaurant reviews Symptoms New Kinds of Business

68. Social Instagram & YouTube Rental & Subscriptions Vast amounts of

    data Machine Learning New Building Blocks

69. Two Models of Retail Retail as logistics Amazon Retail as

    tastemaker ASOS / Casper

70. £ £ £ £ £ £ £ £ £ £

    £ £ £ £ £ £ £ £ £ Homegrown Solution Can’t Tailor Campaigns Marketing to One or Many? Adding New Channels Takes Months Multiple Logons (Friction) Multiple Data Stores Can’t See Trends No Identity Platform….Is this the Impact on Your Business?

71. Supermarkets Take-away Wifi Loyalty Card Mobile App Brand Delivery Nando’s

    Stores

72. Loyalty Mobile App Delivery Take Away Nando’s Challenges

73. Loyalty Mobile App Delivery Take Away Integration with third-parties Authentication

    & Authorisation Nando’s API Nando’s ID Nando’s Change Log Nando’s Solution

74. Nando’s Results One Log on Anonymous to Known Customer Paper

    to Cardless Customer Loyalty SaaS Platform Reduced Security Footprint Easier GDPR Compliance Cleaner Data Collection API First Business New Channels Instantaneously Single View of Change

75. [email protected]

76. Closing Comments

77. Networking Drinks and Canapes