Account Takeover & Login Fraud
Detect Account Compromise Attacks with Advanced Fraud Analytics
Threat actors ceaselessly pursue ways to breach, phish and trick their way into obtaining a customer's username and password. A successful account takeover means that an attacker has used a tactic such as credential stuffing or brute forcing to gain access to the victim's accounts: bank, e-commerce, healthcare and so on. Account takeovers occur in business settings as well. Attackers obtain and use the credentials of, for example, bank employees who have legitimate authority to initiate and approve payment transfers. To banking systems such as SWIFT, the transfer instructions look normal because, for all intents and purposes, they came from authorized user accounts. But they didn't. Account takeover fraud is menacing and widespread, affecting consumers and businesses alike. The common theme among these attacks is the absence or failure of measures that can detect an account takeover.
Gurucul Looks for Behavioral Indicators of Account Compromise
An advanced fraud analytics product with user and entity behavior analytics (UEBA) capabilities can detect such fraud and drive a response. For example, it might not seem possible to tell that the payment instructions above were not issued by the authorized employee, but this is where behavioral analytics come into play.
Behavioral analytics look at everything about a specific user identity: what network and application permissions the user holds, when and where the user typically performs work activities, which device the user commonly uses, and so on. While an attacker can obtain a user's login credentials, and with them the user's permissions and privileges, it is far harder to reproduce everything else about the user's behavior. An attacker working from stolen credentials typically will not be on the user's computer or IP address, keep the user's work schedule, or appear from the user's geolocation. Those deviations from the established baseline raise an alert. In the case of the illicit bank transfer, the bank could activate an immediate mitigation such as suspending the account's access to the payment transfer system.
Stopping malicious actors before an account takeover breach requires advanced fraud analytics capabilities including:
- Detection of suspicious or previously unseen web and mobile devices
- Identification of logins from high-risk or unusual locations and networks
- Identity reconnaissance (probing for valid account identifiers ahead of an attack)
- Unusual password resets and bursts of failed logins that indicate brute-force or credential-stuffing attempts
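The baseline-and-deviation logic the two paragraphs and list above describe, as an added example that is not Gurucul's code: it learns per-user baselines (devices, countries, networks, active hours) from successful logins, then scores a new login for an unseen device, an unusual country or network, off-hours activity, a burst of failed logins preceding success (brute force or credential stuffing) and a password reset followed by a never-seen device. The event fields, the /24 prefix used as a stand-in for ASN or ISP, the weights and the thresholds are all assumptions, and the sample events are constructed, not real logs.

```python
"""Behavioral baseline and login risk scoring over constructed sample events.

Added illustration; weights, thresholds and event fields are assumptions,
not Gurucul's models or data formats.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    ip: str
    country: str
    device_id: str
    success: bool
    action: str = "login"  # assumed event types: "login" or "password_reset"


@dataclass
class Baseline:
    """What 'normal' looks like for one identity, learned from successful logins."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    networks: set = field(default_factory=set)  # /24 prefixes stand in for ASN/ISP
    hours: set = field(default_factory=set)     # hours of day the user is usually active


def network_of(ip: str) -> str:
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baselines(history):
    baselines = defaultdict(Baseline)
    for e in history:
        if e.success and e.action == "login":
            b = baselines[e.user]
            b.devices.add(e.device_id)
            b.countries.add(e.country)
            b.networks.add(network_of(e.ip))
            b.hours.add(e.ts.hour)
    return baselines


# Illustrative weights (assumed); a real model would learn these.
WEIGHTS = {
    "unseen_device": 30,
    "unusual_country": 35,
    "unusual_network": 15,
    "off_hours": 10,
    "brute_force_burst": 40,
    "reset_then_new_device": 25,
}


def score_login(event, baseline, recent, window=timedelta(minutes=10), fail_threshold=5):
    """Score one successful login against the user's baseline and recent activity.

    `recent` holds the user's earlier events (failures, password resets) so that a
    burst of failed logins or a fresh reset preceding this login can be detected.
    Returns (risk score capped at 100, list of triggered indicators).
    """
    reasons = []
    if event.device_id not in baseline.devices:
        reasons.append("unseen_device")
    if event.country not in baseline.countries:
        reasons.append("unusual_country")
    if network_of(event.ip) not in baseline.networks:
        reasons.append("unusual_network")
    if event.ts.hour not in baseline.hours:
        reasons.append("off_hours")
    # Brute force / credential stuffing: many failures in the minutes before success.
    window_start = event.ts - window
    fails = [r for r in recent if r.user == event.user and r.action == "login"
             and not r.success and window_start <= r.ts < event.ts]
    if len(fails) >= fail_threshold:
        reasons.append("brute_force_burst")
    # Account recovery abuse: password reset within the last hour, then a new device.
    resets = [r for r in recent if r.user == event.user and r.action == "password_reset"
              and event.ts - timedelta(hours=1) <= r.ts < event.ts]
    if resets and event.device_id not in baseline.devices:
        reasons.append("reset_then_new_device")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def demo():
    """Constructed sample data (not real logs): a work week of normal logins, then three cases."""
    history = []
    for day in range(4, 9):  # Mon 4 Mar 2024 .. Fri 8 Mar 2024
        for hour in (9, 11, 14, 16):
            history.append(LoginEvent("alice", datetime(2024, 3, day, hour),
                                      f"10.20.30.{day + 40}", "US", "laptop-a1", True))
            history.append(LoginEvent("bob", datetime(2024, 3, day, hour),
                                      f"10.20.31.{day + 40}", "US", "desktop-b7", True))
    baselines = build_baselines(history)

    # 1. Benign: alice on her usual laptop, network and hour.
    normal = LoginEvent("alice", datetime(2024, 3, 8, 14, 5), "10.20.30.44", "US", "laptop-a1", True)
    # 2. Attack: six failures, then success from a new device, country and network at 03:12.
    fails = [LoginEvent("alice", datetime(2024, 3, 9, 3, m), "198.51.100.7", "RO", "android-x9", False)
             for m in range(2, 8)]
    attack = LoginEvent("alice", datetime(2024, 3, 9, 3, 12), "198.51.100.7", "RO", "android-x9", True)
    # 3. Recovery abuse: bob's password is reset, then a never-seen device logs in from his usual network.
    reset = LoginEvent("bob", datetime(2024, 3, 8, 11, 0), "10.20.31.41", "US", "desktop-b7", True,
                       action="password_reset")
    bob_login = LoginEvent("bob", datetime(2024, 3, 8, 11, 20), "10.20.31.41", "US", "tablet-new", True)

    return {
        "alice_normal": score_login(normal, baselines["alice"], []),
        "alice_attack": score_login(attack, baselines["alice"], fails),
        "bob_reset": score_login(bob_login, baselines["bob"], [reset]),
    }


if __name__ == "__main__":
    for name, (score, reasons) in demo().items():
        print(f"{name}: risk={score} reasons={reasons}")
```

The benign login scores 0, the brute-forced login from a new device, country, network and hour saturates the score, and the reset-then-new-device case lands in between; the reasons list is what an analyst (or an automated response in another system) would act on.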
Gurucul fraud detection measures are completely unobtrusive to workers performing their legitimate duties. Yet the speed and accuracy with which high-risk activity is identified, prioritized and alerted on can drive corrective or response actions in other systems based on the value of the risk score. Such actions can be automated to take place in real time or near real time; for example, a SWIFT funds transfer can be placed on hold until the alert details have been investigated.
In the consumer space, many people use the "login with Facebook" feature for easy access to a wide variety of applications. In this scenario, if a user's Facebook account is compromised, then every application that trusts that login is compromised as well. The attacker can log in to all of them as that user and take whatever actions they want. Gurucul would use compromised-account credential threat intelligence feeds to learn whether that user's account is at risk, and corroborate that information with real-time changes in login patterns: time of day, usage spikes, geolocation and so on.
Gurucul Fraud Analytics provides 1500+ out-of-the-box threat, fraud and behavior models to enable organizations to detect customer account compromise attacks. It also provides resident and real-time risk scores, based on historic and current behavior respectively. Organizations can use the risk scores generated by Fraud Analytics to enforce risk-based access control, such as elevating the authentication level by requiring out-of-band authentication for high-risk users as opposed to simple ID/password authentication for low-risk users.
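An added example, not Gurucul's code or feed format, covering the two preceding paragraphs: a compromised-account feed lookup, corroboration with the live login-pattern changes listed above, and a risk-based step-up decision. The feed is constructed and keyed by the first five hex characters of the hashed identity so the consumer can range-query by prefix and match the suffix locally without sending the full identity to the provider; the hashed-prefix lookup, the anomaly weights and the thresholds that separate password-only, out-of-band and hold are all assumptions.

```python
"""Compromised-credential feed lookup corroborated with live login anomalies,
feeding a risk-based step-up authentication policy.

Added illustration; the feed format, hashed-prefix lookup, weights and
thresholds are assumptions, not Gurucul's feeds or scoring.
"""
import hashlib


def identity_hash(identity: str) -> str:
    """Normalize an account identifier (email/username) and hash it."""
    return hashlib.sha1(identity.strip().lower().encode("utf-8")).hexdigest()


def build_feed(breached_identities):
    """Constructed feed: 5-hex-char hash prefix -> set of remaining 35-char suffixes.

    Keyed by prefix so a consumer can range-query by prefix alone and match the
    suffix locally, never sending the full identity or its full hash to the provider.
    """
    feed = {}
    for ident in breached_identities:
        h = identity_hash(ident)
        feed.setdefault(h[:5], set()).add(h[5:])
    return feed


def range_query(feed, prefix):
    """Stand-in for the feed provider's API: every suffix stored under a prefix."""
    return feed.get(prefix, set())


def in_compromised_feed(identity, feed) -> bool:
    h = identity_hash(identity)
    return h[5:] in range_query(feed, h[:5])


# Assumed weights for the live pattern changes named on the page.
ANOMALY_WEIGHTS = {"time_of_day": 15, "usage_spike": 20, "geolocation": 30}
FEED_HIT_WEIGHT = 40  # a known-breached identity alone is enough to step up authentication


def assess(identity, feed, anomalies):
    """Combine the feed hit with live anomalies and pick an authentication level.

    Assumed policy: a feed hit alone forces out-of-band authentication (the list may be
    stale, so it is not treated as proof); a hit corroborated by any live anomaly is
    treated as a probable takeover and the session is held for investigation.
    """
    feed_hit = in_compromised_feed(identity, feed)
    score = sum(ANOMALY_WEIGHTS[a] for a in anomalies)
    if feed_hit:
        score += FEED_HIT_WEIGHT
        if anomalies:
            score = max(score, 80)  # corroborated: at least the 'hold' threshold
    score = min(100, score)
    if score >= 80:
        action = "hold_and_investigate"
    elif score >= 40:
        action = "out_of_band_auth"  # step up from password to an OOB factor
    else:
        action = "password_only"
    return {"feed_hit": feed_hit, "score": score, "action": action}


def demo():
    """Constructed breached list and four login situations (not real data)."""
    feed = build_feed(["Alice@Example.com", "dave@example.net"])
    return {
        "clean_quiet": assess("carol@example.com", feed, []),
        "clean_moved": assess("carol@example.com", feed, ["geolocation", "time_of_day"]),
        "breached_quiet": assess("alice@example.com", feed, []),
        "breached_tod": assess("alice@example.com", feed, ["time_of_day"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the same small anomaly (an off-hours login) yields a step-up for an identity absent from the feed but a hold for one present in it; that is the corroboration the text describes, with the feed hit raising the bar rather than triggering action on its own.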