The Fraud/Friction Tightrope: Account Takeover

In an earlier post, we explored the balancing act of reducing fraud in your applications without increasing friction for human users. In this post, I’d like to dig into how that balancing act is reflected in the tools in place to prevent account takeover (ATO) attacks, one of the most common vectors for fraud in web applications.

ATO attacks generally cost little to carry out, have a high success rate (due to generally poor password hygiene practices), and can be especially detrimental to both company reputation and the bottom line. 

Options for preventing ATO attacks include deploying multi-factor authentication (MFA), using CAPTCHAs, and improving your bot defenses. But first, let’s define what these attacks look like and how they happen.

How does ATO happen?

The two largest types of account takeover attacks are credential stuffing and credential cracking. Both of these rely in large part on an attacker having some or all of the information needed to break into an account before beginning the attack. Attackers often harvest these lists of partial or full credentials from data breaches elsewhere on the internet, and each breach starts a new wave of ATO attacks on other platforms.

Credential stuffing attacks occur when the attacker has a username/email and a password. The attacker takes this combination and plugs it into any web app they can find, searching for whichever logins shared login info with the breached platform.

Credential cracking attacks occur when the attacker has only some of the login info. Often referred to as “brute force attacks”, the attacker takes the information they do have and tries to guess at the other half of the information to get into the account.

Attackers typically use three main methods to carry out account takeover attacks:

• Automation & web testing tools: The vast majority of ATO attacks rely on automation; after all, it’s not very efficient for an attacker to manually enter credentials one-by-one. It’s far more efficient to use a tool that punches in credentials by the bucketful.
  
  There are many tools that allow attackers to automate login requests, ranging from Selenium—an open source automation and testing tool—to tools for sale on the dark web, including Sentry MBA, SNIPR, Vertex, STORM, and Black Bullet.
  
  
• CAPTCHA bypass tools: CAPTCHA was developed as a bot mitigation tool, forcing a user to solve a simple cognitive challenge that (presumably) a bot couldn’t. They’re intended to stop the automation mentioned above, and limit login attempts to humans alone.
  
  CAPTCHAs are seemingly everywhere now. Despite—or perhaps because of—their ubiquity, there are numerous CAPTCHA bypass tools available on the web, some of which are free and most of which are relatively inexpensive. Some of these services actually employ humans to solve the CAPTCHA on behalf of the user, while others use algorithms to populate the answer automatically. Many of these CAPTCHA bypass tools have become very effective, enabling criminals to skip past this line of defense.
  
  
• Sophisticated botnets & compromised devices: Anything worth doing once or twice might just be worth doing one or two million times. And scaling up an ATO operation requires more than just one device, because many bot mitigation tools would recognize millions of login attempts coming from the same place.
  
  Today, botnets operate like software-as-a-service (SaaS) that can be rented on demand. This means attackers can gain access to millions of machines in order to scale up their efforts and attempt to log into websites and applications from many different IP addresses around the globe. This makes it hard for fraud and security teams to pinpoint any single transaction as fraudulent.
  
  

What are the options to mitigate account takeover risks?

Fraud and security teams have a number of tools and tactics at their disposal to fight back against the attackers. Approaching ATO with a defense-in-depth mindset is the safest way to go, as the most sophisticated attackers have developed mechanisms to bypass simpler protections:

• CAPTCHA: While CAPTCHAs have evolved and have become effective at identifying simple bots, they often cannot identify sophisticated bots that are built specifically to exploit your apps. Although many websites and applications still rely on CAPTCHA as the primary layer of defense against bots, CAPTCHA bypass tools have become very effective, enabling criminals to easily skip past this  line of defense.
• Multi factor authentication (MFA): Many product teams see MFA as friction that reduces user engagement but it can reduce the likelihood and impact of account takeover attacks. Still, MFA can still be vulnerable to SIM-swapping and man-in-the-browser type of attacks.
• Look for anomalous behavior: Do your customer logins only come from certain regions or countries? Do they tend to happen at certain times? Are there certain actions customers take to tend after logging in? Many companies have built internal models to score logins for anomalous behavior. However, since bots can mimic human behavior and attributes, anomaly analysis alone cannot identify account takeover attacks, but can certainly help.
• Detect bot and automated traffic: Adding bot detection capabilities is the crucial measure to mitigate the impact of account takeover attacks. Since these attacks happen so quickly because of automation, protecting against them manually is almost impossible. Having capabilities to detect and enforce policies against bot traffic in real time will help businesses drastically reduce the risk of account takeover attacks. 
  
  

How, then, do you reduce fraud and friction in preventing ATO?

CAPTCHA’s effectiveness in reducing fraud is limited and they certainly add friction. Undoubtedly, adding MFA to your application also introduces friction but it remains an important option in your defense against account takeovers. Anomaly analysis has its place, but fails when sophisticated bots mimic human behavior successfully.

Real-time bot management is essential in providing the ability to detect and enforce policies to stop bot traffic and reduce the risk of account takeover attacks. MFA is still valuable with effective bot detection. If automation is detected, enforcing MFA is one policy option you can use together with your bot management product. If you do plan to use MFA, the key to minimizing real user friction is to choose a bot management solution with the best detection effectiveness. By choosing the right bot management solution you can be sure that you’re only applying MFA friction to malicious bots not to real users. This means you preserve your engaging website and application experience - ensuring that it retains actual customers rather than irritating them with MFA.

So how do you choose the most effective solution? Remember those sophisticated bots running on compromised devices that we mentioned earlier?  Apart from hosting malicious bots, the one thing that those residential machines will have in common, is that every device has been served advertisements at some point as its owner browses the web. If a device has been served an advertisement, HUMAN has  already determined whether or not that device is running an ad fraud bot. 

This is what makes HUMAN's BotGuard for Applications different. BotGuard collects and sends over 2,500 client-side signals indicative of bot activity to the Human Verification Platform for processing by more than 350 technical, statistical and machine learning  algorithms. HUMAN verifies the humanity of more than two trillion interactions every day, harnessing internet-scale visibility and a decade’s worth of data to deliver continuously adaptive protection to customers that include the largest internet platforms. The Human Verification Engine enables BotGuard to detect fraud with unmatched effectiveness to ensure that only real humans interact with your applications. 

BotGuard’s accuracy helps you minimize the use of MFA friction on real users, preserving your website and application experience and ensuring that it continues to engage and retain your customers. By filtering fraud before it reaches your site, BotGuard dramatically reduces your fraud team caseload and makes certain that your infrastructure runs efficiently and remains free of bot abuse.

With HUMAN Bot Defender you have the solution to reduce fraud and minimize friction. If you do decide to implement MFA, Bot Defender will ensure you’re only applying friction to malicious bots - not legitimate application users ensuring that only real humans interact with your applications.