SlideShare a Scribd company logo

Protecting the Front Door

We can do a lot to secure our web-app backends, but ultimately our users email and password are the front door, and they're notoriously insecure. This talk quickly shows you how to mitigate this attack vector by detecting and responding to login anomalies using ThisData's Login Intelligence API. This talk was originally presented as at Ruby Nights Auckland on March 24 2016: http://www.meetup.com/aucklandruby/events/228852539/

1 of 23
Download to read offline
Protecting the Front Door
Detecting and responding
to login anomalies
What’s this talk about?
The problem
A solution, using ThisData (show and tell!🎉)
Your users are
insecure
Post-it notes
Password reuse
Phishing
They probably
won’t change,
but YOU can!
Attackers are smart
If the data is valuable to your customer,
it’s valuable to an attacker.
They have patience, skill, and financial
motivation
What can you do?
Add 2FA?
Don’t use passwords at all?
Monitor logins / activity for anomalous
behaviour
What can you do?
Add 2FA?
Don’t use passwords at all?
Monitor logins / activity for anomalous
behaviour

Recommended

Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Make it Fixable, Living with Risk (Paranoia 2017)
Make it Fixable, Living with Risk (Paranoia 2017)Patricia Aas
 
SPI Dynamics web application security 101
SPI Dynamics web application security 101 SPI Dynamics web application security 101
SPI Dynamics web application security 101 Wade Malone
 
Encrypting SMS with PGP
Encrypting SMS with PGPEncrypting SMS with PGP
Encrypting SMS with PGPAngel Parrales
 
Liran Tal - StrangerDanger - Finding Security Vulnerabilities Before They Fin...
Liran Tal - StrangerDanger - Finding Security Vulnerabilities Before They Fin...Liran Tal - StrangerDanger - Finding Security Vulnerabilities Before They Fin...
Liran Tal - StrangerDanger - Finding Security Vulnerabilities Before They Fin...Liran Tal
 
Code Review: How And When
Code Review: How And WhenCode Review: How And When
Code Review: How And WhenPaul Gower
 
All aboard the Cyber Security Rollercoaster!
All aboard the Cyber Security Rollercoaster!All aboard the Cyber Security Rollercoaster!
All aboard the Cyber Security Rollercoaster!Nick Malcolm
 
Timing Attacks and Ruby on Rails
Timing Attacks and Ruby on RailsTiming Attacks and Ruby on Rails
Timing Attacks and Ruby on RailsNick Malcolm
 

More Related Content

Similar to Protecting the Front Door

Security Opportunities A Silicon Valley VC Perspective
Security Opportunities  A Silicon Valley VC PerspectiveSecurity Opportunities  A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC PerspectivePositive Hack Days
 
Marjan.nikolovski down the rabbit hole error handling examined-v01
Marjan.nikolovski down the rabbit hole   error handling examined-v01Marjan.nikolovski down the rabbit hole   error handling examined-v01
Marjan.nikolovski down the rabbit hole error handling examined-v01Marjan Nikolovski
 
Pixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScalePixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScaleAntónio Alegria
 
Transform Banking with Big Data and Automated Machine Learning 9.12.17
Transform Banking with Big Data and Automated Machine Learning 9.12.17Transform Banking with Big Data and Automated Machine Learning 9.12.17
Transform Banking with Big Data and Automated Machine Learning 9.12.17Cloudera, Inc.
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Nick Galbreath
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
Designing for Data Security by Karen Lopez
Designing for Data Security by Karen LopezDesigning for Data Security by Karen Lopez
Designing for Data Security by Karen LopezKaren Lopez
 
Simple SAP Security Breach !!
Simple SAP Security Breach !!Simple SAP Security Breach !!
Simple SAP Security Breach !!SAPYard
 
How to code securely: a crash course for non-coders
How to code securely: a crash course for non-codersHow to code securely: a crash course for non-coders
How to code securely: a crash course for non-codersJaap Karan Singh
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Tomek Cejner
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber SecurityChris Watts
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezEC-Council
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-PracticesOctogence
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017TecsyntSolutions
 
Addressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdfAddressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdfCecilSu
 
Penetration testing as an internal audit activity
Penetration testing as an internal audit activityPenetration testing as an internal audit activity
Penetration testing as an internal audit activityTranscendent Group
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksCiNPA Security SIG
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSecAPIsecure_ Official
 

Similar to Protecting the Front Door (20)

Security Opportunities A Silicon Valley VC Perspective
Security Opportunities  A Silicon Valley VC PerspectiveSecurity Opportunities  A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
Marjan.nikolovski down the rabbit hole error handling examined-v01
Marjan.nikolovski down the rabbit hole   error handling examined-v01Marjan.nikolovski down the rabbit hole   error handling examined-v01
Marjan.nikolovski down the rabbit hole error handling examined-v01
 
Pixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at ScalePixels.camp - Machine Learning: Building Successful Products at Scale
Pixels.camp - Machine Learning: Building Successful Products at Scale
 
Transform Banking with Big Data and Automated Machine Learning 9.12.17
Transform Banking with Big Data and Automated Machine Learning 9.12.17Transform Banking with Big Data and Automated Machine Learning 9.12.17
Transform Banking with Big Data and Automated Machine Learning 9.12.17
 
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
 
Designing for Data Security by Karen Lopez
Designing for Data Security by Karen LopezDesigning for Data Security by Karen Lopez
Designing for Data Security by Karen Lopez
 
Simple SAP Security Breach !!
Simple SAP Security Breach !!Simple SAP Security Breach !!
Simple SAP Security Breach !!
 
