As a security owner, you need to protect your users against a wide variety of attacks. Many engineers spend a great deal of time focusing on big-picture attacks. They want to answer questions like whether someone has compromised millions of rows in your database, or whether malicious actors have root access to your servers.
To your users, smaller-picture threats are just as dangerous. It doesn’t matter to them if someone compromises every account in your database, or if just their own account is compromised. Both of those situations are equally bad to that user.
Attacks that allow a malicious actor to take over an account are called account takeover (ATO) attacks. Because ATO attacks are so damaging to customers, learning how they happen and how to protect against them is critical to keeping your customers’ trust. As an engineer, you’re not going to be able to protect every customer. Sometimes, customers will do silly things like keep their account credentials written on a Post-it note attached to their monitor. But you can make sure that your system is secure against the most common ATO attacks.
Why are ATO attacks particularly dangerous?
For both your company and your customers, ATO attacks are particularly dangerous. This is because once someone has managed to convince you that they’re a legitimate user, none of your other security safeguards can protect your system. Everything else in your system—your logging, your security controls, your permission system—treats the logged-in person as a legitimate user. This opens up a wider range of permissions for this actor inside your application. Once someone has taken over an account, detecting their malicious behavior and correcting it becomes exponentially harder.
What are the most common avenues for ATO attacks?
A credential stuffing attack is a subset of a brute-force ATO attack. Usually, a credential stuffing attack starts with an attacker using a list of common passwords and potentially a list of email addresses or common usernames. The attacker then starts stuffing pairs of usernames and passwords into the login system for a particular website. It could be an online retailer or social media site that the attacker is targeting—the specifics don’t matter. Attackers here aren’t looking to gain access to any specific account; they’re just trying to find combinations of usernames and passwords that work together.
Once an attacker has that data, they log into the account and drain it of any value. For a social network, that first login might be a stepping-stone to other account compromises. For an online retailer, they could be looking to extract credit card information or make fraudulent purchases. One thing that can make a successful credential stuffing attack more dangerous is that many people reuse usernames and passwords on different websites.
The credential stuffing attack works as a variation on brute-force because many security systems don’t detect it. Lots of applications will lock users out of logging in if they enter an incorrect password multiple times in a row. However, those same apps will rarely detect when a particular client has attempted logins with many different usernames. Credential stuffing provides a way to circumvent common security systems while still looking to gain access to accounts.
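The detection gap described above, as an added example that is not part of the original post: the usual per-account lockout rule run beside a per-client rule over a few constructed log lines. The log format, thresholds and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one client cycles through
# many usernames, failing only once per username.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:01Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=erin result=success
2024-05-01T10:00:05Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:30Z ip=198.51.100.2 user=alice result=fail
2024-05-01T10:00:31Z ip=198.51.100.2 user=alice result=success
"""

LINE_RE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")

def parse(log_text):
    """Turn the hypothetical log format above into (time, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def per_user_lockouts(events, max_failures=3):
    """Per-account rule: lock a username after N consecutive failures. Never fires here."""
    streak = defaultdict(int)
    locked = set()
    for _, _, user, result in events:
        streak[user] = streak[user] + 1 if result == "fail" else 0
        if streak[user] >= max_failures:
            locked.add(user)
    return locked

def stuffing_sources(events, window=timedelta(minutes=5), max_distinct_users=4):
    """Per-client rule: flag an IP that tries more than N distinct usernames in one window."""
    attempts = defaultdict(list)  # ip -> [(time, user)]
    flagged = set()
    for ts, ip, user, _ in events:
        attempts[ip].append((ts, user))
        recent = {u for t, u in attempts[ip] if ts - t <= window}
        if len(recent) > max_distinct_users:
            flagged.add(ip)
    return flagged
```

The per-account rule sees at most two failures for any one username and stays silent; the per-client rule flags the first IP after its fifth distinct username.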
A brute-force attack is similar in structure to a credential stuffing attack. The attacker attempts a variety of passwords for a specific username in an attempt to find valid login credentials. A brute-force attack differs from a credential stuffing attack because usually in a brute-force attack, the attackers are attempting to compromise one specific account. Usually, brute-force attacks are attempted against particularly valuable accounts, like administrator accounts. In the context of websites like social media services, brute-force attacks are most commonly levied at the accounts of celebrities or public figures. It’s much more likely that someone would try to compromise Bradley Cooper’s Twitter account than mine, for example.
As we talked about before, many web apps have systems in place specifically to prevent brute-force attacks. These sites lock out attempts after a series of unsuccessful login attempts. Savvy attackers will understand how these security measures work and seek to avoid them. The best security systems will make doing so difficult or nearly impossible. If your business has high-profile customers or particularly valuable accounts, you should know how to protect against brute-force attacks.
A dictionary attack is another variation of a brute-force attack. Rather than trying every possible password, attackers precompute information about a variety of commonly used passwords. Those passwords are often based on dictionary words, which is where the attack gets its name. Attackers are then able to check a wide variety of dictionary words against stored passwords very quickly.
Rather than being used to try logins against an account directly, dictionary attacks are often used when an attacker has obtained a user’s hashed password. In those circumstances, attackers don’t need to try different combinations in a login form. Instead, they compare the stored hash against the hashes of all the passwords they’ve precomputed. Once they find a match in their precomputed tables, they can log in immediately.
An attack like this makes it possible for attackers to compromise hundreds of accounts in minutes. To execute it, they first need a dump of credentials from a company database. Unfortunately for you, that dump needn’t come from your company. Customers reuse credentials across websites. So, if attackers gain access to a user’s credentials from another company’s website, they might be able to take over the user’s account elsewhere.
To protect against attacks like this, many websites create rules about what makes a valid password. They require things like capital letters, numbers, and special characters. While those rules offer some protection, attackers are more sophisticated today than ever: modern computing power makes it cheap to compute the hashes of millions of candidate passwords. Another way to combat an attack like this is to recognize logins from new computers or locations. When that happens, many sites will require the user to verify their identity via text message or email.
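As an added example (not the author’s code), the weak storage scheme a precomputed table exploits beside its hardened form: an unsalted fast hash falls to a single lookup, while a random per-user salt and a slow key derivation function make the same table useless. The table contents, salt length and PBKDF2 round count are constructed or assumed values.

```python
import hashlib
import hmac
import os

def unsalted_hex(password):
    """Fast, unsalted hash: the weak storage scheme precomputed tables exploit."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample "precomputed table" of three common passwords; a real
# attacker table holds millions of entries, built once and reused everywhere.
COMMON_PASSWORDS = ["password", "123456", "letmein"]
UNSALTED_TABLE = {unsalted_hex(p): p for p in COMMON_PASSWORDS}

def recover_unsalted(stored_hex):
    """A leaked unsalted hash is recovered with one dictionary lookup."""
    return UNSALTED_TABLE.get(stored_hex)

# Hardened storage: random per-user salt plus a deliberately slow KDF
# (PBKDF2-HMAC-SHA256; the round count is an assumed value).
PBKDF2_ROUNDS = 200_000

def store_password(password, salt=None):
    """Return 'salthex$digesthex'; a fresh salt means equal passwords differ on disk."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def recover_salted(record):
    """The same table finds nothing: the digest depends on a salt the table
    was never built with, so every user would need their own table."""
    return UNSALTED_TABLE.get(record.split("$", 1)[1])
```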
Some of the most damaging and difficult-to-detect attacks are phishing attacks. This is when someone poses as your business and convinces a customer to give up sensitive information to someone who’s not you.
Phishing attacks rely on attackers abusing the trust your customers have in your business. It’s much more difficult to protect against them technically, because your users usually aren’t even in your environment when they give up this information. Instead, the best way to prevent phishing attacks is through customer education. Make sure that legitimate emails never ask for things like a user’s password. Make sure that you’re using legitimate SSL certificates on your website, so that users can recognize when they’re visiting your website. Much like with dictionary attacks, you can detect when a user logs in from a new location or an unrecognized computer. When you detect that, require the user to verify their identity.
Always keep studying
If you’ve taken on responsibility for security, you’re in for a never-ending job. Attackers are always seeking new ways to compromise customer accounts. You need to be constantly learning about new attacks—and new ways to counter them. Your customers rely on you to make sure that the systems they use for their daily life are as secure as possible.
The only way to do that is to make sure that you’re constantly learning. The good news is that there’s a lot of sophisticated software and tools that can help you detect when your information has been compromised or when malicious actors are after your systems. Application security management tools that integrate into your company’s software help your team detect threats as they’re happening, even if the attackers are using novel approaches.
This post was written by Eric Boersma. Eric is a software developer and development manager who’s done everything from IT security in pharmaceuticals to writing intelligence software for the US government to building international development teams for non-profits. He loves to talk about the things he’s learned along the way, and he enjoys listening to and learning from others as well.