Account takeover (ATO) is a serious problem for online businesses across all industries, with record levels. In the U.S. alone, 24.6 billion stolen credentials are available for sale and can be used to take over accounts of unsuspecting individuals.
ATO attacks are made possible by credential stuffing, an approach that leverages bots to automate logging in to user accounts at scale.
Once the bot is successful, the credentials can be reused to access accounts from other companies. The approach takes advantage of the fact that many people reuse the same username/email and password combination across various websites and applications.
These credentials are often bought and sold illicitly in digital marketplaces and used in ATOs to obtain personal identifiable information, credit card details, or other valuable data from the compromised accounts.
Bots and automated tools fly under the radar, making it extremely difficult to identify an account takeover attack while it’s happening.
Fraudsters can gain access to accounts without the account owner realizing it. This can make it difficult to take action and prevent further damage.
Another reason ATO is so difficult to protect against is that it only takes one successful attack to compromise an account.
Once an attacker has access to an account, they can easily exploit it to their advantage—they can change the account password or contact information (such as phone number or address), make unauthorized purchases, or access sensitive customer data.
But why aren’t organizations able to stop ATO attacks before they happen?
Why it’s difficult for organizations to protect themselves from account takeover
Here are the main reasons why account takeover is so difficult to protect against:
1. Inability to detect automation
As technology becomes more sophisticated every year, organizations face new challenges with bot automation. Advanced attacks make bots difficult to detect.
IP addresses used to be the main factor that distinguished bots from humans. However, it has become easy for bots to fake IP addresses and pass security checks.
To identify and stop malicious automation, organizations need cutting-edge bot detection software like Kasada.
2. Lack of visibility into account activity
Many businesses don’t have visibility into what’s happening inside customer accounts. This makes it difficult to detect suspicious activity that could be indicative of an ATO attack.
But why don’t businesses have adequate visibility into customer accounts? Here are a few reasons:
Businesses rely on customer self-reporting
Most businesses rely on customers to report suspicious activity. This is not an effective way to detect ATO attacks because customers may not notice the unusual activity until it’s too late.
Insufficient data
Many businesses don’t have the data they need to detect ATO attacks. This data includes information about customer account activity, such as login attempts, password changes, and purchase history.
Lack of robust tools
Businesses may not have the right tools to accurately detect ATO attacks. For example, they may not have a bot mitigation system that can identify the presence of automation in customer accounts.
3. Lack of strong authentication
In many cases, customers can access their accounts with weak credentials (Ex. a password that says “password.”) This makes it easy for attackers to gain access if they manage to obtain these credentials.
Additionally, many businesses don’t have the proper authentication systems in place to prevent fraudsters from accessing accounts after easily guessing the weak credentials.
Even when 2FA or MFA is employed or encouraged across an organization, smart bots can circumvent these defenses by stealing SMS codes or intercepting one-time passcodes (OTP) during the login process.
Today, many bad bots can bypass weak authentication systems and compromise accounts. Attackers can deploy these bots and gain access to sensitive information in just a few clicks.
4. Lack of security controls
Many businesses don’t have the in-depth defense required to protect customer accounts.
But why do so many businesses fail to implement security controls? Here are a few reasons:
Complexity
Security controls can be complex to configure and maintain. This is especially true for legacy bot detection systems.
5. Human error
People can inadvertently allow attackers to take over accounts by falling for phishing scams or other social engineering techniques.
Many business owners mistakenly assume that stakeholders can identify the signs of an ATO attack, but this is not always the case.
So, how do people get tricked by social engineering tactics and phishing schemes? Here are a few ways:
Lack of awareness
Many people are not aware of the methods that attackers use to take over accounts. They may not know, for example, that phishing is a common tactic used in ATO attacks.
Limited training
Team members and other stakeholders may not receive thorough training on how to identify and prevent ATO attacks. As a result, they may not know what to look for or how to respond if they suspect an attack is taking place.
Inattention
People may simply be too busy to pay attention to the warning signs of an ATO attack. They may overlook them because they’re focused on their work tasks.
6. Malicious insiders
Sometimes, the attackers are already inside the company. They may have stolen credentials from another employee or gained access to the company’s systems through a malicious insider.
This can make it very difficult for businesses to protect themselves against ATO attacks because the attackers already have legitimate credentials.
Here’s how a bad actor can complete an account takeover from within a company:
Stolen credentials
Malicious insiders may steal credentials from another employee in order to gain access to the company’s systems.
Compromised accounts
Attackers may already have access to the company’s systems through a compromised account. This can happen if an employee’s account is hacked or if an attacker gains access to the company’s network.
