One of our core values at White Ops is “be good.” This means, when possible, we tip the balance in the world towards good. Exposing threats and educating the larger internet community on cybercrime are pieces of this.
We are often asked about what can be done to improve business practices beyond Invalid Traffic (IVT) concerns. Our team of security experts came up with some best practices that will help keep your company and customers safer. Taking these tangible steps does not replace the need for a security team or third-party bot mitigation technology, but they can provide you with some additional security to combat attacks.
Account Protection Best Practices
Credential Stuffing, one of the biggest security concerns today, automates the injection of breached username/password pairs to gain access to user accounts. Bad actors use credentials leaked through data breaches to gain access to accounts to use for their own benefit, generally leveraging botnets to enable high-volume breaches. A classic recommendation to combat credential stuffing—that many companies fail to follow—is to ensure stronger password generation.
Additionally, companies should train employees and ensure their awareness of the various mechanisms used to steal credentials, such as phishing, social engineering, and SIM-jacking; however, companies must also combat sophisticated attacks with their own sophisticated practices:
- If possible, require Multi-Factor Authentication (MFA).
- If valid credentials are entered from a different region than the one where the user initially created the account, require the user to revalidate the account. Maintain a list of all validated IP addresses or areas, corresponding to reported account addresses.
- If there are more than three to five failed login attempts, lock the account for 24 hours and require revalidation.
- Set a timeout for lack of activity on the account. Revalidate at a 30/60/90 day threshold.
- Require a phone number that validates to a text or a phone call.
  - Validate that it is not from a web-based VoIP provider (there are lists of VoIP phone numbers and other methods to determine whether a number is VoIP).
  - Block all disposable phone numbers.
- Block temporary email providers and their domains.
- Strengthen password requirements using these guidelines:
  - Passwords should be a minimum of 12 characters with upper/lower case and numbers; remember, length is stronger than complexity.
  - Ban simple passwords such as 12345678 or password.
  - Advise users to use a password manager.
  - Help users migrate away from the mindset of a “password” and toward a “passphrase”.
- Search for lookalike domains (homoglyphs and typosquats) of your brand name to identify phishing sites (for example, if your domain is example[.]com, look for examp1e[.]com or example[.]co).
- Leverage a solution that finds and flags compromised credentials, or one that assesses user behavior on web applications to identify automated login attempts.
- Enable time-limited tokens for accessing your API, and force rotation of API keys each month.
  - There are methods to regenerate keys automatically without requiring the user to do so manually.
- If possible, create a whitelist (allowlist) of IP addresses permitted to access your API.
  - Allow users to specify up to three IP addresses in their account settings.
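The lockout, region-change and inactivity rules above can be combined into a single login decision. The following is an added example written for this post, not White Ops code: the thresholds (five failures, 24-hour lock, 90-day inactivity) are assumed values taken from the ranges given above, and the scenario in `demo()` is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set
LOCKOUT_THRESHOLD = 5                  # assumed: upper end of the post's 3-5 range
LOCKOUT_PERIOD = timedelta(hours=24)   # lock duration from the post
INACTIVITY_LIMIT = timedelta(days=90)  # assumed: the 90-day revalidation threshold
@dataclass
class Account:
    home_region: str                         # region where the account was created
    validated_regions: Set[str] = field(default_factory=set)
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    needs_revalidation: bool = False         # set by a lockout, cleared by revalidation
def evaluate_login(acct: Account, creds_valid: bool, region: str, now: datetime) -> str:
    """Decide one login attempt: 'locked', 'denied', 'revalidate' or 'allow'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not creds_valid:
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_PERIOD
            acct.needs_revalidation = True   # lock expiry alone does not restore access
            return "locked"
        return "denied"
    acct.failed_attempts = 0                 # correct password resets the counter
    known = {acct.home_region} | acct.validated_regions
    stale = acct.last_activity is not None and now - acct.last_activity > INACTIVITY_LIMIT
    if acct.needs_revalidation or region not in known or stale:
        return "revalidate"                  # valid password, but step-up (e.g. MFA) first
    acct.last_activity = now
    return "allow"

def mark_revalidated(acct: Account, region: str, now: datetime) -> None:
    # Called once the user completes the step-up check; the region becomes trusted.
    acct.validated_regions.add(region)
    acct.last_activity = now
    acct.needs_revalidation = False
def demo() -> List[str]:  # constructed scenario, not real traffic
    t0, acct = datetime(2020, 1, 1), Account(home_region="US")
    out = [evaluate_login(acct, False, "US", t0 + timedelta(minutes=i)) for i in range(5)]
    out.append(evaluate_login(acct, True, "US", t0 + timedelta(hours=1)))    # still locked
    out.append(evaluate_login(acct, True, "US", t0 + timedelta(hours=25)))   # lock expired
    mark_revalidated(acct, "US", t0 + timedelta(hours=25))
    out.append(evaluate_login(acct, True, "US", t0 + timedelta(hours=26)))   # normal login
    out.append(evaluate_login(acct, True, "DE", t0 + timedelta(hours=27)))   # new region
    out.append(evaluate_login(acct, True, "US", t0 + timedelta(days=120)))   # 90+ days idle
    return out
```

Note that a correct password after a lockout still returns "revalidate": the lock expiring only lets the user reach the step-up check, it does not grant access by itself.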
If you’d like to take things a step further, we suggest:
- Attend The National Cyber-Forensics and Training Alliance (NCFTA) trainings and events.
- Develop relationships with social media platforms to identify compromised accounts.
- Partner with large email providers to look for spoofing/phishing attempts against your customer base.
This is not an exhaustive list of options, but rather several strong solutions you can implement to protect your website. These will not stop 100% of all attacks or fraud; however, they should help to reduce them significantly. By strengthening your defenses, you will better protect your enterprise and your customers. Good luck, be good, and keep it human.