21:05:52 RRSAgent has joined #wpsig-public
21:05:52 logging to https://www.w3.org/2022/09/15-wpsig-public-irc
21:05:57 present+ Bert Bos
21:05:58 Meeting: Joint Antifraud/WPSIG meeting
21:06:05 Chair: Ian
21:06:09 present+
21:06:09 present+
21:06:12 present+ adam_kelly
21:06:15 David_Turner has joined #wpsig-public
21:06:15 NakjoShishkov has joined #wpsig-public
21:06:16 present+ erhardbrand
21:06:19 present+ philippp
21:06:20 ChristianA has joined #wpsig-public
21:06:22 present+ Christina_Hulka
21:06:25 present+ Gerhard
21:06:31 present+ svaldez
21:06:35 present+ NakjoShishkov
21:06:35 present+ Bert_Bos
21:06:37 present+
21:06:54 Topic: Patterns in payment fraud
21:07:51 Erhard: I'd like to take you through some patterns we've seen and some possible solutions.
21:08:05 [On Entersekt]
21:08:26 Entersekt: Some of our clients use us for authentication during 3DS challenge flows; we also have our own ACS
21:08:39 ...online sales increase and fraud grows every year.
21:08:49 ...anti-fraud workflows are difficult to build
21:09:03 ...security v. usability (and cart abandonment)
21:09:35 ...we'd like to have seamless MFA.
21:09:51 ...exceed regulatory requirements
21:09:57 ...use contextual authentication where possible
21:10:28 present+ Carey
21:11:05 ...payment fraud is an entire value chain
21:11:39 ...fraudsters steal passwords and cards, attempt small purchases, attempt logins, attempt logins to extract PIIs
21:12:12 ...Account takeover: Phishing
21:12:23 ...all you need is an email address and phone number.
21:13:32 ...some of this can be mitigated through 2FA and through education.
21:13:39 ...Account takeover: SIM Swap
21:13:52 ...requires credit card number and PII
21:14:04 ...so OTP codes sent to another device
21:14:28 ...can be mitigated by looking at SIM age
21:14:42 Account takeover: Social Engineering
21:15:02 required - bank details, some PII
21:15:09 ...fraudster poses as bank employee
21:15:45 ...to mitigate: behavior biometrics and clear messaging to user (e.g., account information, specifics)
21:16:20 Chargeback fraud (where 3DS not widely used)
21:16:23 dcrousso_ has joined #wpsig-public
21:16:31 ...required: credit card number, customer PII
21:17:01 mitigation: 3DS challenge flow
21:17:11 Triangulation Fraud (which is less common)
21:17:14 required: customer PII
21:17:48 magda_sypula has joined #wpsig-public
21:17:48 mitigation: 3DS challenge flow
21:17:58 ...use descriptive messages during 3DS
21:18:25 Erhard: COVID-19 has fueled a surge in e-commerce, but a corresponding rise in account takeover
21:18:39 ...card tokenization can help mitigate stolen cards
21:18:50 ...ability to recognize returning browser would help more mitigations
21:19:09 ...some attacks:
21:19:28 * Card sniffing / skimming attacks. Relies on cross-site scripting
21:19:58 ...compromised JS executes in the payment page. Upload collected data
21:20:10 ...there were 17K domains affected by a 2019 attack
21:20:18 mitigations: JS integrity hash; CSP
21:20:31 * Card testing / card cracking fraud
21:20:44 ...JS used to test stolen credit cards
21:20:53 ...most common form of fraud in NA in 2021
21:21:13 mitigations: use 3DS, velocity checking, origin IP address monitoring, monitoring multiple declines on card, bot detection
21:21:32 Erhard: XSS is still a widely used attack
21:21:40 ...browser fingerprints can be spoofed
21:21:49 ...CSP rules often lacking or not implemented.
