Account Takeover, Web Application Security

Surfacing Key Indicators of Account Takeovers

Brendon Macaraeg

Brendon Macaraeg is Director of Product Marketing at Signal Sciences. Previously with CrowdStrike and Symantec, he focused on evangelizing and marketing security offerings. Outside of work, Brendon keeps busy with his wife and kids enjoying outdoor activities.

 chunlea-468174-unsplash

Account takeover (ATO) is a threat to any organization that conducts financial or e-commerce transactions via web applications. In fact, business losses attributed to ATO are projected to be over $5 billion in 20181!

So how exactly does this happen? Well, account takeovers are made possible by leaked credentials that attackers find on the Internet and the Dark Web. It’s these stolen credentials that remain a primary means attackers use to access personally identifiable information (PII): of the 2,216 breaches Verizon examined for their 2018 breach report2, the use of stolen credentials was the number one action attackers took to commit fraud.

This post, the first in a series, focuses on the key authentication events that financial services organizations should monitor to defend against account takeovers. We’ll also illustrate how utilizing a threshold-based approach enables organizations to identify irregular request patterns to spot fraudulent authentication and account activity. Future blog entries will look at use cases specific to other verticals, including e-commerce and travel and hospitality.

 

Instrument Normal Account Actions

Account-Takeover-SigSci

To stop account takeovers, you need visibility into where they start: at the point of account creation and login. Visibility requires monitoring the success and failure rates for specific event types:

  • Account login
  • Account creation
  • Password reset  

Identifying malicious activity requires your organization to define an expected baseline level of activity for each of these key events over a defined timeframe: you know your business best and the patterns of your customers’ actions. For example, you would expect an increase in account creation if your financial institution ran a promotion waiving new account fees. During non-promotional periods, you would expect to see a different account creation volume.

An increase in malicious activity causes requests to spike above your defined baseline. To be alerted of such spikes, you should monitor two key traffic trends:

  • An unexpected increase in login attempts is a primary indicator of account takeovers, especially if the increase follows an unusual number of account creation attempts.  

  • A higher than normal amount of password resets signifies that customers are locked out of their accounts, or malicious actors are attempting to reset passwords in an attempt to commandeer legitimate customer accounts.

Authentication-Login-failures-SigSciA sudden increase in login failures can indicate customers being locked out of their accounts or attackers testing credentials unsuccessfully.

 

A Threshold Approach to Identify Malicious Activity

Account takeover attempts can be blocked using a threshold-based approach: using your defined baseline for the amount of activity your organization expects for key authentication events, you’ll know when potentially malicious traffic occurs when the volume of those authentication events spike above expected thresholds.

Traffic-Source-Anomalies-SigSciAn increase in requests originating from data center or Tor exit nodes are indicators of malicious requests.

Signal Sciences customers use our out-of-the-box coverage to stop bots and scrapers. Power Rules utilize authoritative sources like SANS Malicious IP database and Signal Sciences Network Learning Exchange (NLX) to determine the reputation of source IP addresses.  Aside from being an accurate IP reputation feed based on confirmed malicious activity collected from Signal Sciences customers, NLX recognizes attack patterns across our customer network to proactively alert and defend web applications and APIs.

Power Rules can also examine a request and identify patterns in the headers of incoming HTTP requests. Bad actors frequently stage attacks from data centers, TOR exit nodes, known bad IP ranges, or bot signatures: unexpected traffic from these sources are signs of account takeover activity—so having a means to accurately determine the reputation of a request’s source IP is key to detecting and blocking malicious authentication activity.

 

Indicators of Successful Account Takeovers

Account Lockouts

A crucial issue for financial services providers, account lockouts not only increase customer service support costs as customers seek help accessing their accounts, but can result in reputation loss as customers question the security of their accounts.  

Using both your CRM system and Signal Sciences, you can correlate customer contact increases with abnormal spikes in key application account activity, like login failures or password resets. Both are indicators that customers are locked out of their accounts. An increase in login failures could be attributed to malicious actors resetting legitimate customers’ passwords. As those customers try and regain access, they’ll initiate password reset requests.

 Account Linking and Cashing Out

After successfully acquiring account credentials, attackers will link them to their own accounts and transfer funds. Signal Sciences monitors two key activities related to cashing out:

  • Account linking activity: an unexpected increase in account linking can indicate attackers are preparing to siphon funds to third-party accounts.
  • Funds transfer activity: following spikes in increased account linking, funds transfers represent the payoff for attackers. 

Fin-Serv-Abuse-SigSciSudden increases in funds transfers can indicate fraudulent activity.

API Misuse

APIs function as the backbone of modern web, cloud, and mobile applications. Just as attackers utilize bots to mimic legitimate users, they can also deploy bots to enable high-speed abuse and misuse of APIs to perpetrate various malicious activities including account takeover. Financial services companies expose APIs in order to serve both customers and third-parties who need access to customer-specific data. But detecting malicious requests is key to preventing attackers from abusing those same APIs and causing service disruption, data leakage, or account lockouts.

Defeating API abuse requires the same visibility that shows you where and how attackers are attempting to manipulate your application’s business logic, including authentication events. This requires instrumenting your application to monitor key application events in order to surface those real-time insights.  In addition to account takeover, account linking and fund transfers, other examples of automated API misuse include:

  • Fake account creation:  the attacker manipulates the API to create large numbers of bot-controlled accounts.
  • Data aggregation:  an organization’s source data is aggregated with that of others as part of a commercial enterprise without the source organization’s permission.
  • Data scraping: the automated harvesting of proprietary data via the API

The Real Picture of Account Takeover

Now that you know how to zero in on when and how account takeover can occur in your application, you need a solution that provides the actionable visibility necessary to easily and consistently block it.

Signal Sciences provides organizations the visibility not only into key events like login and account creation, but also the transactions attackers target for abuse and fraud — along with easy configuration and no performance overhead. This deep context and the ability to immediately block and mitigate attacker activity are key to active protection against ATO attacks. Moreover, an added benefit of using a threshold-based method to detect ATO-related activity is little to no false positives.

In contrast, other legacy WAF solutions are expensive to implement and maintain due to their reliance on regex-based rulesets while adding significant latency, impacting application performance and customer experience. And they are limited in their protection capabilities and can only protect certain transactions like login and account creation.

 

Conclusion

Stopping account takeovers requires a solution that is easy to implement and provides the necessary visibility into the actions attackers take to acquire account access. Legacy WAF implementations can take months and add significant latency to web requests. And as you ramp up a legacy WAF, you’re missing out on the visibility and detection capabilities necessary to stop application abuse.

Signal Sciences embeds into applications without adding latency to web and API requests and requires no application code changes. Once deployed, Signal Sciences out-of-the-box monitoring and detection capabilities enable your staff to monitor and stop ATO activity. In short, you’ll get more visibility, faster— when it counts— with Signal Sciences.

 Top Photo by Chunlea on Unsplash

2018 Identity Fraud Study - Javelin Strategy and Research

2 2018 Verizon Data Breach Investigations Report

 

RELATED ASSETS