Java microservices: some thoughts on account security
Statement
The content of this article is limited to research and does not cover the specific source code or risk control strategies of any security vendor. Cybersecurity is everyone's responsibility.
0x01 - The purpose of improving account security
Registering an account is the first step in most cheating scenarios: placing orders in trading scenarios, flash-sale activities in marketing scenarios, and so on all require an account. Secondly, compared with other things that can uniquely identify a user, such as the device or payment card, the account offers more initiative, so it is necessary to improve the security capabilities of the account.
0x02 - Problem analysis
1. Attack ideas
To figure out how to increase the cost of an account, you need to know what it costs to create and operate one. In layman's terms, this means registering and logging in in bulk from the perspective of a business blue team. (Taking the Taobao page as an example does not mean that I have attacked Taobao.com.)
1.1. Breakdown of the key points of the page
What do I need to prepare to reverse this feature?
(1) Resource preparation includes mobile phone numbers, verification code recognition (image, behavior or SMS verification codes), IPs, etc.
(2) Protocol preparation includes business protocols and security protocols.
Note: Simulated-click attacks are not considered here.
What specific problem does each item in the above breakdown solve for the cheater?
(1) Mobile phone number: solve the problem of registering multiple accounts;
(2) Verification code: solve the problem of strengthened verification;
(3) Proxy IP: solve the problem of IP being uniquely identified;
(4) Business protocol analysis: solve the problem of simulating business request logic and parameters;
(5) Security protocol analysis: solve the problems of unique device identification, risk control parameters, and behavior simulation.
1.2. About increasing account costs
Based on the breakdown of key points above, the solution idea is:
(1) Increase resource costs;
(2) Increase technical costs.
2. Attack behavior
Registration attacks include machine registration, batch registration, and alt-account registration; login attacks include machine login, batch login, malicious credential stuffing, and account theft; SMS attacks include SMS bombing.
3. Black-industry resources
Regarding black-industry resources, I divide the account profit chain into three links: upstream, midstream and downstream.
The upstream (before the event) is the resources that need to be prepared before the attack, the midstream (during the event) is the resources needed to counter the risk control measures encountered during the attack, and the downstream (after the event) is the target scenario of the black-industry attack.
The dimensions that can be detected are as follows:
Dimension 1: Resource
(1) IP resources
(2) Mobile phone number resources
(3) Captcha resources
Dimension 2: Cheat tools
(1) Modification tools
(2) Group control software
(3) Automation tools
Next, we will analyze the attack principle and sort out its corresponding defense ideas according to these four dimensions.
0x03 - Spear and shield
Resource dimensions
1. IP resources
1.1. Introduction to IP resources
(1) IP type
(2) Location information
(3) Type of risk
1.2. Attack method
The underlying idea of second dial is to exploit how domestic home broadband dial-up (PPPoE) works: each time the connection is dropped and re-established, a new IP is obtained. The black industry controls a large number of broadband lines, uses them to build a dynamic IP pool, uses ROS (soft routing) to uniformly allocate and manage virtual hosts and broadband resources, and then uses virtualization and cloud computing technologies to package them as cloud services. This makes it possible to produce a large number of real IPs.
(1) IP pool implementation logic
(2) IP pool page display
1.3. Defensive ideas
(1) Location verification
Check whether the IP address location is consistent with the GPS location.
(2) Cloud host detection
Most crawler, machine cheating and proxy traffic comes from data centers (computer rooms) such as Alibaba Cloud, Tencent Cloud, Meituan Cloud, JD Cloud, Microsoft Cloud, Amazon Cloud, etc. (Note that some office networks also use cloud IPs, so this signal should be judged together with other dimensions when applying policies.)
(3) Second dial detection
a) Second dial has become the core technology at the black IP level, and it is also one of the current pain points of business security;
b) The number of second-dial IPs is huge, and the IP pool is shared with normal users.
Detection technology: Scan the IP's ports, protocols, and packet characteristics to identify whether the current host is one used by a normal user.
(4) Proxy detection
a) Protocol identification:
(1) REMOTE_ADDR: the web server sets REMOTE_ADDR to the IP address of the client;
(2) X-Forwarded-For: an HTTP extension header used to represent the real IP of the HTTP request;
(3) For high-anonymity proxy IPs, this method does not work.
b) Client-side identification:
(1) http.proxyHost and http.proxyPort in the system properties;
(2) Virtual NIC.
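The protocol-side and client-side checks above, sketched in Java as an added example (not code from the original article). It assumes the service sees the peer address directly and receives header names lower-cased; the Via check and the tun/tap/ppp interface-name heuristic are assumptions that go beyond what the article names.

```java
import java.net.NetworkInterface;
import java.net.SocketException;
import java.util.*;

public class ProxySignals {
    /** Server side: compare REMOTE_ADDR with the proxy headers of one request. */
    static String classify(String remoteAddr, Map<String, String> headers) {
        String xff = headers.getOrDefault("x-forwarded-for", "").trim();
        if (!xff.isEmpty()) {
            // Left-most entry is the client address the first proxy claims to have seen.
            // The header is client-controlled, so it is a signal, never a trusted address.
            String claimed = xff.split(",")[0].trim();
            if (!claimed.equals(remoteAddr)) return "PROXY_DECLARED client=" + claimed;
        }
        // Via is a standard proxy header not mentioned in the article (added here).
        if (headers.containsKey("via")) return "PROXY_DECLARED client=hidden";
        // High-anonymity proxies send neither header: absence proves nothing.
        return "NO_EVIDENCE";
    }

    /** Client side: JVM proxy properties and VPN-style virtual interfaces. */
    static List<String> clientSignals() {
        List<String> hits = new ArrayList<>();
        String host = System.getProperty("http.proxyHost");
        if (host != null && !host.isEmpty()) {
            hits.add("http.proxy=" + host + ":" + System.getProperty("http.proxyPort"));
        }
        try {
            Enumeration<NetworkInterface> nics = NetworkInterface.getNetworkInterfaces();
            while (nics != null && nics.hasMoreElements()) {
                NetworkInterface nic = nics.nextElement();
                // Assumed heuristic: tun/tap/ppp names indicate a virtual NIC.
                if (nic.isUp() && nic.getName().matches("(tun|tap|ppp).*")) {
                    hits.add("virtual-nic=" + nic.getName());
                }
            }
        } catch (SocketException e) {
            hits.add("nic-enumeration-failed");
        }
        return hits;
    }
    public static void main(String[] args) {
        // Constructed requests using documentation-range addresses.
        System.out.println(classify("203.0.113.7", Map.of("x-forwarded-for", "198.51.100.20")));
        System.out.println(classify("203.0.113.7", Map.of("via", "1.1 cache")));
        System.out.println(classify("203.0.113.7", Map.of()));
        System.out.println(clientSignals());
    }
}
```

A NO_EVIDENCE result only means the request carried no proxy markers, so it has to be combined with the other IP dimensions rather than read as a clean verdict.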
2. Mobile phone number resources
2.1. Introduction to mobile phone number resources
(1) Overseas card
(2) Virtual card
(3) Risk card
2.2. Attack method
There are roughly three channels for obtaining mobile phone numbers: the first is to purchase ready-made historical accounts, the second is through third-party sellers on platforms such as Taobao, and the third is code-receiving platforms.
(1) Third-party sellers on Taobao
(2) Code-receiving platforms
(3) Conclusions on the cost of the attack
a) Price of finished accounts > price of resources
b) Finished accounts: price of accounts registered by mobile phone number > price of accounts registered by email
c) Resources: price from third-party sellers on e-commerce platforms > price on code-receiving platforms
d) Resources: probability of free code-receiving platform resources being blocked > probability of paid code-receiving platform resources being blocked
f) Risk: domestic resources > foreign resources (the specific reason is that domestic security vendors do not have the ability to identify risky foreign mobile phone numbers)
2.3. Defensive ideas
(1) Overseas card
Country code other than 86. Hong Kong and Macau cards are common and simpler to obtain, so when detecting overseas cards, focus on numbers from these two places.
(2) Virtual card
Number segments 162, 165, 167, 170, 171.
Overseas cards and virtual cards exist for normal users as well, so they can only be marked and used as factors in combination with other strategies.
(3) Risk card detection
In the registration and login scenarios, faced with a new mobile phone number, you must rely on external platforms to identify risky mobile phone numbers through channels such as enterprise sharing, coding platforms, and operators.
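One way to turn the overseas-card and virtual-card rules above into tags, as an added Java example that is not from the original article. The tag names are hypothetical, numbers without a country code are assumed to be mainland numbers, and the sample numbers are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class PhoneRiskTags {
    // Virtual-operator number segments listed in the article.
    static final Set<String> VIRTUAL_SEGMENTS = Set.of("162", "165", "167", "170", "171");

    /** Tags a phone number; tags are input factors for other strategies, never a verdict. */
    static List<String> tag(String raw) {
        List<String> tags = new ArrayList<>();
        // Normalise: drop separators, treat a leading 00 as the international prefix.
        String n = raw.replaceAll("[\\s()-]", "").replaceFirst("^00", "+");
        if (!n.matches("\\+?[0-9]{7,15}")) {
            tags.add("MALFORMED");
            return tags;
        }
        String national;
        if (n.startsWith("+86")) {
            national = n.substring(3);
        } else if (n.startsWith("+")) {
            tags.add("OVERSEAS");
            // Hong Kong (+852) and Macau (+853) get their own tag, as the article suggests.
            if (n.startsWith("+852")) tags.add("HK_CARD");
            if (n.startsWith("+853")) tags.add("MACAU_CARD");
            return tags;
        } else {
            national = n;   // assumption: no country code means a mainland number
        }
        if (national.length() != 11 || !national.startsWith("1")) {
            tags.add("MALFORMED");
        } else if (VIRTUAL_SEGMENTS.contains(national.substring(0, 3))) {
            tags.add("VIRTUAL_CARD");
        }
        return tags;
    }

    public static void main(String[] args) {
        // Constructed sample numbers, not real subscribers.
        for (String s : List.of("+86 170-0000-0000", "0085200000000", "+85300000000",
                                "13800000000", "+8613800000000", "12345")) {
            System.out.println(s + " -> " + tag(s));
        }
    }
}
```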
3. Captcha resources
3.1. Verification code generations
(1) The first generation: verification codes built mainly on simple knowledge, such as Chinese characters, English letters, numbers, etc.
(2) The second generation: building on the first generation, verification codes designed around innovative interaction, such as choosing characters according to a prompt, selecting objects in pictures, etc.
(3) The third generation: collecting data across multiple scenarios and dimensions to provide three-dimensional security protection for websites.
3.2. Attack method
(1) Image recognition
Image recognition is performed by RNN and CNN.
(2) Automated clicking
Selenium with a headless browser, or Chrome plugins, for simulated clicks.
(3) Captcha-solving platforms
Ruokuai, Feifei, Superman and other captcha-solving platforms provide manual solving.
(4) Protocol cracking
Protocol cracking of third-generation verification codes.
Cheat tools
4.1. Introduction to cheating tools
(1) Tampering software
(2) Group control software
(3) Automation software
4.2. Attack methods
The attack flow is generally: tampering + driving.
(1) Tampering software
Common hooking tools include Xposed, Frida, etc., and common ready-made modification tools include ChangeKing, Change, etc. By tampering with the unique identifier and related environment detection information, detection is evaded; the relevant driver code is then added, which can be called as a black box or combined with automated clicks to complete the attack process.
(2) Automation software
Common behavior simulation tools include auto.js and Script Wizard. In addition to ready-made behavior simulation tools, automation (driving) can also be achieved by listening to events or by coordinate recognition.
4.3. Defensive thinking
(1) Device fingerprint
Based on the device and operating environment, a unique identity that cannot be tampered with is generated for each device, which is the device fingerprint.
(2) Environmental testing
Analyze the principles of the reverse-engineering methods, reverse-engineering tools, and cheating tools on the market, and perform targeted risk detection of the application's current runtime environment.
0x04 - O&M phase
1. Account scoring
Use account scoring as the standard for communication between the risk control system and the business system.
For example, for activities with high resource investment, the winning probability of users can be appropriately adjusted through the criteria of account scoring to achieve the purpose of controlling the risk of the activity.
2. Black-white-gray list system
(1) Whitelist
Most likely high-quality users; they can be used as the basis for judging the accuracy of risk control.
For example, if 20% of the users blocked by the risk control policy of a new application are whitelisted users, it can be preliminarily judged that the strategy is unreasonable.
(2) Grey list
Their behavior needs to be monitored.
For example, users showing abnormal behaviors during monitoring, such as frequent access, frequent device changes, and frequent account changes, can be blocked.
(3) Blacklist
Users who have been banned in history need to consider the ban period.
For example, if a user's device or mobile phone number is transferred to another normal user, can it be unblocked?
What needs to be done in the account security operation and maintenance stage has not been thoroughly thought through, and it will be supplemented later if there is an opportunity to practice.
0x05 - Ending
Software engineering has no silver bullet, reverse engineering always wins.
I don't know much, I do too little. Criticism and correction are welcome.