Abstract: Disclosed are various embodiments for automated detection of multi-user computing devices such as kiosks, public terminals, and so on. Network resource requests are obtained from a client computing device. It is determined whether the client computing device is a multi-user system based at least in part on whether the network resource requests embody characteristics associated with multi-user systems. The resulting classification is stored and may be used to customize generation of requested network resources.

Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, access policies define authorizations regarding which entities are able to resolve a token to access the actual sensitive data.

Abstract: Disclosed are various embodiments for facilitating the anonymization of unique entity information. A service may send anonymized responses to requests for data from multiple requestors, the data being associated with entity identifiers. The anonymized responses may comprise the data requested in association with anonymous entity identifiers as opposed to the entity identifiers.

Abstract: Disclosed are various embodiments for facilitating the anonymization of unique entity information when transmitting data to services. A content server may store entity identifiers that respectively represent entities associated with the content server. The content server may send anonymized responses to requests for data from multiple services, the data being associated with entity identifiers. The anonymized responses may comprise the data requested in association with anonymous entity identifiers as opposed to the entity identifiers. The requesting services may each receive a different anonymous identifier representing a single entity.

Abstract: Disclosed are various embodiments for discovery of public points of interest. Data identifying points of interest is obtained. Each point of interest is associated with a respective user and specifies a respective name and a respective geographic location. A public point of interest is determined based at least in part on a similarity of the respective names of a subset of the points of interest, a proximity of the respective geographic locations of the subset of the points of interest, and a number of different users associated with the subset of the points of interest.

Abstract: Disclosed are various embodiments that perform confidence-based authentication of a user. A request from a user is obtained, where the request pertains to an operation on a network site. An authentication duration for the user is determined, based on a risk to the user of performing the operation. A determination is made whether a current session associated with the user has expired, based on the authentication duration. The operation requested by the user is performed in response to the determination that the current session associated with the user has expired.

Abstract: A user account may be throttled to restrict access once aberrant behavior is detected. Upon receiving a request to access the user account, a determination of whether the user account is in a throttled state may be made. In some aspects, when the user account is not in a throttled state, user account access may be determined based at least in part on an access credential. Further, in some aspects, when the user account is in a throttled state, user account access may be determined based at least in part on an access credential and other client information associated with the user account.

Abstract: Disclosed are various embodiments for facilitating the anonymization of unique entity information when transmitting data to services. A content server may store entity identifiers that respectively represent entities associated with the content server. The content server may send anonymized responses to requests for data from multiple services, the data being associated with entity identifiers. The anonymized responses may comprise the data requested in association with anonymous entity identifiers as opposed to the entity identifiers. The requesting services may each receive a different anonymous identifier representing a single entity.

Abstract: A user password is obfuscated using a first obfuscation algorithm and stored. A security module receives a password from a user a first time and, in response thereto, obfuscates the password using a second obfuscation algorithm and stores the obfuscated password. The security module subsequently receives the password from the user a second time. In response thereto, the security module obfuscates the password using the second algorithm a second time and compares the results of the obfuscation with the stored password obfuscated using the second algorithm. If the results of the obfuscation and the stored password obfuscated using the second algorithm match, the security module replaces the stored password obfuscated using the first algorithm with the password obfuscated using the second algorithm. The operations are performed transparently to the user associated with the password.

Abstract: Disclosed are various embodiments for facilitating the anonymization of unique entity information when transmitting data to services. A content server stores data in association with entity identifiers, each entity identifier represents an entity of the content server. The content server may send anonymized responses to requests for data from multiple services. The anonymized responses comprise the data requested in association with anonymous entity identifiers as opposed to the entity identifiers. Each anonymous identifier represents an entity associated with the data requested. The requesting services may each receive a different anonymous identifier representing a single entity.

Abstract: Disclosed are various embodiments that perform confidence-based authentication of a user. A request from a user is obtained, where the request pertains to an operation on a network site. An authentication duration for the user is determined, based on a risk to the user of performing the operation. A determination is made whether a current session associated with the user has expired, based on the authentication duration. The operation requested by the user is performed in response to the determination that the current session associated with the user has expired.

Abstract: Evidence of attempted malware attacks may be used to identify the location and nature of future attacks. A failed attack may cause a program to crash. Crash data may be sent to an analyzer for analysis. The analysis may reveal information such as the identity of the program that is being exploited, the specific way in which the program is being exploited, and the identity or location of the source of the attack. This information may be used to identify potential sources of attack and to identify the same type of attack from other sources. When the source and/or nature of an attempted attack is known, remedial action may be taken. Filters may warn users who are attempting to visit sites from which attacks have been attempted, and the makers of programs that are being exploited can be notified so that those program makers can release updates.

Abstract: Disclosed are various embodiments that perform confidence-based authentication of a user. An identification of a user account is obtained from a user, and a minimum confidence threshold is determined. Multiple authentication questions are presented to the user, where the authentication questions are determined based at least in part on stored transaction information associated with the user account. Answers are obtained from the user to a subset of the questions, with each answer having a corresponding authentication point value. A confidence score is generated for the user, where the confidence score is increased by the respective authentication point values of the correct answers. Access by the user to a resource associated with the user account is authorized in response to determining that the confidence score meets the minimum confidence threshold.

Abstract: Disclosed are various embodiments for discovery of public points of interest. Data identifying points of interest is obtained. Each point of interest is associated with a respective user and specifies a respective name and a respective geographic location. A public point of interest is determined based at least in part on a similarity of the respective names of a subset of the points of interest, a proximity of the respective geographic locations of the subset of the points of interest, and a number of different users associated with the subset of the points of interest.

Abstract: Validation data, such as an image selected by a merchant, is rendered on a mobile device of a customer to provide the merchant confirmation that payment for an item submitted through the mobile device of the customer was in fact received by the merchant. The merchant may establish an account on a network-accessible computing device (e.g., in the “cloud”) that includes the validation data. The customer authorizes payment to the merchant from the mobile device using the network connectivity of the mobile device. When the payment is received by the merchant, the network-accessible computing device sends the validation data to the customer's mobile device. The merchant may be confident that he or she has in fact received an electronic payment from the customer when the validation data is presented on the mobile device. Techniques to prevent reuse and copying of the validation data are also discussed.

Abstract: Evidence of attempted malware attacks may be used to identify the location and nature of future attacks. A failed attack may cause a program to crash. Crash data may be sent to an analyzer for analysis. The analysis may reveal information such as the identity of the program that is being exploited, the specific way in which the program is being exploited, and the identity or location of the source of the attack. This information may be used to identify potential sources of attack and to identify the same type of attack from other sources. When the source and/or nature of an attempted attack is known, remedial action may be taken. Filters may warn users who are attempting to visit sites from which attacks have been attempted, and the makers of programs that are being exploited can be notified so that those program makers can release updates.