Cloudflare Introduces Account Abuse Protection: Preventing Fraudulent Attacks from Bots and Humans

Cloudflare has launched a new suite of fraud prevention capabilities designed to stop account abuse before it starts. The new features, available in Early Access, aim to address the complex security challenge posed by industrialized hybrid automated-and-human abuse. Key components of Account Abuse Protection include:

• Disposable email check: helps identify users who sign up with throwaway email addresses, a common tactic for fake account creation and promotion abuse.
• Email risk: assesses the risk of email addresses based on email patterns and infrastructure.
• Hashed User IDs: per-domain identifiers generated by cryptographically hashing usernames, providing better insight into suspicious account activity and greater ability to mitigate potentially fraudulent traffic.

Technical Details and Practical Implications

The new capabilities are designed to go beyond automation, identifying abusive behavior and risky identities among human users and bots. Cloudflare's leaked credential check is a free feature that checks whether a password has been leaked in a known data breach of another service or application on the Internet. This is a privacy-preserving credential checking service that helps protect users from compromised credentials.

Developers can benefit from these features by:

• Enabling leaked credential check to protect their users from easy hacks.
• Using disposable email check and email risk to enforce security preferences for users who sign up with throwaway email addresses.
• Utilizing Hashed User IDs to gain better insight into suspicious account activity and mitigate potentially fraudulent traffic.

Availability and Timeline

Account Abuse Protection is available in Early Access, and any Bot Management Enterprise customer can use these features at no additional cost for a limited period, until the general availability of Cloudflare Fraud Prevention later this year.