March 19, 2020
Identity theft has many faces, and account takeover (ATO) is one of the fastest-growing digital threats to consumers and businesses. In an ATO fraud attack, an individual with malicious intent attempts to gain unauthorized access to any type of genuine account where monetary value or personally identifiable information (PII) is stored. Criminals can then use the value immediately, resell the PII, or use it to unlock more accounts.
Brute Force Attacks vs. Typical ATO Protection
One of the techniques used to attempt ATO is called a brute force attack. In this type of fraud attempt, a systematic process submits hundreds – sometimes thousands – of passwords or passphrases with a single user ID until the correct combination unlocks the account.
Today, almost all brute force attacks are performed by botnets or bots. A botnet, a combination of the words “robot” and “network,” is a string of internet-connected devices that are coded to steal data and compromise other computers and systems. Bots can be programmed with lists of credentials obtained via security breaches and sold on the dark web.
To prevent this type of attack, many solutions on the market today use “blunt” techniques to stop account takeovers, which means they immediately block suspicious logins. However, this approach is not always the optimal solution. When a good customer is denied access to an account, or has to pass additional layers of friction to confirm their identity, the resulting frustration can harm the brand. Treating legitimate activity as fraud can also reduce revenue and result in the loss of a returning customer.
How an Adaptive ATO Solution Upgrades Protection
An adaptive fraud prevention approach is one significant way businesses can help reduce the amount of friction delivered to customers while preventing malicious takeover attempts. Kount Control – Account Takeover Protection evaluates user behavior, device, and network anomalies to detect high-risk activity posed by bots, credential stuffing, and brute force attacks.
With an adaptive fraud protection solution, businesses can evaluate the level of identity trust behind a login. Kount Control has the ability to identify returning customers even if they are logging in from a new location or a new device. Rather than instantly blocking their access, businesses can give their customers an appropriate login response, such as step-up authentication or a frictionless experience.
In order to determine the level of identity trust for customer logins and prevent ATO, an effective fraud prevention solution must do more than simply block access.
Avoiding Blunt Tools: 3 Criteria for Effective ATO Protection:
- The solution must be able to detect and stop several threat vectors around login and account takeover. Attackers exploit password weakness by using multiple techniques and automated tools, such as bots, credential stuffing, password spraying, and brute force attacks. Being able to quickly analyze trust and risk signals, including user behavior, device and network information, and account intelligence, allows malicious activity to be blocked or trigger step-up authentication (an additional level of identity verification).
- Businesses need a flexible solution in order to protect the customer experience. Simply blocking access based on suspicious activity is not optimal and can lead to customer insults. For example, the exclusive use of blunt tools can cause a number of false positives. With this approach, a false positive may block a legitimate customer who logs in from a new device or a new location. Denying that transaction results in loss of revenue for the digital business.
- Businesses need to be able to customize experiences and protection levels for different types of customers. Some customers, like VIP users, may be easy to recognize but require additional authentication to protect the value in their accounts. Other customers, such as new or trial users, may need a seamless experience so that they enjoy a positive and smooth journey that results in increased spending and loyalty to your brand.
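The contrast between a blunt rule and an adaptive response described in the criteria above, as an added Python example. It is not Kount Control's logic or code from this page; the login events, thresholds, and function names are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed login events: (user, source_ip, device_id, password_ok)
EVENTS = (
    [("alice", "203.0.113.9", "dev-x", False)] * 40    # brute force: one user ID, many passwords
    + [(f"user{i}", "198.51.100.7", "dev-y", False) for i in range(30)]  # many user IDs, one source
    + [("carol", "192.0.2.44", "carol-new-laptop", True)]  # good customer, new device
    + [("dave", "192.0.2.80", "dave-phone", True)]          # good customer, known device
)
KNOWN_DEVICES = {"carol": {"carol-phone"}, "dave": {"dave-phone"}}  # assumed account history
FAIL_LIMIT = 10  # assumed: failed logins tolerated per user ID
USER_LIMIT = 10  # assumed: distinct user IDs tolerated per source IP


def blunt(event):
    """Blunt tool: block every login that does not come from a known device."""
    user, _ip, device, _ok = event
    return "allow" if device in KNOWN_DEVICES.get(user, set()) else "block"


def adaptive(events):
    """Return one decision per event: block, retry, step_up or allow."""
    fails_per_user = defaultdict(int)
    users_per_ip = defaultdict(set)
    decisions = []
    for user, ip, device, ok in events:
        users_per_ip[ip].add(user)
        if not ok:
            fails_per_user[user] += 1
        if fails_per_user[user] >= FAIL_LIMIT or len(users_per_ip[ip]) >= USER_LIMIT:
            decisions.append("block")      # volume signals typical of automation
        elif not ok:
            decisions.append("retry")      # ordinary mistyped password
        elif device in KNOWN_DEVICES.get(user, set()):
            decisions.append("allow")      # frictionless for a recognised device
        else:
            decisions.append("step_up")    # new device: verify instead of blocking
    return decisions


def summary(events=EVENTS):
    """Count how many events received each adaptive decision."""
    return Counter(adaptive(events))


if __name__ == "__main__":
    print(summary())
    print("blunt verdict for carol:", blunt(EVENTS[-2]))
```

A production rule would also bound these counters by a time window and account for shared source addresses such as carrier NAT, where a per-IP limit can catch legitimate users.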
How Kount Control Provides Adaptive ATO Protection
To meet these three criteria, businesses need an accurate level of identity trust and a solution that makes accurate distinctions between necessary levels of friction.
Kount’s new solution, Kount Control – Account Takeover Protection, gives businesses the capability to customize user experiences and reduce friction. It does this by identifying and segmenting users based on common characteristics, such as VIP users or trial users. Kount Control provides a rich set of essential data for delivering adaptive friction with precision. This dataset includes user type, device specifics, IP risk, geolocation, custom data, and more.
Some customers are high risk, some are no-risk, and some customers might require a special experience. Based on rich data from Kount’s Identity Trust Global Network, businesses can decide what type of experience to deliver to their customers, from low friction to additional step-up authentication. They can adapt the experience for their good customers while protecting the value contained within their accounts.