IRC log of wpsig-public on 2022-09-15

Timestamps are in UTC.

21:05:52 [RRSAgent]
RRSAgent has joined #wpsig-public
21:05:52 [RRSAgent]
logging to https://www.w3.org/2022/09/15-wpsig-public-irc
21:05:57 [Bert]
present+ Bert Bos
21:05:58 [Ian]
Meeting: Joint Antifraud/WPSIG meeting
21:06:05 [Ian]
Chair: Ian
21:06:09 [smcgruer_[EST]]
present+
21:06:09 [Ian]
present+
21:06:12 [smcgruer_[EST]]
present+ adam_kelly
21:06:15 [David_Turner]
David_Turner has joined #wpsig-public
21:06:15 [NakjoShishkov]
NakjoShishkov has joined #wpsig-public
21:06:16 [smcgruer_[EST]]
present+ erhardbrand
21:06:19 [smcgruer_[EST]]
present+ philippp
21:06:20 [ChristianA]
ChristianA has joined #wpsig-public
21:06:22 [smcgruer_[EST]]
present+ Christina_Hulka
21:06:25 [smcgruer_[EST]]
present+ Gerhard
21:06:31 [svaldez___]
present+ svaldez
21:06:35 [NakjoShishkov]
present+ NakjoShishkov
21:06:35 [smcgruer_[EST]]
present+ Bert_Bos
21:06:37 [ChristianA]
present+
21:06:54 [Ian]
Topic: Patterns in payment fraud
21:07:51 [Ian]
Erhard: I'd like to take you through some patterns we've seen and some possible solutions.
21:08:05 [Ian]
[On Entersekt]
21:08:26 [Ian]
Entersekt: Some of our clients use us for authentication during 3DS challenge flows; we also have our own ACS
21:08:39 [Ian]
...online sales increase and fraud grows every year.
21:08:49 [Ian]
...anti-fraud workflows are difficult to build
21:09:03 [Ian]
...security v. usability (and cart abandonment)
21:09:35 [Ian]
...we'd like to have seamless MFA.
21:09:51 [Ian]
...exceed regulatory requirements
21:09:57 [Ian]
...use contextual authentication where possible
21:10:28 [Ian]
present+ Carey
21:11:05 [Ian]
...payment fraud is an entire value chain
21:11:39 [Ian]
...fraudsters steal passwords and cards, attempt small purchases, attempt logins, attempt logins to extract PIIs
21:12:12 [Ian]
...Account takeover: Phishing
21:12:23 [Ian]
...all you need is an email address and phone number.
21:13:32 [Ian]
...some of this can be mitigated through 2FA and through education.
21:13:39 [Ian]
...Account takeover: SIM Swap
21:13:52 [Ian]
...requires credit card number and PII
21:14:04 [Ian]
...so OTP codes sent to another device
21:14:28 [Ian]
...can be mitigated by looking at SIM age
21:14:42 [Ian]
Account takeover: Social Engineering
21:15:02 [Ian]
required - bank details, some PII
21:15:09 [Ian]
...fraudster poses as bank employee
21:15:45 [Ian]
...to mitigate: behavior biometrics and clear messaging to user (e.g., account information, specifics)
21:16:20 [Ian]
Chargeback fraud (where 3DS not widely used)
21:16:23 [dcrousso_]
dcrousso_ has joined #wpsig-public
21:16:31 [Ian]
...required: credit card number, customer PII
21:17:01 [Ian]
mitigation: 3DS challenge flow
21:17:11 [Ian]
Triangulation Fraud (which is less common)
21:17:14 [Ian]
required: customer PII
21:17:48 [magda_sypula]
magda_sypula has joined #wpsig-public
21:17:48 [Ian]
mitigation: 3DS challenge flow
21:17:58 [Ian]
...use descriptive messages during 3DS
21:18:25 [Ian]
Erhard: COVID-19 has fueled a surge in e-commerce, but corresponding rise in account takeover
21:18:39 [Ian]
...card tokenization can help mitigate stolen cards
21:18:50 [Ian]
...ability to recognize returning browser would help more mitigations
21:19:09 [Ian]
...some attacks:
21:19:28 [Ian]
* Card sniffing / skimming attacks. Relies on cross-site scripting
21:19:58 [Ian]
...compromised JS executes in the payment page. Upload collected data
21:20:10 [Ian]
...there were 17K domains affected by a 2019 attack
21:20:18 [Ian]
mitigations: JS integrity hash; CSP
21:20:31 [Ian]
* Card testing /card cracking fraud
21:20:44 [Ian]
...JS used to test stolen credit cards
21:20:53 [Ian]
...most common form of fraud in NA in 2021
21:21:13 [Ian]
mitigations: use 3DS, velocity checking, origin IP address monitoring, monitoring multiple declines on card, bot detection
21:21:32 [Ian]
Erhard: XSS is still a widely used attack
21:21:40 [Ian]
...browser fingerprints can be spoofed
21:21:49 [Ian]
...CSP rules often lacking or not implemented.
