Online accounts are like onions: they have layers. And in order to secure them, you have to protect every layer — or you’ll end up crying. So put on your goggles and let’s dive in.
Main threat: Account Takeover
Your login page is the front door to your accounts. And cybercriminals are ready to break it down. They launch automated credential stuffing and brute force attacks to execute large-scale account takeovers with speed and stealth.
Although you likely have some kind of credential verification, web application firewall (WAF), CAPTCHA, and/or multifactor authentication (MFA), these tools are no match for today’s advanced bots. Sophisticated security techniques—such as volumetric detection and analysis, reverse proxying, rate limiting, intelligent fingerprinting, behavioral analysis, advanced machine learning algorithms, and real-time sensors—are needed to fully protect against unauthorized account access.
Main threat: Account Fraud
Once users log into an account, there are a number of pages they can access that contain their PII (name, email address, physical address, etc.), order history, payment information, and account balance. Determined attackers have many tools in their belts to get past login forms; they can enter stolen credentials acquired from data breaches, phishing schemes, or malware, and use session hijacking techniques that bypass MFA.
If a fraudster successfully logs into an account, they effectively have free rein to take actions therein. These include:
Savvy attackers can bypass login security to compromise an account, and this is when continuous authentication is necessary. By continuously evaluating users' post-login activity, you can assess and identify risk as users navigate within accounts. If a certain risk threshold is reached, automatic mitigation actions are taken to recover the account.
Instead of determining bot-or-not, this is the time to focus on user legitimacy. For example:
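The risk-threshold mechanism described above can be made concrete with a small post-login risk scorer. This is an added illustration, not code from the original article or from any product it refers to; the action names, risk weights and the two thresholds (step-up authentication at 50, session lock and account recovery at 90) are constructed assumptions, and a real deployment would tune them from its own fraud data.

```python
from dataclasses import dataclass, field

# Constructed risk weights per post-login action (assumption, not from the article).
RISK_WEIGHTS = {
    "login_new_device": 30,
    "login_new_country": 25,
    "change_email": 35,
    "change_password": 30,
    "add_payment_method": 20,
    "view_order_history": 2,
    "high_value_transfer": 40,
}
SENSITIVE_CHANGES = {"change_email", "change_password", "add_payment_method"}

STEP_UP_THRESHOLD = 50   # require re-authentication (e.g. an MFA challenge)
LOCK_THRESHOLD = 90      # terminate the session and start account recovery


@dataclass
class SessionRisk:
    """Cumulative risk for one authenticated session, with an audit trail."""
    session_id: str
    score: int = 0
    history: list = field(default_factory=list)   # (action, weight, running score)


def evaluate_event(session: SessionRisk, action: str, seconds_since_login: int) -> str:
    """Add the action's risk to the session and return the mitigation decision:
    'allow', 'step_up_auth' or 'lock_and_recover'."""
    weight = RISK_WEIGHTS.get(action, 5)   # unknown actions carry a small default risk
    # Changing contact or payment details within two minutes of login is a
    # classic takeover pattern (locking the owner out, cashing out), so weight it up.
    if action in SENSITIVE_CHANGES and seconds_since_login < 120:
        weight = int(weight * 1.5)
    session.score += weight
    session.history.append((action, weight, session.score))
    if session.score >= LOCK_THRESHOLD:
        return "lock_and_recover"
    if session.score >= STEP_UP_THRESHOLD:
        return "step_up_auth"
    return "allow"


def run_session(session_id: str, events):
    """Replay (action, seconds_since_login) events; stop once the session is locked."""
    session = SessionRisk(session_id=session_id)
    decisions = []
    for action, t in events:
        decision = evaluate_event(session, action, t)
        decisions.append(decision)
        if decision == "lock_and_recover":
            break
    return session, decisions


# Constructed sample sessions (not real traffic).
BENIGN_SESSION = [("view_order_history", 30), ("add_payment_method", 600)]
TAKEOVER_SESSION = [("login_new_device", 0), ("change_email", 40), ("change_password", 70)]

if __name__ == "__main__":
    for name, events in (("benign", BENIGN_SESSION), ("takeover", TAKEOVER_SESSION)):
        session, decisions = run_session(name, events)
        print(name, session.score, decisions)
```

The benign session never crosses the first threshold, while the takeover pattern (new device, then an immediate e-mail and password change) triggers a step-up challenge on the second action and a lock on the third. In practice the step-up outcome feeds back into the score: a passed MFA challenge would reset or reduce it, a failed one would escalate straight to recovery.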
Main threat: Transaction Abuse
Your transaction page is where money changes hands. Today, most transactions occur after a user is logged into an account. Cybercriminals can use bots to hoard inventory and make fraudulent purchases with stolen credit card information (known as carding). Additionally, human fraudsters can manually commit payment fraud and warranty fraud. Either way, you’re left to issue chargebacks to unhappy customers.
At the point of transaction, organizations must determine whether a payment is legitimate or fraudulent and then issue an ‘allow/decline’ decision. As bots are a major threat vector, implementing bot detection techniques (volumetric detection and analysis, reverse proxying, rate limiting, intelligent fingerprinting, behavioral analysis, and advanced machine learning algorithms) is best practice.
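Volumetric detection and rate limiting appear in both the login and the transaction technique lists above, and the same primitive serves both: a sliding-window count of how many distinct values one actor has used in a short period. The following is an added example, not code from the original article or from any product it describes. It assumes a constructed authentication log in the form `timestamp source_ip username result`, constructed checkout events as `(timestamp, account, card_fingerprint)` tuples, and illustrative thresholds (more than five usernames per source IP per minute; more than two cards per account per two minutes); events are assumed to arrive in chronological order per actor.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class VelocityMonitor:
    """Sliding-window counter of *distinct* attribute values per actor.

    For login traffic the actor is a source IP and the value a username
    (credential stuffing cycles through many usernames from one source).
    For checkout traffic the actor is an account and the value a card
    fingerprint (card testing cycles through many stolen cards in one account).
    """

    def __init__(self, window: timedelta, max_distinct: int):
        self.window = window
        self.max_distinct = max_distinct
        self._events = defaultdict(deque)   # actor -> deque of (timestamp, value)

    def record(self, actor: str, value: str, ts: datetime) -> bool:
        """Record one event; return True if the actor now exceeds the threshold."""
        q = self._events[actor]
        q.append((ts, value))
        cutoff = ts - self.window
        while q and q[0][0] < cutoff:      # drop events that fell out of the window
            q.popleft()
        distinct = {v for _, v in q}
        return len(distinct) > self.max_distinct


# Constructed authentication log (not real traffic): one legitimate user who
# mistypes a password twice, and one source trying six different usernames.
LOGIN_LOG = """\
2024-03-01T10:00:00 198.51.100.7 alice FAIL
2024-03-01T10:00:05 198.51.100.7 alice FAIL
2024-03-01T10:00:12 198.51.100.7 alice OK
2024-03-01T10:00:01 203.0.113.5 alice FAIL
2024-03-01T10:00:02 203.0.113.5 bob FAIL
2024-03-01T10:00:03 203.0.113.5 carol FAIL
2024-03-01T10:00:04 203.0.113.5 dave FAIL
2024-03-01T10:00:05 203.0.113.5 erin FAIL
2024-03-01T10:00:06 203.0.113.5 frank FAIL
"""

def analyze_logins(log_text: str, window_s: int = 60, max_users_per_ip: int = 5) -> set:
    """Return source IPs that tried more than max_users_per_ip distinct usernames
    within window_s seconds. Successes count too: a stuffing run contains hits."""
    monitor = VelocityMonitor(timedelta(seconds=window_s), max_users_per_ip)
    flagged = set()
    for line in log_text.strip().splitlines():
        ts, ip, user, _result = line.split()
        if monitor.record(ip, user, datetime.fromisoformat(ts)):
            flagged.add(ip)
    return flagged


# Constructed checkout events (not real traffic): one account paying with a
# single card, one account cycling through four card fingerprints.
CHECKOUTS = [
    ("2024-03-01T11:00:00", "alice", "card:4a1f"),
    ("2024-03-01T11:00:30", "bob",   "card:9c02"),
    ("2024-03-01T11:00:45", "bob",   "card:77d1"),
    ("2024-03-01T11:01:10", "bob",   "card:b3e8"),
    ("2024-03-01T11:01:40", "bob",   "card:05aa"),
]

def analyze_checkouts(events, window_s: int = 120, max_cards_per_account: int = 2) -> set:
    """Return accounts that used more than max_cards_per_account distinct card
    fingerprints within window_s seconds, the velocity signature of card testing."""
    monitor = VelocityMonitor(timedelta(seconds=window_s), max_cards_per_account)
    flagged = set()
    for ts, account, card in events:
        if monitor.record(account, card, datetime.fromisoformat(ts)):
            flagged.add(account)
    return flagged


if __name__ == "__main__":
    print("login sources to rate-limit:", analyze_logins(LOGIN_LOG))
    print("accounts to hold for review:", analyze_checkouts(CHECKOUTS))
```

The legitimate user who fails twice against a single account is never flagged, which is the point of counting distinct values rather than raw attempts: per-account failure counts alone would lock out real customers long before they slowed a distributed stuffing campaign. The returned sets are inputs to a decision, not the decision itself; the article's allow/decline step would combine this velocity signal with fingerprinting and behavioral signals before acting.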
No single layer of protection is the silver bullet for preventing account fraud. A defense-in-depth approach is needed to secure accounts from every angle. By combating the sophisticated TTPs used by cybercriminals throughout the lifecycle of an account takeover, these three layers of security offer holistic protection to safeguard a user’s entire journey on your website or app.