Identifying & Mitigating Account Takeover Attacks

In this 10-Minute Take, learn more about account takeover (ATO) fraud, how common attacks occur, and how Akamai helps businesses protect their customers from fraud.

Retail, e-commerce, and financial institutions have high fraud costs, with every fraudulent transaction costing between 3.51 and 3.87 times as much as the actual transaction value. In many fraud cases, attackers use social engineering or other methods to acquire credentials and access victims’ accounts to gain sensitive information or make unauthorized purchases. This type of fraud not only causes businesses to lose money in lost transactions, but they also lose customer trust, resulting in churn.

As online fraud grows, organizations are looking for ways to protect their customers from account takeover (ATO) attacks. Akamai’s Account Takeover Protection solution can reduce friction for verified users while also making it more difficult for fraudsters to access accounts.

What Is an Account Takeover Attack?

During an account takeover (ATO), criminals use stolen credentials to impersonate a legitimate account owner and take control of the account. The goal of these attacks is typically to steal sensitive information and digital assets, such as gift cards, loyalty points, airline miles, and cryptocurrencies. ATO attacks affect every industry, including retail, travel, finance, and even gaming.

The ATO Kill Chain

To understand how to prevent an account takeover, you first have to understand the attacker’s chain of events, also known as the kill chain.

Acquire Credentials

First, the attacker has to acquire the credentials of the accounts they want to take over. Sometimes, they’ll use phishing attempts to trick the user into providing credentials or information that could help them reset the password. Alternatively, they could inject malicious code into a website to scrape usernames and passwords from the login screen. Fraudsters may also be able to buy credentials on the dark web .

Some web and API protections can keep attackers from stealing your customers’ credentials from your website. However, because attackers can acquire them without ever visiting your site, you’ll also have to set up protections further down the kill chain.

Validate Credentials Using Bots

Once an attacker has a list of credentials, they’ll often feed those account details into a bot to automatically validate them. Credential stuffing attacks could cost businesses up to $28.5 million a year . If the attacker can validate the credentials, they can then move on to the next phase of their plan. Otherwise, they’ll continue to acquire credentials using the methods we shared earlier.

In order to block these bot attempts, you need some kind of bot management in place. Captcha is an option, but it typically adds friction for legitimate users and isn’t nearly as effective. Instead, consider options like Akamai’s Bot Manager , which uses behavioral clues to determine whether an action was performed by a bot or a human and can differentiate good bots from bad bots.

Manual Attacks

If the attacker is able to verify the stolen credentials, they’ll then log into the account using those credentials and begin performing fraudulent activities. The type of website will determine the types of actions they’re able to take. For example, on a retail website, the attacker may make fraudulent purchases using gift cards or credit card information that the legitimate account owner has saved to their account.

To protect against this, you’ll need to add cybersecurity tools that include behavioral analysis, which helps you differentiate between a valid user and a fraudster. You may also choose to implement additional security measures, like a PIN number or multi-factor authentication to protect your users.

How Akamai Identifies Fraudulent Attempts

Akamai creates user and population profiles and provides intelligent risk scores to identify potential fraud while reducing friction for legitimate users.

User & Population Profiles

Using a variety of information, including physical location, session behavior, and device information, Akamai can build user profiles and then block, allow, or verify sessions based on that data. Behavioral analysis is a big part of this. Humans are creatures of habit, and therefore, their online activity typically follows normal patterns.

For example, if a user typically accesses their account from their mobile device in New York between 3 and 5 PM, a login attempt from a tablet in Arizona at 1 AM will have a relatively higher score. And it will complement this with other signals from that device, including the IP address and network, to see what other actions have been taken from that device in the past. Intelligence from hundreds of similar signals is computed in real-time, and organizations are empowered to take action against suspicious activities.

If Akamai doesn’t yet have enough information about a user to build a profile, it can then default to the population profiles to identify anomalies. It examines activities to see if they’d fall outside the norm for typical users of the site. It can also analyze the source reputation (i.e. is this a brand-new browser?) to differentiate legitimate users from fraudsters.

Risk Response Strategy

Akamai also assigns users a risk score from 1-100 to tell organizations how likely it is that the access attempt is fraudulent. You can then customize your risk response strategy based on your business’s risk tolerance.

Financial institutions, for example, may have a very low risk tolerance due to their regulatory requirements, so they’ll challenge all or most access attempts with multi-factor authentication. Retailers, on the other hand, may have higher risk tolerances and allow access to users with higher risk scores while adding an extra verification layer to checkout or change account details.

Using Account Protector to Secure Customer Accounts

Customer trust is a major part of customer loyalty, and preventing ATO is one of the best ways to keep that trust. Akamai’s Account Protector can fight both manual and bot-driven attacks, protecting your customers’ accounts without adding friction for your customers or employees. The platform is automatically updated to improve protections as new threats emerge.

To learn more about how Akamai’s Account Protector can keep your customers safe, contact Akamai today.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Software

The best human resources payroll software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

For managed services providers, deploying new PCs and performing desktop and laptop migrations are common but perilous tasks. The adage “you’re only as good as your last performance” certainly applies. An MSP and its technicians can get everything right, complete a client’s complex cloud migrations, and perform remote work initiatives and proprietary business application upgrades, ...

Successful IT departments are defined not only by the technology they deploy and manage, but by the skills and capabilities of their people. IT workers must keep up to date with the latest technology trends and evolutions, as well as developing soft skills like project management, presentation and persuasion, and general management. Due to the ...

Identifying & Mitigating Account Takeover Attacks

Identifying & Mitigating Account Takeover Attacks

What Is an Account Takeover Attack?