21:22:19 nicktr has joined #wpsig-public
21:22:20 Erhard: study of 1000 sites in 2020 found 92% of evaluated websites expose data to 17 domains
21:22:26 [How to address fraud patterns]
21:22:39 Erhard: Browser fingerprinting is not good enough anymore
21:22:44 ...use FIDO & SPC
21:22:54 ...but we are looking for better signals for frictionless flows
21:22:57 ...some ideas:
21:23:02 * Context aware challenges
21:23:32 Erhard: Geolocation - users will opt in if positioned correctly.
21:23:43 ...FIDO/SPC even within the issuer's iframe
21:23:50 ...register user in a 1p context (banking portal)
21:23:51 present+ Nick_Telford_Reed
21:24:05 ...3DS checkout can take advantage of cross-origin iframe calls
21:24:12 ...SPC can improve UX over WebAuthn dialog
21:24:32 ...in the future, delegation with SPC
21:24:39 * Browser behavior biometrics
21:24:47 ...detect velocity with the form
21:25:02 ...you can check familiarity with addresses
21:25:10 ...multiple logins from same endpoint
21:25:13 ...modified browser detection
21:25:20 ...geolocation + IP checks
21:25:43 Erhard: We'd like to make the most use of 3DS2 frictionless flow, which involves the Method URL
21:26:11 ...this approach in a cross-origin context is being shut down
21:26:24 ...we'd like to demonstrate that a user is returning to the same browser.
21:26:43 ...can the browser ask the user if they trust this domain to improve payment experiences going forward?
21:26:44 q?
21:26:53 Erhard: We've experimented with WebCrypto API
21:27:09 ...you can store in IndexedDB and mark as non-extractable
21:27:13 ...clearable by the user
21:27:26 ...would be valuable if the crypto object could be tied to hardware
21:27:28 Vaguely sounds like token binding/channel binding.
21:27:31 q+
21:27:33 ...and tie into the browser attestation proposal
21:27:46 ...take the customer through a trust ceremony where they can opt-in to be remembered on this browser.
21:27:50 ack philippp
21:28:19 q+
21:28:21 Erhard: Hardware-backed will help avoid clearing
21:28:31 ack svaldez
21:28:40 svaldez: Even without hardware backed, I think browsers would want to reset
21:28:50 SameerT has joined #wpsig-public
21:28:55 ...what you want is "more persistent key" not necessarily "hardware backed"
21:28:59 careyf_ has joined #wpsig-public
21:28:59 q?
21:29:01 MoAllibhai has joined #wpsig-public
21:29:14 Erhard: I reviewed the Antifraud CG proposals to evaluate utility in light of these fraud patterns.
21:29:19 * Trust token
21:29:22 present+ Carey_Ferro
21:29:34 ...this could identify a good browser, but need some way to associate with the browser.
21:30:22 ...is there a way during remember me process that requires user consent and friction, and user opt-in, after that, the trust token could let you issue anonymously or with id provided at registration time.
21:30:29 trust tokens are valuable in cross-origin context as well
21:31:51 rbyers has joined #wpsig-public
21:32:26 q+
21:32:41 svaldez: The extra layer of user consent helps; just need a signature
21:33:15 SameerT: User consent is an important part here; they would have full knowledge. If this device attestation is happening with a user gesture, would that meet some of the criteria?
21:33:25 svaldez: It's not trust tokens anymore; it's just a signature
21:33:27 q+
21:33:31 q+
21:33:37 ack SameerT
21:33:45 svaldez: Given user consent, the privacy impact is ok.
21:33:48 q+
21:33:51 q?
21:33:51 q+
21:33:51 ack rbyers
21:34:14 rbyers: Why not WebAuthn?
21:34:29 q+
21:34:37 SameerT: User consent is at registration time. Once binding has been created, at authentication time, the issuer doesn't have to challenge.
21:34:57 rbyers: I suspect that the browsers wouldn't be ok with "no challenge at authentication" time.
21:35:09 ack Gerhard
21:35:39 MarieJordan has joined #wpsig-public
21:35:42 Gerhard: The friction does impose a real cost on merchants (cf Monday presentation from Microsoft)
21:36:04 ...maybe there's an answer where you use WebAuthn, but where there's a way to have less friction for the next few challenges.
