Feature Announcement: Compromised Credentials

    This feature protects customers whose username and password combination has been identified, via Cloudflare WAF features, as appearing on lists of leaked credentials. When such a login is flagged, we run a verification process to confirm the customer’s identity and safeguard the account: we send the customer an email containing a verification link, and clicking it confirms their identity (assuming the attacker does not also have access to their email). As an additional security measure, we enforce a mandatory password change, restoring the integrity of their credentials.

    During sign-up we prioritise a seamless, user-friendly experience, so the process described above is not enforced there. Since the initial interaction with our website is crucial to creating a positive impression, we keep the sign-up process simple and hassle-free.

    Level Of Impact

    Medium-High

    Affected Interfaces

    Admin and Users

    Affected Users

    All


    Solution

    We leverage Cloudflare’s WAF feature, Exposed Credentials Check, to protect our customers. It detects when a customer attempts to log in using a username and password that have previously been compromised. As soon as such an attempt is identified, we intervene to prevent unauthorised access to the customer’s account and sensitive data.

    When compromised credentials are detected, a modal pop-up promptly appears, notifying you of the potential security issue. This pop-up triggers a predefined workflow that begins with the immediate dispatch of a verification email. Clicking the link in the email takes you to a secure password reset page, where you set a new password so that your account remains protected against unauthorised access.
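    As an added illustration (not Oz Lotteries’ or Cloudflare’s own code), the following shows how an origin application can consume the WAF signal and run the workflow described above. It assumes the WAF rule uses Cloudflare’s "Add header" action, which sets `Exposed-Credential-Check: 1` on the forwarded request; the in-memory account store, the signed-token format, the 15-minute link lifetime and the SHA-256 password history are assumptions made for the demo.

```python
import hashlib, hmac, secrets, time

SECRET = b"constructed-demo-key"   # stand-in for the app's real signing key
TOKEN_TTL = 15 * 60                # reset link valid for 15 minutes (assumed)
accounts = {}                      # user -> {"reset_required": bool, "history": [hashes]}

def credential_exposed(headers):
    # Cloudflare's "Add header" action marks a matched login with this header.
    return headers.get("Exposed-Credential-Check") == "1"

def issue_reset_token(user, now=None):
    # Signed, expiring token carried in the verification link emailed to the user.
    expiry = int(now or time.time()) + TOKEN_TTL
    payload = f"{expiry}:{secrets.token_hex(8)}:{user}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{sig}:{payload}"

def verify_reset_token(token, now=None):
    # Returns the user name if the signature is valid and the link is unexpired.
    sig, _, payload = token.partition(":")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    expiry, _nonce, user = payload.split(":", 2)
    if int(now or time.time()) > int(expiry):
        return None
    return user

def handle_login(headers, user, password_ok, now=None):
    # The password still has to be right; the WAF flag only adds the forced reset.
    if not password_ok:
        return {"status": "denied"}
    acct = accounts.setdefault(user, {"reset_required": False, "history": []})
    if credential_exposed(headers) or acct["reset_required"]:
        acct["reset_required"] = True          # stays set until the reset completes
        return {"status": "reset_required", "token": issue_reset_token(user, now)}
    return {"status": "ok"}

def complete_reset(token, new_password, now=None):
    # Called from the reset page; rejects tampered/expired links and reused passwords.
    user = verify_reset_token(token, now)
    if user is None:
        return "invalid_or_expired_link"
    digest = hashlib.sha256(new_password.encode()).hexdigest()  # demo only; use a slow KDF
    acct = accounts[user]
    if digest in acct["history"]:
        return "password_reused"
    acct["history"].append(digest)
    acct["reset_required"] = False
    return "ok"
```

The "reset_required" flag persists across later logins, so a user who dismisses the modal without completing the reset is still forced through it the next time.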


    A notification will be displayed on the bottom left of the page once the new password has been saved.



    Secondary Path:


    To cater to users who cannot access their email, we have implemented a secondary path for password reset. An admin user can initiate a password reset for such a user; this generates a unique verification code that can be shared with the user through an alternative communication channel. The user then logs in with the verification code, which grants temporary access to their account.


    Mobile App:

    This feature is also applicable to users logging in via the app.


    Benefits:

    Convenience: Using your existing Google account or Apple ID to authenticate with Oz Lotteries eliminates the need to remember multiple passwords.
    Password reuse: We implemented a policy that prevents the reuse of previous passwords.
    Expired reset links: We improved the error message displayed when a user clicks an expired password reset link. The new message redirects the user to the login page instead of a non-productive page.

    Requirements:

    Your DNS is required to be managed in Cloudflare.
    Your Cloudflare account needs access to the Web Application Firewall (WAF) features. These come at an additional cost.