Interop ITX 2017 Schedule Viewer

Live Account Takeover Hack and Tips on Preventing Today's Most Dangerous Application Threat

  • Live Account Takeover Hack and Tips on Preventing Today's Most Dangerous Application Threat

    Location:  TBD
    Format: Conference Session
    Track: Security
    Pass Type: All Access, Conference, Thursday Conference
    Vault Recording: TBD

    2016 appears to be the year of the hack, with marquee companies experiencing significant breaches on what seems like a daily basis. Account takeover (ATO) hacks have been on the rise in the last few years as hackers have become daringly savvy at acquiring log-in data and putting it to dangerous use -- the LinkedIn and Yahoo incidents being two on record. But while the initial data breach is problematic, the real problems come years afterward. Hackers wait to use the data -- the compromise phase -- and then use bots to spray the stolen credentials across the internet, hoping to access sensitive information that lives outside the original sites. After the incidents, both LinkedIn and Yahoo advised users to change their passwords, assuming the data would then be safe. What they couldn't control is that many consumers reuse the same log-in credentials across many accounts, and that information in the hands of a criminal means the risk extends well beyond the initial breach.

    Society has been dealing with such cyber issues since the dawn of the internet, but these kinds of ATO hacks are changing the game. Prior solutions and changing passwords are no longer enough, as they are no match for today's hackers' tricks.

    In this session, I will stage an ATO attack in real time to show exactly how it is done, while underscoring the vulnerabilities on many common sites that allow it to happen. I will begin by demonstrating a credential stuffing attack on a simple vulnerable site, then fast-forward to the cat-and-mouse game of upping your defenses. You'll see how attackers bypass rate limits, geo-fencing, browser profiling and even some types of CAPTCHAs in their pursuit of popping your customers' accounts. The session will finish with a discussion to help attendees better grasp how these attacks can be blocked.