Voice of the Industry

How to prevent account takeover with a layered security approach

Monday 12 July 2021 09:54 CET | Editor: Simona Negru | Voice of the industry

Mark Freeman, SecuredTouch, talks about how a layered security approach can prevent account takeover and other fraud methods, such as phishing and social engineering.
What’s scarier for an online business than a bot successfully entering your site and committing account takeovers? Virtually nothing. It’s the monster under the bed, the thief in the house, and the ghost in the graveyard kind of scary. But what do all of these ‘scaries’ have in common? If you fortify your space well enough, whether that be locks or happy thoughts, the scary thing can’t break in. 

When it comes to defending your site against bot attacks, an automated bot detection solution is no longer enough. Bots are one of a few automated tools used to commit online fraud and their sophistication has increased exponentially over the last few years, making it more and more difficult to detect them at login.

The first stage of ATO is at the login, usually credential stuffing – which is the method used to verify which credentials are valid for this particular site. Companies are busy trying to protect the login by securing it with identity/authentication tools but, with valid credentials, fraudsters easily bypass this hurdle. This is why focusing on the login in order to protect against ATO is failing. It's a siloed approach.

Did you know that account takeover increased by 282% from 2019 to 2020 and is now considered the ‘fraudster’s weapon of choice’? 

That being said, it pays, literally, to invest in layered security to detect bot activity before account takeover takes place. By adding a deadbolt alongside the lock already on your doorknob, you can be doubly assured in your efforts against account takeover, which will help retain customers and reduce fraud losses.

Is an automated bot solution your only defense?

Credential stuffing and bots are not the only way to get access to an account. Google has registered 2,145,013 phishing sites as of 17 January 2021, which is up from 1,690,000 on 19 January 2020 (up 27% over 12 months).

Phishing and social engineering are on the rise, meaning you need more layers of security to defend your site. 

And now that account takeover is dominating the fraud scene, extra precaution should be a proactive forethought instead of an expensive reaction. A bot management system isn't enough to stop all the bots, let alone account takeover. By using layered security measures, you make it more difficult for fraudsters to commit their crime.

A layered security approach

Account takeover is theft, and it needs to be treated as such. Think of a fraudster like a thief in the house example we mentioned above. When you know your neighborhood has a theft problem, you probably invest in locking your points of entry. Perhaps you invest in a bolt lock, install a security system, or in severe cases, hire a security guard. If theft is a real issue, you will protect what’s inside your house at all costs. 

Image 1:  Examples of tactics used in the fraud flow of account takeover

The same should be applied to your customers' accounts. By utilising a layered security approach to your fraud detection and prevention strategy, you’re proactively protecting what’s inside your ‘house’. Early bot detection is essential to preventing account takeover and can be achieved at the login and during the user session through behavioural monitoring.

At the login

Your solution needs to be able to detect fraud at multiple stages of the user journey, starting at the login. It's the first phase of account protection, the first lock to your site, and something you may already work to protect. However, if you do this using traditional automated bot detection tools, you may get frustrated when a single solution can’t keep up with the fraud advancements your intruders are making and bots start to slip through the cracks. 

If you enhance your login or account takeover detection tool with behavioural data, it allows for much more accurate detection, fewer sessions sent to manual review, and fewer bots on your site. For example, if a session shows usernames and passwords being copied and pasted into your login page for an extended period of time, it's flagged as non-human behaviour. If non-human behaviour is detected, it triggers a fraud alert. This takes the burden off manual review and leaves reviewers free to dig into the true 'grey area' cases.
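As an added illustration of the login-stage check just described (example code written for this page, not SecuredTouch's product logic; the event format, thresholds and sample sessions are constructed assumptions), the following scores a login attempt on pasted credentials, machine-regular timing and absent pointer activity, and flags a client that keeps pasting credential pairs across many logins in a short window:

```python
# Added example (not SecuredTouch's code). Scores login attempts on behavioural
# signals: credentials pasted rather than typed, near-constant inter-event timing,
# and no pointer movement. Event tuples, thresholds and samples are assumptions.
from statistics import pstdev

# Constructed sample sessions: (timestamp_ms, event_type, field)
HUMAN_SESSION = [
    (0, "focus", "username"), (210, "keydown", "username"), (390, "keydown", "username"),
    (650, "keydown", "username"), (1800, "focus", "password"), (2010, "keydown", "password"),
    (2330, "keydown", "password"), (2900, "mousemove", None), (3400, "click", "submit"),
]
BOT_SESSION = [
    (0, "focus", "username"), (50, "paste", "username"),
    (100, "focus", "password"), (150, "paste", "password"), (200, "click", "submit"),
]

CREDENTIAL_FIELDS = {"username", "password"}

def login_signals(events):
    """Return the behavioural red flags raised by one login attempt."""
    pasted = {f for (_, t, f) in events if t == "paste" and f in CREDENTIAL_FIELDS}
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    # Human typing has jittery inter-event timing; scripted input is near-constant.
    jitter = pstdev(gaps) if len(gaps) > 1 else 0.0
    has_pointer = any(t == "mousemove" for (_, t, _) in events)
    return {
        "pasted_both_credentials": pasted == CREDENTIAL_FIELDS,
        "low_timing_jitter": jitter < 20.0,  # assumed threshold, milliseconds
        "no_pointer_activity": not has_pointer,
    }

def risk_score(events):
    """Number of flags raised; used as a simple additive risk score."""
    return sum(login_signals(events).values())

def should_alert(events, threshold=2):
    """Raise a fraud alert for review when enough flags fire at once."""
    return risk_score(events) >= threshold

def repeated_paste_logins(attempts, window_ms=60_000, min_attempts=5):
    """attempts: list of (start_ms, events) from one client. Flags the 'extended
    period' pattern: min_attempts logins with pasted credentials inside window_ms."""
    starts = sorted(s for s, ev in attempts if login_signals(ev)["pasted_both_credentials"])
    for i in range(len(starts) - min_attempts + 1):
        if starts[i + min_attempts - 1] - starts[i] <= window_ms:
            return True
    return False
```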

But what if the fraudster is sophisticated enough to know how to pick the first lock by imitating human processes? That’s when it becomes vital to have a second line of defense or layered security to monitor users during the session.

During the session 

Sophisticated bot attacks can bypass login authentication, and without another layer of security, they are free to commit fraud on your site with ease. In short, fraud detection and prevention is a complicated process. However, if you’re monitoring the digital user journey during the session, you can see how your users behave, whether human or non-human.

Even though you won't be able to detect manual methods of fraud with your detection tool, fraud detection at multiple stages of the user journey will increase your chances of catching fraud in the act. For example, although you may not be able to detect phishing, a bot may use automated fraud methods during the session. By tracking user data continuously, you have fewer and fewer bots making it through to transaction completion.

Behavioural data can help your system identify and flag suspicious behavioural patterns throughout the journey, raising red flags when non-human behaviour occurs and stopping fraud before it starts. 

A proactive approach to the sophisticated, ever-changing landscape of fraud and account takeover will free up your manual reviewer’s time on menial tasks, protect your site from intruders and give you and your customers added insurance in their account protection.

Account takeover is here to stay and will probably become a bigger and bigger problem with more businesses moving to the online realm. Dig deeper into how behavioural data can help detect and prevent fraudsters in our blog: An eCommerce Showdown: Account Takeover VS Behavioral Biometrics.  

SecuredTouch has been acquired by Ping Identity. Read the press release for further information: https://bit.ly/2UHH2o0 

About Mark Freeman

A veteran sales professional, Mark leads an international team of fraud experts to deliver solutions to customers worldwide. He is also responsible for developing new and existing business initiatives. Mark holds a BSc in Optometry from Glasgow Caledonian University and an MSc in Disaster Management from Tel Aviv University.


About SecuredTouch

SecuredTouch provides real-time, adaptive fraud detection throughout the customer journey to detect fraud early, with proven ROI from day 1. Solutions ensure accurate risk-based prevention for multiple use cases including account takeover, bots, credit card fraud, and no-transaction fraud such as loyalty programme and referral fraud. SecuredTouch customers benefit from reduced overall fraud losses while maintaining a smooth customer experience.

