Fighting Fraud in the Trenches

BSidesLV 2018

Presented by: Amir Shaked
Date: Tuesday August 07, 2018
Time: 17:00 - 17:55
Location: Ground1234!

There are many eCommerce and SaaS businesses that offer loyalty programs. Some involve gift cards and credit points. Some include cash back and currency that can be used somewhere else.

Naturally, all these loyalty programs require user authentication before granting access. The authentication method varies from a four-digit code to a password of your choice. Yet, once you are authenticated, there are no more hurdles before you can use the credited balance.

Since this is a single point of failure, you would assume that more attention would be given to defending against automated attacks. But as we'll see, that assumption is dangerously wrong.

In this talk, we will disprove this assumption by exploring examples based on data from our customers (anonymized, of course). With real-world data we will show how automated attacks are used to access the accounts and, from there, the funds, and subsequently siphon them away.

We will also go through the entire process, targeting the demo mobile application, starting from reversing the APK up to running the automated fraud.

We will also cover some approaches to protect both the business and the consumer from such attacks.

Amir Shaked