21:36:20 ...this could be based on consent given through WebAuthn
21:36:47 ...maybe it's not completely frictionless, the user still has to perform a gesture, but that can trigger a signature in the browser.
21:36:51 q?
21:36:55 q-
21:37:05 ack SameerT
21:37:35 SameerT: In looking at signals that come from the device, there are multiple signals (e.g., transaction data).
21:37:42 ack ph
21:38:09 philippp: It seems like what we want is minimal friction and typing number in a 3p context.
21:38:22 q+
21:38:25 ...we want to reidentify the user in a 3p context for one use case
21:38:34 ...we want the user to be informed they will be identified.
21:38:42 ...the user has entered a card number.
21:38:54 ...the browser could do a passive check because they are not further identifying the browser.
21:38:58 I like it
21:39:18 John_Bradley: We already kind of have that in SPC where you talk to the ACS and get a list of credential IDs that have to be presented to the authenticator
21:39:44 ...it is technically possible with WebAuthn to not require userPresence (possible in CTAP, but not in WebAuthn)
21:40:06 ...in this case the goal is to silently authenticate the user in a special context where they have the credential registered.
21:40:20 ...so a small change where SPC could request with userpresence=none.
21:40:30 smcgruer_[EST]: With UI in your phase
21:40:36 q+
21:41:24 smcgruer_[EST]: I think this is roughly asking the question "how much UX is ok" to unlock the information.
21:41:39 ...we've worked through "zero friction" to "minimal friction" etc.
21:41:57 ...would payments folks be ok with the dialog?
21:42:12 ...if you are willing to put something in the user's face, why not open a popup?
21:42:30 John_Bradley: In a 1p context, it's easy
21:42:42 ...WebCrypto is designed to not be used cross-origins
21:42:57 ack Gerhard
21:43:23 Gerhard: Many times the merchant has card-on-file and it's tokenized
21:44:15 ...I like John's idea where the transaction dialog is shown, but without the biometric.
21:44:31 q+
21:44:40 ...it's not an extra step for the user; the page can be designed for just one button push
21:44:56 ...just getting the dialog for "Yes" would be a good improvement
21:45:11 John_Bradley: Without any changes to WebAuthn, you can ask for noUserVerification
21:46:11 smcgruer_[EST]: This will require different UX. What does WebAuthn UX do on various platforms?
21:46:38 John_Bradley: There's extra UX only when you are making a credential.
21:46:58 ...platform authenticators may not allow noUserVerification
21:47:06 q+
21:47:38 smcgruer_[EST]: What we would want to be sure of is that the user is providing their identity to a particular entity.
21:47:56 John_Bradley: The UX could be optimized.
21:48:01 ack smcgruer_[EST]
21:48:13 SameerT: To understand this solution, we went from no user clicks to 3 steps
21:48:43 q+
21:48:53 John_Bradley: You can do this in a 1p context (WebCrypto). In a 3p context you have to avoid tracking. We could probably collapse the UX to one click with SPC.
21:49:03 q?
21:49:03 q+
21:49:12 ack SameerT
21:49:44 zakim, close the queue
21:49:44 ok, Ian, the speaker queue is closed
21:51:14 Comment: There are 2 items/paths to explore:
21:51:51 * Silent detection of known browser. Not currently possible even with WebCrypto since browsers can clear this at their will. And no 'registration journey'
21:52:08 queue==
21:52:13 zakim, open the queue
21:52:13 ok, Ian, the speaker queue is open
21:52:13 * Optimal Challenge with a single click. It's possible and will have great consent.
21:52:24 Ian: I'd like to work with Philipp on characterizing requirements
21:52:37 Erhard: Another Antifraud proposal is "device integrity attestation through the browser"
21:52:42 ...that would be helpful for payments fraud
21:52:43 q?
