How to fight account takeover attacks in 2021?

ATO (Account Takeover) attacks have been on the rise this year, and we expect them to continue to grow without proper mitigations. A multi-lateral approach should be taken to stop these threats effectively. There are plenty of low-cost mitigations that can be implemented to prevent these attacks, which we will go into further. Combining these methods, we have seen our clients significantly reduce the threat of account takeovers.

Why should we care about ATOs?

For some businesses, every dollar counts, and each account has a value associated with it. Another factor many don’t consider is the long-term effects of ATOs. Allowing some fraud in could be similar to termites while they may be small and insignificant at the moment. They tell others to join the party, eventually taking out a critical support beam of your business. A quick check on marketplaces, you will find big brand accounts for a dollar or less. The ideas discussed below see a greater return on investment when considering all the financial and reputational costs account takeovers are causing.

How are fraudsters bypassing my X solution?

Some companies think their machine learning tool is a one-stop solution to ATO. Do a simple search on Telegram and Discord, and you will find all the top brand accounts for sale. Fraudsters are buying them because they have value. Any fraud team should once spend at least 1 day of their time searching on fraud hangouts. You can get more insight than buying a dark web monitoring service where they don’t know the ins and outs of fraud to your business. Many useful tips are not from indexable chat items but through voice or image chats between fraudsters. You will find many also have eCommerce sites, making buying accounts as easy as shopping on Amazon. In Telegram, search “Fraud” followed by any alphabet letter, and you will find enough chats about their trends. (Some tips as these places can be dangerous. Don’t click links. Use a dedicated phone/emulator just for this. Make a legit-looking profile. Brush up on Google translating. Be prepared to respond since many places interrogate anyone visiting. They use bots to identify suspicious visitors.) Even if you don’t learn anything from the research it will give you an appreciation of the breadth of fraudsters and understanding what you are up against. Some strategies learned from fraudsters using open searches:

• Use a company’s mobile app vs. website as many times it leads to more “hits” (successful fraud). Sometimes a mobile app might not have a fraud tool protection or more lenient on new logins.

• Buy a burner smartphone from Walmart use a sim card to get new IP by simply rebooting to commit fraud. Return it when done. (Fraudsters know about device id tracking)

• Use an emulator or rooted phone to change device information easily. (Many solutions claim to detect these bypasses. However, there are solutions for Android that make it very simple to hide the fact that it is rooted and change all device information. It is possible to spoof geolocation too. Google is making it harder to do this but using an older app/device allows workarounds.)

• Using aged emails from hacked mail accounts. Fraudsters know email age is essential and therefore use stolen yahoo accounts without 2FA if they update to a new email.

• Do everyday size purchases and browsing patterns. (Fraudsters know abnormal buys and account actions will trigger blocks. Instead, they are okay with small wins, even $10 dollar purchases are good enough when done in volume. They know they need to spend a 5-10 minutes fake shopping on the site instead of a fast checkout. They know using/mimicking device id and cookies as the original account owner helps. They know the search refer helps from Google.).

• Do not change the password and other critical information. (Fraudsters know each change of data can lead to lockouts. Instead, they have started email bombing (spamming) to prevent the owner from seeing notifications. For food delivery fraud and Walmart pickups, this is a trend that has many chats about.)

• Commit fraud at the times when the greatest usage is in place. (Fraudsters know they have a better chance at getting by if they blend in with the rest of orders and users)

• Use virtual credit cards and new addresses. (Fraudsters know cards can be tracked as well as addresses. They find close by locations and create cards for each order if needed. Even modifying a portion of an address can bypass some systems.)

As seen, these are just some basic methods low-level fraudsters are sharing. The more complex schemes and methods are held tighter and difficult to find through searches. Behavioral analysis and machine learning work to a point, but fraudsters are quickly learning which levers to pull for successful logins.

Methods to Stop Account Takeovers

Using all these methods is difficult, but having a few can put a dent into fraudster’s ATO plans. Having some configurable settings at least gives the customer the option to enable additional security.

1. Adaptive Verifications – Using machine learning or rules should trigger verifications adaptively. We have detailed the pros and cons of some of these methods in the past. 

