Account takeover attacks (ATOs) are an important vector to consider as you evolve your security strategy. When bad actors take over your legitimate user accounts, they’re able to steal customer data, commit fraud, and gain a wider attack surface within your application. To help companies better understand and protect against ATOs, we’ve put together a new ATO whitepaper.
This nine-page whitepaper, “Preventing ATOs: How to Identify and Defend Against Account Takeover Attacks”, provides an overview of ATOs, the tactics that attackers use to take over accounts, and how you can better protect against ATOs. It also gives a real-life example of how Sqreen has protected itself against ATOs in the past. If your web applications have user accounts that hold privileged information or have a wider set of permissions than non-authenticated users, this is a good whitepaper for you.
You can download the whitepaper here. To better determine if this is of interest to you, here’s a section of the whitepaper for you to check out:
Whitepaper snippet: Best practices for protecting against ATO attacks
To protect against ATO attacks, there are several best practices that are worth implementing if you’re able. Paying attention to the following areas and taking steps to enhance them will set you up well for ATO protection.
Apply strong user authentication
Making sure that your user authentication is strong will go a long way to limiting ATO attacks. One of the premier methods is two-factor authentication (2FA). If you’re able to implement strong and widely adopted 2FA measures for your platform, you will be able to dramatically cut down on successful ATO attacks. However, 2FA isn’t always feasible or possible to implement. In that case, there are additional options.
Some proactive approaches can also help reduce the likelihood of attacks. The first one is to ensure that your users have a strong and unique password:
- Encourage your users to use strong passwords. No need to go overboard and sacrifice your UI, but requiring at least 8 letters and either a digit or mixed case is already helpful
- UI hints: evaluate your user’s password strength using tools like Dropbox’s zxcvbn
- Make sure your website works with popular password managers
- Integrate with third-party identity providers, such as Google, Apple, and GitHub
- Integrate with https://haveibeenpwned.com/ to check if your users’ passwords have already been compromised. If they have been, you should lock their account and ask them to change their password
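One way to wire in the haveibeenpwned check from the last item, using the Pwned Passwords range API so that only the first five characters of the password's SHA-1 hash leave your server. This is an added example, not code from the whitepaper or from Sqreen; `fake_range`, `CONSTRUCTED_CORPUS`, its counts and `check_at_login` are constructed so the block runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint

def split_hash(password):
    """SHA-1 the password; only the 5-char prefix is ever sent out."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live lookup. Add-Padding requests a padded response to hide its size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "ato-example"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padding entries carry a count of 0
    return 0

# Constructed offline stand-in for the API (assumption: made-up counts).
SEEN_PREFIXES = []
CONSTRUCTED_CORPUS = {"password": 1234, "letmein": 56}

def fake_range(prefix):
    SEEN_PREFIXES.append(prefix)  # record what would have left the server
    lines = ["0" * 35 + ":0"]     # constructed padding entry
    for pw, n in CONSTRUCTED_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)

def check_at_login(password, fetch=fake_range):
    """Policy from the list above: a hit means lock and force a change."""
    return "lock_and_reset" if breach_count(password, fetch) > 0 else "ok"
```

In production, pass `fetch_range` instead of the stub, and decide whether a lookup failure should block the login or let it through.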
Watch for suspicious signals of ATOs
Increasing your sensitivity to ATO behaviors will make it as hard as possible for the attackers. Consider doing the following:
- Apply rate limiting on your login page
- Require a CAPTCHA on the login page if you detect too many failed logins
- Track connections from unusual countries and lock your user’s session until they confirm they are at the origin of the connection – otherwise reset their password
Learn more
If this seems like a relevant topic to you, you can download the whitepaper here: https://www.sqreen.com/resources/preventing-atos. We hope it’s useful for you as you consider the best ways to secure your applications!