21:52:48 zakim, clear the queue
21:52:48 I don't understand 'clear the queue', Ian
21:52:53 queue==
21:53:16 Erhard: There are challenges with custom browsers and those with extensions
21:53:23 ...as discussed in the Antifraud CG
21:53:28 ...but I'd like to explore that
21:53:41 Erhard: Another proposal was eTLD+1 to expose domain spoofing
21:53:50 ...this could be useful for an ACS to detect a fake storefront
21:54:01 Whether or not the browser/device is modified/automated seems somewhat independent of whether the payment instrument is seen on the same device
21:54:14 Erhard: How to address these fraud patterns?
21:54:20 * Involve customer during a browser trust process
21:54:25 When we have time, it'd be good to understand the specific threats (scaled fraud?) we'd be going after with browser integrity attestation
21:54:32 * Some form of identifier or credential is needed for a specific customer
21:54:47 * Browser access to hardware backed scores storage could have a big impact
21:55:06 q?
21:55:34 Topic: Phish in sheep's clothing
21:55:35 https://www.usenix.org/conference/usenixsecurity22/presentation/lin-xu
21:56:13 Xu: Thanks for inviting me to present our current work
21:56:29 ...I'll present our recent publication
21:56:50 ...phishing is the most prevalent hijacking vector.
21:57:03 ...researchers found 2FA is a critical defense against these attacks.
21:57:28 ...web sites want to minimize inconvenience
21:57:39 ...so 2FA is sometimes triggered only for suspicious attempts
21:58:37 ...fingerprinting adoption on top 10K sites has gone from 0.4% in 2013 to 25% in 2021
21:58:49 ...advanced risk-based authentication uses browser fingerprinting.
21:59:48 ...attackers can trick websites into not considering a login attempt to be suspicious
22:00:31 [Overview of our attack workflow]
22:01:18 ...we developed 2 extensions to do fingerprint extraction and then spoofing.
22:01:58 ...the extractor captures the site's exact fingerprinting code
22:02:45 ...basic fingerprints are identical across sites
22:02:55 ...advanced fingerprints vary depending on the fingerprint generation process.
22:04:20 ...in second phase (the attack), the fingerprint is reproduced by the stolen code
22:04:54 ...so when the user visits the phishing web site, the extension gets fingerprint code and credentials.
22:05:28 ...then the attacker can use the spoofer extension to replace the page's fingerprint script, they trick the site into thinking it's the legit user's device
22:05:35 ...and then 2FA is bypassed.
22:06:07 AramZS has joined #wpsig-public
22:06:12 q+ Sam
22:07:18 ack Sam
22:07:23 q+ weiler
22:09:40 [Experimental evaluation]
22:09:55 Xu: We looked at top 10K sites
22:10:14 ...top 10K sites employ more advanced fingerprinting techniques on login pages compared to home pages.
22:11:00 ...50% of bank sites are using fingerprinting for user authentication
22:11:45 ...we wanted to see if our attack was feasible on 14 sites using our personal accounts.
22:11:59 [Chart of fingerprinting techniques]
22:12:00 q+ to thank Xu and ask (anyone) if this has been seen in the wild
22:12:16 ...more than half were vulnerable
22:13:05 ...we bypassed 2FA in 9/14 sites that use FP for authentication.
22:13:47 ...what prevented our attack was IP address checks, but even in those cases we could bypass the restriction by injecting an X-Forwarded-For header
22:14:04 q+ John_Bradley
22:14:08 ack weiler
22:14:08 weiler, you wanted to thank Xu and ask (anyone) if this has been seen in the wild
22:14:41 weiler: (Met you at Usenix. :) Have you seen anyone doing this in the wild? Are there any known real malicious actors?
22:14:54 Philipp: I can attest that it's being done for account takeover.
22:15:30 John_Bradley: I'm surprised that this works for financial institutions. Were any of these sites using things like first party cookies that were signed? Or were they just relying on fingerprinting the browser without a cookie?
22:15:52 q+
22:16:08 Xu: In these cases, they were not using cookies. Our focus was not cookie-hijacking
22:16:21 John_Bradley: I would have imagined that most sites would use cookie tracking and fingerprinting.
