Last week, Reddit announced a security incident in which an attacker compromised employee accounts for Reddit’s cloud and source code hosting providers. Breaches like this serve as reality checks to those of us responsible for securing user data and identities online. Hats off to the Reddit team for the way this incident was handled as incidents are nightmares to deal with, both for users and...
Are your users leaking? One item that is commonplace in a hacker’s toolset is a database of leaked user credentials. The database holds a set of exposed user login credentials — user emails and corresponding passwords for a given site or application. What makes a list like this so valuable for hackers is the fact that most people reuse their passwords across multiple applications. So if a hacker...
Intro I’ve long been a promoter of Ruby, and it’s part of what brought me to Castle, the user security platform where I’m on the engineering team. Castle’s co-founder, Sebastian, reached out to me because the team had been using some of my open source projects, and wanted me to contribute full-time—while still maintaining projects like Karafka. Ruby is a great language for a startup like Castle...
DDoS prevention, bot prevention, and WAFs were never built for protecting your users. Yet when facing down growing security and fraud threats of all kinds, many businesses are building a higher and higher wall around their perimeter, often in the form of a web application firewall (WAF) or a bot detection solution. But the moat around your site is really only your first line of a multi-layered...
In the past two years, account takeover attacks have evolved dramatically. One recurring theme we’ve seen is that gaps often emerge when the security program’s focus is misplaced. For us, it starts and ends with protecting the user—which means the emphasis has to be on protecting the user account. But great security doesn’t have to come at the expense of great UX. We put...
Account takeovers (ATOs) are unique in that by the time most companies become aware they have a problem, it’s already too late: When people report back to the company that they’ve been compromised, or they see fraud in the aftermath of an ATO. Ironically, these are the metrics fraud vendors are using to measure the number of ATOs they’ve seen. But by then, the challenge becomes one of clean...
A few years ago, when we launched Castle during Y Combinator, it wasn’t uncommon for us to talk to consumer-facing companies and be told that they didn’t have an ATO problem. But this was almost never actually the case: They invariably had compromised accounts that these companies’ fraud tools just hadn’t successfully detected. In some cases, we actually found hundreds of thousands of compromised...
A few years ago, when it started to become clear that account takeover (ATO) was becoming a threat, it was understandable that it was seen as a fraud problem. After all, the identity theft inherent in taking over a user’s account does, on some level, amount to fraud. But as the ATO problem has grown, impacting nearly every online business, it’s become clear that we need a mindset shift in how we...
In the last six months, we’ve seen an evolution in how attackers are launching password list attacks, which in turn is impacting how best to fight these attacks. It’s become easier than ever to obtain ranges of hundreds of IPs, which makes it possible to masquerade traffic as coming from multiple different sources. Similarly, many of these IPs are registered in the United States. Taken together...
Many operators in the anti-fraud space are experts at flagging the fraud that stems from credit card chargebacks, fake account registration, and spam posting. Unfortunately, their focus on individual user actions doesn’t address one of the fastest-growing forms of fraud, account takeover (ATO). ATO presents a fundamentally different problem than traditional fraud, which means it requires a...