How to code securely: a crash course for non-coders
How to code securely: a crash course for non-codersHow to code securely: a crash course for non-coders
How to code securely: a crash course for non-coders
 
Security engineering 101 when good design & security work together
Security engineering 101  when good design & security work togetherSecurity engineering 101  when good design & security work together
Security engineering 101 when good design & security work together
 
Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.Security Checklist: how iOS can help protecting your data.
Security Checklist: how iOS can help protecting your data.
 
How not to suck at Cyber Security
How not to suck at Cyber SecurityHow not to suck at Cyber Security
How not to suck at Cyber Security
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
 
Elementary-Information-Security-Practices
Elementary-Information-Security-PracticesElementary-Information-Security-Practices
Elementary-Information-Security-Practices
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 
Addressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdfAddressing Web Application Security Vulnerabilities.pdf
Addressing Web Application Security Vulnerabilities.pdf
 
Penetration testing as an internal audit activity
Penetration testing as an internal audit activityPenetration testing as an internal audit activity
Penetration testing as an internal audit activity
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
2022 APIsecure_API Security Testing: The Next Step in Modernizing AppSec
 

Recently uploaded

My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceVijayananda Mohire
 
Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...BookNet Canada
 
AMER Introduction to ThousandEyes Webinar
AMER Introduction to ThousandEyes WebinarAMER Introduction to ThousandEyes Webinar
AMER Introduction to ThousandEyes WebinarThousandEyes
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareAsma Ben Abacha
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriSafe Software
 
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHubHow We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHubShapeBlue
 
Q4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdfQ4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdfTejal81
 
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptxGraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptxNeo4j
 
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024BookNet Canada
 
KUBRICK Graphs: A journey from in vogue to success-ion
KUBRICK Graphs: A journey from in vogue to success-ionKUBRICK Graphs: A journey from in vogue to success-ion
KUBRICK Graphs: A journey from in vogue to success-ionNeo4j
 
Python For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ emPython For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ emNho Vĩnh
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIVijayananda Mohire
 
AGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfAGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfRodneyThomas28
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...James Anderson
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingerssuser9354ce
 
Roundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfRoundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfMostafa Higazy
 
National Institute of Standards and Technology (NIST) Cybersecurity Framework...
National Institute of Standards and Technology (NIST) Cybersecurity Framework...National Institute of Standards and Technology (NIST) Cybersecurity Framework...
National Institute of Standards and Technology (NIST) Cybersecurity Framework...MichaelBenis1
 
Achieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdfAchieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdfIES VE
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Chris Bingham
 

Recently uploaded (20)

My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial Intelligence
 
Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...Transcript: Trending now: Book subjects on the move in the Canadian market - ...
Transcript: Trending now: Book subjects on the move in the Canadian market - ...
 
AMER Introduction to ThousandEyes Webinar
AMER Introduction to ThousandEyes WebinarAMER Introduction to ThousandEyes Webinar
AMER Introduction to ThousandEyes Webinar
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in Healthcare
 
Geospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & EsriGeospatial Synergy: Amplifying Efficiency with FME & Esri
Geospatial Synergy: Amplifying Efficiency with FME & Esri
 
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHubHow We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
How We Grew Up with CloudStack and its Journey – Dilip Singh, DataHub
 
Q4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdfQ4 2023 Quarterly Investor Presentation - FINAL.pdf
Q4 2023 Quarterly Investor Presentation - FINAL.pdf
 
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptxGraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
GraphSummit London Feb 2024 - ABK - Neo4j Product Vision and Roadmap.pptx
 
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...In sharing we trust. Taking advantage of a diverse consortium to build a tran...
In sharing we trust. Taking advantage of a diverse consortium to build a tran...
 
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
Trending now: Book subjects on the move in the Canadian market - Tech Forum 2024
 
KUBRICK Graphs: A journey from in vogue to success-ion
KUBRICK Graphs: A journey from in vogue to success-ionKUBRICK Graphs: A journey from in vogue to success-ion
KUBRICK Graphs: A journey from in vogue to success-ion
 
Python For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ emPython For Kids - Sách Lập trình cho trẻ em
Python For Kids - Sách Lập trình cho trẻ em
 
Key projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AIKey projects in AI, ML and Generative AI
Key projects in AI, ML and Generative AI
 
AGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdfAGFM - Toyota Coaster 1HZ Install Guide.pdf
AGFM - Toyota Coaster 1HZ Install Guide.pdf
 
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
GDG Cloud Southlake 30 Brian Demers Breeding 10x Developers with Developer Pr...
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostinger
 
Roundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdfRoundtable_-_API_Research__Testing_Tools.pdf
Roundtable_-_API_Research__Testing_Tools.pdf
 
National Institute of Standards and Technology (NIST) Cybersecurity Framework...
National Institute of Standards and Technology (NIST) Cybersecurity Framework...National Institute of Standards and Technology (NIST) Cybersecurity Framework...
National Institute of Standards and Technology (NIST) Cybersecurity Framework...
 
Achieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdfAchieving Excellence IESVE for HVAC Simulation.pdf
Achieving Excellence IESVE for HVAC Simulation.pdf
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
 

Protecting the Front Door

Editor's Notes

  1. Most people are really bad at choosing strong passwords, keeping them safe, and not giving them up to attackers. Even if your website is super safe, if another website’s database is compromised, your users’ account on your site is probably in trouble too! 95% of data breaches start with a phishing attack Ultimately they don’t care why their data was compromised, they’ll just leave you for a competitor who promises better security. As an industry we need to take a proactive approach. The survey was conducted by mobile identity company TeleSign, which polled 2,000 consumers in the U.S. and the U.K. about their cybersecurity practices.
  2. If customers value the data stored in your app, an attacker will have the patience and skill to figure out how to get at it. If it takes them a month of dedicated work, and they end up making a few thousand bucks, that’s a lot of money to people in poorer countries. When it can be done at scale, the rewards multiply. And attackers will take the time to figure out how to do that
  3. Adding 2FA is a great first step, and will mitigate a few attacks. But just as easily as a password can be phished, so can a 2FA code. You just show a fake login screen, and a fake 2FA code screen, and use that behind the scenes to steal a session. It’s also hard to force adoption, because it adds friction to the process. There are a few ways to do no-password authentication, but that only works for a subset of use cases. (Keyboard cadence, biometrics, 1TP via email, etc).
  4. What I’d like to focus on is monitoring and alerting. It’s what we’ve built at ThisData.
  5. Just like the emails you get from Facebook or Google when you log in from a new device or location, we do the same thing. It’s a proactive and painless way to increase account security. Companies at Google-scale can afford to invest in this level of security, but not others. So we’re bringing it to you!
  6. It works by monitoring a bunch of metrics that you send us via an API. We build up an idea of what “normal” looks like for each of your users. When an account is logged in to and it looks weird, we kick in to gear. We send your end user an SMS or email asking if it was them. If they say “it wasn’t me”, we send you a webhook, and you can kill any active sessions and reset their password. We also post all of this to your Slack, and have a dashboard for monitoring. The rest of this talk is going to be a show and tell of implementing ThisData in a rails app, using the rubygem I made.
  7. First step is to install the gem, which is named as you’d expect!
  8. I built a rails generator which will add a config file to your project. You put your API key in there, and tweak any settings you like.
  9. In your sessions controller, you use the gem to send a bit of metadata about the login to ThisData. It’s asynchronous, it doesn’t slow down your log-in process, and your users don’t feel any pain. There’s no added friction. But we can do better than that! This is a Ruby on Rails project after all!
  10. I wrote a little module which you can include in ApplicationController which takes away all of that cruft. Include the module, and then call thisdata_track.
  11. The module does some fanciness to grab user details from the controller. By default it looks for a method called current_user, but you can configure that. It calls id and name and email on the current user model, and you can configure those methods too. It knows where to look for the user agent and the user’s IP address, so it handles that for you too. #proudparent
  12. I really like this piece of code. #proudparent If you have any other cool middleware gem tricks you think we should implement, or want to find out more about how I did this, talk to me afterwards.
  13. Anyway, so after you implement that, you start seeing events pop up on your dashboard. There’s a big map, and some graphs which start filling up.
  14. If there’s an alert you can spot it on the map, and drill in to it
  15. From the user’s perspective, they get an email like this
  16. And when they say “no it wasn’t me” they get sent to a page like this which helps them out. Having an account compromised is probably one of the most gut-wrenching interactions they’ll ever have with your service, so we want to make it as helpful and comforting as possible.
  17. On your end, you will have seen that their account has been compromised. You verify that the webhook is real, and that the account is compromised, and then reset their password, kill old sessions, and send them an email. You could also ping your support team to proactively reach out and phone them, and coach them through this.
  18. So that’s what we’ve been up to at ThisData! It’s a pretty simple concept, but powerful in terms of protecting your end users. There’s a lot of cool stuff on the roadmap too
  19. There’s lots of cool stuff we have lined up for our future: Continuous Authentication: monitoring every request checking that _for that particular action_ _they aren’t being weird_ I.e. internet banking, you don’t mind so much if someone can see your bank balance, but you definitely don’t want them to transfer money Javascript fingerprinting You can get a lot better data when acting directly within the browser. Even the lack of JS is a signal Big advancements in fingerprinting, particularly with HTML5 APIs Machine Learning Learning from feedback, learning from a global (anonymized) corpus of good and bad actors, good and bad requests
  20. I’d encourage you to give it a go in your own apps, and let me know what you think. We really want to make it a nice experience for developers and for your end-users. We have documentation to guide you through it all, but if something doesn’t make sense, reach out!