Stop Account Takeover in its Tracks

Why real-time security should be adopted in order to stop more common methods of attack like phishing and brute force.

by Mike Milner · Jan. 28, 17 · Opinion


It seems that every day we see headlines announcing a data breach that resulted in the theft of information for hundreds of thousands, millions, or even billions of users. These are clearly brand-damaging headlines, and the numbers are certainly daunting, but internalizing a list of user credentials numbered in the billions can feel abstract. What real harm could a list of usernames do, and why would anyone care enough to take them? Change your password and move on. Of course, if it were that simple these wouldn’t be headlines at all.

When user credentials are stolen, or a simple password is guessed, hackers leverage that information to access more accounts, banking on consumers reusing the same password across multiple sites. Typically financially motivated, they aim to gain access to financial accounts or to sensitive information that can be sold to other hackers. This class of attack is known as Account Takeover (ATO); its tactics include phishing, credential stuffing, brute force of weak passwords, and session farming. The cumulative effects of these attacks can be extremely detrimental to individual users as well as to the compromised organization.

With these kinds of attacks becoming routine, it is important to adopt a strategy to prevent and mitigate these threats without deterring customers with an overly complicated security protocol.

These attacks happen fast. During an ATO attack, hackers use bots to submit user credentials, making it a rapid and scaled operation. If there is no security control in place prior to the attack, it is nearly impossible to stop. By the time you are aware of the attack, have identified the vulnerability, and have remediated it, it’s over and the user data has been used or sold.

This is why a real-time solution to ATO attacks is integral to a comprehensive security structure, but this is where many solutions fail. While more traditional methods such as SAST and DAST can identify potential vulnerabilities to fix during a development cycle, they don’t tell you which security defenses you’re missing against runtime attacks like ATO. Code testing tools are helpful during the development cycle, but in the midst of a live attack they are of little help. If you were choking, you wouldn’t want someone to tell you that you were choking and then get help whenever they could fit it into their schedule. You would want someone to call an EMT or perform the Heimlich maneuver. You want action in the moment, as the threat is occurring.

The real-time security found in RASP is constantly at work within your app, learning user behavior and monitoring for suspicious activity. When strange behavior occurs, it not only informs you but actively protects your site in the moment. For example, when bots attempt to access your site with stolen credentials, RASP can dynamically present a CAPTCHA, thwarting the bot while letting legitimate users pass through easily. RASP creates a business-friendly solution, adept at differentiating human users from bots and fully halting an attack without disrupting the user experience.
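The decision the paragraph describes, namely spotting bot-driven credential stuffing or brute force from a login stream and answering with a challenge rather than a block, can be sketched as a small sliding-window detector. This is an added illustration, not code from the article or from any RASP product; the log format, the thresholds, and the IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Thresholds are illustrative assumptions, not values taken from the article.
WINDOW_SECONDS = 60       # sliding window of failed logins kept per source IP
MAX_FAILURES = 10         # volume typical of brute force against one account
MAX_DISTINCT_USERS = 4    # many accounts from one IP: credential-stuffing signature

class LoginMonitor:
    """Per-IP failed-login tracker that decides allow vs. CAPTCHA before each attempt."""
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> deque of (timestamp, username)

    def decide(self, ts, ip):
        """Return 'allow' or 'challenge' for a new attempt from ip at time ts."""
        q = self.failures[ip]
        while q and ts - q[0][0] > WINDOW_SECONDS:   # drop failures outside the window
            q.popleft()
        distinct_users = {user for _, user in q}
        if len(q) >= MAX_FAILURES or len(distinct_users) >= MAX_DISTINCT_USERS:
            return "challenge"
        return "allow"

    def record(self, ts, ip, username, success):
        if not success:                       # only failures add suspicion
            self.failures[ip].append((ts, username))

def parse_line(line):
    """Constructed log format: '<epoch_seconds> <source_ip> <username> <OK|FAIL>'."""
    ts, ip, username, result = line.split()
    return int(ts), ip, username, result == "OK"

def run(lines):
    """Replay log lines in order; each attempt is judged on the failures before it."""
    monitor, decisions = LoginMonitor(), []
    for line in lines:
        ts, ip, username, ok = parse_line(line)
        decisions.append((ip, username, monitor.decide(ts, ip)))
        monitor.record(ts, ip, username, ok)
    return decisions

# Constructed sample: one IP cycling through usernames (stuffing), one ordinary
# user who mistypes once, then the same bot IP again after the window has passed.
SAMPLE_LOG = """\
1000 203.0.113.7 alice FAIL
1001 203.0.113.7 bob FAIL
1002 203.0.113.7 carol FAIL
1003 203.0.113.7 dave FAIL
1004 203.0.113.7 erin FAIL
1010 198.51.100.4 grace FAIL
1015 198.51.100.4 grace OK
1100 203.0.113.7 heidi FAIL"""
```

Running `run(SAMPLE_LOG.splitlines())` challenges only the fifth attempt from the stuffing IP; the mistyping user is never challenged, and the bot IP is allowed again once its earlier failures age out of the window, which is the cost of a purely time-windowed rule.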

The adoption of real-time security will, at the very least, mean reading fewer headlines about data breaches, and at most could stop you or your organization from suffering financial or reputational damage at the hands of an ATO breach.


Published at DZone with permission of Mike Milner, DZone MVB. See the original article here.