It’s not new information: securing your login page is important for preventing account takeovers (ATOs). But nowadays, fraudsters have developed ways to bypass login defenses — including purchasing stolen credentials, brute forcing, phishing, malware, and session hijacking — to gain unauthorized access to your users’ accounts. And once bad actors successfully log into an account, they are often free to navigate throughout it, engage with content, and take any action available to them.
The result is a security gap where bad actors can commit numerous types of account fraud post-login, but pre-transaction. This is why post-login visibility of accounts is a critical component of a strong security posture.
In addition, fraudsters can also create fake accounts that are intended to abuse and steal value from websites and applications. As these accounts are created by the fraudsters themselves, login checks aren’t effective at stopping them.
The security gap between login and transaction
If you have accounts and process transactions, chances are you already have some kind of login security and transaction fraud solution. Login and transaction points were among the first to be exploited by cybercriminals, and the clearest places to enforce more aggressive fraud detections.
- At login, common checkpoints include username/password forms, CAPTCHAs, multifactor authentication (MFA), and/or more advanced bot mitigation.
- At the point of transaction, fraud solutions determine whether a payment is legitimate or fraudulent and then issue an ‘allow/decline’ decision.
But here's the rub: Determined attackers have many tools in their belts to bypass login defenses. They can login to users' accounts using stolen credentials acquired from data breaches, phishing schemes, and malware, and use session hijacking techniques to bypass MFA.
On the other end, transaction fraud solutions are an important last line of defense. But it is just that: a last line of defense. Transaction solutions don’t assess any pre-transaction signals of account takeover and thus can’t intervene proactively. If a bad actor even gets to the point of attempting payment fraud, that means the account has already been compromised.
Attackers take advantage of this blindspot
As cybercrime has evolved and become more sophisticated, attackers have found ways to beat traditional security measures. And if a fraudster successfully logs into an account, they effectively have free rein to take actions therein. These include:
- Spending or transferring stored value, such as gift card balances, loyalty points, airline miles, or digital currency
- Changing the shipping address, email, or password associated with an account
- Disabling MFA
- Reviewing past orders to commit warranty or return fraud
- Capturing stored personally identifiable information (PII)
- Posting positive/negative reviews to influence real users
- Spamming unwanted or malicious content to devalue the experience for real users
- Sharing malware in an attempt to compromise real users’ devices
- Sending phishing emails from compromised accounts
How to fill the post-login security gap
Login and transaction defenses are focused on their specific wheelhouses, at two specific points in time. Continuous evaluation of post-login account activity covers everything in between. This enables online organizations to establish user legitimacy beyond simply authenticating users at login, so they can neutralize fake and compromised accounts before fraud occurs.
This is where HUMAN Account Fraud Defense excels. Account Fraud Defense continuously evaluates users’ post-login activity. When suspicious or risky behavior is identified, the solution automatically takes actions to protect the account and user, without the need for manual intervention. Examples include forcing a password reset, triggering multi-factor authentication (MFA), or flagging the account for review.