21:22:19 [nicktr]
nicktr has joined #wpsig-public
21:22:20 [Ian]
Erhard: study of 1000 sites in 2020 found 92% of evaluated websites expose data to 17 domains
21:22:26 [Ian]
[How to address fraud patterns]
21:22:39 [Ian]
Erhard: Browser fingerprinting is not good enough anymore
21:22:44 [Ian]
...use FIDO & SPC
21:22:54 [Ian]
...but we are looking for better signals for frictionless flows
21:22:57 [Ian]
...some ideas:
21:23:02 [Ian]
* Context aware challenges
21:23:32 [Ian]
Erhard: Geolocation - users will opt in if positioned correctly.
21:23:43 [Ian]
...FIDO/SPC even within the issuer's iframe
21:23:50 [Ian]
..register user in a 1p context (banking portal)
21:23:51 [nicktr]
present+ Nick_Telford_Reed
21:24:05 [Ian]
...3DS checkout can take advantage of cross-origin iframe calls
21:24:12 [Ian]
...SPC can improve UX over WebAuthn dialog
21:24:32 [Ian]
...in the future, delegation with SPC
21:24:39 [Ian]
* Browser behavior biometrics
21:24:47 [Ian]
...detect velocity with the form
21:25:02 [Ian]
...you can check familiarity with addresses
21:25:10 [Ian]
...multiple logins from same endpoint
21:25:13 [Ian]
...modified browser detection
21:25:20 [Ian]
...geolocation + IP checks
21:25:43 [Ian]
Erhard: We'd like to make the most use of 3DS2 frictionless flow, which involves the Method URL
21:26:11 [Ian]
...this approach in a cross-origin context is being shut down
21:26:24 [Ian]
...we'd like to demonstrate that a user is returning to the same browser.
21:26:43 [Ian]
...can the browser ask the user if they trust this domain to improve payment experiences going forward?
21:26:44 [smcgruer_[EST]]
q?
21:26:53 [Ian]
Erhard: We've experimented with WebCrypto API
21:27:09 [Ian]
...you can store in IndexedDB and mark as non-extractable
21:27:13 [Ian]
...clearable by the user
21:27:26 [Ian]
...would be valuable if the crypto object could be tied to hardware
21:27:28 [svaldez]
Vaguely sounds like token binding/channel binding.
21:27:31 [philippp]
q+
21:27:33 [Ian]
...and tie into the browser attestation proposal
21:27:46 [Ian]
...take the customer through a trust ceremony where they can opt-in to be remembered on this browser.
21:27:50 [Ian]
ack philippp
21:28:19 [svaldez]
q+
21:28:21 [Ian]
Erhard: Hardware-backed will help avoid clearing
21:28:31 [Ian]
ack svaldez
21:28:40 [Ian]
svaldez: Even without hardware backed, I think browsers would want to reset
21:28:50 [SameerT]
SameerT has joined #wpsig-public
21:28:55 [Ian]
...what you want is "more persistent key" not necessarily "hardware backed"
21:28:59 [careyf_]
careyf_ has joined #wpsig-public
21:28:59 [Ian]
q?
21:29:01 [MoAllibhai]
MoAllibhai has joined #wpsig-public
21:29:14 [Ian]
Erhard: I reviewed the Antifraud CG proposals to evaluate utility in light of these fraud patterns.
