In 2019, Americans were swindled out of over $1.9 billion in fraudulent transactions, an increase of $300 million over the year before. The Federal Trade Commission attributed many of these losses to account takeover fraud. Other sectors of the economy also suffer credential stuffing and ATO attacks; some victims choose to suffer in silence, while others disclose the incidents and take active measures to prevent them from recurring.
Any effective mechanism to stop account takeover depends on how well it detects the agent that carries out the attack: the bot. So before looking at ways to stop account takeover, let us consider the techniques you can use to detect it.
How to detect account takeover
As noted above, to stop an account takeover effectively, you first need to identify it correctly. Below are some indicators of an account takeover attack.
Multiple IP address countries linked with an account
A good indicator of an account takeover is an account being used from IP addresses in many different countries. Attackers do not know which country their victim lives in when they do credential stuffing because, in most instances, their source of credentials is data dumps from various breaches, and the customers in those dumps are distributed around the world. Because the same dump is accessible to many fraudsters, criminals may log into the same account from multiple continents in the same timeframe.
Many customer details changing at once
Very little of what a fraudster does immediately after gaining access to an account is legitimate. Merchants who detect a possible takeover send warnings to their clients, so to keep access to the account, the fraudster changes the victim's details, such as the email address and phone number.
Different accounts changing to have shared details suddenly
Sometimes the attackers do not want to seize the victim's account outright; it may be that the account has better insurance deductibles or a high purchasing ability, so they only change some fields on the victim's profile, perhaps the phone number or the email address alone. Because an attacker controls multiple accounts, they apply the same changes across all of them, so the same email address or phone number appears on many accounts. This indicates an account takeover.
New delivery address, account details, and a new device
Have you seen the scenarios below? Then most likely a customer has been targeted by an account takeover attack. They include:
- updates to customer details like names, email and mobile phone number,
- a customer logging into their account within 24 hours after changing or updating their profile, and
- the customer placing an order with a new delivery address after both of the above.
Other indicators of an ATO include multiple accounts linked to the same MAC address and an increase in the ratio of unknown to known device models.
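As an added illustration (not code from the original article), the following Python script runs the indicators above over a small constructed event log and reports which accounts trip which rule; the 24-hour window, the event format and the account names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not real data). Rows are (timestamp, account, event, value):
# "login" carries the IP geolocation country, "profile_change" carries "field=new_value",
# and "order" carries the delivery address.
EVENTS = [
    ("2024-03-01T08:00:00", "alice", "login", "US"),
    ("2024-03-01T08:20:00", "alice", "login", "BR"),     # another continent, 20 minutes later
    ("2024-03-01T08:25:00", "alice", "profile_change", "email=drop1@example.invalid"),
    ("2024-03-01T08:26:00", "alice", "profile_change", "phone=+1-555-0100"),
    ("2024-03-01T09:00:00", "alice", "login", "BR"),
    ("2024-03-01T10:00:00", "alice", "order", "addr=99 Mule Street"),
    ("2024-03-01T11:00:00", "bob", "profile_change", "phone=+1-555-0100"),   # same phone as alice
    ("2024-03-02T12:00:00", "carol", "login", "DE"),
    ("2024-03-02T12:30:00", "carol", "profile_change", "email=carol.new@example.invalid"),
]

def detect_ato(events, window=timedelta(hours=24)):
    """Return {account: sorted indicator names} for every account that trips a rule."""
    rows = sorted((datetime.fromisoformat(ts), acct, ev, val) for ts, acct, ev, val in events)
    per_account = defaultdict(list)
    for row in rows:
        per_account[row[1]].append(row)
    # Rule 3 needs a cross-account view: which accounts set the same new email/phone.
    owners = defaultdict(set)
    for _, acct, ev, val in rows:
        if ev == "profile_change":
            owners[val].add(acct)
    flags = defaultdict(set)
    for acct, evs in per_account.items():
        for i, (ts, _, ev, val) in enumerate(evs):
            recent = [e for e in evs[:i + 1] if ts - e[0] <= window]   # this event plus the window before it
            # 1. logins from two or more countries inside one window
            if len({e[3] for e in recent if e[2] == "login"}) >= 2:
                flags[acct].add("multi_country_login")
            # 2. two or more profile fields changed inside one window
            if len({e[3].split("=", 1)[0] for e in recent if e[2] == "profile_change"}) >= 2:
                flags[acct].add("mass_detail_change")
            # 3. the same new email/phone value set on more than one account
            if ev == "profile_change" and len(owners[val]) >= 2:
                flags[acct].add("shared_detail_across_accounts")
            # 4. profile change, then a login, then an order to a never-seen address, inside one window
            if ev == "order" and val not in {e[3] for e in evs[:i] if e[2] == "order"}:
                kinds = [e[2] for e in recent]
                if "profile_change" in kinds and "login" in kinds[kinds.index("profile_change"):]:
                    flags[acct].add("new_address_after_detail_change")
    return {acct: sorted(f) for acct, f in flags.items()}
```

In a real deployment the rules would read from the login, profile and order event streams rather than an in-memory list, and each flag would feed a step-up authentication or review queue rather than a plain dictionary.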
How can you stop account takeover?
After correctly identifying the attack, you must take measures to stop it. ATOs have a devastating effect on a business, such as tarnishing the brand's reputation and causing substantial financial losses. Below are methods of preventing an account takeover.
Using a bot detection and mitigation solution
Bot solutions automatically monitor your application, website, or APIs for anomalous login behavior and for the rate of success and failure of login attempts. In addition, they look for suspicious account activity such as the creation of fraudulent accounts and IP addresses from multiple countries accessing one account. They automatically correlate that data with high-risk account behaviors like address changes, credit card authorizations, password changes, and gift card usage. Using AI and machine learning, bot mitigation solutions can analyze HTTP request and response data, request anomalies, application behavior, and traffic sources in real time. They also automatically alert the customers and block an account takeover or credential stuffing attempt.
Multi-Factor Authentication (MFA) to prevent credential stuffing
The days when usernames, passwords, and secret questions and answers were enough to prevent fraudulent activity are long gone. This has driven new ways of securing user data from malicious actors, key among them multi-factor authentication protocols. MFA requires a user to present something they have (or are, such as a biometric) together with something they know, for instance a PIN. There are several multi-factor techniques that you can use to stop account takeover attacks. Below are some of them:
Many phone authenticator apps are compatible with the FIDO (Fast IDentity Online) protocol. These applications can authenticate you without a password from your Android, iPhone, or Windows device. They also work with Azure and Microsoft Active Directory to quickly recognize a user through facial recognition, a fingerprint, or a mobile device.
Near Field Communication (NFC) has shifted authentication methods. One such change is the introduction of the security key: a USB device that is plugged into a computer, or tapped over NFC, to sign in to a website, providing strong authentication that defeats credential stuffing. Security keys work across platforms and operating systems. They are effective because they can be used as 2FA (the key and a PIN) or 3FA (a fingerprint, the key, and a PIN).
Smart Badge Authenticators
They enable password-less authentication by leveraging multi-factor authentication too. By combining something you know (a PIN) with something you have (the smart card), they provide a better level of security than the traditional username and password, which were easily hacked. An attacker may obtain your PIN but not the card, or vice versa. This effectively thwarts any effort by a bot to conduct an account takeover through credential stuffing.
When a data breach occurs, cybercriminals jump right in and begin credential stuffing to establish which credentials are valid and can be used for an account takeover. Alerting your customers immediately after a data breach can help avert a financial and information catastrophe; you can advise them to change their passwords at once. But what if the attacker has already validated the credentials? Wouldn't that give them a "legitimate" way into the account? Always ensure that you have instituted measures requiring unique, strong, and never-compromised passwords. This makes account takeover unlikely. Proactively protect user data and keep abreast of data breach incidents so that you can identify compromised accounts.
With account takeover affecting various sectors of the economy, no one is truly safe. Stopping it will require the effort of both users and businesses. As a user, choose a strong password that has never been compromised and do not reuse the same credentials on multiple sites. As a business, install a bot protection solution to protect customer data and business information from ATO, which can cause huge losses and privacy concerns.
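To illustrate the "never compromised" requirement, here is an added Python example (not the article's own code) that screens a candidate password at signup or password change against a constructed breach corpus using a hash-prefix lookup, so the full password or hash never leaves the checker; the corpus contents, the SHA-1 index format and the 12-character minimum are assumptions.

```python
import hashlib

def sha1_hex(password):
    """Upper-case SHA-1 hex digest, used here only to index the breach corpus
    (never as a way to store account passwords)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed breach corpus (not real leak data): passwords from hypothetical dumps,
# stored only as hashes and bucketed by the first five hex characters of the hash.
# A lookup then needs just the 5-character prefix, never the password or its full hash.
LEAKED_PLAINTEXTS = {"password1", "qwerty123", "letmein", "Summer2019!"}
BREACH_INDEX = {}
for _pw in LEAKED_PLAINTEXTS:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])

def is_compromised(password, index=BREACH_INDEX):
    """True if the password's hash suffix appears in the bucket for its prefix."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())

def check_new_password(password, min_length=12):
    """Reasons a candidate password must be rejected at signup or password change
    (empty list means accept). min_length is an assumed policy value."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")
    if is_compromised(password):
        reasons.append("found_in_breach_corpus")
    return reasons
```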