When you protect your video download or streaming links with AutoGraph watermarking, you can optionally enable also further advanced fraud prevention features via the "anti_fraud=true" query parameter. When anti_fraud is enabled, a set of additional fraud checks based on advanced machine learning will be performed every time a user accesses the AutoGraph video link. With these advanced fraud checks, user accounts that were fraudulently created in your site (e.g. using stolen credit cards) can be detected (and blocked) in realtime. Also, account take-over attacks where hackers make use of compromised passwords to gain unauthorized access into the accounts of unsuspecting users in your website can be detected and effectively prevented.
1) Anti-Fraud Callback. In order to use any of the AI-based realtime fraud detection features, you'll need to set up a webhook in your website first that will be called by our system to query additional information about the user that was identified by the "autograph_tag" parameter in an AutoGraph video link. The data is used to perform an automatic fraud check via advanced machine learning in order to decide whether to allow the download or block/quarantine it.
The webhook URL may be called with either a GET
or a POST
request always appending the value of the "autograph_tag" parameter taken from the video link (in the following example, we assume that you use the username of accounts in your site as the "autograph_tag" but it could be also any other user identifier like a member id or a purchase id, etc.). The request URL is HMAC-signed with the same client_id and client_secret you originally used to sign your AutoGraph video link. The GET
request is used to obtain info about the specified user in JSON format from the callback. The POST
request may be called to send events/notifications to your callback that you can hook onto to perform automatic actions, for example to enforce an automatic password reset on user accounts that have been detected as possibly compromised.
Here's an example how a typical GET
request looks like with its expected response:
curl "https://yourdomain.com/member_info.php?username=happyuser&autograph_tag=happyuser×tamp=1546859760&client_id=552cae3514ea10cb4d3ac69e&signature=7643e3e94d998978d9116034e08beceac55a7fab" { "firstname":"Martin", "username":"happyuser", "email":"martin123@gmail.com", "address":"", "city":"Seoul", "zip":"100-141", "country":"KR", "join_ip":"211.195.13.4", // IP address by which the user originally subscribed to your website (or purchased the video) "joined":"1565396069", // Unix timestamp of the time when the user originally subscribed to your website (or purchased the video) "sale_amount":"29.95" }
And here's an example of a POST
request to the callback that reports a suspected account takeover for multiple autograph_tags ('hacked_user' and 'eviluser') in just a single call:
curl -X POST -H "application/json" -d '{ "payload_type": "autograph_tags", "fraud_type": "account_takeover", "autograph_tags": ["hackeduser", "eviluser"] }' "https://yourdomain.com/member_info.php?username=happyuser&autograph_tag=hackeduser×tamp=1546859760&fraud_type=account_takeover&payload_type=autograph_tags&payload_size=623&payload_hmac=83a6c109cd24c7a910d863178c4bf4f4c9d35015&client_id=552cae3514ea10cb4d3ac69e&signature=16034e08beceac55a7fab09cd24c7a910d863178"
Implementation: We provide an example implementation of the webhook, which you can download here.
This particular example uses the NATS REST API to fetch the member details internally (see: xvid_make_nats_api_call() function) and then parses out the necessary info to return as response of the webhook. If you don't use NATS to manage your users, you can also easily implement any other user lookup method instead (like e.g. doing a direct MySQL lookup into your user database, etc.).
If you manage more than one site (and so have a different set of users per site), use one separate webhook for each site.
When you create your own web hook, do not skip verifying the "signature" parameter, which must be present in all requests to the webhook. Only when the signature is correct and has not already been used before (use the "timestamp" parameter as a helper here) must the request be handled and a response served. Signature verification works the same than for the ping callbacks that can be configured for the pipelines resource. GET requests carry only a "signature" parameter, which is a HMAC-SHA1 over the URL path (excluding protocol and domain name). POST requests carry an additional parameter "payload_hmac", which is a HMAC-SHA1 signature over the request body.
For further enhanced security, you should also only allow requests originating from IPs associated with our domain api.xvid.com (please also see our example webhook implementation on how to do that).
NATS REST API
If you use Too Much Media's NATS software, you can use our webhook example just as is, without modification. You only need to create a NATS API user and fill the API user and key credentials into the config section of our webhook example script.
You will need to enable the NATS REST API first (if you don't have it already enabled anyway). Also, when creating a new NATS API user, please make sure that the user has GET permissions on the "member" collection and "details" resource.
You'll also need to allow the IP address of your web server running our webhook script access to your NATS API (the IP must be whitelisted in the NATS security settings under ADMIN_API_ALLOWED_IPS).
2) Set up CNAMEs. To ensure smooth functioning of the anti-fraud features, you must set up a CNAME in your domain for the application you use to sign the AutoGaph video links.
You will find step by step explanations how to set up CNAMEs in your own domain here.
