Are your users leaking? One item that is commonplace in a hacker’s toolset is a database of leaked user credentials. The database holds a set of exposed user login credentials — user emails and corresponding passwords for a given site or application. What makes a list like this so valuable for hackers is the fact that most people reuse their passwords across multiple applications. So if a hacker...
DDoS prevention, bot prevention, and WAFs were never built for protecting your users. Yet when facing down growing security and fraud threats of all kinds, many businesses are building a higher and higher wall around their perimeter, often in the form of a web application firewall (WAF) or a bot detection solution. But the moat around your site is really only your first line of a multi-layered...
In the past two years, account takeover attacks have evolved dramatically. One recurring theme we’ve seen is that gaps often emerge when the security program’s focus is misplaced. For us, it starts and ends with protecting the user—which means the emphasis has to be on protecting the user account. But great security doesn’t have to come at the expense of great UX. We put...
Account takeovers (ATOs) are unique in that by the time most companies become aware they have a problem, it’s already too late: When people report back to the company that they’ve been compromised, or they see fraud in the aftermath of an ATO. Ironically, these are the metrics fraud vendors are using to measure the number of ATOs they’ve seen. But by then, the challenge becomes one of clean...
A few years ago, when we launched Castle during Y Combinator, it wasn’t uncommon for us to talk to consumer-facing companies and be told that they didn’t have an ATO problem. But this was almost never actually the case: They invariably had compromised accounts that these companies’ fraud tools just hadn’t successfully detected. In some cases, we actually found hundreds of thousands of compromised...
A few years ago, when it started to become clear that account takeover (ATO) was becoming a threat, it was understandable that it was seen as a fraud problem. After all, the identity theft inherent in taking over a user’s account does, on some level, amount to fraud. But as the ATO problem has grown, impacting nearly every online business, it’s become clear that we need a mindset shift in how we...
In the last six months, we’ve seen an evolution in how attackers are launching password list attacks, which in turn is impacting how best to fight these attacks. It’s become easier than ever to obtain ranges of hundreds of IPs, which makes it possible to masquerade traffic as coming from multiple different sources. Similarly, many of these IPs are registered in the United States. Taken together...
Many operators in the anti-fraud space are experts at flagging the fraud that stems from credit card chargebacks, fake account registration, and spam posting. Unfortunately, their focus on individual user actions doesn’t address one of the fastest-growing forms of fraud, account takeover (ATO). ATO presents a fundamentally different problem than traditional fraud, which means it requires a...
The state of online identity is bleak—mostly because it relies on an outdated username and password model. Each year, 1 billion credentials are leaked or breached, and 73 percent of passwords are being reused across sites. These dynamics have led to an increase in account takeovers (ATOs), in which a hacker tries stolen credentials across a variety of websites and takes over entire accounts to...
Six months ago we graduated from Y Combinator, which was by far the most fun and intense passage of our startup lives. After Demo Day we decided to dedicate the coming six months to full-on focus. We dedicated the radio silence to onboarding and learning from customers, finishing a 1.0 release, and building out our team in San Francisco. Today, we are proud to announce our 2 million dollar seed...