2.3 KiB
2.3 KiB
2020-07-17
- Tracking login attempts without CSRF tokens
- Add captcha to login attempts without customer cookie
- Sift Account Takeover product
Tracking login attempts without CSRF tokens
| 2020-07-16 17 | 6 |
| 2020-07-16 18 | 38 |
| 2020-07-16 19 | 48 |
| 2020-07-16 20 | 31 |
| 2020-07-16 21 | 27 |
| 2020-07-16 22 | 31 |
| 2020-07-16 23 | 24 |
| 2020-07-17 00 | 26 |
| 2020-07-17 01 | 20 |
| 2020-07-17 02 | 26 |
| 2020-07-17 03 | 27 |
| 2020-07-17 04 | 21 |
| 2020-07-17 05 | 26 |
| 2020-07-17 06 | 34 |
| 2020-07-17 07 | 34 |
| 2020-07-17 08 | 34 |
| 2020-07-17 09 | 36 |
| 2020-07-17 10 | 49 |
| 2020-07-17 11 | 34 |
| 2020-07-17 12 | 53 |
| 2020-07-17 13 | 36 |
Login attempts without CSRF tokens appear to be fairly stable, without much drop-off. Once we're comfortable with the frequency with which this occurs, we can apply this change to the Login Throttling code to mark login attempts without a token as invalid, rather than presenting the end-user with a CAPTCHA as we're doing now.