Online accounts are like onions: they have layers. And in order to secure them, you have to protect every layer — or you’ll end up crying. So put on your goggles and let’s dive in.
Layer 1 - Login
Main threat: Account Takeover
Your login page is the front door to your accounts. And cybercriminals are ready to break it down. They launch automated credential stuffing and brute force attacks to execute large-scale account takeovers with speed and stealth.
How to secure your login
Although you likely have some kind of credential verification, web application firewall (WAF), CAPTCHA, and/or multifactor authentication (MFA), these tools are no match for today’s advanced bots. Sophisticated security techniques—such as volumetric detection and analysis, reverse proxying, rate limiting, intelligent fingerprinting, behavioral analysis, advanced machine learning algorithms, and real-time sensors—are needed to fully protect against unauthorized account access.
Layer 2 - Post-login
Main threat: Account Fraud
Once users log into an account, there are a number of pages they can access that contain their PII (name, email address, physical address, etc.), order history, payment information, and account balance. Determined attackers have many tools in their belts to get past login forms; they can enter stolen credentials acquired from data breaches, phishing schemes, or malware, and use session hijacking techniques that bypass MFA.
If a fraudster successfully logs into an account, they effectively have free rein to take actions therein. These include:
- Spending or transferring stored value, such as gift card balances, loyalty points, airline miles, or digital currency
- Changing the shipping address, email, or password associated with an account
- Disabling MFA
- Reviewing past orders to commit warranty or return fraud
- Capturing stored personally identifiable information (PII)
- Posting positive/negative reviews to influence real users
- Spamming unwanted or malicious content to devalue the experience for real users
- Sharing malware in an attempt to compromise real users’ devices
- Sending phishing emails from compromised accounts
How to secure accounts post-login
Savvy attackers can bypass login security to compromise an account; this is where continuous authentication becomes necessary. By continuously evaluating users' post-login activity, you can assess and identify risk as users navigate within their accounts. If a certain risk threshold is reached, automatic mitigation actions are taken to recover the account.
Instead of determining bot-or-not, this is the time to focus on user legitimacy. For example:
- Is a user that is normally based in the US suddenly logging in from France?
- Are they using a completely different device?
- Is that device also logged into 10 other accounts on your app?
- Is a newly seen user deactivating MFA and changing shipping details?
- Are they attempting a large transaction when they haven’t done so before?
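The signals above can be combined into a per-session risk score that triggers a mitigation action once a threshold is reached. The Python below is an added illustration, not code from the original post; the point values, threshold, user profile, device-sharing table and session events are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class UserProfile:
    usual_country: str       # where this user normally logs in from
    known_devices: set[str]  # device ids seen on this account before
    first_seen_recently: bool
    max_past_txn: float      # largest transaction previously completed

@dataclass
class Event:
    kind: str        # "login", "disable_mfa", "change_shipping", "transaction"
    country: str
    device_id: str
    amount: float = 0.0

# Constructed: how many accounts each device id is currently logged into.
DEVICE_ACCOUNT_COUNTS = {"dev-A": 1, "dev-Z": 12}
RISK_THRESHOLD = 70  # assumed; tune against real false-positive rates

def score_session(profile: UserProfile, events: list[Event]) -> tuple[int, list[str]]:
    """Accumulate risk over post-login activity; each signal counts once per session."""
    score, reasons = 0, []
    def add(signal: str, points: int) -> None:
        nonlocal score
        if signal not in reasons:
            reasons.append(signal)
            score += points
    kinds = {ev.kind for ev in events}
    for ev in events:
        if ev.country != profile.usual_country:
            add("geo_mismatch", 25)              # US user suddenly in France
        if ev.device_id not in profile.known_devices:
            add("new_device", 20)                # completely different device
        if DEVICE_ACCOUNT_COUNTS.get(ev.device_id, 1) > 5:
            add("shared_device", 30)             # same device on many accounts
        if ev.kind == "transaction" and ev.amount > 3 * profile.max_past_txn:
            add("unusual_amount", 25)            # far larger than past activity
    if profile.first_seen_recently and {"disable_mfa", "change_shipping"} <= kinds:
        add("new_user_locks_out_owner", 40)      # MFA off + shipping changed
    return score, reasons

def decide(score: int) -> str:
    """Map the score to a mitigation action (assumed policy)."""
    if score >= RISK_THRESHOLD:
        return "lock_account_and_notify_owner"
    if score >= RISK_THRESHOLD // 2:
        return "step_up_auth"
    return "allow"

PROFILE = UserProfile("US", {"dev-A"}, False, 80.0)        # constructed user
TAKEOVER_EVENTS = [Event("login", "FR", "dev-Z"), Event("disable_mfa", "FR", "dev-Z"),
                   Event("change_shipping", "FR", "dev-Z"), Event("transaction", "FR", "dev-Z", 900.0)]
BENIGN_EVENTS = [Event("login", "US", "dev-A"), Event("transaction", "US", "dev-A", 50.0)]
```

Running `score_session(PROFILE, TAKEOVER_EVENTS)` yields a score well above the threshold with four reasons attached, while the benign session scores zero; the reasons list is what an analyst would want alongside the automatic action.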
Layer 3 - Transaction
Main threat: Transaction Abuse
Your transaction page is where money changes hands. Today, most transactions occur after a user is logged into an account. Cybercriminals can use bots to hoard inventory and make fraudulent purchases with stolen credit card information (known as carding). Additionally, human fraudsters can manually commit payment fraud and warranty fraud. Either way, you’re left to issue chargebacks to unhappy customers.
How to secure transactions
At the point of transaction, organizations must determine whether a payment is legitimate or fraudulent and then issue an ‘allow/decline’ decision. As bots are a major threat vector, implementing bot detection techniques (volumetric detection and analysis, reverse proxying, rate limiting, intelligent fingerprinting, behavioral analysis, and advanced machine learning algorithms) is best practice.
Protect All Three Layers
No single layer of protection is the silver bullet for preventing account fraud. A defense-in-depth approach is needed to secure accounts from every angle. By combating the sophisticated TTPs used by cybercriminals throughout the lifecycle of an account takeover, these three layers of security offer holistic protection that safeguards a user's entire journey on your website or app.