22:16:39 q+
22:16:39 ...these are all 1p logins
22:16:51 ...if this was an analysis of people logging in an iframe, that would be different?
22:16:58 weiler: Are you assuming you can steal the cookies?
22:17:16 John_Bradley: But you can't. Does your domain assume you can issue fraudulent SSL certificates?
22:17:35 ...there are ways of binding cookies to browsers.
22:18:18 Xu: Regarding cookies, we did find some sites that use cookies and fingerprints together...e.g., a web infrastructure web site
22:18:21 ack John
22:18:55 ack philippp
22:19:08 philippp: There's a variant of this where malware steals the cookie jar.
22:19:21 John_Bradley: We came up with a standard called token binding in the IETF to mitigate these things.
22:19:27 q?
22:19:40 John_Bradley: It was designed to bind TLS and cookies to a browser.
22:19:49 ...and provided an attestation about veracity of browser.
22:19:56 ack AramZS
22:20:18 Aram: I think both in the publishing industry and on ad-tech, we've seen fingerprinting companies go strong
22:20:38 ...the fact that this could happen is not surprising, but the fact that it's happening to banks is a surprise.
22:21:09 Aram: I was wondering also in terms of what this study was showing you...did this give you an impression that there was less uniqueness among fingerprints,
22:21:13 or just that they were easy to replicate?
22:22:12 Xu: Because the browser fingerprints rely on JS APIs and the objects are mutable, it doesn't matter if they are unique
22:22:40 ...even in some web sites we found some new fingerprinting techniques
22:23:20 ...we are currently working on a system that could raise the bar for fingerprinting attackers.
22:23:57 Aram: In terms of developers who are running services in their site that are relying on fingerprinting, do you think that the top window could mitigate the possibility of this attack by blocking off some JS APIs to the windows in the page?
22:24:09 ...such as iframe
22:25:30 q?
22:25:33 Xu: Randomizing features could prevent the attack, but it might also break functionality.
22:25:51 ...for example, the site might end up doing 2FA for each login because the fingerprint is different each time.
22:27:15 magda_sypula has joined #wpsig-public
22:28:01 [Phishing and Fingerprinting]
22:28:19 ...majority of sites are collecting fingerprints and that number is increasing with time
22:28:29 ...we also catalog fingerprinting techniques
22:29:03 9-14% of sites collecting advanced fingerprints (canvas being popular for those approaches)
22:30:09 ...sharp decline in phishing sites for a particular bank may be due to the IP address requirement
22:30:57 [What can we do to prevent attacks?]
22:31:01 * 2FA
22:31:15 * Chain sessions may help (requires memory of prior sessions)
22:31:25 * Combine strict IP address checks and presence of specific cookies
22:31:33 [User defenses]
22:31:38 * enable 2FA
22:31:42 * use password managers
22:31:52 I have made the request to generate https://www.w3.org/2022/09/15-wpsig-public-minutes.html Ian
22:32:13 q+
22:33:02 jeeeeeez
22:33:27 ack me
22:33:53 q?
22:34:00 RRSAGENT, set logs public
22:34:08 I can't believe anyone was genuinely relying on fingerprints for security. The whole process was designed solely for ad targeting originally. This is insane to find out that banks are using it for auth.
22:34:08 q+
22:34:10 ack AramZS
23:09:36 AramZS has joined #wpsig-public
23:14:17 SameerT has joined #wpsig-public
23:14:25 present+
23:15:38 careyf has joined #wpsig-public
23:15:46 careyf has left #wpsig-public
23:16:03 ChristianA has joined #wpsig-public
23:17:38 Ian, do you have Microsoft's presentation handy?
23:18:16 q+
23:33:11 ChristianA has left #wpsig-public
23:41:47 rrsagent, make minutes
23:41:47 I have made the request to generate https://www.w3.org/2022/09/15-wpsig-public-minutes.html Ian
23:41:51 rrsagent, set logs public