Account Hijacking Prevention

Repository  Issues  License 

The purpose of this project is to provide website administrators with an open source piece of software to detect and prevent account hijacking.

Please note: This project is currently not quite ready for use on a production website. The system for adding new devices is not complete so users will have difficulty using it from multiple devices.

About

When I originally came up with this project I wanted to use a system of modules to score the user's legitimacy with a series of tests. After writing the overarching system used by the modules I switched to focusing on one specific module, the keystroke dynamics module. While my work has largely focused on using keystroke dynamics, the use of modules leaves room for the inclusion of other forms of authentication.

Design

My system is designed to preform authentication at any time and returns a trust score rather than a simple true/false reply. This comes with some drawbacks, it cannot be installed without configuration and improper setup can reduce the amount of security it confers. This design does allow for the creation of higher and lower security zones on a site, for sites to preform continuous authentication, and for more sensitive sites to require more trust.

The authentication is preformed using data collected from the user's browser with JavaScript. The scripts update the data collected about the user on each page load in order to help identify session hijacking.

The software consists of two parts a set of modules and server component.

Server

The server is the part of my project responsible for running module components, handling requests, and combining the results of the different modules. From a software perspective it handles all the things that are abstracted away so that modules do not have to do them.

When the server starts up it imports all of the modules and registers their functions and scripts. In ordinary use a protected page loads the scripts from the server and they collect data for processing by the server.

Modules

The modules are responsible for preforming the different kinds of authentication. Each module contains several parts: a JavaScript script that is sent to the web browser to collect data, two Python function for hashing the data before it is stored, and a function that compares the collected data against the stored data to assess how much to trust the user.

For a guide on module development please see the wiki page.

Methods of Verification

Keystroke Dynamics

The keystroke dynamics module collects data about how a user types and uses it to identify them. Because people have different typing patterns the software can identify when another person, potentially an attacker, is typing.

The current keystroke dynamics system collects the average amount of time needed to change between different keys. During processing these collected averages are then compared to previous averages and scored. Currently the comparison is done by finding all the overlapping keys and finding the difference between the averages. The differences between the times in the stored set and the collected data are then averaged and used to decide the final score of the user. If the average deviation between the collected times and the new ones is too high the person typing is probably not who they say they are.

Browser Fingerprinting

The fingerprinting module preforms very basic browser fingerprinting. It collects the screen resolution of users' computers and the number of processor cores they have.

IP Address Checking

This is a very simple module to check the IP address of the users.

Results

I started out the keystroke dynamics module with the hope that I could achieve a 60 percent reliability. Fortunately, I have been able to exceed this initial expectation and achieve a greater than 80 percent reliability. This still leaves considerable room for improvement.

In the course of writing this software I have realized that other methods may be needed to identify the individual typing in our increasingly phone based world. Phones have few identifiable traits compared to PCs and strive to eliminate typing making it hard to accurately confirm the identity of a user on a mobile phone.

Installing

Check out the installation guide on the project wiki.

Contributing

If you wish to help with this project you can suggest improvements project or to the documentation.

Pull requests to improve this project and its documentation are also welcome. A set of possible improvements for this project are available here and in the issue tracker.

Reporting Security Problems

When submitting a security issues to the bug tracker please use the following message format:

<description of problem>

[//]: # (START MITIGATION)

**Mitigation:**
<description of how to mitigate the problem>

[//]: # (END MITIGATION)

<Anything else you have to say>

This allows me to display the solution to the problem to everyone using the security bullitin.

Security Bulletin