Guide To Effective Account Takeover Protection Methods
Account Takeover (ATO) attacks are a form of cyberattack that can be categorized as a subtype of identity theft performed over the internet. In an ATO attack, the hacker or cybercriminal gains access to a user’s online account credentials and can then pose as the legitimate owner of the account. The cybercriminal can use the account to gain unauthorized access to confidential data, send phishing emails to the account owner’s contacts, and use the stolen information to launch other forms of attack.
Account takeover attacks are a serious threat to many businesses and individuals: throughout 2020 there was a 20% increase in successful ATO attacks compared to the same period in 2019.
With that in mind, here we will discuss effective account takeover protection techniques you can implement to protect your systems and network from this type of attack. Let us begin, however, by looking at how ATO attacks actually work.
How Does Account Takeover Happen?
The username-password pair remains the most common type of credential for authenticating online accounts, and most account takeover techniques target two very common mistakes that many people make:
We tend to use weak, generic passwords, and/or we reuse the same password for all our accounts. Cybercriminals can use various techniques to exploit these weaknesses, but the most common ones are:
- Brute force attack
Also known as credential cracking, as defined in OWASP’s OAT-007 automated threat entry, here the cybercriminal uses automated scripts (bots) to test many possible password combinations, hoping to hit the right one. Since these bots can try thousands if not millions of passwords very quickly, in theory a brute force attack will always succeed if the bot is given unlimited attempts and an unlimited amount of time.
- Social engineering
In this type of attack, the cybercriminal spends some time researching a target victim, for example across social media conversations and open databases. The cybercriminal typically looks for information such as name, birthday, location, and names of family members, which is often used as a password or can help in guessing one (e.g. the answer to a security question).
- Phishing
In this technique, cybercriminals impersonate individuals or legitimate companies known to the target victim and attempt to trick users into revealing their account credentials. For example, the cybercriminal may send a link to a website that resembles Gmail’s login page; when the victim enters their Gmail credentials there, those credentials are compromised.
- Credential stuffing
Credential stuffing attacks also use automated scripts or bots, and in principle are similar to brute force attacks. However, in a credential stuffing attack the attacker already possesses working credentials stolen or leaked from other websites, and tests those credentials against many further websites. This exploits the fact that we tend to reuse the same credentials across different accounts.
Account Takeover Protection Methods
As we can see, cybercriminals can use a variety of techniques to launch account takeover (ATO) attacks, so we also need a range of protection methods to protect the user accounts in our system (or, if you are an individual, your own accounts). Below, we discuss some of the most effective measures available against account takeover attacks:
Use Strong and Unique Credentials
Above everything else, the most effective account takeover protection approach is to encourage the use of strong and unique passwords in your network, and if necessary, make the practice mandatory.
Passwords should be at least 10 characters long and combine uppercase letters, lowercase letters, symbols, and numbers. They shouldn’t include sequential letters or numbers (e.g. “abcd”, “1234”), nor easily discovered information such as a birthday, a family member’s name, a pet’s name, and so on.
Also, use each password for only one account. To make this manageable, a password manager can generate and “remember” complex, unique passwords for you.
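The following is an added example (not code from the original article) of a server-side policy check that enforces exactly the rules above: minimum length of 10, all four character classes, no ascending or descending runs such as “abcd” or “1234”, and no known personal information. The `personal_info` argument is an assumption: a tuple of strings the application already holds about the user (name, birth year, pet’s name).

```python
import string

MIN_LENGTH = 10  # the minimum length the article recommends


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters that step up or
    down by exactly one code point, e.g. "abcd", "1234", "dcba", "9876".
    The check is case-insensitive so "aBcD" is still caught."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, personal_info: tuple = ()) -> list:
    """Return a list of policy violations; an empty list means the
    password passes. personal_info is a hypothetical tuple of strings
    the application already knows about the user (name, pet, birth year)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 'abcd' or '1234'")
    low = pw.lower()
    for item in personal_info:
        # ignore very short fragments to avoid false positives on single letters
        if item and len(item) >= 3 and item.lower() in low:
            problems.append(f"contains personal information: {item!r}")
    return problems


if __name__ == "__main__":
    # constructed sample inputs, not real user data
    for candidate in ("abcd1234", "Rex1990!Fluffy", "Kq7#mZp2!vWt"):
        print(candidate, "->", check_password(candidate, ("Rex", "1990")))
```

The personal-information check is deliberately substring-based: "Rex1990!Fluffy" satisfies every character-class rule yet still fails, which is the case a purely character-class policy misses.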
2-Factor Authentication
2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) means asking for a second piece of information (a second factor) in addition to the password before someone can access the account. This second factor can be an additional PIN, a USB security key, an iris or fingerprint scan, or face recognition, among others.
Account Takeover Protection Methods: Bot Management Solution
Since account takeover attacks, especially credential stuffing and brute force attacks, are performed by automated bots, we can effectively prevent them by detecting and managing bot activity. AI-based, automated bot management solutions can stop bot-driven ATO attacks without requiring human intervention.
Limiting Login Attempts
A fairly basic but still effective way to stop account takeover is to allow only a limited number of login attempts. This is especially effective at slowing down brute force and credential stuffing attacks, and the hope is that, once slowed down enough, the cybercriminal will give up and move on to another target.
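As an added example (not from the original article), here is a sliding-window login limiter that counts failures both per account and per source IP and locks the offending key for a cooldown period. Counting per IP as well as per account matters: a credential stuffing bot touches many accounts with only one or two attempts each, so a per-account limit alone never trips, while a per-account limit alone would let anyone lock a victim out by deliberately failing their login. The limits, window and `clock` parameter are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Track failed logins per account and per source IP inside a sliding
    window; deny further attempts once either counter reaches its limit.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_per_account=5, max_per_ip=50, window_seconds=900,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of failures
        self._locked_until = {}              # key -> time the lock expires

    def _prune(self, key, now):
        """Drop failures older than the window and return the live queue."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_allowed(self, username, ip):
        """Call before checking the password; a locked key is refused
        outright so the attacker learns nothing about the password."""
        now = self.clock()
        return all(self._locked_until.get(key, 0) <= now
                   for key in (("user", username), ("ip", ip)))

    def record_failure(self, username, ip):
        now = self.clock()
        for key, limit in ((("user", username), self.max_per_account),
                           (("ip", ip), self.max_per_ip)):
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= limit:
                self._locked_until[key] = now + self.lockout
                q.clear()  # start a fresh count after the lock expires

    def record_success(self, username):
        """A genuine login clears the account's own counters; the IP
        counter is left alone so a bot cannot reset it with one valid hit."""
        self._failures.pop(("user", username), None)
        self._locked_until.pop(("user", username), None)
```

In production the counters live in a shared store (for example Redis) rather than process memory, so that all login servers see the same state; the logic is unchanged.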
Web Application Firewall
A sufficiently capable web application firewall (WAF) can be configured to detect and manage account takeover attacks, for example via IP block listing and tracking the locations requests come from. This requires us to configure the WAF properly, with targeted policies that detect the known signatures of account takeover bots.
Sandboxing
Sandboxing is a last-resort technique to limit the damage once accounts have been compromised. By sandboxing accounts suspected of being compromised, we can monitor all of their activity and stop confirmed malicious actions.
Account takeover protection methods: conclusion
While account takeover (ATO) attacks can be quite difficult to detect and stop, by employing the right account takeover protection techniques we can effectively prevent these attacks and mitigate or even reverse the damage in the event of a successful one. It’s important for all businesses and individuals to be proactive in their account takeover protection efforts in order to prevent serious data leaks and other issues.