Security and Arc XP Identity
Arc XP Identity enables clients to deliver frictionless and secure identity management customer experiences.
Behind the scenes, Arc XP employs a host of policies and procedures aimed at keeping your data safe. Arc XP’s commitment to best practices and constantly strengthening our security position have resulted in our continued ISO 27001 certification.
This document does not cover the areas owned exclusively by Arc XP and instead focuses on the areas of shared responsibility, where the coding and configuration choices that you make as a client impact your security posture. The goal of this document is to give you the information to make informed decisions to protect your customers and your business.
The following sections are a non-exhaustive list of attack vectors that bad actors can exploit if you choose not to leverage the available preventive measures.
Threat: Credential Stuffing
Credential stuffing is when bad actors enter large numbers of stolen credentials into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.
Solution: reCaptcha
reCaptcha is an effective means of thwarting many automated attacks. Google provides either a binary judgment (v2) or bot score (v3), which is verified server-side by Arc Subscriptions and determines if the request is processed. For more information on implementing reCaptcha within Arc Subscriptions, see Secure your site against attacks: CORS domains, blocked email domains and reCAPTCHA.
Leveraging the Bot protection services offered by Arc XP’s CDN partner also make executing this attack more challenging.
Threat: Brute Force Credential Attack
A brute force credential attack is when a bad actor repeatedly attempts to guess credentials in the hopes of getting one that works. This is generally not a totally random approach, but instead by some combination of common passwords or side-channel information to reduce the search space.
Solution: Account Lockout
Arc Identity offers the ability to configure the number of incorrect username and password attempts before the account is locked and login attempts are automatically blocked until the configured lockout period passes (or a customer service agent unlocks the account).
Solution: Password Strength
Arc Identity allows you to configure the length and complexity of user passwords.
Threat: Bulk Account Creation
Creating bulk accounts is when a bad actor creates hundreds or even thousands of junk accounts, impacting the quality of your customer database and potentially impacting downstream services.
Solution: reCaptcha
reCaptcha is the most effective means of preventing programmatic account creation.
Leveraging the Bot protection services offered by Arc XP’s CDN partner also make executing this attack more challenging.
Leveraging reCaptcha can also help thwart programmatic guessing.
The available preventive and reactionary tools available are outlined in the following paragraphs, but it’s important to understand that Arc XP has finite obligations governing the response to the attack, such as providing notice and offering mitigation recommendations. In some instances, failure to leverage the available preventive measures results in an undesirable outcome that Arc XP is not able to remedy. For example, if an attacker creates a large set of fake accounts, you are responsible for handling those accounts as you see fit (including deleting the accounts).
Preventive Measures
When leveraging Arc XP’s Identity service for user authentication, there are two key defensive offerings to carefully consider: bot protection service and reCaptcha. These offerings are distinct and complementary. Taken together, your customers’ data and your business’ reputation are on much firmer ground against the swap of hostile and creative bad actors that permeate the internet.
Arc XP has a strategic CDN partner that provides a Bot protection service. This service is a streamlined solution for intelligently detecting bad bots and pro-actively preventing malicious actors. Bot protection solution provides the following capabilities:
- Auto detect and mitigate low-and-slow attacks through a dynamically updated list of malicious IPs/UAs/Bots, compiled through leveraging AI algorithms over a high volume of internet traffic daily
- Provide enhanced threat detection of suspicious traffic and with a proactive interception of an attack in progress
- Provide our customers with the most accurate and self-tuning assessment of overall traffic so that they can effectively differentiate between malicious vs normal end-user requests
- Provide tiered responses to stop bots — without tipping off the bad guys
- Drastically reduce the need to create ACS tickets, thus mitigating contingencies expeditiously and without manual intervention.
Arc XP Subscriptions offers an integration with Google’s reCaptcha v2, which you can configure to protect the APIs most susceptible to attack, such as user sign-in and account creation APIs.
A CAPTCHA (an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart) is a security measure designed to differentiate bots from humans, typically with an image or audio challenge. CAPTCHAs are widely used on the internet to prevent bots from signing up for accounts, spamming comments, and buying products.
reCAPTCHA is Google’s CAPTCHA system. It was released in 2007 and is currently used by more than 13 million websites. It is the most used CAPTCHA system to date as it provides a decent level of protection against the most common types of bot threats.
Google’s invisible reCAPTCHA (v3) works by having a challenge bound to a button. After the challenge is completed the front end will receive a token from Google. The front end will send this token as part of the request to the backend APIs. The backend prior to performing the requested action will make a request to Google to validate the token. If the token is valid then the API action is performed as normal otherwise a 401 unauthorized will be returned.
Site visitors without a long browsing history, and those whose browser is set to reject third-party cookies, are most likely to be required to solve a challenge before proceeding. This countermeasure injects some friction into the login (and checkout) experiences but is the most effective approach to countering programmatic attacks.