Fighting Account Takeover Fraud
What is account takeover fraud?
Account takeover (ATO), or account compromise, is an attempt by an unauthorized party to access an account, often with the intention of making fraudulent purchases or stealing sensitive data such as personally identifiable information (PII). These attacks may result in significant financial losses to the victim, with some studies indicating an average of over $10,000 per incident. Businesses incur broader penalties in the form of chargeback fees, damage to reputation, and the administrative burden placed on customer service staff and potentially legal teams. This article is intended for businesses and lists ways to minimize the risk of ATO.
In the US, attorneys general are known to file lawsuits against businesses that do not adequately comply with consumer protection laws by failing to prevent account takeover fraud.
How does account takeover happen?
- Credential stuffing attacks involve the use of usernames and passwords obtained from data breaches of other websites. An attacker may obtain lists of stolen credentials from darknet markets and attempt to use the same credentials to access the accounts of users on your website.
- Brute-force attacks leverage scripts to repeatedly attempt arbitrary username and password combinations.
- Phishing uses websites that impersonate legitimate ones in order to harvest user credentials.
How can I prevent account takeover fraud?
- Prompt users to configure multi-factor authentication (MFA) settings or passkeys.
- Remind users (perhaps with a tip on your registration form) to use a password that is not used across other services.
- Prevent automated requests to login forms by relying on Turing tests such as CAPTCHAs. These solutions are employed by placing a script on your web pages (particularly those that accept user input) and may occasionally require user interaction to determine whether the user is a human or a script controlled by an attacker.
- Limit authentication attempts by capping the number of times that a user may supply an incorrect password, and ensure that there is an account lockout policy in your application's authentication system (e.g., a user may need to contact your support team to unlock their account after several failed login attempts).
- If your site is intended for use by users in a specific list of countries, consider restricting your login pages to IP addresses in those countries. Alternatively, your application can record the countries (and individual IP addresses) from which each user interacts with your site, and require another authentication factor (such as an MFA token or a one-time PIN sent to the user's email address or phone number) when the user logs in from an IP address or country it has not seen before.
- Regularly assess the security of your site with RedYote!
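The failed-attempt lockout and unexpected-location step-up described in the list above, as an added Python example (not code from this article or from RedYote); the threshold, the IP addresses, the country codes and the function names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Set

# Policy constant for this example (a constructed value, not from the article).
MAX_FAILED_ATTEMPTS = 5

@dataclass
class AccountState:
    """Per-account state the application persists between login attempts."""
    failed_attempts: int = 0
    locked: bool = False
    known_countries: Set[str] = field(default_factory=set)
    known_ips: Set[str] = field(default_factory=set)

def evaluate_login(state: AccountState, password_ok: bool, ip: str, country: str,
                   second_factor_ok: bool = False) -> str:
    """Decide one login attempt and update state.

    Returns 'locked', 'denied', 'step_up' or 'allowed'.
    """
    if state.locked:
        return "locked"                 # only unlock_account() clears this
    if not password_ok:
        state.failed_attempts += 1      # counts toward the lockout threshold
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked = True
            return "locked"
        return "denied"
    # Correct password: reset the failure counter, then check the location.
    state.failed_attempts = 0
    unexpected = (country not in state.known_countries) or (ip not in state.known_ips)
    # An empty history means the first login; it establishes the baseline.
    if state.known_ips and unexpected and not second_factor_ok:
        return "step_up"                # require an MFA token or one-time PIN first
    state.known_countries.add(country)
    state.known_ips.add(ip)
    return "allowed"

def unlock_account(state: AccountState) -> None:
    """Support-team action after verifying the user's identity."""
    state.locked = False
    state.failed_attempts = 0

def demo() -> list:
    """Constructed sequence: a guessing attack from abroad, then the real user."""
    state = AccountState()
    outcomes = [evaluate_login(state, True, "203.0.113.5", "US")]        # baseline login
    outcomes += [evaluate_login(state, False, "198.51.100.9", "RU") for _ in range(5)]
    outcomes.append(evaluate_login(state, True, "203.0.113.5", "US"))   # real user, but locked
    unlock_account(state)
    outcomes.append(evaluate_login(state, True, "203.0.113.77", "US"))  # new IP -> step-up
    outcomes.append(evaluate_login(state, True, "203.0.113.77", "US", second_factor_ok=True))
    return outcomes
```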