Mario van Riesen: The Evolution of Application Security

Yes. Thank you very much. And thank you very much to the audience for your time and interest. Yes. I'd like to give you a short overview about our view of the evolution in the space of application security and to share with you our approach, how we defeat application fraud. And in addition how we can optimize the customer experience in these kind of scenarios and areas. So a lot of you, I think, have never heard about shape and why shape on the market, why we are there. The general thing is that everybody aware that automation and the automation compromised web and mobile traffic.

So it's more than 40 50, 60% depends on the study. You read are automation, traffic, fraud, and traffic are also in this traffic.

And yes, shape has permission to protect web and mobile applications against these kind of abuse. So our approach is that we'd aim to deliver and is not only security, not only fraud protection. We also want to deliver a better customer experience. So a better customer journey for your audience, for your customers on all applications that are protected by shape. So what we really doing is our focus is the number one mitigation of synthetic fraud. Synthetic fraud is automation. So it's more than a bot.

A lot of people think that shape is only a bot vendor, like all the others, but it's much more. Second topic we focus on is also the mitigation of human fraud, because the idea is, and the experience we have is that we are now able, if we get rid of synthetic fraud, let's focus on human fraud activities to mitigate it. And of course all is combined with the vision to offer a friction feel of an experience. I know that topics like multifactor ation authentication will be discussed in this meeting or this session, but we like to share with you our approach.

And in addition, we are now able to deliver you an additional new device identifier. So it's not a cookie, it's really a device identifier where you can leverage additional optimization in your customer journey process or to profile a device.

Yeah, we are on a business since 2011, we mainly protect or on average 4 billion transaction per week. And this is a business where we are in a shape company. So what is our view on the evolution of application security? The thing is how we see it and it's experience. And it was a main driver for the founding of shapes that are more and more attackers around that they don't reach the systems. They try to act like a legitimate user and because they are able to use tools and technologies to really simulate a human being.

And for a lot of customers, it is not easy anymore to really identify, is this a real traffic? Is this a real interaction or is this a fraud guy, or is this an automation that claim to be a human being? And why is this happened? One source for this shift, I would say in the application security approach is the big amount of stone credentials that are available. And around there is a good source for everybody that want to have a look.

How, what is really available. The se has a platinum Institute that, that give us a real time indication about the stone credentials on the market. And really interesting is that since COVID 19, this is of course jumping. So more and more identities are now available on the dark net for sale.

And in addition, this is not only a topic I would say for the global market is already a topic for Germany because the credential stuffing topic was mainly a topic in American market, but didn't analyze or analyze some data from hu Platner and found out already that we have here with the German de extension because I cover the German market. That was the reason for this research that we already have the availability of 267 million stole credential. So username passwords PS are available for cyber crime activities. I think it's a really big enough processive number.

The other reason is that there is this evolution of a text to simulate a human being are tools that are now available in this market because automation is not a new topic for all of us. And I think every company or a lot of people in our audience already take action to identify automation or to identify bots. So they use homegrown tools. They use rough technologies, they use other, I say, bot mitigation approach. But the challenge is of course, the evolution of attack because the motivation we call it, the value behind the lock in is always there.

And there are always attackers around that, like to really bypass these counter measures. And the challenge is that these is more and more now easy to do because there are tools around, I don't know if you ever heard about century MBA or capture server, but there are a lot tools around that make it really easily to start simple. So to start with the script, to use century MBA and to do it called credential staffing.

So validate user in passports for example, but there are also tools around to bypass capture tools to steal fingerprints or the latest tool we have really did our research on is the browser automation studio, where you are now really able to make a copy. For example, of Mario, you can create a second Mario and can hide yourself behind this identity. So it's really tough.

And these times to identify the specification of automation and attacks and this combination of store credentials and technologies make it really easily to change author the attack pattern, or I think the attack methodology that you attempt though, it's easy for attackers to change peer addresses, you block IP addresses, but then the change is and information that change gear location, and this can be done really fast in minutes or in seconds. I would say it depends on the ambition of the attacker to overcome your counter measures. And that is not only in theory, a topic it's also real topic.

I give you an example of a German customer, and it's really nice to see what this picture show, if the look in interface of an application and what we see on the top row is that number one, the technologies are now able or enable and attacker to really hide in the human traffic. So they're blend in really in human traffic interaction. And what we see on the second row is that it's now easily to change the attack pattern. We call it a attack by the way, a campaign.

