A CISO’s Guide To Stopping ATO Against The Digital Storefront

A woman holds a cellphone in one hand, and a credit card in the other.

For any major online storefront, account takeover (ATO) attacks are a growing threat. ATO fraud attempts to steal from consumers and eCommerce merchants rose 282% between Q2 2019 to Q2 2020, according to recent research. ATO attempts should be on the radar of CISOs as a top potential business and compliance risk for 2021. Recovering from a successful ATO attack can cost a business millions of dollars in hard costs (repaying customers, chargebacks) and soft costs (brand damage, time spent on remediation and customer support). As an area of rapid growth, ATOs are also on the forefront of a revolution of professionalized cybercrime. Cybercriminals today are more sophisticated, relying on specialized tools to mount attacks that are larger and more persistent, yet harder to detect. This article provides a guide for CISOs and other security leaders to stop ATOs through a combination of better application of technology and a better understanding of the latest tactics cybercriminals use.

What is an ATO attack?

Account takeover (ATO) is an attack in which cybercriminals take over online accounts using stolen usernames and passwords, leading to online identity theft. Typically, criminals purchase a list of credentials on the dark web. Most people reuse username and password combinations multiple times for different accounts. So once attackers have a combination that works on one site, they then go and try to use the same password and username combination on other popular sites in hopes of finding an account owned by the same person. With billions of personal records leaked during data breaches in the past decade, the dark web is awash in username and password combinations. Combinations that are validated can be worth $20 or higher on the dark web. Cybercriminals also use brute force methods to guess passwords that match known email addresses. This type of attack has lower success rates but can do more damage to your application infrastructure, by overwhelming your application with a flood of bad traffic. ATOs can cause a lot of harm to your business. They can cost a business millions of dollars in chargebacks or lost merchandise and negatively impact your customers. This may damage your brand reputation and potentially make your business a target for negative media coverage.

How Do You Spot An ATO?

The first and most critical step is knowing how to spot an ATO attack. Your security and revenue teams should watch for the following signs as potential indicators that an attack is either underway or has already succeeded in taking over your customers’ accounts.

  • Unusually high numbers of chargeback requests: This can indicate someone is buying with an unauthorized account. The chargeback fees can add up.
  • Hundreds or thousands of login attempts on accounts: This can indicate that a brute-force attack is taking or has taken place. Brute force attacks are used to guess the passwords for a large set of known usernames or email addresses.
  • Inhuman user behaviors: Sophisticated ATO attacks use bots to navigate login pages or perform actions like purchasing merchandise. Bots scroll sites more quickly and precisely than humans do.
  • Spikes in password reset requests: After fraudsters take over an account, they immediately change the password.
  • Spikes in shipping address changes: This can indicate an account takeover accompanied by shipping fraud, where criminals use drop shippers or mules to forward illegal purchases.
  • Spikes in average purchase item price: Criminals often buy expensive items to make more money with fewer purchases and reduce risk.
  • Multiple, rapid fire changes to accounts: This is a big red flag. Users rarely need to change their payment info, address and password at the same time.
  • Spikes in reward points activities: Fraudsters either redeem bonuses for merchandise or services, drain them to sell on the dark web or add them to their own accounts.
  • Odd IP behaviors: If you see an increase in IPs associated with multiple devices, multiple accounts, or pointing into untraceable ranges (like you might see with a TOR client), this can indicate a fraudster making an ATO attack by manipulating IPs.
  • Slow application response time: Some ATOs unleash large numbers of requests – enough to overwhelm your application and even your CDN.

These are all the basic warning signs. That said, more sophisticated ATO attackers can better hide their actions. These attacks rarely display the signs listed above. Called “low-and-slow” attacks, these attacks are designed to spread more broadly across IP addresses and to limit attempts per second to a threshold, to avoid tripping volumetric limits or trigger alerts. Low-and-slow attacks often leverage botnets piggybacked on real browsers that are compromised by malware, but associated with legitimate IP addresses and human users. Low-and-slow attacks show up at the 10,000-foot level in log files – by the time they are noticed, the attack has been going on for some time.

