What is Account Take Over (ATO)? It’s when attackers use real credentials to log in to an account and then proceed to make unauthorized transactions. If the account is at a financial institution, this could mean withdrawing or transferring large sums of money. If it’s a company account, it could mean stealing intellectual property or trade secrets.
What makes ATO really dangerous is that the bad actors use legitimate credentials, so you won’t receive any alerts about a suspicious login. They will then proceed to change your contact details, allowing them to keep using the account without any flags being raised.
And when their activities are finally discovered, it can lead to false accusations, because all the evidence will point towards the real account owner.
How do these fraudsters get access to the real login details in the first place?
The Role of Data Breaches in Facilitating Account Takeover
Every year there are thousands of data breach incidents in which millions of user records are exposed. Have you ever wondered what happens to this data and why it is considered so valuable? The attackers extract useful information such as usernames and passwords from the leaked data, which they then sell on the dark web.
Mostly they will target extremely wealthy people or high-profile individuals and use a technique called credential stuffing to try and take over their accounts. This is an automated process that involves running the acquired credentials against the login forms of multiple sites where the target holds accounts.
And as you know, people have a tendency to use the same password on multiple sites. You are probably guilty too. That is how the fraudsters are able to access accounts, after which they proceed to drain them of any valuable data, including credit card numbers and other personally identifiable information.
That one account could end up being the gateway to all the other accounts of the victim.
Now to the big question. What are you doing about it?
Steps You Can Take to Prevent Account Take Over
There are many implications of an account take over but none as severe as lost trust in your business. You will never hear anybody blame the account owner for reusing their passwords but you will always remain the company that got hacked.
Fortunately, there are measures you can take to prevent these attacks. None is sufficient on its own and so I recommend using multiple methods. Hackers are getting smarter every day and are always coming up with new ways to infiltrate your system.
The first step is simple: user education. Emphasize that account owners should use unique passwords, and enforce password requirements on your site to weed out weak passwords. Alternatively, you could recommend that they use a password manager.
Other steps you can take to prevent ATO include password rotation, using multifactor authentication, and scanning the web to find exposed data that may compromise your customers’ accounts. I find that last measure the most effective.
In this post, I am going to recommend 5 tools that use at least one of the above techniques. You can then choose one that suits you the most.
1. SolarWinds Identity Monitor
Identity Monitor is yet another invaluable addition to SolarWinds’ amazing portfolio of security solutions. It’s a collaborative effort between SolarWinds and SpyCloud, a big data company that is well known for its expansive and up-to-date database of exposed data.
And as you may have already deduced, this solution works by scanning the web and trying to determine whether your monitored data has been part of a data breach.
The database is constantly being updated, and since Identity Monitor works in real time, you can be assured that you will be notified as soon as your credentials have been exposed. Alerts are sent via email.
This tool can be used to monitor whole domains or specific email addresses. But what I love most about it is that once you add a domain, you will also be able to monitor all the email addresses associated with it.
Identity Monitor highlights all data breach occurrences in a chronological list on the main dashboard. If you find this hard to follow, then they also have a graphical representation of the breach timeline. Click on a specific incident on the graph and it will give you additional information like the source of the leak.
I also love how well this tool’s user interface has been organized. Everything is well labeled and all you need is your intuition to navigate through it.
SolarWinds Identity Monitor is available as a web application and comes in 5 premium plans. The most basic plan starts at $1795 and can monitor two domains and 25 non-work emails. You can also test the product for free but you will only be limited to monitoring one email.
2. Iovation
Iovation is also a great solution to prevent ATO, but it uses different techniques from Identity Monitor. Even better, it continues to monitor the user after login. This means that if, somehow, the fraudsters manage to evade detection during login, they can still be flagged if the tool detects suspicious activity in the account.
One way Iovation helps prevent ATO is by allowing you to seamlessly add multifactor authentication to all your business applications.
And there are three ways you can authenticate the user: verifying something they know (knowledge), something they have (possession), or something they are (inherence). The methods you can use to verify this information include fingerprint scan, facial scan, PIN code, and geofencing, among others.
Great news. You can define the severity of the authentication based on the account’s risk factor to your business. So, the riskier a login is the stronger the authentication required.
Another way that Iovation prevents Account Take Over is through device recognition. For a user to access their account they need a device. It could be a mobile phone, computer, tablet, or even a gaming console. Each of these devices has an IP address, personally identifiable information (PII), and other attributes that Iovation collates and uses to form a unique identifying fingerprint.
The tool can, therefore, detect when a new device is used to access an account and based on the attributes it collects, it can determine if the device is a risk to the account.
On the downside, this technique could be problematic if, say, the real account owner is using VPN software. Trying to spoof your IP address is one of the risk signals used by Iovation. Other signals include using the Tor network, geolocation anomalies, and data inconsistencies.
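To make the device-recognition and risk-based authentication approach concrete, here is an added example (not Iovation’s code): a device fingerprint is hashed from stable browser attributes, the risk signals named above are weighted into a score, and the score decides how strong the authentication must be. The attribute set, weights, thresholds and the small country/timezone table are assumptions made for this example; note that a VPN on its own only raises the score, it does not block the real owner.

```python
"""Added example (not Iovation's code): risk-adaptive authentication driven
by a device fingerprint and the risk signals named above.  Weights,
thresholds and the attribute set are assumptions made for this example."""
import hashlib
from dataclasses import dataclass

# Constructed, partial mapping used for the "data inconsistency" signal.
COUNTRY_TZ_PREFIX = {"DE": "Europe/", "US": "America/"}


@dataclass(frozen=True)
class Login:
    user: str
    user_agent: str
    screen: str        # e.g. "1920x1080"
    timezone: str      # browser-reported, e.g. "Europe/Berlin"
    country: str       # geolocation of the source IP, e.g. "DE"
    ip_is_vpn: bool    # source IP is in a known VPN/proxy range
    ip_is_tor: bool    # source IP is a known Tor exit node


def device_fingerprint(login: Login) -> str:
    """Hash stable device attributes into an opaque identifier.  The IP is
    left out so that an address change alone does not look like a new device."""
    raw = "|".join([login.user_agent, login.screen, login.timezone])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def risk_score(login: Login, known_devices: set, home_country: str) -> int:
    """Add up weighted risk signals (weights are assumptions)."""
    score = 0
    if device_fingerprint(login) not in known_devices:
        score += 40                      # never-seen device
    if login.country != home_country:
        score += 30                      # geolocation anomaly
    if login.ip_is_tor:
        score += 40                      # Tor exit node
    elif login.ip_is_vpn:
        score += 20                      # weaker signal: real owners use VPNs too
    prefix = COUNTRY_TZ_PREFIX.get(login.country)
    if prefix and not login.timezone.startswith(prefix):
        score += 15                      # IP country disagrees with browser timezone
    return score


def required_auth(score: int) -> str:
    """The riskier the login, the stronger the authentication required."""
    if score >= 70:
        return "block"
    if score >= 40:
        return "mfa"                     # demand a possession or inherence factor
    return "password"
```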
3. Netacea
Our third recommendation, Netacea, helps prevent ATO by using behavioral and machine learning algorithms to detect non-human login activity.
You may already be using a Web Application Firewall (WAF) for this purpose, but current bots have become more sophisticated and are able to mimic genuine human behavior and bypass your firewall.
This tool intently analyzes millions of data points to establish when bots are being used to log in to one of your business accounts. Once it detects a rogue login, it can either block it, redirect it, or notify you so that you can take the necessary measures.
On the downside, the tool may not notice when a fraudster uses a real device to take over an account, although that is highly unlikely because ATO is a numbers game. The attackers want to log in to the maximum number of accounts in the least time possible.
But on the upside, Netacea can also detect when an attacker is trying to brute-force their way into an account. Credential stuffing and brute-force attacks are the two main ways that attackers use to gain access to systems.
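As an added illustration of what separates the two patterns in your own login telemetry (this is a plain rule-based example, not Netacea’s detector), the following pass over constructed log lines flags a source that fails across many distinct usernames as credential stuffing and one that hammers a single username as brute force. The log format, the attempt threshold and the success-rate cutoff are assumptions for this example.

```python
"""Added example (not Netacea's detector): a rule-based pass over login
events that separates credential stuffing (one source, many usernames) from
brute force (one source, one username).  Format and thresholds are assumed."""
import re
from collections import defaultdict

# Constructed sample lines: "<epoch> <source ip> <username> <result>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice FAIL
1700000001 203.0.113.7 bob FAIL
1700000002 203.0.113.7 carol FAIL
1700000003 203.0.113.7 dave FAIL
1700000004 203.0.113.7 erin OK
1700000010 198.51.100.9 alice FAIL
1700000011 198.51.100.9 alice FAIL
1700000012 198.51.100.9 alice FAIL
1700000013 198.51.100.9 alice FAIL
1700000014 198.51.100.9 alice FAIL
1700000020 192.0.2.44 grace FAIL
1700000021 192.0.2.44 grace OK
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")


def parse(log: str):
    """Yield (epoch, ip, username, success) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m[1]), m[2], m[3], m[4] == "OK"


def classify_sources(log: str, min_attempts: int = 5, max_success: float = 0.3):
    """Return {ip: verdict}.  A source is only judged once it has made
    min_attempts logins with a success rate at or below max_success; below
    that it is 'normal' even if every attempt failed (a forgetful user)."""
    attempts = defaultdict(list)
    for _, ip, user, ok in parse(log):
        attempts[ip].append((user, ok))
    verdict = {}
    for ip, rows in attempts.items():
        n, users = len(rows), {u for u, _ in rows}
        if n < min_attempts or sum(ok for _, ok in rows) / n > max_success:
            verdict[ip] = "normal"
        elif len(users) >= 0.8 * n:      # distinct account per attempt
            verdict[ip] = "credential_stuffing"
        elif len(users) == 1:            # same account, many passwords
            verdict[ip] = "brute_force"
        else:
            verdict[ip] = "suspicious"   # mixed pattern, worth a look
    return verdict
```

The one successful login from the stuffing source is exactly the event worth acting on: that account’s password is confirmed reused and should be reset.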
NETACEA works across all platforms, whether it’s a website, an app, or an API and it does not require further configuration or programming.
Also, it can be implemented using three methods: through a CDN, via a reverse proxy, or through API-based integration.
4. Enzoic
The Enzoic ATO prevention solution is a solid tool that works similarly to Identity Monitor. It runs your monitored data against its database to check whether it has been compromised in a data breach.
Once it identifies that the data has been exposed, it allows you to execute various threat mitigation procedures, such as resetting the exposed passwords or restricting access to the affected accounts.
Again, what’s reassuring is that your monitored data will be run against a database containing billions of breached records collected through a combination of automation and human intelligence.
Enzoic is available as a web service and uses a REST API, which makes it simpler to integrate with your website. It also comes with easy-to-use software development kits (SDKs) to further ease the integration process.
Note that this process will require some programming knowledge, unlike other products like Identity Monitor which only need you to log in and start monitoring your accounts immediately.
To ensure that the information in their database does not leak, it is encrypted and stored in a salted and strongly hashed format. Not even Enzoic employees can decrypt it.
Enzoic is hosted on Amazon Web Services, which allows it to deliver response times of about 200 ms.
They offer a 45-day free trial but you will first be required to fill in your details. After that, you can purchase a license depending on the services you need.
5. Imperva
The Imperva ATO solution uses the same technique as Netacea. It analyzes the interaction between the user and your website or application and determines whether the login attempt is automated.
They have an algorithm that intently studies the traffic and identifies malicious logins.
The rules are continuously updated based on global intelligence. Imperva leverages its global network to find out about new ways being used to execute account takeovers, and through machine learning the tool is able to offer protection against these attempts.
For simplified management and protection, Imperva gives you full visibility into login activity. This way you can tell when your site is under attack and which user accounts are being targeted, allowing you to react promptly.
The tool does not have a free trial but you can request a free demo.