Bot mitigation could be the answer to your ATO worries

Like most kids, my son has the Fortnite bug and is immersed in the incredibly popular platform game from Epic Games. Fortnite has been an immensely successful product, becoming the most revenue-driving game in history — Epic has made close to $4 billion from the game already. Its success has been largely driven by in-app purchases of everything from character clothing to accessories and add-ons. 

While my son is not playing at a level that will earn him a $3M prize, his Epic account is still valuable nonetheless. It contains items he has purchased and also gained through gameplay. The value associated with these virtual items has made accounts like my son’s an attractive target to criminals.

What is account takeover (ATO)?

Account takeover (ATO) attacks are a form of identity theft where criminals attempt to gain access to an online account in order to make fraudulent purchases or commit other types of malicious activities. In the past, cybercriminals used to mainly focus their efforts around bank accounts, but as online accounts for eCommerce, social media, gaming, and other basic daily activities are increasingly instrumental to everything we do — attackers are broadening their scope to include a range of targets that are extremely lucrative. 

In fact, research estimates that 40 percent of all account access attempts online are now high risk and losses from fraudulent online transactions are expected to reach $25.6 billion by 2020.

How do attackers take over accounts?

The earliest iterations of account takeover attacks were carried out manually — an attacker would obtain a username and password combination, often through social engineering or phishing, and then use those credentials to access an account. These first attacks involved very little automation; where it was used at all, it was mostly to perform numerous logins with common credential combinations.

But today, modern ATO attacks are very different — attackers now leverage massive password lists stolen from other website breaches and employ advanced bad bots to try these stolen credentials against a website in credential stuffing attempts. Unfortunately, over 50 percent of people reuse the same credentials across multiple accounts, making it easier to yield significant profits when using automated attack techniques against many different sites.

To counter account takeover attacks, organizations have turned to technologies like CAPTCHAs, which often test for anomalies. However, it’s easy to circumvent a CAPTCHA using botnets to send traffic and attempts from many different machines and sources — making them almost indistinguishable from real human traffic. 
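The two shapes described above, one source trying many stolen credentials and one account hit from many sources, both show up in ordinary login logs. The following Python detector is an added illustration, not code from the original post or from any vendor product; the IPs, usernames and thresholds are constructed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real traffic): timestamp, source IP, username, outcome.
SAMPLE_EVENTS = [
    ("2019-06-01T10:00:00", "203.0.113.5", "alice", "fail"),   # one IP, many accounts
    ("2019-06-01T10:00:01", "203.0.113.5", "bob", "fail"),
    ("2019-06-01T10:00:02", "203.0.113.5", "carol", "fail"),
    ("2019-06-01T10:00:03", "203.0.113.5", "dave", "success"),
    ("2019-06-01T10:05:00", "198.51.100.1", "erin", "fail"),   # many IPs, one account
    ("2019-06-01T10:05:10", "198.51.100.2", "erin", "fail"),
    ("2019-06-01T10:05:20", "198.51.100.3", "erin", "fail"),
    ("2019-06-01T10:10:00", "192.0.2.9", "frank", "fail"),     # benign typo, then success
    ("2019-06-01T10:10:05", "192.0.2.9", "frank", "success"),
]


def _windows(rows, window):
    """Yield the events that fall within `window` of each event, in time order."""
    rows = sorted(rows, key=lambda r: r[0])
    for i, row in enumerate(rows):
        yield [r for r in rows[i:] if r[0] - row[0] <= window]


def detect_credential_stuffing(events, window=timedelta(minutes=2),
                               min_users=3, min_fail_rate=0.6, min_sources=3):
    """Return (suspicious_sources, targeted_accounts) found in the events.

    Source pattern: one source tries >= min_users accounts and mostly fails.
    Account pattern: failures for one account arrive from >= min_sources
    sources, the distributed shape that per-IP limits and CAPTCHAs miss.
    """
    by_source, by_user = defaultdict(list), defaultdict(list)
    for ts, src, user, outcome in events:
        row = (datetime.fromisoformat(ts), src, user, outcome == "fail")
        by_source[src].append(row)
        by_user[user].append(row)

    suspicious_sources, targeted_accounts = set(), set()
    for src, rows in by_source.items():
        for win in _windows(rows, window):
            fail_rate = sum(r[3] for r in win) / len(win)
            if len({r[2] for r in win}) >= min_users and fail_rate >= min_fail_rate:
                suspicious_sources.add(src)
                break
    for user, rows in by_user.items():
        for win in _windows(rows, window):
            if len({r[1] for r in win if r[3]}) >= min_sources:
                targeted_accounts.add(user)
                break
    return sorted(suspicious_sources), sorted(targeted_accounts)
```

On the sample above it flags 203.0.113.5 as a stuffing source and erin as a distributed target, while frank's single mistyped password is left alone.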

Some organizations have implemented other security measures like two-factor authentication (2FA) — Epic Games introduced 2FA as a way to protect user accounts and went a step further by rewarding users with virtual items if they enabled it. Unfortunately, this solution still falls short of fully preventing account takeover.

Not only does 2FA itself have vulnerabilities that can allow interception of codes or passwords, but many people find it hinders their overall user experience. That’s why only 28 percent of Internet users have 2FA enabled for their personal accounts.  

Bot mitigation prevents ATO attacks

The ongoing wave of consumer data breaches ranging from personal insurance to online retailers to travel companies has given criminals a strong supply of credentials to exploit. Organizations have an obligation to protect their customers from themselves — especially now that businesses could end up shouldering hefty fines for failing to keep consumer data safe. 

So, what can businesses do to protect their web apps — and their customers? 

Of course, it is recommended to implement stringent security measures like always-on 2FA, but businesses should also consider alternate protections such as a bot mitigation solution. Account takeover attacks generally utilize sophisticated bots to automate large-scale login attempts — bots are capable of performing upwards of 100 attacks per second.

Bot mitigation solutions, specifically those aimed at detecting sophisticated bots, are able to prevent automated ATO attacks by blocking all bot traffic. Instart Bot Management offers industry-leading protection against bot activity with technology that collects signals across both the client and server to validate users and their browsers to ensure they are human. By providing strong protection against sophisticated bots and credential stuffing, you will greatly decrease the possibility of account takeover.