21:29:19 [Ian]
* Trust token
21:29:22 [careyf_]
present+ Carey_Ferro
21:29:34 [Ian]
...this could identify a good browser, but need some way to associate with the browser.
21:30:22 [Ian]
...is there a way, during a remember-me process that requires user consent and friction, and user opt-in, after which the trust token could let you issue anonymously or with an id provided at registration time?
21:30:29 [Ian]
...trust tokens are valuable in a cross-origin context as well
21:31:51 [rbyers]
rbyers has joined #wpsig-public
21:32:26 [SameerT]
q+
21:32:41 [Ian]
svaldez: The extra layer of user consent helps; just need a signature
21:33:15 [Ian]
SameerT: User consent is an important part here; they would have full knowledge. If this device attestation is happening with a user gesture, would that meet some of the criteria?
21:33:25 [Ian]
svaldez: It's not trust tokens anymore; it's just a signature
21:33:27 [rbyers]
q+
21:33:31 [Gerhard]
q+
21:33:37 [Ian]
ack SameerT
21:33:45 [Ian]
svaldez: Given user consent, the privacy impact is ok.
21:33:48 [Ian]
q+
21:33:51 [nicktr]
q?
21:33:51 [SameerT]
q+
21:33:51 [Ian]
ack rbyers
21:34:14 [Ian]
rbyers: Why not webAuthn?
21:34:29 [philippp]
q+
21:34:37 [Ian]
SameerT: User consent is at registration time. Once binding has been created, at authentication time, the issuer doesn't have to challenge.
21:34:57 [Ian]
rbyers: I suspect that the browsers wouldn't be ok with "no challenge at authentication time".
21:35:09 [Ian]
ack Gerhard
21:35:39 [MarieJordan]
MarieJordan has joined #wpsig-public
21:35:42 [Ian]
Gerhard: The friction does impose a real cost on merchants (cf Monday presentation from Microsoft)
21:36:04 [Ian]
...maybe there's an answer where you use WebAuthn, but where there's a way to have less friction for the next few challenges.
21:36:20 [Ian]
...this could be based on consent given through WebAuthn
21:36:47 [Ian]
...maybe it's not completely frictionless, the user still has to perform a gesture, but that can trigger a signature in the browser.
21:36:51 [Ian]
q?....
21:36:55 [Ian]
q-
21:37:05 [Ian]
ack SameerT
21:37:35 [Ian]
SameerT: In looking at signals that come from the device, there are multiple signals (e.g., transaction data).
21:37:42 [Ian]
ack ph
21:38:09 [Ian]
philippp: It seems like what we want is minimal friction and typing a number in a 3p context.
21:38:22 [Gerhard]
q+
21:38:25 [Ian]
...we want to reidentify the user in a 3p context for one use case
21:38:34 [Ian]
...we want the user to be informed they will be identified.
21:38:42 [Ian]
...the user has entered a card number.
21:38:54 [Ian]
...the browser could do a passive check because they are not further identifying the browser.
21:38:58 [rbyers]
I like it
21:39:18 [Ian]
John_Bradley: We already kind of have that in SPC where you talk to the ACS and get a list of credential IDs that have to be presented to the authenticator
21:39:44 [Ian]
...it is technically possible with WebAuthn to not require userPresence (possible in CTAP, but not in WebAuthn)
21:40:06 [Ian]
...in this case the goal is to silently authenticate the user in a special context where they have the credential registered.
21:40:20 [Ian]
...so a small change where SPC could request with userPresence=none.
21:40:30 [Ian]
smcgruer_[EST]: With UI in your phase
21:40:36 [Ian]
q+
21:41:24 [Ian]
smcgruer_[EST]: I think this is roughly asking the question "how much UX is ok" to unlock the information.
21:41:39 [Ian]
..we've worked through "zero friction" to "minimal friction" etc.
21:41:57 [Ian]
...would payments folks be ok with the dialog?
21:42:12 [Ian]
...if you are willing to put something in the user's face, why not open a popup?
