Preventing Account Takeover (ATO)


Some ways that hackers can use very common methods to take over your account, and some ways to recognize bots trying to steal your information.


Hackers are dedicated criminals. They will work hard to exploit any vulnerabilities in your website and network — because there is a lot of money in it for them when it works. One popular way of breaking into a system is to take over the account of a validated user. 

Hackers typically use the following methods to steal your users’ credentials:

  • Reusing passwords from credentials leaked on another site
  • Brute force (aka, taking advantage of weak passwords)
  • Phishing and social engineering
  • Session stealing enabled by a code vulnerability or lack of encryption

It’s an arms race: Hackers get more sophisticated and continue to perpetrate large and small-scale data breaches on companies of all sizes and forms. IT security teams fight back by creating layers and levels of security for their assets.

Preventing Account Takeover

For hackers, the only value in an account takeover (ATO) comes from volume: getting as many hundreds of millions of potentially active credentials as they can, then testing them as fast as they can. That’s where bots come in, and that fact enables IT security teams to create a clear line of defense.

Recognizing Bots

There are three general approaches to identifying bots: basic defense, threat intelligence, and client-side profiling.

Basic Defense

The basic level of defense is to analyze details of the request coming into your system. There are three things to be on the lookout for: headers, timing, and number of requests.

  • HTTP headers: Information in the header identifies the requester. A common clue comes from the User-Agent header, which identifies the software making the request, such as browser name, version, and operating system. Bots send a value to make it look like they are coming from a real browser, but they do make mistakes. And these mistakes are easy to spot.
  • Timing: Bots have a constant rate of requests that is much faster than humans can possibly move. Recognizing the speed of requests, even when bots incorporate randomness to appear more human, is a way to identify that the requester is not a legitimate human user.
  • Number of requests: Sophisticated bots use appropriate headers and spread out requests to a more human speed. However, a large number of login attempts from a single IP address is a key indicator of a bot. Setting thresholds on login attempts identifies and blocks these bots.
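
The three checks above, run together over a login log, as an added example that is not code from the original article. The thresholds, the list of scripting-library User-Agent markers, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from statistics import median

# Assumed thresholds for illustration; tune them against your own traffic.
MAX_ATTEMPTS = 5        # login attempts allowed per IP ...
WINDOW_SECONDS = 60     # ... inside this sliding window
MIN_HUMAN_GAP = 1.0     # a median gap (seconds) below this is faster than a person
SCRIPT_UA_MARKERS = ("python-requests", "curl", "go-http-client")  # assumed list

def flag_login_sources(events):
    """events: iterable of (unix_ts, ip, user_agent), sorted by time.
    Returns {ip: set of reasons} for sources that look automated."""
    flags = defaultdict(set)
    window = defaultdict(deque)   # ip -> timestamps inside the sliding window
    times = defaultdict(list)     # ip -> every timestamp, for gap analysis
    for ts, ip, ua in events:
        ua_l = (ua or "").lower()
        # Header check: missing User-Agent or one naming a scripting HTTP client.
        if not ua_l or any(m in ua_l for m in SCRIPT_UA_MARKERS):
            flags[ip].add("header")
        # Number-of-requests check: count attempts in the last WINDOW_SECONDS.
        q = window[ip]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) > MAX_ATTEMPTS:
            flags[ip].add("volume")
        times[ip].append(ts)
    # Timing check: the median gap tolerates a few randomized delays.
    for ip, seen in times.items():
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        if len(gaps) >= 3 and median(gaps) < MIN_HUMAN_GAP:
            flags[ip].add("timing")
    return dict(flags)

# Constructed sample events (documentation IP ranges), not real traffic.
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
SAMPLE = sorted(
    [(1000 + 0.3 * i, "203.0.113.7", "python-requests/2.31.0") for i in range(8)]
    + [(1000 + 9 * i, "198.51.100.4", BROWSER) for i in range(7)]
    + [(1005, "192.0.2.10", BROWSER), (1042, "192.0.2.10", BROWSER)]
)

if __name__ == "__main__":
    for ip, reasons in sorted(flag_login_sources(SAMPLE).items()):
        print(ip, sorted(reasons))
```

The second sample source sends a browser-like header at a human pace and is caught only by the attempt threshold. All three counters are keyed on IP address, so they do not see attempts spread thinly across many addresses.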

State-of-the-art hacking comes from botnets: a large number of requests from a vast, and often global, collection of infected computers. Because the requests have the right headers and look like real browsers, come from different IP addresses, and may only try to access the system once or twice each day, securing the system against these intruders requires the more advanced techniques of threat intelligence and client-side profiling.

Threat Intelligence

This is based on the idea that botnets will be used more than once. Threat intelligence providers collect and aggregate data about attacks and IP addresses known to be compromised. Companies use this information to spot bots: when a request comes from a known-bad IP address, the system assumes it’s a bot and shows the CAPTCHA challenge.

Client-Side Profiling

If a botnet isn’t part of a threat intelligence feed, you may not be able to identify it. The most advanced way to protect against an unknown botnet gaining access to your system is to profile the client itself. This means using the known behavior of a real browser (how it handles cookies or executes JavaScript, for example) to identify behavior from a suspect request and block the user or show a CAPTCHA challenge.

To learn more about what makes your system vulnerable and how to protect it, download the e-book Account Takeover: How Hacking Happens in 2016.


Published at DZone with permission of Mike Milner, DZone MVB. See the original article here.
