Account takeover, or ATO, is a type of cybercriminal that occurs when a cybercriminal gains access to a genuine user/customer account. When the said cybercriminal uses these stolen accounts to perform other attacks like phishing, data leaks, and many others, then we can call these account takeover attacks.
Although detecting and stopping ATO attacks can be a huge challenge since, after all, they are using genuine accounts to launch these attacks, there are actually some effective account takeover detection and prevention methods we can implement to protect our system and network.
Before we begin, however, let us learn how account takeover works to really understand the right detection and prevention methods.
How Account Takeover Works
Account Takeover or Account Compromise, simply put, happens when other parties get access to a legitimate user’s account.
Any online account can technically be a target of account takeover: eCommerce accounts, banking accounts, email addresses, accounts with paid subscriptions, and so on. The attacker can also use these accounts for various different means.
Thus, a typical account takeover would undergo the following steps:
- The attacker uses various methods to access a user account
- Typically the attacker will change the account details so the original owner will no longer be able to access the account
- Use the account for the attacker’s benefits:
- Order products if it’s an eCommerce account
- Steal any valuable data in the account and sell it elsewhere
- Send messages and emails to the account’s contacts to launch phishing attacks
- Use any available credits or points in the account
Effective Account Takeover Detection Methods
Account takeover is essentially possible because so many of us make the same mistakes over and over again:
- Using a weak password or generic password containing birthday, address, family member’s name, pet’s name, and so on
- Using the same password over and over again on all our different accounts, even if it’s a sufficiently complex password
This is why account takeover is very difficult to completely stop because there’s always a new user who makes these mistakes.
Once the account is compromised, account takeover attacks launched from this account can be very challenging to detect. An attacker posing as a real user or customer with a good account history will make it more difficult for any security measures to prevent the attack.
With that being said, here are some effective account takeover detection methods to protect your user account, your system, and prevent further damages:
1. Check for Changes In Account Details
While legitimate users can certainly change their account details, for example when they just move to another property and change their delivery address, there is some common pattern to look for:
- The account’s name, telephone number, and/or email address are updated
- Within a 24-hour period of this change, the account is accessed by a brand new device
- After these two events, the user will make a purchase and/or perform a suspicious action.
2. Monitor Account Access From Different Locations
When an account is accessed from IP addresses from different countries, it is one of the most obvious indicators of account takeover. This is especially true if the attacker is performing mass logins (i.e. brute force or credential stuffing attacks) where they might not know the exact location of each user and may not use the right IP address every time.
When the account has an access attempt from countries different from the original user’s then you may send a notification email to the user so they can take the necessary action (change their password).
3. Bot Detection and Management
Many forms of account takeover attacks are performed with the help of automated scripts or bots. In a credential stuffing attack, for example, the cybercriminal may use a bot to inject known/stolen credentials in hundreds if not thousands of different online services per minute.
Thus, in theory, by detecting bot traffic and stopping it, we can effectively detect and prevent account takeover attacks.
However, the reality is not that simple.
Not only are today’s malicious bots getting better at impersonating humanlike behaviors like nonlinear mouse movements, but we have to also consider the presence of good bots. We wouldn’t want to accidentally block beneficial bots like Googlebot, and we wouldn’t want to block valuable, legitimate users.
Thus, an advanced account takeover protection solution that can effectively differentiate between a good bot and bad bots on autopilot is a necessity if you really want to detect sophisticated account takeover attacks.
4. Limiting Login Attempts
Not exactly an account takeover detection method, but an effective way to stop account takeover attempts is to provide a limited number of login attempts to block brute force and account takeover attacks, among other password-based attacks.
For example, you can block the same IP address from making another login attempt after 2 or 3 failures.
Hopefully, by slowing the bots enough, the attacker will give up and move on to another target.
5. Signature-Based Prevention
In this method, we’ll attempt to detect signs of account takeover attempts by analyzing the traffic for various known signatures: IP address, signs of headless browser usage, inconsistent OS/browser claims, and so on.
An adequately strong web application firewall (WAF) can be configured to detect account takeover attempts via signature-based filters, for example by blacklisting IPs and tracking geographic locations of different requests.
While detecting account takeover attempts and account takeover attacks can be quite challenging, by using the methods above, we can effectively check for signs of an account takeover so we can investigate as soon as possible.