21:42:30 [Ian]
John_Bradley: In a 1p context, it's easy
21:42:42 [Ian]
...WebCrypto is designed to not be used cross-origins
21:42:57 [Ian]
ack Gerhard
21:43:23 [Ian]
Gerhard: Many times the merchant has card-on-file and it's tokenized
21:44:15 [Ian]
...I like John's idea where the transaction dialog is shown, but without the biometric.
21:44:31 [smcgruer_[EST]]
q+
21:44:40 [Ian]
...it's not an extra step for the user; the page can be designed for just one button push
21:44:56 [Ian]
...just getting the dialog for "Yes" would be a good improvement
21:45:11 [Ian]
John_Bradley: Without any changes to WebAuthn, you can ask for noUserVerification
21:46:11 [Ian]
smcgruer_[EST]: This will require different UX. What does WebAuthn UX do on various platforms?
21:46:38 [Ian]
John_Bradley: There's extra UX only when you are making a credential.
21:46:58 [Ian]
...platform authenticators may not allow noUserVerification
21:47:06 [SameerT]
q+
21:47:38 [Ian]
smcgruer_[EST]: What we would want to be sure of, is that the user is providing their identity to a particular entity.
21:47:56 [Ian]
John_Bradley: The UX could be optimized.
21:48:01 [Ian]
ack smcgruer_[EST]
21:48:13 [Ian]
SameerT: To understand this solution, we went from no user clicks to 3 steps
21:48:43 [Gerhard]
q+
21:48:53 [Ian]
John_Bradley: You can do this in a 1p context (WebCrypto). In a 3p context you have to avoid tracking. We could probably collapse the UX to one click with SPC.
21:49:03 [smcgruer_[EST]]
q?
21:49:03 [smcgruer_[EST]]
q+
21:49:12 [Ian]
ack SameerT
21:49:44 [Ian]
zakim, close the queue
21:49:44 [Zakim]
ok, Ian, the speaker queue is closed
21:51:14 [Gerhard]
Comment: There are 2 items/paths to explore:
21:51:51 [Gerhard]
* Silent detection of known browser. Not currently possible even with WebCrypto since browsers can clear this at their will. And no 'registration journey'
21:52:08 [Ian]
queue==
21:52:13 [Ian]
zakim, open the queue
21:52:13 [Zakim]
ok, Ian, the speaker queue is open
21:52:13 [Gerhard]
* Optimal Challenge with a single click. It's possible and will have great consent.
21:52:24 [Ian]
Ian: I'd like to work with Philipp on characterizing requirements
21:52:37 [Ian]
Erhard: Another Antifraud proposal is "device integrity attestation through the browser"
21:52:42 [Ian]
...that would be helpful for payments fraud
21:52:43 [Ian]
q?
21:52:48 [Ian]
zakim, clear the queue
21:52:48 [Zakim]
I don't understand 'clear the queue', Ian
21:52:53 [Ian]
queue==
21:53:16 [Ian]
Erhard: There are challenges with custom browsers and those with extensions
21:53:23 [Ian]
...as discussed in the Antifraud CG
21:53:28 [Ian]
...but I'd like to explore that
21:53:41 [Ian]
Erhard: Another proposal was eTLD+1 to expose domain spoofing
21:53:50 [Ian]
...this could be useful for an ACS to detect a fake storefront
21:54:01 [philippp]
Whether or not the browser/device is modified/automated seems somewhat independent of whether the payment instrument is seen on the same device
21:54:14 [Ian]
Erhard: How to address these fraud patterns?
21:54:20 [Ian]
* Involve customer during a browser trust process
21:54:25 [philippp]
When we have time, it'd be good to understand the specific threats (scaled fraud?) we'd be going after with browser integrity attestation
21:54:32 [Ian]
* Some form of identifier or credential is needed for a specific customer
21:54:47 [Ian]
* Browser access to hardware backed scores storage could have a big impact
21:55:06 [Ian]
q?
21:55:34 [Ian]
Topic: Phish in sheep's clothing
21:55:35 [Ian]
https://www.usenix.org/conference/usenixsecurity22/presentation/lin-xu
21:56:13 [Ian]
Xu: Thanks for inviting me to present our current work
21:56:29 [Ian]
...I'll present our recent publication
21:56:50 [Ian]
...phishing is the most prevalent hijacking vector.
