No matter your online activity, you don’t want your accounts taken over by someone else. You’d be unhappy to hear that someone logged into your BestBuy account to use your credit card to buy an 82” LED TV. You’d be upset if someone took over your Twitter account, posted spammy content, and then locked you out. The bottom line? No one wants their online accounts taken over– and no company wants...
In 2015, Sebastian and I created Castle with a simple vision. We saw that it was increasingly difficult for companies to access their online accounts and keep their users safe. We also saw that consumers were being asked again and again to take responsibility for their security through robust passwords and other security measures. We started Castle because we wanted to figure out a way to shift...
We are excited to share a new feature in the dashboard that is aimed to help make the Castle Integration more friendly and self service for developers! When you log into your Castle dashboard, in the top navigation bar, you will now find the Integration Debugger Console. The new Debugger works with all of your Castle environments. It is made of of 4 primary sections, each of which are...
At Castle, we are focused on building tools that power end-to-end user security alongside a frictionless user experience. We believe that when it comes to protecting your users, the ability to detect unauthorized access to their accounts is just the beginning. Beyond the detection, developers are using Castle’s APIs to block the unauthorized access in-line, notify their users in real-time of...
Last week, Reddit announced a security incident in which an attacker compromised employee accounts for Reddit’s cloud and source code hosting providers. Breaches like this serve as reality checks to those of us responsible for securing user data and identities online. Hats off to the Reddit team for the way this incident was handled as incidents are nightmares to deal with, both for users and...
Are your users leaking? One item that is commonplace in a hacker’s toolset is a database of leaked user credentials. The database holds a set of exposed user login credentials — user emails and corresponding passwords for a given site or application. What makes a list like this so valuable for hackers is the fact that most people reuse their passwords across multiple applications. So if a hacker...
DDoS prevention, bot prevention, and WAFs were never built for protecting your users. Yet when facing down growing security and fraud threats of all kinds, many businesses are building a higher and higher wall around their perimeter, often in the form of a web application firewall (WAF) or a bot detection solution. But the moat around your site is really only your first line of a multi-layered...
In the past two years, account takeover attacks have evolved dramatically. One recurring theme we’ve seen is that gaps often emerge when the security program’s focus is misplaced. For us, it starts and ends with protecting the user—which means the emphasis has to be on protecting the user account. But great security doesn’t have to come at the expense of great UX. We put...
Account takeovers (ATOs) are unique in that by the time most companies become aware they have a problem, it’s already too late: When people report back to the company that they’ve been compromised, or they see fraud in the aftermath of an ATO. Ironically, these are the metrics fraud vendors are using to measure the number of ATOs they’ve seen. But by then, the challenge becomes one of clean...
A few years ago, when we launched Castle during Y Combinator, it wasn’t uncommon for us to talk to consumer-facing companies and be told that they didn’t have an ATO problem. But this was almost never actually the case: They invariably had compromised accounts that these companies’ fraud tools just hadn’t successfully detected. In some cases, we actually found hundreds of thousands of compromised...