Can Accounts Only be Compromised at Login?
Ask anyone where account takeover happens, and they’ll point to the login page. And yes, technically that’s where it all goes down, but to only focus on login could lead you vulnerable to compromised account fraud. Why? Because sometimes cybercriminals take over accounts without attacking your login page.
There are many ways for bad actors to get their hands on valid login credentials and accounts, including phishing, malware, brute forcing, session hijacking, or just buying a list of usernames/passwords off the dark web. This means that bad actors can bypass traditional security measures—such as CAPTCHA, multi-factor authentication (MFA), security questions, or other verification techniques—to take over an account on your site.
In addition, fraudsters can also create ‘fake accounts’ that are intended to abuse and steal value from websites and applications. Because fake accounts are created by the fraudsters themselves, login checks and password resets aren’t effective at stopping them.
What Happens After Login?
Well, quite often, nothing… At least until it’s time to make a purchase. In many cases, bad actors who successfully log in are free to navigate throughout the account, engage with content, and take any action available to them.
Although most online businesses have another security check at the point of transaction, this leaves a gap where bad actors can commit numerous types of account fraud and abuse post-login, but pre-purchase.
What kinds of abuse, you ask? Here are some examples:
- Changing the shipping address, email, or password associated with an account
- Disabling MFA and updating the password to maintain control of the account
- Reviewing past orders to commit warranty or return fraud
- Capturing stored personally identifiable information (PII)
- Posting positive/negative reviews to influence real users
- Spamming unwanted or malicious content to devalue the experience for real users
- Sharing malware in an attempt to compromise real users’ devices
- Sending phishing emails from compromised accounts
- Taking advantage of free trials
- Scraping gated content
Furthermore, because accounts hold stored value other than traditional currency (loyalty points, digital credits, discount codes/coupons, airline miles, and gift card balances, etc.), there are opportunities to convert or transfer assets without going through a traditional payment path and setting off alarms. And cybercriminals are taking advantage of this.
Solutions focused primarily on login or purchase often miss these creative fraud attempts. This calls for a deeper look at the post-login user’s journey as another line of defense to better detect and neutralize compromised and fake accounts.
Post-login Security Gap
Addressing this security challenge requires a shift of focus, one in which credential verification is no longer a proxy for identity. Traditional solutions focus on blocking bots at login and determining payment validity at checkout, by asking questions such as these:
- Are you a human or a bot?
- Do you have the right credentials?
- Is this credit card number valid?
- Are you trying to rip us off?
While these are good starting questions, they don’t actually get at the root of the problem. Instead, they are being used as proxies to answer two more fundamental questions that sit at the heart of account fraud: “Are you who you say you are?” and “Should you be doing what you’re doing?”
Just because a user is human doesn’t mean they’re the human they say they are. Just because a card number is valid doesn’t mean that the purchase is valid. Only by establishing user legitimacy can businesses stop account fraud — and simply asking for credentials and serving traditional challenges is no longer enough.
Continuous Monitoring and Assessment
The key to addressing post-login security is applying continuous monitoring and assessment. By continuously evaluating users’ post-login activities against behavioral signals, organizations can quickly identify any anomalies that represent instances of account abuse and take action. For instance, if a user accesses account data immediately after login from a new device, this may suggest PII harvesting.
Continuous evaluation can also be used to get a holistic view of activities across all the accounts on a site. For example, website owners might identify a spike in redemptions of free trials across accounts and decide to enforce additional detections in the redemption process to prevent resale of free trials.
By applying a framework of continuous authentication, online businesses can get to the root of the problem of account fraud. This means establishing ongoing attribution and verification of identity and legitimacy across all behaviors.
HUMAN Account Fraud Defense
Did we mention that HUMAN can address the post-login security gap? Meet Account Fraud Defense. The solution safeguards online accounts by detecting and neutralizing compromised and fake accounts being used for fraud post-login.
Account Fraud Defense uses behavioral analysis to continuously monitor accounts post-login for suspicious behavior. It generates an evolving risk score based on all activity in an account rather than relying on a single point-in-time check, such as only at login or at the point of transaction.
When a risk threshold is passed, automated customizable responses are triggered. These include calling customer APIs, introducing hard blocks, redirecting to a challenge or to a page that works with an organization’s business flow or CIAM. The intuitive management console makes it easy to understand key details of an incident and quickly share data.
The result? A reduction in account fraud and abuse (and the time you spend investigating and remediating account fraud and abuse).
Related Articles
What is Fake Account Creation? | How to Prevent It
What is Account Takeover? | How to Detect & Stop It
What is Credential Stuffing? | Definition, Attack Types, & Solutions
What is a Brute Force Attack? | Definition, Types, & Prevention