Account Takeover (ATO) is a form of identity theft in which a fraudster illegally uses bots to gain access to a victim’s bank, e-commerce, or other online accounts. A successful account takeover attack leads to fraudulent transactions and unauthorized purchases from the victim’s compromised account.
Fraudsters most commonly use two methods to take over accounts:
Credential stuffing (OWASP OAT-008) ─ Credential stuffing exploits users’ propensity to reuse the same username and password across multiple websites. Attackers use bots to test lists of credentials obtained from data dumps of breached credentials (or purchased on the dark web) against a range of websites, in the hope that a victim has reused the same credential pair on several sites. Unlike credential cracking, credential stuffing involves no brute force or guessing of values; instead, mass login attempts are used to verify the stolen username and password pairs. Credential stuffing symptoms include consecutive login attempts with different credentials from the same HTTP client.
Credential cracking (OWASP OAT-007) ─ Also known as ‘brute forcing,’ credential cracking identifies valid credentials by trying different values for usernames and passwords (usually drawn from lists of breached account credentials made public by malicious parties). Attackers deploy bots against customers’ accounts using the brute force approach, dictionary attacks (inputting large numbers of words), and guessing attacks to identify valid login credentials. Brute force attack symptoms include a sudden increase in failed login attempts and high numbers of account hijacking complaints from customers.
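As an added example (not ShieldSquare’s code or any product logic), a small detector that applies the two symptoms above to constructed login-log lines: many distinct usernames from one client points to credential stuffing, while many failed attempts against one username from one client points to credential cracking. The log format, the sample lines and the thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample login-log lines: "time client_ip username result"
SAMPLE_LOG = """\
10:00:01 203.0.113.5 alice FAIL
10:00:02 203.0.113.5 bob FAIL
10:00:02 203.0.113.5 carol FAIL
10:00:03 203.0.113.5 dave FAIL
10:00:03 203.0.113.5 erin OK
10:00:04 198.51.100.7 alice FAIL
10:00:05 198.51.100.7 alice FAIL
10:00:06 198.51.100.7 alice FAIL
10:00:07 198.51.100.7 alice FAIL
10:00:08 198.51.100.7 alice FAIL
10:00:09 192.0.2.9 frank OK
10:00:10 192.0.2.9 frank FAIL
"""


def parse_log(text):
    """Parse the assumed log format into a list of login events."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def classify_clients(events, stuffing_users=4, cracking_fails=5):
    """Return {client_ip: verdict} using the two symptoms from the text.
    Stuffing: one client cycling through many distinct usernames.
    Cracking: one client repeatedly failing against a single username.
    Thresholds are assumed values; tune them to the site's real traffic."""
    users_by_ip = defaultdict(set)
    fails_by_ip_user = defaultdict(int)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
        if not e["ok"]:
            fails_by_ip_user[(e["ip"], e["user"])] += 1
    verdicts = {}
    for ip, users in users_by_ip.items():
        if len(users) >= stuffing_users:
            verdicts[ip] = "credential_stuffing"
        elif any(n >= cracking_fails for (i, _), n in fails_by_ip_user.items() if i == ip):
            verdicts[ip] = "credential_cracking"
        else:
            verdicts[ip] = "normal"
    return verdicts
```

In production the same counters would be kept per time window (for example a sliding five-minute bucket) rather than over the whole log, so that a legitimate shared NAT address is not flagged purely for its volume.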
There can be several motives behind account takeovers, but in most cases the reason is monetary gain. The direct cost of account takeover is evident: fraudulent transactions, transfer of funds from a bank account, and purchase of goods via a compromised e-commerce account. However, direct costs are not the only thing online businesses must be wary of. Account takeover attacks cause major damage to a brand’s reputation, undermining customer confidence and trust.
Online businesses use many approaches to eliminate bot traffic and prevent account takeover attempts. The list includes time-worn practices such as limiting login attempts, a robust authentication process, IP blacklisting, configuring rules in a WAF, and CAPTCHAs. In recent years, however, dedicated bot detection and mitigation solutions have emerged as off-the-shelf tools to eliminate account takeover attempts. These bot management solutions save businesses millions of dollars while protecting them from automated threats. ShieldSquare’s bot mitigation solution uses a non-intrusive API-based approach to mitigate bad bots such as AuthBot that try to take over accounts.
SHIELDSQUARE PREVENTS ACCOUNT TAKEOVER ATTACKS