Dropbox’s Three-Pronged Defense Against Digital Fraud

Cloud hosting platforms are charged with storing and protecting vast troves of valuable personal and company information, making them tempting targets for fraudsters. Improper security measures can result in incalculable damage, which makes multi-layered defense systems a top priority. In this month’s Digital Fraud Tracker, Rajan Kapoor, director of security for Dropbox, discusses how the platform employs a three-pronged approach of automated tools, user and employee education, and threat response teams to fight digital fraud.

Cloud-based platforms are particularly juicy targets for digital fraud. Vast numbers of users trust these platforms to keep their files, data and other digital belongings safe, meaning they hold a treasure trove of data that fraudsters see as valuable. Such platforms are, thus, working overtime to keep users and their information safe.

File hosting service Dropbox is devoting substantial efforts to its fraud prevention measures, seeking to protect its more than 600 million users, who have 400 billion stored files and upload 1.2 billion files each day. Security is a top priority for the company, which has invested considerable resources to keep such data safe.

“Some [efforts] are visible in the product, and are features that our users and customers can and [do] take advantage of, and then some of it is behind the scenes,” Rajan Kapoor, director of security at Dropbox, told PYMNTS in a recent interview. “This ensures our platform is safer, not just for our users and our customers, but also for the internet more broadly. We don’t want Dropbox being used as [a] platform [for fraudsters] to launch these attacks.”

Dropbox’s digital fraud defenses have three prongs: automated tools, extensive education efforts and dedicated response teams that combat any online threat — and the company has seen some creative attempts.

Dropbox Versus Hackers

Fraudsters target Dropbox for many reasons, according to Kapoor, who mentioned that criminals have attempted customer data theft, or used the service to host malware. Most use a variety of techniques to go after accounts directly, and obtain personally identifiable information (PII), bitcoin wallets or other digital valuables.

“The number-one thing that we see is compromised credentials from another service being used against us,” he explained. “That works when users reuse passwords across different services, and they don’t have two-factor authentication turned on. … I think what you see on Dropbox is not unique to us. We see this in cloud services providers more broadly.”

Stolen credentials are often purchased from dark web marketplaces, or gathered via phishing emails and brute force attacks on other websites. Other fraudsters try to weaponize Dropbox, rather than steal information from it.

“We see actors try to store malware on Dropbox and other services out there, and then use our service to distribute it,” Kapoor said. “But we’ve built a number of mitigations against that to make it less appealing.”

These mitigations have three distinct — but equally important — forms, each taking its own approach to eliminating fraud both against and from the platform.

Round One: Automated Tools

The first defense against digital fraud consists of automated tools that leverage knowledge about potential attacks to stop them before they hit Dropbox. The platform’s developers interact with the broader security community to understand the threats in the space, and develop counters — which can differ, depending on the attack.

“We have a system for when we hear about a massive breach of another service provider’s user tables, [so] we can get that [data] dump and load it into a system that we’ve built,” Kapoor said. “We’ll then encrypt the passwords so the hash [encrypted password] will match what we’re storing, and if we see a match between a username and a hashed password, [we] will assume that [those] credentials are compromised.”

Dropbox will then send notifications to the owners of matched accounts, advising them to change their passwords. Resetting the Dropbox password invalidates the leaked credential for Dropbox, so an attacker replaying it from the other breach gets nowhere; the user still has to change it on every other site where it was reused, which is where user habits come in. Best practices such as these are key to the company's second security pillar: user education.
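The workflow Kapoor describes, as an added example that is not Dropbox's own code: a leaked user table from another service is parsed, each leaked password is re-hashed the way the local store hashes it, and local accounts whose stored hash matches are flagged for a reset notice. The storage scheme used here (a random per-user salt with PBKDF2-HMAC-SHA256), the `email:password` dump format, and all account names are assumptions for illustration; the page does not say what Dropbox actually uses.

```python
"""Breach-dump matching against locally stored password hashes.

Added example, not Dropbox's code. Storage scheme (per-user salt +
PBKDF2-HMAC-SHA256) and the dump format are assumptions for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ITERATIONS = 200_000  # assumed work factor for the local store


def hash_password(password: str, salt: bytes) -> bytes:
    """Local storage scheme (assumed): PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_table(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a local user store {email: (salt, hash)} from plaintexts (setup only)."""
    table: Dict[str, Tuple[bytes, bytes]] = {}
    for email, password in users.items():
        salt = os.urandom(16)
        table[email.lower()] = (salt, hash_password(password, salt))
    return table


def parse_dump(dump: str) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines as found in typical leaked credential files.

    Comment lines and lines without a separator are skipped; only the first
    ':' splits, so passwords containing ':' survive intact.
    """
    pairs: List[Tuple[str, str]] = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def find_reused_credentials(user_table: Dict[str, Tuple[bytes, bytes]],
                            dump_pairs: List[Tuple[str, str]]) -> List[str]:
    """Return local accounts whose stored hash matches a leaked password.

    Because the salt is per-user, the leaked password must be re-hashed with
    each candidate's own salt; raw hashes from another site cannot be compared
    directly. hmac.compare_digest keeps the comparison constant-time.
    """
    flagged: List[str] = []
    for email, leaked_password in dump_pairs:
        entry = user_table.get(email)
        if entry is None:
            continue  # not one of our users: nothing to check
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_password, salt), stored):
            if email not in flagged:
                flagged.append(email)
    return flagged


# Constructed sample data (not real accounts or a real breach).
LOCAL_USERS = make_user_table({
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
    "carol@example.com": "Tr0ub4dor&3",
})

SAMPLE_DUMP = """\
# constructed dump, supposedly leaked from otherservice.example
alice@example.com:correct horse battery staple
bob@example.com:hunter2!
carol@example.com:Tr0ub4dor&3
mallory@example.com:letmein
broken line without separator
"""


def run_check() -> List[str]:
    """Accounts to notify: alice and carol reused their leaked password, bob did not."""
    return find_reused_credentials(LOCAL_USERS, parse_dump(SAMPLE_DUMP))


if __name__ == "__main__":
    for email in run_check():
        print(f"notify {email}: password reused from a breached service, force a reset")
```

Two practical points the code makes explicit. The comparison relies on hashing, not encryption: the stored value cannot be reversed, so the leaked plaintext is re-hashed under the user's own salt and work factor, which also means every candidate pair costs one full hash computation. And the match is only on accounts that exist locally under the same email; a dump keyed by usernames or by hashes from the other site needs its own mapping or cracking step before this check applies.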

Round Two: Education

Dropbox has a number of help center articles and tutorials that its users can peruse to improve their security habits, but the company understands that such resources do not ensure customer best practices.

“We work with our larger customers by going in and providing training for their employees,” Kapoor said. “For those customers, we also offer single sign-in services so that they can bring their own identity management solution. [These services are] a great way to help protect your employees from attackers coming through with leaked credentials or passwords.”

Education is vital for Dropbox employees as well. Hackers looking to obtain information stored on the platform might attempt to dupe employees with phishing emails, for example, which could grant them access to company accounts that can view thousands of user files. Dropbox institutes extensive employee training on how to identify and flag potential phishing attacks, and even takes the process a step further.

“We launch phishing attacks against them ourselves, just to measure how well our training is working,” Kapoor said. “We also tailor our training [by department], because an email that someone [on] the finance team might receive will be very different [from] an email that someone on our people team receives.”

These tests are conducted by an in-house threat detection team. Other teams work with them to fight the various types of fraud the company faces, forming the third pillar of its fraud-fighting efforts.

Round Three: Threat Response Teams

Dropbox’s fraud response teams have various specializations, which can largely be divided into two types: The first protects the platform, products and services, while the second safeguards the company’s corporate assets, networks and employees.

“There is overlap between the teams because, very often, an attacker may try and target a Dropbox employee in an effort to try and get access to our production environment,” Kapoor said.

The platform reaches outside its employees to find and mitigate attempted security threats, too. Its Bug Bounty Program has been active since 2014, and invites developers and white-hat hackers from around the world to attempt to find holes in its defenses. The company gives cash prizes to those who find weaknesses, and has paid out over $1 million since the program’s implementation.

“One of the things you get with attackers is diversity,” he explained. “Attackers are coming at you from all over the world, and they think about problems very differently. The Bug Bounty Program gives us that same diversity that you’d see hackers bring.”

Dropbox tripled its bounty in 2017 because security flaws were getting so difficult to identify that the offered funds were not worth hackers’ time — a testament to the success of the company’s security measures, and how collaborative efforts can be effective when preventing digital fraud, Kapoor said. Combining the fraud prevention field’s collective brainpower across a range of specializations and industries could be key to reducing fraud across the entire online space.