And what we have seen here on the customer side is that on a Friday evening, they jumped up and attack and suddenly they, he try automation, we call it credential stuffing. So validate using in passports and suddenly he run really into 20% of the traffic of automation for the log in. And when you figure out that it's not needed to do an IP rotation and other ambitious leveraging, leveraging ambitious technology, you changed the tech pattern use only one IP at risk, but ramped up the amount of credentials that you wanted to validate. And this is a real example, German company.

And as you can see here on the time window, the change took only 24 hours to went from one tech strategy to another. So how is now, what is the biggest challenge now is every good industry. And this is also I challenge in this evolution of tech more and more, I would say cyber cyber crime, echo environments are available. You can think of a, kind of like an automotive industry, where for an attacker, it's not really easy to get store credentials on the dark web.

A lot of them, by the way, offer free and also to get easily cyber crime tools that are mentioned like century MBA or others combines these tools, rent a botnet, and then simulate a human being. And this is on a big scale and you can try it on every website because it costs more or less zero or nothing to do a credential stuffing attack, to aim for an account take over, but also a big topic for, especially for eCommerce and retailers is the scraping.

So where really people do spy out your environment to do price comparison, or to find out other competitive information, to make them more competitive to you. And of course, in other industry, it is the topic about fake account creations. Or if you think about loyalty points where people create fake accounts, collect the loyalty points and sell on the dark market. So this is a really change and shift, I would say in the attack surface that these guys are now working like in the distributed industry, and it's really hard to catch them and also to defense this. So where does it really occur?

So the main topics that we are focusing on as shape is see, look in protection or the protection of the passport, because there is the scenario where we see, or our customer sees the biggest value behind the login, because you can do an accounting over, you can compromise private information and also abuse online services, but there are other use cases around where the people use these sophisticated attacks and stimulate a human being and the search environment, as I mentioned, account creation, and also very often in loyalty points and or checkout where they try to validate strong credential cards and information.

So this is mainly the use case where we see this evolution of a text happening. And this is the area where shape is focusing on to protect this. And for people that want to know more about it, about the threat level, I would say about the urgency, if it's an urgency in our market at all, I like to recommend to read the latest Verizon report because there are really good insights about the evolution of these threat landscape, of course, but also good background information. Why storm credentials are more and more as threat in our industry.

And I think it was an oppressive number that in the latest report, they identified that 37% of all data breaches around the globe really rely on this ambition to use credential stuffing at text, but also for the German audience. There are, I think, some good content around you will find really good stuff on the has online environment or it daily net where the information is done, of course, in German available, and also gives you some good examples. What is happening in the German market?

Yes, as I mentioned, what is the motivation about it? It's a fast OI. So because of the distributed cybercrime ecosystem of the available tools, you can start with a handful of euros. This is of course dollars, but a handful of euros, you can start easily and attack, try it out for example, of your, on the favorite eCommerce side, on other telco side or travel side, and to find out what kind of data you can compromise, what kind of account takeover you can execute to one still personal identity.

And of course, to add value to your stolen identities and sell it again to the black market with some higher value because of confirmed information and confirmed private data information. So I think this topic is not really not new of all for a lot of us. And as of course a discussion, yes, I know all about it, but we have capture. And as I mentioned, capture could be a solution, but capture can be bypassed as I've show before. And our approach is to reduce friction and every company need really to think about, do you want to add friction?

Do you want to add capture to the customer experience or do I want to enable speed and convenience to be more competitive? So I think capture of course is an option, but as we mentioned, it's easy to bypass and it's not only bypassed by technologies. It's also bypassed by services. So there are services around, there's a website called desk by capture where you can easily start. I would say to solve one captures only for $1 39. So it's cheap and easy.

These services are outsourced to areas like Vietnam or other low what I say, salary countries, where you can easily enable the services integrated by an API. And yes, captures bypass. So captures not really an answer. And I was not listening the full morning, but I heard that multifactor authentication was a topic. And of course I agree. Multifactor authentication is a good approach to stop credential staffing attacks or to stop automation because you add an additional challenge, but still, it depends on the industry where you want to add this friction like a MFA.

This is of course mandatory thing in the banking environment, but there are still tools around because there is a evolution of attack, like a tool like bot Lika. I dunno if you ever heard about it, it's an environment. It works like in reverse proxy environment where you can collect tokens, you collect other information, personal information of infected device infected by millware and have a Porwal to bypass ation and take over an account easily. So really smart tools around.

And please, if you are interested, follow follows the link on the presentation, it's really an interesting video, how this tool is and available. Other tool. I think I like to mention is here the approach of a company for marketplace like SPH gen fingerprint marketplace. So every time there's evolution around and more and more, it's not easy, really to quantify, to find counter measures against these tools. Especially Genesis is a big topic in America because this tool is a tool where infected devices deliver identities. So you can more or less rent a bot with a stolen identity.