21:57:03 [Ian]
...researchers found 2FA is a critical defense against these attacks.
21:57:28 [Ian]
...web sites want to minimize inconvenience
21:57:39 [Ian]
...so 2FA is sometimes triggered only for suspicious attempts
21:58:37 [Ian]
...fingerprinting adoption on top 10K sites has gone from .4% in 2013 to 25% in 2021
21:58:49 [Ian]
...advanced risk-based authentication uses browser fingerprinting.
21:59:48 [Ian]
...attackers can trick websites into not considering a login attempt to be suspicious
22:00:31 [Ian]
[Overview of our attack workflow]
22:01:18 [Ian]
...we developed 2 extensions to do fingerprint extraction and then spoofing.
22:01:58 [Ian]
...the extractor captures the site's exact fingerprinting code
22:02:45 [Ian]
...basic fingerprints are identical across sites
22:02:55 [Ian]
...advanced fingerprints vary depending on the fingerprint generation process.
22:04:20 [Ian]
...in second phase (the attack), the fingerprint is reproduced by the stolen code
22:04:54 [Ian]
...so when the user visits the phishing web site, the extension gets fingerprint code and credentials.
22:05:28 [Ian]
...then the attacker can use the spoofer extension to replace the page's fingerprint script, they trick the site into thinking it's the legit user's device
22:05:35 [Ian]
...and then 2FA is bypassed.
22:06:07 [AramZS]
AramZS has joined #wpsig-public
22:06:12 [AramZS]
q+ Sam
22:07:18 [AramZS]
ack Sam
22:07:23 [AramZS]
q+ weiler
22:09:40 [Ian]
[Experimental evaluation]
22:09:55 [Ian]
Xu: We looked at top 10K sites
22:10:14 [Ian]
...top 10K sites employ more advanced fingerprinting techniques on login pages compared to home pages.
22:11:00 [Ian]
...50% of bank sites are using fingerprinting for user authentication
22:11:45 [Ian]
...we wanted to see if our attack was feasible on 14 sites using our personal accounts.
22:11:59 [Ian]
[Chart of fingerprinting techniques]
22:12:00 [weiler]
q+ to thank Xu and ask (anyone) if this has been seen in the wild
22:12:16 [Ian]
...more than half were vulnerable
22:13:05 [Ian]
...we bypassed 2FA in 9/14 sites that use FP for authentication.
22:13:47 [Ian]
...what prevented our attack was IP address checks, but even in those cases we could bypass the restriction by injecting an X-Forwarded-For header
22:14:04 [Ian]
q+ John_Bradley
22:14:08 [Ian]
ack weiler
22:14:08 [Zakim]
weiler, you wanted to thank Xu and ask (anyone) if this has been seen in the wild
22:14:41 [Ian]
weiler: (Met you at Usenix. :). Have you seen anyone doing this in the wild. Are there any known real malicious actors?
22:14:54 [Ian]
Philipp: I can attest that it's being done for account takeover.
22:15:30 [Ian]
John_Bradley: I'm surprised that this works for financial institutions. Were any of these sites using things like first party cookies that were signed? Or were they just relying on fingerprinting the browser without a cookie?
22:15:52 [philippp]
q+
22:16:08 [Ian]
Xu: In these cases, they were not using cookies. Our focus was not cookie-hijacking
22:16:21 [Ian]
John_Bradley: I would have imagined that most sites would use cookie tracking and fingerprinting.
22:16:39 [AramZS]
q+
22:16:39 [Ian]
...these are all 1p logins
22:16:51 [Ian]
...if this was an analysis of people logging in an iframe, that would be different?
22:16:58 [Ian]
weiler: Are you assuming you can steal the cookies?
22:17:16 [Ian]
John_Bradley: But you can't. Does your domain assume you can issue fraudulent SSL certificates?
22:17:35 [Ian]
...there are ways of binding cookies to browsers.
22:18:18 [Ian]
Xu: Regarding cookies, we did find some sites that use cookies and fingerprints together...e.g., a web infrastructure web site
22:18:21 [Ian]
ack John
22:18:55 [Ian]
ack philippp
22:19:08 [Ian]
philippp: There's a variant of this where malware steals cookie jar.
