Stopping Account Takeover - some practical steps

The use of stolen payment details remains the largest fraud cost to online businesses by some margin. Emerging quickly from its shadow however is the blight of account takeover. Some figures put losses at $5BN per year and growing. Whatever the true figures it’s large and unlike credit card fraud it is coupled with a reputational costs - read more about this here.

Customers that have their accounts hacked are very quick (understandably) to take to social media as due to the nature of the crime the route to compensation for a consumer is less clear than credit card theft. Ravelin has written a guide to this topic available for download here. I recommend you read. Here is a shorter summary of what to expect.

What is Account Takeover?

Account Takeover (ATO) is when a fraudster gains control of an account that belongs to a genuine customer. With account takeover Fraud, fraudsters use the customer’s good track record to make unauthorised transactions. This can be done with the good customer’s saved card details or with stolen card details purchased online.

The most common method used is credential stuffing.

Credential stuffing relies on ‘combo lists’ - lists of passwords and emails usually compiled from several data breaches. The combinations are then automatically run against a login with any successful attempts logged. This is usually referred to as account ‘cracking’.

Breached credentials can be used to ‘crack’ an account on another service because people often use the same password across multiple services. Credential stuffing can be scripted by more skilled fraudsters. However, automated tools like Sentry MBA make credential stuffing attacks very easy for anyone to do.

What you can do to stop it

There are a number of things merchants can do to mitigate against ATO. Targeting the tools and techniques that fraudsters use to commit ATO is a good place to start.

• Monitoring login activity and patterns in things like HTTP client, IP, user agent and device details is important. Maintaining a breached credentials database can also help to protect your customers from ATO.
• Targeting other tools that may indicate suspicious activity such as headless browsers, automated OCR tools (if you use captchas), TOR, VPN, proxies etc. is also advisable.
• Implementing 2FA if you have verified numbers associated with accounts can be helpful though may negatively impact conversion if applied to all customers.

What Ravelin does to stop ATO

Ravelin has introduced a number of different ways to combat ATO that we make available to clients.

Breached credentials database check

Ravelin maintains a breached credentials database. Knowing whether credentials have been compromised allows merchants to take proactive steps to prevent ATO attacks before they happen.

Rate limits

We have added customizable rate limits that specifically target ATO at login around device, username and IP. This can be useful for tackling high volume attacks.

Rules

Rules add another layer of protection for customer accounts. This allows you to use further challenges on only the most vulnerable accounts, protecting good customers and conversion.

Material account changes

We detect and inform you of key changes and suspicious account events. You can then decide to notify the user and request that the customer confirm the activity was legitimate.

Collecting and surfacing login activity data

We provide oversight of login activity within our dashboard through reporting and rich customer profiles.

Model behaviour

We can work with clients to develop machine learning models that target ATO. This approach has huge potential for anomaly alerts and uncovering hidden patterns in the fraudsters’ attack strategies.

You can read more about ATO and what Ravelin does to tackle it in our insights page here.