3) Configure your callback on an application. To make sure that your new callback will actually be called, you need to configure the callback URL for the same application that you also use to sign your AutoGraph video links. You can currently do this only via our REST API. First, get an OAuth API access token as described here. Then, run the following curl command to set the anti-fraud callback URL and enable the basic fraud detection:
curl -X PUT -H "application/json" -d '{ "application": { "antifraud_settings" : { "callback_url": "https://yourdomain.com/member_info.php?username=", "alert_threshold": 0.5 } } }' "https://api.xvid.com/v1/applications/YOUR_APPLICATION_CLIENT_ID?access_token=YOUR_AUTH_TOKEN&human=true"
4) Extended Auth smart step-up authentication. To protect your users from account take-over attacks, you can optionally implement also our smart Extended Auth step-up authentication.
When enabled, it will automatically detect unusual access patterns like download attempts from previously unseen locations or devices and require an extra verification via a confirmation code sent to the user by email. This happens only when suspicious activity was detected by our smart, AI-based fraud detection engine. In the vast majority of cases where "normal", unsuspicious users are accessing the download links, no step-up verification will be required.
In the unusual case where a download attempt was detected as suspicious, an overlay window will pop up with a step-up challenge (see example sceenshot below) and only when the user solves the challenge by correctly entering the confirmation code he received by email, the download will be granted. Any successfully solved step-up challenge will be remembered and the same user will not be bothered by further challenges anymore (provided he continues to use the same device).
In order to use the Extended Auth feature, you need to include our drop-in xvid_ex.js
script into every page of your site where you also offer AutoGraph video links (either download or streaming).
First, include the xvid_ex.js
script and xvid_ex.css
stylesheet as far up in your page as possible, for example in the "<head>" section:
<head> <link href="https://assets.xvid.com/assets/xvid/latest/xvid_ex.css" rel="stylesheet"> <script src="https://assets.xvid.com/assets/xvid/latest/xvid_ex.js"></script> </head>
Then, add a few lines of javascript code to initialize the Extended Auth script anywhere in your page's body section. In particular, you must pass the html template that will be shown inside the lightbox as a string parameter. You can fully customize the html, so you can have full control over the text and layout that will be shown in the overlay box (only you should not change the ids of html elements in the original template).
<body> <!-- Copy&Paste the following script section into the body of your page --> <script type="text/javascript"> var form_html = '<div class="text-center" style="background-color: white; text-align: center; padding: 20px;"><div class="row-fluid">' + '<div class="span12"><br/><h1 class="spBelow2"><strong>New Device or Location Detected!</strong></h1><h3>We haven\'t seen ' + 'you accessing the site with this device or from your current location before.</h3><h3>To protect your account, ' + 'we\'ve sent you an email with a verification code to the email address by which you joined.<br/>Please check your email, ' + 'then enter the code you received in the form below and press "Continue" to access your videos.</h3></div></div></br/><br/>' + '<div class="row-fluid"><div class="span6"><h3 class="center"><strong>Your Device: </strong>@@@DEVICE_DESC@@@</h3></div>' + '<div class="span6"><h3 class="center"><strong>Your IP: </strong>@@@IP_LOCATION@@@</h3></div><br/><br/><label for="xvid_code" ' + 'style="font-size: 1.5em;">Your Code: <button type="button" id="xvid_resend_button" class="btn btn-small btn-success" ' + 'onclick="xvid.onResendClick();"><i class="icon icon-ccw" style="color: white;"></i> Resend</button></label><textarea ' + 'name="xvid_textbox" id="xvid_code" cols="34" rows="2" class="center-block" style="font-size: 2em; padding-left: 5px; ' + 'max-width: 100%; padding-right: 5px;" autofocus></textarea><br/><br/><div class="row-fluid"><div class="span3 alert" style="' + 'visibility:hidden;"> </div><div id="xvid_error_alert" class="span6 alert alert-danger center" style="visibility:hidden; ' + 'display:none;"><h3></div><div id="xvid_success_alert" class="span6 alert alert-success center" style="visibility:hidden; ' + 'display:none;"></div><div class="span3"> </div></div><button type="button" id="xvid_submit_button" class="btn-large ' + 'btn btn-primary" onclick="xvid.onSubmitClick();">Continue</button><br/> </div>'; xvid.create({'template': form_html, 'cname': 'xvidcdn.yourdomain.com'}); <!-- cname you configured for your application --> </script> </body>
For a full example, see: https://mediahub.xvid.com/examples/auth_test.html
Finally, once you've integrated the xvid_ex.js
into your pages, you need to enable the Extended Auth feature for your application (so for the application that you also use to sign your AutoGraph video links). This can be currently done only via our REST API. First, get an OAuth API access token as described here. Then, run the following curl command to enable the Extended Auth feature:
curl -X PUT -H "application/json" -d '{ "application": { "antifraud_settings" : { "extended_auth": { "enabled": true, "passive_mode": false, "enabled_tags" : "testuser1, testuser2" } } } }' "https://api.xvid.com/v1/applications/YOUR_APPLICATION_CLIENT_ID?access_token=YOUR_AUTH_TOKEN&human=true"