Preventing Account Takeover (ATO)

Some of the very common methods hackers use to take over your users' accounts, and some ways to recognize the bots that are trying to steal your information.

by Mike Milner
Jan. 21, 17 · Security Zone · Opinion

Hackers are dedicated criminals. They will work hard to exploit any vulnerabilities in your website and network — because there is a lot of money in it for them when it works. One popular way of breaking into a system is to take over the account of a validated user. 

Hackers typically use the following methods to steal your users’ credentials:

  • Reusing passwords from credentials leaked on another site
  • Brute force (aka, taking advantage of weak passwords)
  • Phishing and social engineering
  • Session stealing, made possible by a code vulnerability or a lack of encryption

It’s an arms race: Hackers get more sophisticated and continue to perpetrate large and small-scale data breaches on companies of all sizes and forms. IT security teams fight back by creating layers and levels of security for their assets.

Preventing Account Takeover

For hackers, the only value in an account takeover (ATO) comes from volume—getting as many hundreds of millions of potentially active credentials as they can, then testing them as fast as they can. That’s where bots come in, and that reliance on bots is what gives IT security teams a clear line of defense.

Recognizing Bots

There are three general approaches to identifying bots: basic defense, threat intelligence, and client-side profiling.

Basic Defense

The basic level of defense is to analyze details of the request coming into your system. There are three things to be on the lookout for: headers, timing, and number of requests.

  • HTTP headers: Information in the headers identifies the requester. A common clue comes from the User-Agent header, which identifies the software making the request, such as browser name, version, and operating system. Bots send a value to make it look like they are coming from a real browser, but they do make mistakes, and these mistakes are easy to spot.
  • Timing: Bots send requests at a constant rate that is far faster than any human can act. Recognizing that speed, even when bots add randomness to appear more human, identifies a client that is not a legitimate human user.
  • Number of requests: Sophisticated bots use appropriate headers and spread out requests to a more human speed. However, a large number of login attempts from a single IP address is a key indicator of a bot. Setting thresholds on login attempts identifies and blocks these bots.
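The three basic checks above, run over a few login-endpoint log lines, as an added example (this is not code from the original article). The log format, the sample addresses and the thresholds are all constructed for the example; the header check looks for scripting-tool tokens and for a "Mozilla/5.0" prefix with no rendering-engine token, the timing check flags streams that are both fast and near-constant in spacing, and the volume check counts failed logins per IP in a sliding window.

```python
"""Basic-defense heuristics for login traffic: header sanity, request timing,
and per-IP attempt thresholds. Added example; the log lines are constructed."""
import re
import statistics
from collections import defaultdict

# Constructed sample of login-endpoint access records (not real traffic):
# "<epoch_seconds> <client_ip> <http_status> <user_agent>"
SAMPLE_LOG = """\
1700000000.00 203.0.113.7 401 python-requests/2.31.0
1700000000.10 203.0.113.7 401 python-requests/2.31.0
1700000000.20 203.0.113.7 401 python-requests/2.31.0
1700000000.30 203.0.113.7 401 python-requests/2.31.0
1700000000.40 203.0.113.7 401 python-requests/2.31.0
1700000000.50 203.0.113.7 401 python-requests/2.31.0
1700000003.00 198.51.100.23 401 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
1700000041.00 198.51.100.23 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
1700000050.00 192.0.2.9 401 Mozilla/5.0
1700000095.00 192.0.2.9 401 Mozilla/5.0
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<ip>\S+) (?P<status>\d{3}) (?P<ua>.*)$")

# Tokens real browsers carry in their User-Agent; at least one is expected
# whenever the string starts with the "Mozilla/5.0" compatibility prefix.
ENGINE_TOKENS = ("AppleWebKit", "Gecko", "Trident")
# Tokens of HTTP client libraries and CLI tools that no real browser sends.
TOOL_TOKENS = ("python-requests", "curl/", "Go-http-client", "libwww-perl")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": float(m["ts"]), "ip": m["ip"],
                            "status": int(m["status"]), "ua": m["ua"].strip()})
    return records


def header_anomalies(ua):
    """Return reasons a User-Agent value does not look like a real browser."""
    reasons = []
    if not ua:
        reasons.append("empty User-Agent")
    elif any(tok in ua for tok in TOOL_TOKENS):
        reasons.append("User-Agent names a scripting tool")
    elif ua.startswith("Mozilla/") and not any(tok in ua for tok in ENGINE_TOKENS):
        reasons.append("Mozilla prefix without a rendering-engine token")
    return reasons


def timing_anomalies(timestamps, min_requests=5, max_median_gap=0.5, max_cv=0.25):
    """Flag a client's request stream when it is faster and more regular than
    a human typing credentials. `timestamps` must be sorted."""
    if len(timestamps) < min_requests:
        return []
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    median_gap = statistics.median(gaps)
    mean_gap = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    reasons = []
    if median_gap < max_median_gap:
        reasons.append(f"median gap {median_gap:.2f}s is below {max_median_gap}s")
    if cv <= max_cv:
        reasons.append(f"inter-request gaps are near-constant (cv={cv:.2f})")
    return reasons


def volume_anomalies(records, window=60.0, max_failures=5):
    """Flag an IP whose failed logins inside any sliding window exceed the threshold."""
    failures = sorted(r["ts"] for r in records if r["status"] == 401)
    start = 0
    for end, ts in enumerate(failures):
        while ts - failures[start] > window:
            start += 1
        if end - start + 1 > max_failures:
            return [f"more than {max_failures} failed logins within {window:.0f}s"]
    return []


def assess(log_text):
    """Group records by client IP and return {ip: [reasons]} for suspect clients."""
    by_ip = defaultdict(list)
    for r in parse_log(log_text):
        by_ip[r["ip"]].append(r)
    verdicts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        for ua in sorted({r["ua"] for r in recs}):
            reasons += header_anomalies(ua)
        reasons += timing_anomalies([r["ts"] for r in recs])
        reasons += volume_anomalies(recs)
        if reasons:
            verdicts[ip] = reasons
    return verdicts


if __name__ == "__main__":
    for ip, reasons in assess(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On the sample, 203.0.113.7 trips all three checks, 192.0.2.9 is flagged only for its bare "Mozilla/5.0" header, and the human at 198.51.100.23 (one failed attempt, then success forty seconds later) is left alone. Thresholds are the tuning knobs: too tight and legitimate password-manager users get flagged, too loose and a slow bot passes.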

State-of-the-art hacking comes from botnets—a large number of requests from a vast, and often global, collection of infected computers. Because the requests have the right headers and look like real browsers, come from different IP addresses, and may only try to access the system once or twice each day, securing the system against these intruders requires the more advanced techniques of threat intelligence and client-side profiling.

Threat Intelligence

This is based on the idea that botnets will be used more than once. Threat intelligence providers collect and aggregate data about attacks and IP addresses known to be compromised. Companies use this information to spot bots—when a request comes from a known-bad IP address, the system assumes it’s a bot and shows the CAPTCHA challenge.

Client-Side Profiling

If a botnet isn’t part of a threat intelligence feed, you may not be able to identify it. The most advanced way to protect against an unknown botnet gaining access to your system is to profile the client itself. This means using the known behavior of a real browser (how it handles cookies or executes JavaScript, for example) to identify behavior that a suspect request gets wrong, and then blocking the user or showing a CAPTCHA challenge.
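The two advanced layers, threat intelligence and client-side profiling, combined into one login-time decision, as an added example (not code from the original article). Everything specific here is an assumption made for the example: the threat feed is a constructed list of addresses and ranges, the cookie name `ato_sid` and header name `X-JS-Token` are hypothetical, and the JavaScript challenge is modelled as "the page script must hash the cookie nonce and send the hex digest back", which is enough to show the server-side verification.

```python
"""Threat-feed lookup plus a cookie/JavaScript client profile, combined into an
allow / captcha / block decision. Added example with constructed data."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: addresses and ranges reported as bot
# infrastructure. A real deployment would load this from a provider's feed.
THREAT_FEED = [ipaddress.ip_network(n) for n in ("203.0.113.7/32", "198.51.100.0/24")]


def in_threat_feed(ip, feed=THREAT_FEED):
    """True when the client address falls inside any listed address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in feed)


@dataclass
class ChallengeStore:
    """Server-side record of nonces handed out in the ato_sid cookie (hypothetical name)."""
    issued: dict = field(default_factory=dict)

    def issue(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = True
        return nonce


def expected_js_token(nonce):
    """Value the page's JavaScript is expected to compute and return in the
    X-JS-Token header (hypothetical name): the hex SHA-256 of the cookie nonce."""
    return hashlib.sha256(nonce.encode()).hexdigest()


def profile_client(request, store):
    """Check that the client behaved like a browser: it returned our cookie and
    executed the challenge script. Returns None when the profile looks fine."""
    nonce = request.get("cookies", {}).get("ato_sid")
    if nonce is None:
        return "no cookie returned"
    if nonce not in store.issued:
        return "cookie value was never issued"
    token = request.get("headers", {}).get("X-JS-Token")
    if token is None:
        return "challenge script not executed"
    if not hmac.compare_digest(token, expected_js_token(nonce)):
        return "challenge token mismatch"
    return None


def decide(request, store, feed=THREAT_FEED):
    """Known-bad IPs and clients that fail the profile get a CAPTCHA; a client
    that returns a forged challenge token is blocked outright."""
    if in_threat_feed(request["ip"], feed):
        return "captcha", "ip in threat feed"
    problem = profile_client(request, store)
    if problem is None:
        return "allow", "browser-like client"
    if problem == "challenge token mismatch":
        return "block", problem
    return "captcha", problem


def demo():
    """Four constructed requests: a real browser, a listed IP, a client that
    dropped the cookie, and one that sent a fabricated token."""
    store = ChallengeStore()
    nonce = store.issue()
    good = {"ip": "192.0.2.10", "cookies": {"ato_sid": nonce},
            "headers": {"X-JS-Token": expected_js_token(nonce)}}
    listed = dict(good, ip="203.0.113.7")
    no_cookie = {"ip": "192.0.2.11", "cookies": {}, "headers": {}}
    forged = {"ip": "192.0.2.12", "cookies": {"ato_sid": nonce},
              "headers": {"X-JS-Token": "0" * 64}}
    return [decide(r, store)[0] for r in (good, listed, no_cookie, forged)]


if __name__ == "__main__":
    print(demo())  # ['allow', 'captcha', 'captcha', 'block']
```

Order matters in `decide`: the feed lookup runs first because it is cheap and needs no prior interaction, while the profile can only be evaluated for a client that has already fetched a page and received the cookie and script. A missing cookie earns a CAPTCHA rather than a block because a first visit or a privacy-hardened browser looks the same way.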

To learn more about what makes your system vulnerable and how to protect it, download the e-book Account Takeover: How Hacking Happens in 2016.

Published at DZone with permission of Mike Milner, DZone MVB. See the original article here.