Arc XP Identity Security best practices
The Shared Responsibility Model
As an Arc XP customer who builds and configures digital experiences on the platform, you become partners with Arc XP, and we share responsibility for the security of your site, end users, and sensitive data.
To simplify how this shared responsibility works: You are responsible for the security of your site, while we are responsible for the security of the platform. What does that mean? Let’s dig in.
Arc XP is responsible for:
- Security of Arc XP platform code, configuration, and deployment
- Physical security of the infrastructure, including data centers and network infrastructure
- Host operating system security and patch management
- Management of network infrastructure and firewall configuration
- Application data backup and disaster recovery
- Compliance with relevant regulations and standards applicable to Arc XP
As an Arc XP customer, you are responsible for:
- Ensuring secure access to Arc XP accounts, including enforcing strong passwords
- Ensuring secure configuration of Arc XP Identity features for end-user access to authenticated content
- Ensuring secure use of Arc XP platform tokens, including loss prevention and rotation
- Securing your application code and configuration in line with industry best practices and Arc XP recommendations, such as enabling and using reCAPTCHA, configuring CORS domains, and blocking nefarious email domains
- Responding to security incidents and fraudulent activities inherent to your business model, such as credit card or credential stuffing attacks
- Compliance with relevant regulations and standards applicable to you as a customer of Arc XP
As an Arc XP customer, you share responsibility for your sites’ security. It is important to fully understand your security responsibilities so that you can take appropriate measures to protect your website and data. A clear shared responsibility model helps ensure that we are aligned and working together to keep your websites and data secure.
Common Attacks
Credential Stuffing Attacks
Credential stuffing is a type of cyberattack that uses login credentials stolen from one system to attempt to access an unrelated system. These attacks rely on the premise that people often reuse the same user ID and password across multiple accounts.
The attacker acquires stolen username and password pairs, often from a data breach or phishing attack, and then uses automated tools to test the stolen credentials against many websites. If the login is successful, the attacker knows they have a set of valid credentials and can access the account.
These types of attacks are most often detected by a large volume of failed login attempts during a short period of time.
Bulk Account Creation
The attacker creates hundreds or even thousands of junk accounts, degrading the quality of your customer database and potentially affecting downstream services.
Monitoring and Response
Monitoring for Credential Stuffing Attacks
The Arc XP team has monitoring and alerting in place to detect when a credential stuffing attack is occurring. Our Web Delivery team uses the Akamai platform to automate both the detection and response to these types of attacks and most attempts are thwarted before a human ever needs to be involved.
Responding to Credential Stuffing Attacks
A credential stuffing attack is successful for an attacker when they are able to log in to an end-user’s account, confirming that the stolen credentials are valid on your site. When our team detects this, we will inform you so you can take action. The most common approach is to reset the passwords and sessions of all impacted users. The Arc XP team will provide you with a list of the impacted accounts so that you can perform those resets.
We recommend that you institute your own monitoring, in coordination with your payment processor. Common metrics to monitor and alert upon are:
- High ratios of failed payments
- High rates of payment declines
- Payment processor fraud detection alerts
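The two signals described above, a burst of failed logins in a short window (the usual sign of credential stuffing) and a high ratio of failed payments, can be checked with a small offline script. The following is an added example, not Arc XP code: the log format, field names, thresholds and sample events are all assumptions constructed for illustration. It flags a source IP that fails many logins against many distinct accounts within the window (one user retrying their own password does not trip it), lists accounts that logged in successfully from a flagged source as candidates for a password and session reset, and computes the payment failure ratio.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real Arc XP output).
# Fields: ISO timestamp, event type, source IP, account, result.
SAMPLE_LOG = """\
2024-05-01T10:00:00 login 203.0.113.5 user01@example.com fail
2024-05-01T10:00:02 login 203.0.113.5 user02@example.com fail
2024-05-01T10:00:04 login 203.0.113.5 user03@example.com fail
2024-05-01T10:00:06 login 203.0.113.5 user04@example.com fail
2024-05-01T10:00:08 login 203.0.113.5 user05@example.com fail
2024-05-01T10:00:10 login 203.0.113.5 user06@example.com fail
2024-05-01T10:00:12 login 203.0.113.5 user07@example.com fail
2024-05-01T10:00:14 login 203.0.113.5 user08@example.com success
2024-05-01T10:00:16 login 203.0.113.5 user09@example.com fail
2024-05-01T10:00:18 login 203.0.113.5 user10@example.com fail
2024-05-01T10:00:20 login 203.0.113.5 user11@example.com fail
2024-05-01T10:00:22 login 203.0.113.5 user12@example.com fail
2024-05-01T10:01:00 login 198.51.100.7 carol@example.com fail
2024-05-01T10:01:30 login 198.51.100.7 carol@example.com fail
2024-05-01T10:02:00 login 198.51.100.7 carol@example.com success
2024-05-01T10:05:00 payment 198.51.100.7 carol@example.com success
2024-05-01T10:05:10 payment 203.0.113.5 user08@example.com fail
2024-05-01T10:05:20 payment 203.0.113.5 user08@example.com fail
2024-05-01T10:05:30 payment 203.0.113.5 user08@example.com fail
2024-05-01T10:05:40 payment 192.0.2.9 dave@example.com success
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, ip, user, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "type": kind,
            "ip": ip,
            "user": user,
            "ok": result == "success",
        })
    return events


def login_burst_alerts(events, window=timedelta(minutes=5),
                       max_failures=10, min_accounts=5):
    """Sliding window of failed logins per source IP.

    An IP is flagged when it has at least `max_failures` failed logins inside
    `window` AND those failures target at least `min_accounts` distinct
    accounts. Many accounts from one source is the credential-stuffing
    signature; a single user mistyping their own password is not.
    Thresholds are illustrative assumptions.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, account)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "login" or ev["ok"]:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:  # drop events outside window
            q.popleft()
        accounts = {user for _, user in q}
        if len(q) >= max_failures and len(accounts) >= min_accounts:
            alerts[ev["ip"]] = {
                "failures": len(q),
                "accounts": len(accounts),
                "first": q[0][0],
                "last": ev["ts"],
            }
    return alerts


def confirmed_hits(events, alerts):
    """Accounts that logged in successfully from a flagged source IP.

    These are the accounts whose credentials the attacker has confirmed as
    valid, i.e. the list that should get a password and session reset.
    """
    return {ev["user"] for ev in events
            if ev["type"] == "login" and ev["ok"] and ev["ip"] in alerts}


def payment_failure_ratio(events):
    """Share of payment events that failed; 0.0 when there were none."""
    payments = [ev for ev in events if ev["type"] == "payment"]
    if not payments:
        return 0.0
    failed = sum(1 for ev in payments if not ev["ok"])
    return failed / len(payments)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = login_burst_alerts(evs)
    for ip, info in flagged.items():
        print(f"ALERT {ip}: {info['failures']} failed logins across "
              f"{info['accounts']} accounts between {info['first']} and {info['last']}")
    print("accounts to reset:", sorted(confirmed_hits(evs, flagged)))
    print(f"payment failure ratio: {payment_failure_ratio(evs):.2f}")
```

In production the same logic would run over your own auth and payment logs rather than an embedded string, and the payment ratio would be compared against a baseline agreed with your payment processor rather than a fixed number.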
Recommended Practices & Uses
Mitigation Techniques
We recommend that you harden your site to make these types of attacks less likely to succeed.
The most effective mitigations for credential stuffing and bulk account creation attacks include:
- Upgrading your service to include Akamai Bot Manager
- Placing reCAPTCHA into the login and account creation flows
- Hardening your password and account configuration, including password strength, account lockouts, session duration, and enforcing email verification
Customer Proxies and Wrappers
Do not wrap Arc XP API calls in a proxy or wrapper of your own code. In doing so, you lose many of the detection and response capabilities offered by the Arc XP platform. Because a proxy makes all of your end-user traffic appear to come from the IP ranges of your data center, the Arc XP team cannot as easily detect an attack, isolate malicious requests from non-malicious ones, or fingerprint and block malicious traffic.
Customer Responsibilities
It is important to understand that Arc XP has finite obligations governing the response to an attack, such as providing notice and offering mitigation recommendations. In some instances, failure to use the available preventive measures will result in an undesirable outcome that Arc XP is not able to remedy. For example, if an attacker creates a huge set of fake accounts, you are responsible for handling those accounts as you see fit (including deleting them).