Retail, e-commerce, and financial institutions have high fraud costs, with every fraudulent transaction costing between 3.51 and 3.87 times as much as the actual transaction value. In many fraud cases, attackers use social engineering or other methods to acquire credentials and access victims’ accounts to gain sensitive information or make unauthorized purchases. This type of fraud not only causes businesses to lose money in lost transactions, but they also lose customer trust, resulting in churn.
As online fraud grows, organizations are looking for ways to protect their customers from account takeover (ATO) attacks. Akamai’s Account Takeover Protection solution can reduce friction for verified users while also making it more difficult for fraudsters to access accounts.
What Is an Account Takeover Attack?
During an account takeover (ATO), criminals use stolen credentials to impersonate a legitimate account owner and take control of the account. The goal of these attacks is typically to steal sensitive information and digital assets, such as gift cards, loyalty points, airline miles, and cryptocurrencies. ATO attacks affect every industry, including retail, travel, finance, and even gaming.
The ATO Kill Chain
To understand how to prevent an account takeover, you first have to understand the attacker’s chain of events, also known as the kill chain.
Acquire Credentials
First, the attacker has to acquire the credentials of the accounts they want to take over. Sometimes, they’ll use phishing attempts to trick the user into providing credentials or information that could help them reset the password. Alternatively, they could inject malicious code into a website to scrape usernames and passwords from the login screen. Fraudsters may also be able to buy credentials on the dark web.
Some web and API protections can keep attackers from stealing your customers’ credentials from your website. However, because attackers can acquire them without ever visiting your site, you’ll also have to set up protections further down the kill chain.
Validate Credentials Using Bots
Once an attacker has a list of credentials, they’ll often feed those account details into a bot to automatically validate them. Credential stuffing attacks could cost businesses up to $28.5 million a year. If the attacker can validate the credentials, they can then move on to the next phase of their plan. Otherwise, they’ll continue to acquire credentials using the methods we shared earlier.
In order to block these bot attempts, you need some kind of bot management in place. Captcha is an option, but it typically adds friction for legitimate users and isn’t nearly as effective. Instead, consider options like Akamai’s Bot Manager, which uses behavioral clues to determine whether an action was performed by a bot or a human and can differentiate good bots from bad bots.
Manual Attacks
If the attacker is able to verify the stolen credentials, they’ll then log into the account using those credentials and begin performing fraudulent activities. The type of website will determine the types of actions they’re able to take. For example, on a retail website, the attacker may make fraudulent purchases using gift cards or credit card information that the legitimate account owner has saved to their account.
To protect against this, you’ll need to add cybersecurity tools that include behavioral analysis, which helps you differentiate between a valid user and a fraudster. You may also choose to implement additional security measures, like a PIN number or multi-factor authentication to protect your users.
How Akamai Identifies Fraudulent Attempts
Akamai creates user and population profiles and provides intelligent risk scores to identify potential fraud while reducing friction for legitimate users.
User & Population Profiles
Using a variety of information, including physical location, session behavior, and device information, Akamai can build user profiles and then block, allow, or verify sessions based on that data. Behavioral analysis is a big part of this. Humans are creatures of habit, and therefore, their online activity typically follows normal patterns.
For example, if a user typically accesses their account from their mobile device in New York between 3 and 5 PM, a login attempt from a tablet in Arizona at 1 AM will have a relatively higher score. And it will complement this with other signals from that device, including the IP address and network, to see what other actions have been taken from that device in the past. Intelligence from hundreds of similar signals is computed in real-time, and organizations are empowered to take action against suspicious activities.
If Akamai doesn’t yet have enough information about a user to build a profile, it can then default to the population profiles to identify anomalies. It examines activities to see if they’d fall outside the norm for typical users of the site. It can also analyze the source reputation (i.e. is this a brand-new browser?) to differentiate legitimate users from fraudsters.
Risk Response Strategy
Akamai also assigns users a risk score from 1-100 to tell organizations how likely it is that the access attempt is fraudulent. You can then customize your risk response strategy based on your business’s risk tolerance.
Financial institutions, for example, may have a very low risk tolerance due to their regulatory requirements, so they’ll challenge all or most access attempts with multi-factor authentication. Retailers, on the other hand, may have higher risk tolerances and allow access to users with higher risk scores while adding an extra verification layer to checkout or change account details.
Using Account Protector to Secure Customer Accounts
Customer trust is a major part of customer loyalty, and preventing ATO is one of the best ways to keep that trust. Akamai’s Account Protector can fight both manual and bot-driven attacks, protecting your customers’ accounts without adding friction for your customers or employees. The platform is automatically updated to improve protections as new threats emerge.
To learn more about how Akamai’s Account Protector can keep your customers safe, contact Akamai today.