After a successful account takeover attack, fraudsters commit CNP (card-not-present) fraud, redeem reward points, launder money, and apply for loans. They do not, however, limit themselves to draining the account of money. They also use account takeover as a means to control a compromised account remotely and abuse it for many other criminal activities.
How account takeover attacks cause regulatory, financial, and reputational losses
Apart from financial losses, ATO poses reputational risks for businesses, because consumers place a great deal of trust in businesses to keep their transactions secure. An account takeover attack is construed as the business’ failure to maintain adequate security, and hence a breach of consumer trust. This can deal a heavy blow to relationship-building efforts and cause unforgiving customers to switch to competitors. Furthermore, non-compliance with regulations can attract hefty penalties, adding a further burden.
How fraudsters use bots and sweatshops to achieve scale
Account takeover attacks are on a steady rise. Data from Arkose Labs reveals that 5% of all digital traffic is an ATO attack. This can be attributed to the large-scale and frequent data breaches that fuel these attacks: fraudsters harvest the personal information of millions of consumers from these breaches and use it for account takeover attacks.
Automated bots are the most popular method fraudsters use for account takeover, because automation helps them achieve scale and maximise their return on investment. Further, many bots are so advanced that they can accurately mimic human behaviour online. Using advances in machine vision technology, these bots can bypass fraud prevention solutions.
Apart from malicious bots and scripts, fraudsters also ‘hire’ human fraud farm workers to launch large-scale account takeover attacks. These human attackers can easily circumvent fraud prevention solutions that are specifically designed to protect against bots. They can also quickly clear legacy challenge-response mechanisms that require more nuanced human interaction.
Why commonly used authentication cannot fight account takeover attacks
Digital identities compromised on a massive scale, combined with the advanced tactics used by fraudsters, make it even more difficult for businesses to fight the menace of account takeover. Unfortunately, many commonly used authentication methods fail to stop ATO fraud and end up annoying customers. Authentication methods such as two-factor authentication (2FA) are not completely reliable, as the SMS may be delayed or intercepted by fraudsters. Knowledge-based authentication fails because customers often forget the answers.
Data-driven authentication methods rely on clear ‘good’ or ‘bad’ signals from user data. Since fraudsters can accurately mimic true users, they succeed in transmitting ‘good’ data signals. A true user, on the other hand, may be tagged ‘bad’ because of a change in online behaviour. Further, businesses are increasingly facing traffic that transmits neither a clear ‘good’ nor a clear ‘bad’ signal. These signals fall into a gray area that data-driven solutions cannot decipher. Businesses therefore need a robust solution that can fend off account takeover attacks without disrupting the user experience.
Five steps to robust account takeover protection
The Arkose Labs platform provides businesses with a solution that can effectively deal with traffic in the gray area. It prolongs the attack and eats into its returns, making the attack financially unattractive. The Arkose Labs solution uses the following five steps to provide protection against account takeover attempts:
Shift the attack surface – The Arkose Labs platform shields customer touchpoints by diverting attackers to targeted step-up challenges. This disrupts the attackers’ plans and relieves the burden on in-house fraud prevention teams.
Targeted friction – Keeping user experience front and centre, Arkose Labs targets high-risk users with higher friction. Continuous intelligence assigns each user a risk score and applies minimal friction to good users.
Stepped-up attack remediation – For high-risk users, the platform presents 3D challenges that are dynamically tailored according to the risk profile. These include specific challenges for bots, advanced bots, sweatshops, and lone human attackers.
Future-proof protection – Continuous feedback between risk analysis and the challenge-response mechanism enables enforcement challenges to adapt to the evolving risk profile of the traffic. This ensures the enforcement challenges always stay ahead of the changing threats.
Easy integration – The Arkose Labs solution integrates seamlessly with the business’ existing technology stack and requires minimal IT work.
Arkose Labs erodes the financial incentives that fraudsters associate with account takeover attacks so that digital businesses have robust, long-term protection.
This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.
About Lizzie Clitheroe
Lizzie Clitheroe is a fraud and identity thought leader. As VP of Product Marketing for hypergrowth anti-fraud vendor, Arkose Labs, she delivers data-driven insights into security and authentication trends. Lizzie has 10+ years’ experience working for cybersecurity vendors spanning fraud prevention, network security, and application security.
About Arkose Labs
Arkose Labs analyses traffic for telltale signs of malicious intent to distinguish automated and human attackers from good users, providing long-term protection against fraud and abuse by sabotaging attackers’ ROI.