Stop Account Takeovers with the Data You Already Have

BY PATRICK CHEN

Almost every merchant and fraud vendor talks about account takeover attacks (ATO’s), in which a bot or a fraudster gets access to valid customer accounts. We thought we’d join the party because ATO’s are still happening every day and because, yes, SpecTrust can in fact do something different about them. 

We can stop them when they’re happening. 

We can help maintain high levels of customer trust.

One of SpecTrust’s customers faced an ATO attack that ran through distributed IP addresses and tested hundreds of thousands of email/password login combinations. The sheer volume and real-time nature makes detecting and stopping an attack near impossible. Security teams try to put in stopgap measures, such as rate-limiting endpoints, but attackers will eventually figure out their way around these constraints.

SpecTrust detects ATO attempts by seeing between checkpoints

Login events are high volume compared to other events along the customer journey for any given eCommerce platform. Good users are expected to regularly fat finger their logins and try multiple times before being successful, blurring the lines between a good user and an attacker. 

Traditional fraud prevention systems attempt to track good vs. bad users by calling out to 3rd party vendors to assess the risk with each successful login. These calls are made through JavaScript (JS) snippets on their web pages, but these are easily bypassed by an attacker. Side note: I’m using an ad blocker right now and suppressing JS calls like this – I’m pretty sure I’m one of the good guys, though.

As for our SpecTrust customer, 99.98% of the login attempts went unnoticed by the traditional risk solution. SpecTrust’s capability to natively see an interaction in the customer journey makes detecting an ATO attack incredibly simple. Attackers literally have no place to hide as SpecTrust’s platform invisibly logs every attempt to load (or bypass) the login page, every set of credentials used, and the final outcome of the login itself. The graphic below shows a subset of the attack and illustrates its distributed nature.

This credential stuffing attempt was rather unsophisticated. It was incredibly easy for SpecTrust to identify the abnormal behavior, as our session analysis showed that the attack was not loading the login web page at all. The attack cycled through hundreds of IP addresses and utilized only the “login submit” API endpoint. The customer’s traditional risk solution only saw a dozen or so successful logins. Without the full context of hundreds of thousands of login failures and the abnormal upstream behavior, the traditional solution scored the login as low/medium risk based on the IP address and geolocation.

SpecTrust combines the rich, contextual data of an attacker’s overall behavior, making it easy to isolate and detect attacks in real-time. Our platform instantly identified the dozen accounts that the attacker successfully logged in to as “taken over” because of our ability to watch for abnormal behavior along the entire customer journey.

SpecTrust can stop ATO attempts while they’re happening

By nature, logins are expected to be a real-time event. The few tools available to slow down an attack introduce unnecessary friction for good customers and definitely do not give enough time for manual review of suspicious activity. In this case, the traditional fraud solution incorrectly marked the compromised accounts as low or medium risk and only provided that signal after the accounts were breached.Taking action in a real-time flow requires a real-time response to prevent an ATO. By sitting on top of the website with on average sub-millisecond response times, SpecTrust can identify the attack and even alter the login experience for the attacker. 

In a typical attack, the attacker uses automation tools to log the email/password from a successful login and grabbing a cookie to be used later. SpecTrust ROAM’s unique platform capabilities can intercede on behalf of our customers to change that successful login response to an invalid login response. The attackers never even know that they were close to breaching the system.

The SpecTrust ROAM platform can even take relevant data such as IP addresses and pass it upstream to the web application firewall so they can be blocked automatically. The contextual data SpecTrust collects about the attacker’s session is also passed downstream to the customer’s internal and third-party fraud management solutions without requiring a single line of code.