How Do You Stop ATO Attacks?

The good news is that there are a number of steps that you can take to spot and block ATO attacks. Let’s break them down into a few areas.

Recognize You Are At Risk

First, it’s important to recognize that if you have anything of value passing through your  applications — money, personal information, loyalty points, stocks and bonds — you are a target for these attacks. Cybercriminal groups use automated tools to identify targets to attack. Just like Google crawls everything, ATO attackers can find everything that is on the public Internet (and many private or hidden APIs, as well).

Deploy Firewalls (WAFs or ADCs)

Firewalls are commonly used to protect applications. Firewalls will enable you to both block incoming traffic on specific ports and also likely allow you to add signatures for specific types of attacks or exploits. Putting a Web Application Firewall (WAF) in front of your application is table stakes. Oftentimes, WAFs are included in Application Delivery Controllers (ADCs). All major cloud providers offer WAFs and ADCs as a service.

Threat Intelligence Platform and Subscription

Using a firewall alone is not enough. Because attacks are so dynamic and tactics and techniques are constantly morphing, it is critical to have an active feed of threat intelligence information. This will help your team keep up with the latest research on attacks. Higher-end threat intelligence platforms have automated feeds or policy engines that tune firewall rules to block ATO attacks.

Volumetric Traffic Detection and Analysis

Traffic and usage anomalies signal ATO attacks. Your threat intelligence or analysis team can analyze hourly traffic patterns to login pages to identify usage spikes or anomalous patterns. If usage increases during what are normally off-hours, this could be a signal indicating an ATO attack. Likewise, abrupt changes in purchasing behavior, movement of loyalty points, or mass password resets all are triggers that should kick off deeper forensics and stricter challenges for questionable queries and users.

Machine-Learning Pattern Recognition and Behavioral Analysis

The most sophisticated level of defense is to deploy machine learning systems to closely study all user behaviors and compare bot behaviors with those of legitimate users. This approach spots small anomalies in user patterns including on page behavior, network signature and client and browser versions, to name a few. By studying hundreds of variables, machine learning systems can identify even the most sophisticated attacks which would be invisible to human inspection. The ideal system will use machine learning as a constant feedback and learning tool, continuously updating a dataset of attack patterns, based on hundreds of billions of interactions with web, mobile applications and APIs. Ideally, you want these systems to easily integrate with any part of your stack (CDN, web server, middleware) and to function out-of-band, so as not to impact application performance. When a query registers a high confidence value as an automated ATO bot attack, the system can redirect the user to a human challenge to validate identity.

Conclusion: Every CISO Can Stop ATO

ATOs are one of the fastest growing threats facing retailers, especially for companies that collect, store and process customer information. ATOs present a big risk to the business, one that can cost millions of dollars, force unpleasant public disclosures, damage a brand and upset investors. It’s important that CISOs understand the impact from ATOs and stay proactive in protecting their web and mobile applications. Following this guide will provide a solid start to prevent ATOs, allowing you to safeguard your revenues, customer PII and your brand reputation.

eCommerce Campaign Series: eComm Pinnacle
The digital sales environment is of critical and increasing importance to the retail, hospitality, and travel industry. To support RH-ISAC Member’s interests in reaching their pinnacle in the security, efficiency, and customer privacy of their digital retail environment, the RH-ISAC, PerimeterX, Payment Card Industry Security Standards Council (PCI SSC), Tala Security, The Media Trust, and SecurityScorecard are partnering together in an eCommerce campaign called eComm Pinnacle. Each partner will host a session between March and July of 2021, with an RH-ISAC Member, to explore and outline how organizations can reach the pinnacle in their eCommerce environments in 2021. RH-ISAC will end the series with a capstone event to highlight the top concerns identified for those within retail, hospitality, and travel and enable them to evaluate their organizations against them and to improve their eCommerce game. 

This series is open to those within the retail, hospitality, and travel sector that are looking to increase eCommerce efficiency, security, and overall compliance. For more information about each session in this series, contact [email protected].

More Recent Blog Posts