Physical access
Malicious insiders may also have physical access to the company’s systems. They may be able to plug a USB drive into the system to download malicious software.
7. Third-party risks
Many businesses use third-party vendors to provide services or products. However, these third-party vendors may not have the same security controls in place as the business.
This can create a number of risks, such as:
Vendor access
Attackers may be able to gain access to the company’s systems through a third-party vendor. For example, an attacker may pose as a vendor to gain access to the company’s network.
Insider threats
Attackers may also be able to exploit insider threats at a third-party vendor. For example, an employee at a third-party vendor may have their credentials stolen, which could give the attacker access to the company’s systems.
ATO attacks are hard to protect against because they involve a combination of technical and human factors. Businesses need to address both of these areas in order to reduce the risk of account takeover.
7 steps businesses can take to protect against ATO attacks
Although there is no surefire way to prevent ATO attacks, there are a number of actions businesses can take to reduce their risk:
1. Implementing defense in depth
Like we mentioned earlier, two-factor authentication (2FA) is a type of authentication that requires two different factors to verify the user’s identity.
Common examples of 2FA include:
- A password and a security code that is sent to the user’s phone
- A password and a fingerprint scan
- A password and a Face ID
How do you know which 2FA method is right for your business?
The answer to this question depends on a number of factors, such as the sensitivity of the data being protected and the resources available to your business.
You should also keep in mind that 2FA is not foolproof. Attackers may be able to bypass 2FA if they have access to the user’s phone or if they’re able to spoof the user’s fingerprint.
Access control measures, such as least privilege and segregation of duties, can help to prevent ATO attacks.
Here’s a quick overview of these two concepts:
- Least privilege: when users only have the permissions they need to do their job. This reduces the risk of an attacker being able to misuse a user’s account.
- Segregation of duties: when different users have unique permissions. This makes it more difficult for an attacker to gain access to sensitive data because they would need to compromise multiple accounts.
2. Improving visibility into account activity
Organizations need to have visibility into account activity in order to detect and prevent ATO attempts.
User and entity behavior analytics help organizations detect unusual or suspicious activity by monitoring for changes in user behavior, such as anomalous login activity or unexpected file access. Security information and event management systems collect data from various security devices and applications, providing a centralized view of an organization’s security posture.
Organizations can use these tools to detect ATO attempts and take steps to prevent them—but what about the bots themselves?
At Kasada, our solution provides a dashboard with actionable insights into human, good bot, and bad bot traffic. We are different from other security tools because we provide an in-depth perspective on bot behavior, which is crucial in understanding how malicious bots interact with your site and existing security systems.
When it comes to bot mitigation, visibility is power. Kasada will offer you both the bird’s eye view and the magnifying glass in examining bot behavior.
3. Designing systems securely
For example, using secure coding practices and conducting audits can help to identify and fix security vulnerabilities.
4. Training employees
Employees are often the weakest link in an organization’s security. This is why it’s important to train them on security best practices, such as how to spot and report suspicious activity.
When is the right time to train employees on security?
You may want to provide training when new employees start or when there are changes to your security policy. You should also consider providing refresher courses on a regular basis.
6. Enhancing vendor management processes
You should have a process in place for vetting and onboarding vendors. This process should include an assessment to ensure that the vendor has adequate security controls.
How to mitigate risks posed by third-party vendors
- Perform a security assessment of the vendor before onboarding them.
- Set up alerts to notify you of changes in the vendor’s security posture.
- Have a plan for managing vendor risks.
- Train your employees on how to spot and report suspicious activity.
- Implement least privilege and segregation of duties principles.
7. Investing in a bot mitigation solution
Bots can be used to automate ATO attacks. For example, an attacker may use a bot to conduct credential stuffing.
Organizations should consider investing in a bot mitigation solution to protect themselves against ATO attacks. Bot mitigation solutions can help organizations detect and block automated attacks, as well as provide visibility into attack activity. Additionally, bot mitigation solutions can provide organizations with the ability to customize their defenses to better protect against ATO attacks.
Bot mitigation solutions are especially helpful for protecting against credential stuffing attacks, which are a common type of ATO attack. By investing in a bot mitigation solution, organizations can help to detect and block these attacks, as well as prevent attackers from gaining access to sensitive data.
Kasada’s bot mitigation solution uses a combination of advanced detection and strong obfuscation to stop ATO attacks.
By taking a comprehensive approach to security, businesses can reduce the risk of ATO attacks and keep their customer accounts safe.
If you want to protect your business from account takeover (ATO) risks, contact us today to schedule a demo.
