How to prevent account takeover fraud

Account takeover attempts are a threat to all businesses. In the best situations, they are failed attempts from simple tactics, but, in the worst cases, they can conduct fraudulent payments and other forms of identity theft.

Knowing how to prevent account takeovers and the tools to stay ahead of the evolving landscape is essential for any effective fraud prevention strategy. In this article, we'll explore some of the most effective means of combating account takeovers, the impact of compromised accounts, and how to implement a viable solution.

As we explained previously, account takeover fraud happens when fraudsters gain access to the online accounts of other people. This can cause a number of consequences, such as:

• Increased transaction disputes
• Penalties stemming from data regulations
• Loss of customer trust

Fraud prevention leaders need to invest in fraud detection at the earliest stages. For the most effective ATO prevention, however, this means implementing measures at various steps along the path, both before and after the fraudster logs in.

Another key issue such security managers face is implementing solutions that don't disrupt the customer experience or otherwise get in the way of business. This is why companies don't simply add more layers of authentication, for example. As the process becomes too complicated, there is a risk of losing legitimate customers.

<Read: 10 common challenges with account takeover and how to deal with them>

To begin with, we will explore the most immediate defenses, such as setting rate limits on login attempts and implementing multi-factor authentication. Then we’ll move on to the more advanced means to prevent account takeovers, using historical data and real-time alerts to react before damage is done to the victim's accounts.

It's important to note that all of these options should be considered. Leaving your business exposed in any one area will create an opportunity for account takeover that fraudsters will exploit to gain unauthorized access. Fraudsters only need one avenue to compromise accounts.

Limit login attempts to  prevent brute force attacks

Brute force attacks work by attempting to log in over and over until access is granted. Credential stuffing attacks, which use known email and password combinations from other accounts, also follow a similar pattern.

The best way to combat this pre-account takeover stage is to limit the amount of times that users can attempt to log in. Following a certain number of unsuccessful login attempts, users will be required to either wait for a while or use multi-factor authentication to prove their identity.

On another note, this is also the same reason that CAPTCHAs and other 'robot beating' solutions are implemented. Brute force and other en masse strategies implement bots by sheer necessity of scale, so many companies turn to solutions that require a human touch.

Implement multi-factor authentication

Multi-factor authentication comes in many forms, and can often be used both during log in and during the payment process. Examples can include:

• Signing in on a companion app and confirming the action. This is common in the likes of online banking but less so for individual merchant stores.
• Asking users for security questions or other sensitive information that others shouldn't know.
• Asking users to confirm or click a link on an automatically sent email or SMS. 

It's worth noting that this also comes at the cost of customer friction. If poorly implemented, multi-factor authentication can disrupt the customer experience. As such, it's often better to implement this in a scaling fashion, automatically applying it when the risk level of an individual session is higher. For that, you'll need to set up alerts and a means of monitoring user behavior.

Use digital fingerprinting

This approach involves checking the device and browser against the last known used devices. If the new login comes from an unrecognized device, this can be flagged and acted on appropriately. It's important to note here that it's possible users have a new device, so it's worth implementing additional measures rather than outright blocking the user.

This can also be combined with other indicators of unusual behavior:

• Unrecognized IP addresses: An IP address in a distant location, or even another country, can often indicate potential ATO attacks. This is further increased when the IP address changes faster than is physically possible for the user.
• Unusual log in times. If login attempts occur at unusual hours, or are very consistent, this can be another sign of potential ATO fraud.
• High risk orders. You can also determine if orders of a certain value are unusually high, or a warrant extra consideration.

But these indicators can be spoofed by fraudsters that use tools such as VPNs, proxies, TOR networks or Remote Access Tools. For this reason, digital fingerprinting, as part of a fraud prevention system, should be powerful enough to detect data that is not made available by the user. 

Digital fingerprinting helps to greatly improve the reliability of your risk assessments. Unknown devices, for example, may simply represent a user buying a new phone, but combined with a distinctly different IP address and other differences, can represent a compromised account.

Implement real-time behavioral biometrics

At the most advanced level, we can detect account takeovers by comparing them to the historical data of the known user. Behavioral biometrics is a wide field ranging across digital and physical environments but, as far as preventing account takeover fraud goes, it works by checking a range of factors, such as:

• Keyboard and/or touchscreen behavior: how is the keyboard being used? This is a field known as keyboard dynamics and involves measuring the time taken to type each character or word.
• Device movement: is the phone held in portrait or landscape? How is the computer mouse being used?

In these areas, a smart anomaly detection system can find micro differences that can expose a potential fraudster. This also goes very well with digital fingerprinting and, together, these represent a range of digital signals that can alert your automated defenses. Of course, they both also require historical data, so they are at their most effective in protecting existing users who have multiple recorded sessions.

ATO is a type of fraud that can cause a snowball effect if not stopped in its tracks. For this reason, businesses need to employ methods that detect it in real time with the highest precision. Yet this real-time detection is not easy to achieve. 

Many fraud prevention companies depend on outdated information sources for their fraud intelligence. For instance, while we're able to detect when fraudsters use shady VPNs and proxies to hide or alter their tracks - thanks to our ability to analyze in-depth behavior and network data - other providers rely on lists of VPN and proxy servers that quickly become outdated as new devices join the network. As a result, their fraud prevention systems may not be up-to-date, allowing fraudsters to get away with fraud.

Nethone's AI-powered fraud prevention solutions use a range of risk signals and customizable risk levels. Our solution implements both digital fingerprinting and behavioral biometrics, as well as other continual monitoring solutions, into the background of user sessions. Doing so helps better determine ATO attacks from a legitimate account owner through small behavioral details that fraudsters can't replicate.

Our knowledge is powered not only via modern risk detection trends, but also knowledge gained directly from the darkweb, where fraudsters regularly discuss data breaches, new attack vectors, and means to gain access to accounts. This knowledge is then used to improve our solutions, further helping your business stay safe from account takeover attacks.