   1. Card Scan – Require the customer to re-scan their saved credit card when they did prior actions that raised risk. (OfferUp does this)

   2. Email Verification – Require a link sent to the original email prior to updating to a new email. (Robinhood does this)

   3. Phone Verification – Require a code sent to the original phone prior to adding a new phone. (Google does this)

   4. Card Verification – Require a reenter of a 3ds verified credit card to use a saved payment method. (Steam does this)

   5. Voice Verification – Require a voice call to authorize a new login or account. (TD Bank does this)

   6. 2FA Verification – Require a 2fa code from a phone or physical device. (Coinbase does this)

   7. ID Verification – Require ID of the user. Usually reserved for a restoration process after the fact to ensure the owner is legitimate. A liveness check helps against some fake IDs. They are needed for high worth accounts such as PayPal.

 The key is adaptive verifications, as if you allow only one type, your customer support team will be overrun with requests about verifications not working. Similar to Google, they have multiple backup methods for 2FA login if you can’t receive a code through a primary method.

2. Adaptive Notifications – Do not rely on just one type of notification. Fraudsters are using spamming to hide existing ATO notifications. 

   1. Email Notification – Send email to user when email or password is changed randomly.

   2. SMS Notification – Send SMS to the user if multiple actions cause changes in an account. 

   3. Phone Notification – Send an automated call about a recent transaction or order similar to what many card issuers do. 

   4. Push Notification – If you have an app, send a notification to the old device when there is a new sign in. It is a lot harder to spam a device with notifications. 

3. Adaptive Firewalls – Having a robust firewall can be an excellent preventive measure for ATOs. Firewalls have been a traditional approach to stopping stuffing attacks as it’s similar to a DDoS attack. However, fraudsters are getting smarter. They aren’t going through an entire list of credentials since this triggers blocks. They are doing smaller batches. You can see this trend on the marketplaces where their supplies suddenly spike every so often for a particular brand’s accounts. Sometimes it’s even better to apply a challenge on all logins if it’s an extremely sophisticated attack with no trends except volume. Using Cloudflare’s Under Attack mode, the login endpoint is also extremely efficient as it doesn’t use Captchas. It can be turned off as soon as the attack subsides. Keeping in place friction for all is more costly, so this strategy works to improve customer experience.

   1. IP Blocking / Challenging- Blocking or challenging an IP to a captcha is an easy stop for low-level attacks. If you use Cloudflare and Nginx/Apache or another webserver, it is very simple to setup an automatic challenge system through the aggregation of logs.

   2. User Agent Blocking – Some attackers make the mistake of using the same agent that is malicious. There are some blocklists to use but usually, challenging them with a captcha is enough.

   3. ASN Blocking – Sometimes, an attack will all come from the same IP range. This is useful as you can temporarily challenge an entire ASN. This forces the attacker to pay for proxies or use a new hosting service.

   4. Rate Limiting – Challenging or blocking an IP/device after a certain number of login requests is also simple protection you should have in place.

4. General Settings

   1. Password complexity – Equal or greater than 8 characters. Forces the user to create a complex password that they hopefully don’t have breached already. Some services check the https://haveibeenpwned.com/API/v2 site or the users previous passwords. (Apple does this well, but it is a frustrating experience)

   2. Add magic login links. Allows users to create complex passwords and still login with their email. Password reuse is the main reason accounts are getting compromised. Email security is going to typically be higher than a food delivery app.

   3. Captcha – Either adaptively show captcha or trigger another verification method when a certain device or IP repeatedly fails logins. This raises the complexity of credential stuffing attacks.

   4. Rate limit user – Rate limit per user account that way new IPs and devices can’t attempt multiple logins for the same user.

   5. Disposable Emails- Many attackers will update to a disposable email. You can process the update but it can be a strong reason to lock the account or raise scoring.

   6. VOIP Numbers – Many fraudsters use apps like TextNow so they can communicate with the company about an order. They will attempt to have the address updated after the fact so it bypasses the fraud checks. It could be useful to put these accounts on a watch if the previous number was non VOIP.

   7. Geolocation – Some fraudsters will have the same fixed geolocation and not bother with spoofing. This can be useful for blocklists or triggers to require identity verification. Apps have much more data on geolocation they can capture.

Stopping account takeovers is not a simple task, and you need to bring together multiple tools and teams to address it. Each team can be a critical piece in the overall defense and aides in the adaptation of rapidly changing attacks. Even after implementing these suggestions, you should be ready for a fraudster counter-attack with a new method. Hopefully, with some of these ideas implemented, you will have a more effective plan for account takeovers.