ATO Detection: 5 Strategies for Business Protection
Imagine you receive an email that says your LinkedIn login information has changed. When you try to log in to your LinkedIn account, you learn you’ve been locked out. Then you receive an email from a stranger who asks for a ransom fee if you want your account back. If you don’t pay, your account will be deleted. This is called account takeover fraud, and it’s not an imaginary scenario—it happened to many LinkedIn users in 2023.
Account takeovers (ATO) are among the most common forms of online fraud. They affect businesses and individuals alike, and recognizing the early signs of an ATO attack can mean the difference between a minor inconvenience and lasting financial and reputational damage to your business. In this article, we dive into the account takeover detection and prevention methods you can use to stop ATOs from threatening your business.
5 ATO Detection Methods:
- Behavioral Biometrics
- Account Takeover Detection Software
- Multi-Factor Authentication (MFA)
- Device Fingerprinting
- Darknet Monitoring
Business Indicators of an Account Takeover Attack
Although account takeover attacks can be subtle, they don’t come unannounced. The following are key business indicators that an account takeover attack is taking place:
- Unusual account activity. Significant changes in activity patterns, or transactions originating from unfamiliar locations, can be a sign that someone unauthorized is accessing an account. Large data downloads, logins from countries the user has never logged in from, unusually large purchases, or sudden actions that depart from the regular pattern are red flags. Recognizing these changes is a critical first step in identifying a potential breach and taking appropriate action.
- Failed login attempts. Multiple failed attempts to log in can suggest an unauthorized person is trying to access an account. Repeated failures in a short period, especially from various or unusual locations, can signal an ATO attack, and your security team should respond with rate limiting, a temporary lockout, or step-up verification on the next successful login. Note that credential stuffing spreads its failures across many accounts, often only one or two attempts each, so a per-account threshold alone will miss it; also watch the failure rate per source IP and across the whole login endpoint.
- Change in user behavior. Examples include logging in at odd hours that don’t align with the user’s typical login hours or accessing parts of the system/application that the user doesn’t typically use. These changes can suggest that someone other than the authorized user is accessing the account.
- Account modifications. Unauthorized changes to critical account details are often dead giveaways of an ATO. Changes to email addresses, phone numbers, passwords, security questions, MFA settings, or newly linked devices should be treated with extreme caution for any account. Attackers make these changes to lock the legitimate user out and to point recovery flows at themselves, so they often precede or accompany the fraud itself and can lead to further unauthorized access or identity theft.
- Unexpected emails. Receiving emails for password resets or confirmations of actions that the user didn’t initiate is another clear warning sign of ATO attacks. Someone is attempting to modify or has already accessed the account, and immediate action may be required to protect your business against ATO.
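To make the indicators above concrete, here is an added example (not DataDome's code and not part of the original article) that runs three of them as rules over a constructed stream of JSON authentication events: a failed-login burst, impossible travel between two successful logins, and a sensitive account change shortly after a login from a country the user has never used before. The event field names, the sample log and the thresholds are assumptions chosen for the example.

```python
"""Run three account-takeover indicators as rules over authentication events.

Added example, not DataDome's code. The JSON-lines log below is constructed,
and the field names (ts, user, event, ip, country, lat, lon) and thresholds are
assumptions of this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample: alice is attacked (fail burst, login from a new country
# that is unreachable in 31 minutes, then an immediate email change); bob is normal.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00Z","user":"alice","event":"login_ok","ip":"203.0.113.5","country":"FR","lat":48.86,"lon":2.35}
{"ts":"2024-05-01T09:30:00Z","user":"alice","event":"login_fail","ip":"198.51.100.7","country":"BR","lat":-23.55,"lon":-46.63}
{"ts":"2024-05-01T09:30:10Z","user":"alice","event":"login_fail","ip":"198.51.100.7","country":"BR","lat":-23.55,"lon":-46.63}
{"ts":"2024-05-01T09:30:20Z","user":"alice","event":"login_fail","ip":"198.51.100.7","country":"BR","lat":-23.55,"lon":-46.63}
{"ts":"2024-05-01T09:30:30Z","user":"alice","event":"login_fail","ip":"198.51.100.7","country":"BR","lat":-23.55,"lon":-46.63}
{"ts":"2024-05-01T09:30:40Z","user":"alice","event":"login_fail","ip":"198.51.100.7","country":"BR","lat":-23.55,"lon":-46.63}
{"ts":"2024-05-01T09:31:00Z","user":"alice","event":"login_ok","ip":"198.51.100.7","country":"BR","lat":-23.55,"lon":-46.63}
{"ts":"2024-05-01T09:32:00Z","user":"alice","event":"email_change","ip":"198.51.100.7","country":"BR","lat":-23.55,"lon":-46.63}
{"ts":"2024-05-01T08:00:00Z","user":"bob","event":"login_ok","ip":"192.0.2.9","country":"DE","lat":52.52,"lon":13.40}
{"ts":"2024-05-01T08:45:00Z","user":"bob","event":"login_fail","ip":"192.0.2.9","country":"DE","lat":52.52,"lon":13.40}
{"ts":"2024-05-01T08:46:00Z","user":"bob","event":"login_ok","ip":"192.0.2.9","country":"DE","lat":52.52,"lon":13.40}
{"ts":"2024-05-01T09:10:00Z","user":"bob","event":"password_change","ip":"192.0.2.9","country":"DE","lat":52.52,"lon":13.40}
"""

FAIL_THRESHOLD = 5        # this many failed logins ...
FAIL_WINDOW_S = 600       # ... within 10 minutes
MAX_SPEED_KMH = 900       # faster than an airliner between two logins = impossible travel
CHANGE_WINDOW_S = 1800    # sensitive change within 30 min of a new-country login
SENSITIVE_EVENTS = {"email_change", "phone_change", "password_change", "mfa_change"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_events(text):
    """Parse JSON lines, attach a datetime, and group them per user in time order."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user[e["user"]].append(e)
    for evs in by_user.values():
        evs.sort(key=lambda e: e["t"])
    return by_user


def detect(text):
    """Return (user, rule, ts) findings for the three indicators."""
    findings = []
    for user, evs in parse_events(text).items():
        recent_fails = []          # timestamps of failures inside the sliding window
        burst_reported = False
        known_countries = set()    # baseline built from this user's earlier successful logins
        last_ok = None
        new_country_login = None
        for e in evs:
            if e["event"] == "login_fail":
                recent_fails = [t for t in recent_fails if (e["t"] - t).total_seconds() <= FAIL_WINDOW_S]
                recent_fails.append(e["t"])
                if len(recent_fails) >= FAIL_THRESHOLD and not burst_reported:
                    findings.append((user, "FAILED_LOGIN_BURST", e["ts"]))
                    burst_reported = True
            elif e["event"] == "login_ok":
                if last_ok is not None:
                    hours = (e["t"] - last_ok["t"]).total_seconds() / 3600
                    km = haversine_km(last_ok["lat"], last_ok["lon"], e["lat"], e["lon"])
                    if km > 1.0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                        findings.append((user, "IMPOSSIBLE_TRAVEL", e["ts"]))
                # The first login ever seen has no baseline, so it never counts as "new".
                if known_countries and e["country"] not in known_countries:
                    new_country_login = e
                known_countries.add(e["country"])
                last_ok = e
            elif e["event"] in SENSITIVE_EVENTS and new_country_login is not None:
                if (e["t"] - new_country_login["t"]).total_seconds() <= CHANGE_WINDOW_S:
                    findings.append((user, "SENSITIVE_CHANGE_AFTER_NEW_COUNTRY_LOGIN", e["ts"]))
    return findings


if __name__ == "__main__":
    for user, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts} {user}: {rule}")
```

Run on the constructed log, alice trips all three rules and bob trips none, even though bob also had a failed login and changed his password: the value is in the sequence (burst, unreachable location, immediate account change), not in any single event. In production the thresholds come from your own baseline, the geo data from an IP-to-location lookup, and the findings feed a step-up or session revocation rather than a print statement.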
5 Methods for Detecting Account Takeovers
1. Behavioral Biometrics
Good account takeover detection software uses behavioral biometrics, which evaluate the unique ways in which a user interacts with your websites and mobile apps, from keystroke dynamics, to mouse movements, to touchscreen interactions. These behavioral models usually run continuously and in real time, so you can receive immediate alerts for suspicious ATO behavior. They are also user-friendly, because your users won't ever notice they're there.
But behavioral biometrics have notable limitations too. For one, a user who acts differently is not automatically suspicious. They may have a physical ailment, be tired, or simply be using a different device, all of which can lead to false positives. The constant monitoring involved in behavioral biometrics might also raise data privacy concerns or conflict with data privacy frameworks like GDPR if you don't inform your users and establish a lawful basis for the processing. Balancing the benefits of this security measure against these limitations is a crucial consideration for anyone looking to implement this technology.
2. Account Takeover Detection Software
Account takeover detection software is an effective way to stop ATO attacks, as it’s designed to recognize various indicators of an account breach by continuously monitoring and analyzing user activity for anomalies. Because it can monitor many accounts simultaneously, it’s a scalable solution that works well for both small and large businesses.
This being said, such software may be a significant investment for small businesses. It may also be difficult to implement and maintain, although that can vary depending on the software. Finally, just as with behavioral biometrics, there’s the risk of flagging legitimate users as malicious actors.
3. Multi-Factor Authentication (MFA)
MFA is an added security step that asks users to provide a second form of identification, from a different category than the first, before accessing their account. The categories are something they know (a password or PIN), something they have (a smartphone, authenticator app, or hardware security key), and something they are (a fingerprint or face scan). A password plus a code from an authenticator app is MFA; a password plus a security question is not, because both are things the user knows. MFA dramatically improves the security of any account and is a must-have for any corporate account.
But many users see MFA as an inconvenience and won't enable it. It also complicates the login process, as a user may lose their MFA device or their recovery codes. And MFA isn't foolproof. SMS codes can be intercepted through SIM swapping or SS7 attacks, any one-time code or push approval can be phished in real time by an adversary-in-the-middle login page, and attackers bombard users with push prompts until one is approved (MFA fatigue). Phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys close these gaps. A rising threat on the SMS side is SMS pumping, where attackers trigger massive volumes of one-time passcode requests to numbers on premium or colluding routes that pay them per message; the business foots the bill for every SMS, so rate-limit OTP sends per phone number, per source IP, and per session, and watch for bursts to sequential numbers.
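The SMS pumping pattern described above is easy to recognize once you look at OTP send requests per source rather than per user. The following is an added example (not DataDome's code and not from the original article): a sliding-window detector that flags a source IP when its one-time-code requests fan out to many distinct destination numbers that share a prefix or run consecutively. The request log, its (timestamp, source IP, phone number) shape and the thresholds are assumptions of this example; the phone numbers are constructed and non-routable.

```python
"""Detect SMS pumping (OTP toll fraud) from one-time-code send requests.

Added example, not DataDome's code. The request log is constructed, and the
(ts, source_ip, phone) shape plus the thresholds are assumptions of this
example. Legitimate OTP traffic from one source goes to a handful of numbers;
a pumping burst fans out to many numbers that share a prefix and often run
sequentially, because the attacker is billing a whole number block.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_S = 600        # sliding window per source IP
MIN_DISTINCT = 10     # fewer distinct destination numbers than this is never flagged
PREFIX_LEN = 8        # e.g. "+1555010": country code plus the leading block digits
PREFIX_SHARE = 0.8    # share of distinct numbers under the most common prefix
SEQ_SHARE = 0.5       # share of adjacent sorted numbers that differ by exactly 1

# Constructed traffic: one user retrying a code, a small office NAT sending to a
# few unrelated numbers, then a pumping burst of 30 requests to consecutive numbers.
NORMAL_TRAFFIC = [
    ("2024-05-01T10:00:00Z", "203.0.113.10", "+33612345678"),
    ("2024-05-01T10:00:45Z", "203.0.113.10", "+33612345678"),
    ("2024-05-01T10:01:00Z", "203.0.113.11", "+33698765432"),
    ("2024-05-01T10:01:30Z", "203.0.113.11", "+33611223344"),
    ("2024-05-01T10:02:00Z", "203.0.113.11", "+447700900123"),
]
PUMPING_BURST = [
    (f"2024-05-01T10:05:{2 * i:02d}Z", "198.51.100.20", f"+1555010{i:04d}") for i in range(30)
]
SAMPLE_OTP_REQUESTS = NORMAL_TRAFFIC + PUMPING_BURST


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sequential_share(numbers):
    """Fraction of adjacent (numerically sorted) numbers that are exactly consecutive."""
    digits = sorted(int(n.lstrip("+")) for n in numbers)
    if len(digits) < 2:
        return 0.0
    consecutive = sum(1 for a, b in zip(digits, digits[1:]) if b - a == 1)
    return consecutive / (len(digits) - 1)


def detect_sms_pumping(requests):
    """requests: iterable of (ts, source_ip, e164_number). Returns {source_ip: evidence}."""
    by_ip = defaultdict(list)
    for ts, ip, phone in requests:
        by_ip[ip].append((_parse_ts(ts), phone))

    findings = {}
    for ip, items in by_ip.items():
        items.sort()
        window = []
        for t, phone in items:
            window = [(wt, wp) for wt, wp in window if (t - wt).total_seconds() <= WINDOW_S]
            window.append((t, phone))
            distinct = {wp for _, wp in window}
            if len(distinct) < MIN_DISTINCT:
                continue
            prefixes = defaultdict(int)
            for number in distinct:
                prefixes[number[:PREFIX_LEN]] += 1
            top_prefix, top_count = max(prefixes.items(), key=lambda kv: kv[1])
            prefix_share = top_count / len(distinct)
            seq = sequential_share(distinct)
            if prefix_share >= PREFIX_SHARE or seq >= SEQ_SHARE:
                # Keep the latest evidence; a real system would also stop further sends
                # from this source immediately and alert on the cost already incurred.
                findings[ip] = {
                    "distinct_numbers": len(distinct),
                    "top_prefix": top_prefix,
                    "prefix_share": round(prefix_share, 2),
                    "sequential_share": round(seq, 2),
                }
    return findings


if __name__ == "__main__":
    for ip, evidence in detect_sms_pumping(SAMPLE_OTP_REQUESTS).items():
        print(ip, evidence)
```

The office NAT stays under MIN_DISTINCT and the retrying user never has more than one destination, so only the burst source is flagged. Keying the window on the source IP is the simplest choice; bots behind proxy pools will spread the burst across addresses, so the same counters should also run per session, per device fingerprint and globally per destination prefix.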
4. Device Fingerprinting
Device fingerprinting is a security technique that identifies the unique characteristics of a user's device, such as browser type, screen resolution, and operating system, and uses them to recognize unfamiliar devices trying to access an account. It's a user-friendly option, because it operates in the background, and it can significantly reduce fraud by challenging or blocking access from unrecognized devices. In practice, an unknown device is better treated as a trigger for step-up verification than as a hard block, since every new phone or reinstalled browser would otherwise lock the legitimate user out.
Still, sophisticated ATO attacks can bypass the protection by spoofing device fingerprints: stolen browser profiles, complete with cookies and fingerprint attributes, are sold on criminal marketplaces and replayed from anti-detect browsers, and a copied fingerprint is indistinguishable from the original. It also raises privacy concerns if you don't properly inform users, and it may increase overhead costs, as device fingerprinting requires the storage and analysis of large amounts of data.
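Here is an added example (not DataDome's code and not from the original article) of the recognition logic, with the two caveats from the section built in: a browser update changes the fingerprint of a legitimate device, so a second digest over the stable attributes avoids a false positive, and an attacker who replays the victim's exact attributes is indistinguishable from the victim. The attribute names, the HMAC key, the constructed devices and the in-memory known-device store are assumptions of this example.

```python
"""Device fingerprinting for ATO detection, including the spoofing limitation.

Added example, not DataDome's code. The attribute names, the HMAC key, and the
in-memory known-device store are assumptions of this example; a real collector
gathers many more signals (canvas and WebGL hashes, fonts, audio, ...).
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Server-side secret so stored fingerprints cannot be correlated across sites if the
# table leaks (assumption: kept in a secrets store and rotated, never shipped to clients).
FINGERPRINT_KEY = b"constructed-example-key-not-for-production"

# Attributes that survive a browser update, versus the full set that does not.
STABLE_ATTRS = ("platform", "screen", "timezone", "languages", "hardware_concurrency")
FULL_ATTRS = STABLE_ATTRS + ("user_agent",)


def digest(attrs, keys):
    """Keyed hash over a canonical JSON projection of the selected attributes."""
    canonical = json.dumps({k: attrs.get(k) for k in keys}, sort_keys=True).encode()
    return hmac.new(FINGERPRINT_KEY, canonical, hashlib.sha256).hexdigest()


class KnownDevices:
    """Per-user memory of devices seen on successful, verified logins."""

    def __init__(self):
        self._full = defaultdict(set)
        self._stable = defaultdict(set)

    def remember(self, user, attrs):
        self._full[user].add(digest(attrs, FULL_ATTRS))
        self._stable[user].add(digest(attrs, STABLE_ATTRS))

    def assess(self, user, attrs):
        """'allow' on an exact match, 'allow_browser_updated' when only the volatile
        attributes changed, otherwise 'step_up' (MFA or email confirmation, not a hard block)."""
        if digest(attrs, FULL_ATTRS) in self._full[user]:
            return "allow"
        if digest(attrs, STABLE_ATTRS) in self._stable[user]:
            return "allow_browser_updated"
        return "step_up"


# Constructed devices.
VICTIM_LAPTOP = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
    "platform": "Linux x86_64",
    "screen": "2560x1440x24",
    "timezone": "Europe/Paris",
    "languages": "fr-FR,fr,en-US",
    "hardware_concurrency": 8,
}
VICTIM_AFTER_UPDATE = dict(
    VICTIM_LAPTOP, user_agent="Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0"
)
ATTACKER_BOX = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0.0.0 Safari/537.36",
    "platform": "Win32",
    "screen": "1920x1080x24",
    "timezone": "America/Sao_Paulo",
    "languages": "pt-BR,pt,en-US",
    "hardware_concurrency": 4,
}
# An infostealer exfiltrated the victim's attributes; an anti-detect browser replays them verbatim.
ATTACKER_SPOOFING_VICTIM = dict(VICTIM_LAPTOP)


def demo():
    store = KnownDevices()
    store.remember("alice", VICTIM_LAPTOP)
    return {
        "same_device": store.assess("alice", VICTIM_LAPTOP),
        "browser_updated": store.assess("alice", VICTIM_AFTER_UPDATE),
        "attacker_device": store.assess("alice", ATTACKER_BOX),
        "spoofed_fingerprint": store.assess("alice", ATTACKER_SPOOFING_VICTIM),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The last case is the limitation in action: the spoofed login is allowed, because the store only ever sees attributes the client chose to send. That is why device recognition should lower the risk score rather than decide on its own, and why it belongs next to IP and ASN reputation, behavioral signals and the account-activity indicators from earlier in this article.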
5. Darknet Monitoring
Darknet monitoring means scanning dark web marketplaces, forums, paste sites, and breach dumps for leaked credentials, and alerting businesses when their users' data appears in unauthorized locations. It's a proactive approach to security that lets businesses act before anyone even initiates an ATO attack. It can also improve user trust, as it demonstrates a strong commitment to the security and protection of their data.
But credentials have to leak before they can be detected, so it's reactive rather than preventative. What it buys you is time: if you force a password reset and revoke active sessions for matched accounts before the credentials are fed into a credential stuffing campaign, the takeover never happens. Pair it with a check at registration and password-change time that rejects passwords found in known breach corpora, as NIST SP 800-63B recommends. It also requires significant resources and attention, as the darknet is fluid and constantly evolving. Don't rely exclusively on darknet monitoring for ATO detection and prevention.
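What "acting on the alert" looks like in code, as an added example (not DataDome's code and not from the original article): a monitoring provider delivers (email, plaintext password) pairs harvested from a third-party dump, and only your own password store can tell whether a pair still opens an account here, so the comparison runs on your side against your hashes. The user store, the feed, its shape and the PBKDF2 settings are assumptions of this example; the breached-password check at the end uses the same feed as a minimal corpus.

```python
"""Act on a leaked-credential feed before the credentials are used for ATO.

Added example, not DataDome's code. The user store and the leak feed are
constructed; the feed shape (email, plaintext password) and the PBKDF2 settings
are assumptions of this example. Only your own password hashes can confirm a
match, so the comparison has to run on your side, never at the provider.
"""
import hashlib
import hmac
import os

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations; the example
# uses fewer so it runs quickly (assumption: adapt verify_password() to your own KDF).
ITERATIONS = 100_000


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store: email -> (salt, pbkdf2 digest). Plaintexts exist here only to build it.
USERS = {
    email: hash_password(pw)
    for email, pw in [
        ("alice@example.com", "Tr0ub4dor&3"),
        ("bob@example.com", "hunter2"),
        ("carol@example.com", "correct horse battery staple"),
    ]
}

# Constructed feed, as a monitoring provider might deliver it from a third-party dump:
# alice reused her password elsewhere, bob's leaked password is an old one, dave isn't our user.
LEAK_FEED = [
    ("Alice@Example.com", "Tr0ub4dor&3"),
    ("bob@example.com", "hunter3"),
    ("dave@example.net", "qwerty"),
]

KNOWN_LEAKED_PASSWORDS = {pw for _, pw in LEAK_FEED}  # minimal breach corpus for the policy check


def triage_leak(feed, users):
    """Map each of our users found in the feed to an action:
    'force_reset' if the leaked password still opens the account (reset the password,
    revoke sessions, re-verify MFA), 'notify' if it no longer matches (warn the user anyway)."""
    actions = {}
    for email, leaked_pw in feed:
        email = email.strip().lower()
        record = users.get(email)
        if record is None:
            continue  # not our user; there is nothing to verify against
        salt, digest = record
        actions[email] = "force_reset" if verify_password(leaked_pw, salt, digest) else "notify"
    return actions


def acceptable_new_password(password, leaked=KNOWN_LEAKED_PASSWORDS):
    """Reject any password present in a known breach corpus at registration or change time."""
    return password not in leaked


if __name__ == "__main__":
    for email, action in triage_leak(LEAK_FEED, USERS).items():
        print(f"{email}: {action}")
```

Two details matter in practice. The email is normalized before lookup, because feeds rarely match your canonical form, and the verification is a full KDF run per feed entry, so a large feed is a batch job rather than something to do inline on the alert webhook. For the policy check, a real corpus is hashed and queried by hash prefix rather than kept as a plaintext set.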
Start Detecting ATO with DataDome
Here's the deal with ATO attacks: at scale, they're not done manually. It's too much work, and too difficult, to do manually. Attackers create and deploy increasingly advanced bots and scripts to target the businesses of their choice. Block the bots and you block the bulk of ATO attempts; the targeted minority that arrives through phishing or SIM swapping is what the indicators above are for.
DataDome stands at the forefront of ATO detection and prevention because it specializes in stopping all malicious bots and scripts that want to request access to your websites, mobile apps, and APIs. It does so in real-time for both simple and sophisticated bots.
This makes DataDome not just great account takeover prevention software, but fraud prevention software as well. After all, it’s not just ATO attacks that are automated—DDoS attacks, credential stuffing attacks, scraping attacks, and almost all other online threats are as well.
DataDome uses AI to constantly monitor incoming threats, updating its global threat database immediately every time it encounters a new threat. The software integrates easily in your existing tech architecture and takes only minutes to install. Our Vulnerability Scan can give you a peek into the basic bots reaching your websites, apps, and/or APIs. To spot more sophisticated threats, start a free 30-day trial.
FAQs
What is the primary cause of account takeover?
There are many ways an attacker can take over an account, but common causes are credentials taken from data breaches and reused across sites, phishing, malware (such as infostealers) installed on a device, and brute-force or credential stuffing attacks that succeed because of a weak, commonly used, or reused password.
How can I prevent ATO in my business?
Adopt a multi-layered approach. Use ATO detection software, require MFA for all corporate accounts, encourage your customers to enable MFA (or make it the default for high-value actions), educate your employees on the indicators and risks of ATO attacks, and regularly revisit and update your security measures.
Is MFA enough to prevent ATO?
MFA adds a significant security layer, but it's not foolproof. Attackers can steal or SIM-swap your MFA device, phish the one-time code through a fake login page, or intercept an MFA SMS. It's best to use MFA, preferably a phishing-resistant method such as a FIDO2 security key or passkey, together with other ATO prevention methods to properly prevent ATO attacks.