How to prevent coordinated, automated, big data-scale ATO
Account takeover (ATO) is not only one of the most dangerous forms of online fraud; it is increasingly one of the most common. The prevalence of readily accessible user data—the result of ongoing massive data breaches—makes this uniquely hard-to-spot attack type particularly appealing to fraudsters, and increasingly powerful automation capabilities are giving rise to an especially damaging breed of ATO. It’s called credential stuffing, and seemingly no organization is immune—in recent months, companies ranging from Dunkin’ Donuts and DailyMotion to OkCupid and Reddit have suffered massive credential stuffing ATO attacks.
Big data-scale ATO
In its simplest form, ATO is precisely what it sounds like—a legitimate user account gets taken over by a fraud actor who has obtained the necessary credentials to enter the account. What makes credential stuffing unique—and uniquely concerning—is the scale. In a credential stuffing attack, fraudsters leverage massive troves of leaked legitimate user credential data to begin firing pairs of names and passwords at other sites in hopes of getting a “hit”—an instance in which a combination works, and a hacker gets into an account. Once in, the fraudster is free to eke as much value from the account as possible.
The high value of your personal and financial data
ATO attacks of any type are dangerous because they involve real accounts created by real users. When a fraudster gets into a legitimate account, they get unrestricted access to that users’ personal and financial data. They can use that information for their own fraudulent activity, or they can sell the information on the underground market. The latter can be extremely lucrative, as can be seen from some of the numbers recently provided by Grove Technologies, in an article titled What is Your Personal Information Worth on the Dark Web:
- Social Security number: $1
- Driver’s license: $20
- Online payment services login info (e.g., Paypal): $20-$200
- Diplomas: $100-$400
- Passports (US): $1000-$2000
Hacked accounts are not only used for harvesting existing financial credentials or personal data. In a large-scale credential stuffing attack we recently observed at a Fortune 500 e-commerce site, the attackers mainly used the compromised accounts to validate stolen credit card numbers. If a credit card is invalid or known to be compromised or stolen, the site will reject the “add card” action and display a warning message. In this way, fraudsters can easily determine which cards are viable for future fraudulent activity.
The Dunkin’ Donuts Hack
Another way fraudsters accrue value from hacked accounts is through the accumulation of “virtual” currency such as rewards points that can be converted into merchandise and benefits. A recent high-profile example is the Dunkin’ Donuts hack, announced on February 12, 2019, and described in an article from ZDNet. In the attack:
“Hackers used user credentials leaked at other sites to gain entry to DD Perks rewards accounts, which provide repeat customers with a way to earn points and use them to get free beverages or discounts for other Dunkin’ Donuts products. The type of information typically stored inside a DD Perks account includes a user’s first and last names, email address (also used as username), a 16-digit DD Perks account number, and a DD Perks QR code. But hackers weren’t after users’ personal information stored in Dunkin’ Donuts rewards accounts. Instead, they were after the account itself, which they are selling on Dark Web forums.”
Preventing credential stuffing ATO attacks
One of the biggest challenges in preventing credential stuffing attacks is that users continue to reuse passwords across sites. This fact, combined with the overwhelming magnitude of data breaches in recent years—according to the Breach Level Index, more than 6 million records are lost or stolen every day—means virtually no site is immune.
Another significant challenge to prevention is that attacks are automated and executed at scale. Attackers often employ massive botnets—a connected network of compromised machines—to do their bidding. By scripting these “bots” to perform login attempts, the attack is scaled out across hundreds of thousands to millions of IP addresses, with each IP only generating a small number of events. DataVisor estimates that 50% to 80% of account takeover attacks on financial services are conducted via coordinated attacks like this, and this number can be up to 95% on social or gaming platforms.
Blocking individual IPs may slow the attackers down at first, but fraudsters are quick to pivot and bypass static blacklists by using a different botnet, or other proxies and anonymous routing services. Blacklists also need to be updated frequently, and, by definition, are reacting after the fact.
There are solutions of course, but the best defense—multi-factor authentication—brings with it high user friction and high deployment costs.
This is one reason why advanced detection tools are so important, though detection itself has its own challenges when it comes to preventing credential stuffing attacks, because these attacks harness legitimate user accounts. It’s one thing for fraud management systems to detect fake accounts, but it’s another thing altogether to detect fraud when it appears in the form of real users.
Effective ATO prevention strategies must be proactive
Credential stuffing attacks are coordinated, automated, and massive in scale. It will be critical to review users and events holistically in order to reveal the clandestine correlations and patterns that signify fraudulent attacks. Attempted ATO that is the result of credential stuffing must be stopped at the point of login, but this is extremely difficult because accounts are compromised using legitimate credentials. Accordingly, it is the method of attack that must be spotted. Only in this way can credential stuffing fraudsters be disarmed before they do real damage.