22:19:21 [Ian]
John_Bradley: We came up with a standard called token binding in the IETF to mitigate these things.
22:19:27 [Ian]
q?
22:19:40 [Ian]
John_Bradley: It was designed to bind TLS and cookies to a browser.
22:19:49 [Ian]
...and provided an attestation about veracity of browser.
22:19:56 [Ian]
ack AramZS
22:20:18 [Ian]
Aram: I think both in the publishing industry and on ad-tech, we've seen fingerprinting companies go strong
22:20:38 [Ian]
...the fact that this could happen is not surprising, but the fact that it's happening to banks is a surprise.
22:21:09 [Ian]
Aram: I was wondering also in terms of what this study was showing you...did this give you an impression that there was less uniqueness among fingerprints,
22:21:13 [Ian]
or just that they were easy to replicate.
22:22:12 [Ian]
Xu: Because the browser fingerprints rely on JS APIs and the objects are mutable, it doesn't matter if they are unique
22:22:40 [Ian]
...even in some web sites we found some new fingerprinting techniques
22:23:20 [Ian]
...we are currently working on a system that could raise the bar for fingerprinting attackers.
22:23:57 [Ian]
Aram: In terms of developers who are running services in their site that are relying on fingerprinting, do you think that the top window could mitigate the possibility of this attack by blocking off some JS APIs to the windows in the page?
22:24:09 [Ian]
...such as iframe
22:25:30 [smcgruer_[EST]]
q?
22:25:33 [Ian]
Xu: Randomizing features could prevent attack, but it might also break functionality.
22:25:51 [Ian]
...for example, the site might end up doing 2FA for each login because fingerprint is different each time.
22:27:15 [magda_sypula]
magda_sypula has joined #wpsig-public
22:28:01 [Ian]
[Phishing and Fingerprinting]
22:28:19 [Ian]
...the majority of sites are collecting fingerprints and that number is increasing with time
22:28:29 [Ian]
...we also catalog fingerprinting techniques
22:29:03 [Ian]
9-14% of sites collecting advanced fingerprints (canvas being popular for those approaches)
22:30:09 [Ian]
...sharp decline in phishing sites for a particular bank may be due to the IP address requirement
22:30:57 [Ian]
[What can we do to prevent attacks?]
22:31:01 [Ian]
* 2FA
22:31:15 [Ian]
* Chain sessions may help (requires memory of prior sessions)
22:31:25 [Ian]
* Combine strict IP address checks and presence of specific cookies
22:31:33 [Ian]
{user defenses}
22:31:38 [Ian]
* enable 2FA
22:31:42 [Ian]
* use password managers
22:31:52 [RRSAgent]
I have made the request to generate https://www.w3.org/2022/09/15-wpsig-public-minutes.html Ian
22:32:13 [Ian]
q+
22:33:02 [AramZS]
jeeeeeez
22:33:27 [Ian]
ack me
22:33:53 [nicktr]
q?
22:34:00 [Ian]
RRSAGENT, set logs public
22:34:08 [AramZS]
I can't believe anyone was genuinely relying on fingerprints for security. The whole process was designed solely for ad targeting originally. This is insane to find out that banks are using it for auth.
22:34:08 [AramZS]
q+
22:34:10 [AramZS]
ack AramZS
23:09:36 [AramZS]
AramZS has joined #wpsig-public
23:14:17 [SameerT]
SameerT has joined #wpsig-public
23:14:25 [SameerT]
present+
23:15:38 [careyf]
careyf has joined #wpsig-public
23:15:46 [careyf]
careyf has left #wpsig-public
23:16:03 [ChristianA]
ChristianA has joined #wpsig-public
23:17:38 [SameerT]
Ian, do you have Microsoft's presentation handy?
23:18:16 [SameerT]
q+
23:33:11 [ChristianA]
ChristianA has left #wpsig-public
23:41:47 [Ian]
rrsagent, make minutes
23:41:47 [RRSAgent]
I have made the request to generate https://www.w3.org/2022/09/15-wpsig-public-minutes.html Ian
23:41:51 [Ian]
rrsagent, set logs public