Hacker News new | ask | show | jobs
by helloworld4728 241 days ago
Oh boy this was a major problem at our budding fintech. Here's what DIDN't work:

1. Browser fingerprinting or ip bans. They used advanced fingerprint-shifting browsers and residential proxy ips.

2. Phone number 2FA. Significantly slowed legitimate user access but still didn't fully stop credential stuffers.

What did work:

3. rate limits and carefully tailored scripts that detected usage patterns and autobanned. Eventually they gave up on us guess wasn't worth the trouble. However I'm sure we lost a few legitimate users too in the process.

What I would try in the future:

- Passkeys as 2fa. Most browser automation platforms can't handle passkey auth inside a VM.
4 comments
tptacek 241 days ago
I spent a year doing security for a highly targeted fintech-adjacent where credential stuffing was the primary security threat, and all non-phishing-resistant MFA was table stakes: all the real work was in combatting cred-stuffing attacks that had already defeated (usually through elaborate phishing) the MFA.
link
lesuorac 241 days ago
> 1. Browser fingerprinting or ip bans. They used advanced fingerprint-shifting browsers and residential proxy ips.

Don't you typically use that for valid users? As-in, you allow access when the fingerpint matches their existing fingerprint and when it doesn't you require additional information to be presented (i.e. security code).

So if somebody shifts their ip around they end up needing more information than just user+pass to login but somebody that doesn't (i.e. a normal person at home) does have the easy way to login.

link
dilyevsky 241 days ago
Not sure why financial institutions still bother with passwords - every time i try to login to wise or something it requires email code/link. At that point just use the email auth.
link
netdevphoenix 240 days ago
Sending an email every time you want to log in sounds expensive.
link
robotnikman 241 days ago
>They used advanced fingerprint-shifting browsers

I'm guessing this would be Firefox, possibly using in house extensions or userscripts designed to help further avoid fingerprinting?

link
bobbiechen 241 days ago
There are a lot of dedicated anti-detect browsers, you can search for that term or fingerprint switcher, multi-accounting browsers, etc. Many of them are based on Chromium.

In my experience they're generally detectable by mismatches in various attributes compared to the "real" browser whose user agent they are spoofing (though of course, the ground truth of adversarial detection is always hard to know for sure).

link