Opened 9 years ago

Last modified 4 years ago

#250 assigned new feature

Velocity tests on failed logins

Reported by: tobixen Owned by: shevek
Priority: major Milestone: unassigned
Component: BW Profile Keywords: security, login, velocity, fraud
Cc:

Description

During the last days at my work place, we've had incidents with one (or more) persons cracking into our site - probably using lists of usernames and passwords from the database of a competing company. I don't think it's a try-and-fail with random usernames and passwords, the hit-ratio (number of successful logins vs unsuccessful logins) is too big, and almost all cracked user accounts are from the same country ... I hope we are ahead of the situation now.

I'm somehow not paranoid enough to believe the same would happen with BeWelcome anytime soon ... but anyway we should be prepared for it.

The solution (as I see it) is velocity tests:

1) If we have more than, say, 3 failed logins towards the same user account, make a temporary login block (i.e. for 5 minutes) on this user account.

2) If we have more than, say, 20 failed logins from the same IP during one hour, this IP address should be temporarily blocked. I think it's important to keep such a block invisible - the attacker should get an error message about "wrong user name or login" all the time.
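The two velocity rules proposed above, implemented as a small in-memory tracker. This is an added example written for this page, not code from the BeWelcome project; the thresholds and durations come from the description (3 failures per account, 5-minute account block, 20 failures per IP per hour), while the failure window for the account rule, the one-hour IP block length, the injectable `now` clock and the sample IP addresses are assumptions made for the example. Both blocks return the same generic message as an ordinary wrong password, so a caller cannot tell a block from a bad guess.

```python
"""Velocity checks on failed logins (added example, not BeWelcome code).

Rule 1: more than 3 failed logins for one account -> block the account for 5 min.
Rule 2: more than 20 failed logins from one IP within an hour -> block the IP.
A blocked attempt is answered with the same generic error as a wrong password.
"""
from collections import deque
from dataclasses import dataclass

GENERIC_ERROR = "wrong user name or password"


@dataclass
class VelocityPolicy:
    account_max_failures: int = 3
    account_window_seconds: int = 5 * 60   # assumption: same as the block length
    account_block_seconds: int = 5 * 60
    ip_max_failures: int = 20
    ip_window_seconds: int = 60 * 60
    ip_block_seconds: int = 60 * 60        # assumption: ticket gives no IP block length


class FailedLoginTracker:
    def __init__(self, policy=None):
        self.policy = policy or VelocityPolicy()
        self._account_failures = {}     # username -> deque of failure timestamps
        self._ip_failures = {}          # ip -> deque of failure timestamps
        self._account_block_until = {}  # username -> unix time the block expires
        self._ip_block_until = {}       # ip -> unix time the block expires

    @staticmethod
    def _prune(dq, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while dq and dq[0] <= now - window:
            dq.popleft()

    def is_blocked(self, username, ip, now):
        return (self._account_block_until.get(username, 0) > now
                or self._ip_block_until.get(ip, 0) > now)

    def record_failure(self, username, ip, now):
        p = self.policy
        acc = self._account_failures.setdefault(username, deque())
        acc.append(now)
        self._prune(acc, now, p.account_window_seconds)
        if len(acc) > p.account_max_failures:
            self._account_block_until[username] = now + p.account_block_seconds
        ipq = self._ip_failures.setdefault(ip, deque())
        ipq.append(now)
        self._prune(ipq, now, p.ip_window_seconds)
        if len(ipq) > p.ip_max_failures:
            self._ip_block_until[ip] = now + p.ip_block_seconds

    def record_success(self, username):
        # A successful login clears the per-account failure history.
        self._account_failures.pop(username, None)


def attempt_login(tracker, verify, username, password, ip, now):
    """Return (ok, message). A blocked attempt is rejected before the
    credentials are checked, with the same message as a wrong password."""
    if tracker.is_blocked(username, ip, now):
        return False, GENERIC_ERROR
    if verify(username, password):
        tracker.record_success(username)
        return True, "ok"
    tracker.record_failure(username, ip, now)
    return False, GENERIC_ERROR


def simulate_account_block():
    """Constructed scenario: four wrong guesses against one account, then the
    correct password during the block, then again after the block expires."""
    users = {"alice": "correct horse"}
    verify = lambda u, p: users.get(u) == p
    t = FailedLoginTracker()
    ip = "198.51.100.7"                      # constructed address
    results = [attempt_login(t, verify, "alice", "guess%d" % i, ip, 1000 + 10 * i)
               for i in range(4)]           # 4th failure triggers the block
    results.append(attempt_login(t, verify, "alice", "correct horse", ip, 1050))
    results.append(attempt_login(t, verify, "alice", "correct horse", ip, 1341))
    return results


def simulate_ip_block():
    """Constructed scenario: 21 failures from one IP spread over 21 accounts
    (a credential-stuffing pattern), then the correct password for a real
    user from that IP, from another IP, and from the first IP after an hour."""
    verify = lambda u, p: u == "bob" and p == "hunter2"
    t = FailedLoginTracker()
    bad_ip, good_ip = "203.0.113.9", "192.0.2.4"   # constructed addresses
    for i in range(21):
        attempt_login(t, verify, "user%d" % i, "x", bad_ip, 5000 + i)
    return (attempt_login(t, verify, "bob", "hunter2", bad_ip, 5021),
            attempt_login(t, verify, "bob", "hunter2", good_ip, 5021),
            attempt_login(t, verify, "bob", "hunter2", bad_ip, 5020 + 3601))


if __name__ == "__main__":
    print(simulate_account_block())
    print(simulate_ip_block())
```

The tracker keeps state in process memory, which is enough to show the logic; a real deployment would keep the counters in a shared store so that every web node sees the same failure history, and would log the block events so operators can see an attack in progress even though the attacker cannot.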

Change History (10)

comment:1 Changed 9 years ago by tobixen

  • Type changed from bug to new feature

comment:2 Changed 9 years ago by feuerdaemon

  • freq_reported set to 1
  • Milestone changed from unassigned to BigPicture
  • Priority changed from minor to major
  • show_on_bw set to 0
  • version set to all

comment:3 Changed 9 years ago by philipp

  • Milestone changed from BigPicture to unassigned

Milestone BigPicture deleted

comment:4 Changed 5 years ago by TimLoal

  • Component changed from BW General to BW Profile

comment:5 Changed 5 years ago by tobixen

I still think this is relevant, though not a priority. Many people have accounts on multiple hosting sites (i.e. CS, HC) and it's easy to assume that people tend to use the same password in several places, and we should also assume that at least sysadmins on CS and HC may collect username/password combos if they want to.

Now the abuse potential isn't as high here as at my former work place - at my former work place people had accounts with a money balance, so there was a high incentive for fraudsters to break into as many accounts as possible and transfer out the balances.

comment:6 Changed 5 years ago by TimLoal

I agree, that it is lower priority. I left it at major, because I feel it should have some emphasis over other really minor issues.

The scenario in the original comment, I feel, was 'an' example, and not a bad one. I feel that this issue and other login related issues should be looked at, collectively, as a higher priority. A competent login with good member protection is a first impression for most members and deserves some overall attention.

LnP

comment:7 Changed 5 years ago by jsfan

  • Milestone Future deleted

Milestone Future deleted

comment:8 Changed 5 years ago by shevek

  • Milestone set to unassigned

Given the fact that BW tells you after a failed login that you typed the wrong password for a given user, this is clearly a major issue and should be fixed.

comment:9 Changed 5 years ago by shevek

  • Milestone changed from unassigned to 1.3
  • Owner set to shevek
  • Status changed from new to assigned

The first step would be to always take the same time to respond regardless of whether the user exists or not. Other things can be added later on I'd say.
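A login check that closes the two leaks raised in comments 8 and 9: the error text no longer says whether the user exists, and the same password-hash computation runs whether or not the username is found, so the response time does not reveal existence either. This is an added example, not BeWelcome code; the user table, the `scrypt` parameters and the dummy record used for unknown users are assumptions chosen for the example (the standard-library `hashlib.scrypt` and `hmac.compare_digest` are real functions).

```python
"""Uniform failed-login response (added example, not BeWelcome code).

For an unknown username the server verifies the supplied password against a
dummy record, so a lookup miss costs the same work as a real verification,
and every failure returns one generic message.
"""
import hashlib
import hmac
import os

# scrypt cost parameters (assumption: 16 MiB, well under hashlib's default maxmem)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
GENERIC_ERROR = "wrong user name or password"


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


# Constructed user table: username -> (salt, digest)
USERS = {"alice": hash_password("correct horse")}

# Dummy record verified whenever the username is unknown. Its password is a
# random value nobody knows, so the comparison always fails, but it costs the
# same time as verifying a real account.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def login(username, password):
    """Return (ok, message). The message is identical for an unknown user
    and for a wrong password, and the hashing work is done in both cases."""
    record = USERS.get(username)
    salt, expected = record if record is not None else DUMMY_RECORD
    _, actual = hash_password(password, salt)
    # Bitwise & so both operands are always evaluated (no short-circuit),
    # and compare_digest so the byte comparison itself is constant-time.
    ok = (record is not None) & hmac.compare_digest(actual, expected)
    return (True, "ok") if ok else (False, GENERIC_ERROR)


if __name__ == "__main__":
    print(login("alice", "correct horse"))   # (True, 'ok')
    print(login("alice", "wrong"))           # (False, 'wrong user name or password')
    print(login("nobody", "wrong"))          # same message as above
```

The dummy record must use the same hash parameters as real records, otherwise the miss path is measurably cheaper than the hit path and the timing leak returns. Velocity blocking (the ticket description) slots in before `hash_password` is called, returning the same `GENERIC_ERROR`, so a blocked account is indistinguishable from a wrong password as well.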

comment:10 Changed 4 years ago by shevek

  • Milestone changed from 1.3 to unassigned

Unassigned from 1.3.