So it's a single identity where you get the fingerprint, the cookies, the lock, and the passports, everything of this stolen identity for sale on the market, including an update service. So even if I change my passport or I change some other parameters on my machine, if my device is still infected with this mail where this marketplace get updated. And it's really easy to these guys for these guys that leveraging this marketplace to sell identities, fingerprints, and think like that.

And so it's hard to combine this then also with human interaction, because now I'm able to steal identities to take over accounts, fully automated. And then I use click farms or other human interactions to cash out my stolen information. So these are challenges. I would say that it's really hard to quantify and how to identify. So a lot of people think, okay, we know about it. We invest in new technologies. For example, like Ava, we add new counter measures in our fraud detection, or we add new power meters in our identity verification.

But the thing is that all these solutions are based on rules. And if you imagine, if you simulate a human being, it's tough for a rule based system, a rule based system to identify a legitimate traffic that is in real time, a malicious traffic, because I act like a human being and I act legitimate. And our approach to identify or to defense, this kind of challenges is our approach to leverage only telemetry signals. So we don't use PI data. We don't use browser information. We only collect telemetry data on the client side.

We combine this with behavioral and then build model predictive models with AI and ML technologies to define counter measures, to identify in real time and interaction. So every post get interaction get really be monitored or questions by shape because our approach is to authenticate a malicious behavior on three main questions that we ask every interaction, because if an interaction is lying to us, then it give us an indicator that these interaction is potential malicious, or need to be stopped or blocked by a shape environment. So what we are doing in every interaction is are you a human?

So is this interaction really executed by an automation? Or is this executed by a human, what kind of interaction do I do? So is this a good intent of my interaction or other anomalies? I would say that indicates that this is a be interaction. And of course it's the environment, the environment it claims to be. So it looks like an iPhone, but really it's in the machine that is acting on scale on my account. So all these questions will be asked in every interaction. So every post get request to identify SSS a legitimate interaction or this malicious behavior.

And as I mentioned, so if we identify lies, then we can define this is a bad or a good traffic. So this is I think, a totally new approach to act on behavioral analytics on not on static and rule based analytics anymore. So what we really collect for people that are interested in this number one, one of the key indicator for us are header pattern information. So we take a look to the header, how it's audit, things like that. This is a common thing also for a lot of companies. If you do a kind of manual lock analyzes, you identify the lock files.

You take a look as an indication of bots, but this approach, if you do it manually, of course is always too late to act on. But the big competence that we bring in is, as I mentioned before, the collection of telemetry data on the client side. So we interrogate always the environment. We interrogate browser information, and it's not a fingerprint, a simple fingerprint it's really environment signals that we collect. So screen size plugins. And we challenge of course the browser. Yeah. Short example. So for example, if you, how do you render emoji? So every browser render a emoji differently.

So this is one of the challenge, but we have more and more say, say circuit source and IP shape, specific parameters that we leverage to really identify is this a real device? Is this repeating activities? Is this the environment it's say it is to be, or is it a bot? And of course, but not last, we take a look to the be human behaviors. So it's not all about what you are keying in. It's the classification and identification, how you key it in. So what are the key strokes? What are the mouse movements? What is the attempt?

How do you, how fast, how slow, what do you copy and paste, things like that. So all these parameters we collect and combine to identify the activity. And in addition, this is not only done for automation. We have developed our system also to make it capital, to options, new capabilities, to do it also for manual transactions. So what we learned on automation is now available on manual interaction on the application. So what is the copy and paste operation? What is the most movement?

So the same methodology that we have leveraging to identify automation is now also available for manual fraud detection. And this will enable us, or it has enabled us to deliver now a platform, not only in anti automation platform, where you can act on real time, it's a bot or it's a human traffic. This now has enabled us to use this telemeter and experience to also to add additional value for our clients. For example, we call it chip recognize where you can now identify shared devices or single devices to improve lock end experience. So for example, session, extension, things like that.

So it's number one, you get rid of automation. Number two, you qualify your end user devices. You are kind of profiling the environment, Mario, not Sorry to, to, to interrupt you, but we are running a little bit out of time. Okay.

But, but I, so perhaps one last sentence to wrap up and then we need to move on. Sorry for that. Yeah. The last sense. So what we have enabled over the time is a platform to offer you bot mitigation, get rid of synthetic traffic, expand user experience, and now also manual fraud detection. So if people are in the audience that have interest beyond it, security and to fraud, fraud prevention, it's also an option now to talk to she because we leveraging these smart telemetry data and behavioral analytics to identify it in real time. That's it.