Intuitive ATO Protection

Eliminating Password Reuse To Prevent Account Takeover Fraud

Account Takeover (ATO) fraud occurs when a hacker uses valid credentials to gain unauthorized access to someone else’s online account. These attacks happen in every industry and type of environment.

For internet-facing apps and sites, ATO puts the individual, your reputation and your business at risk. When ATO occurs, it leads to associated trust, reputation and financial damage. Dissatisfied consumers take their business elsewhere. If you are particularly unlucky, you end up with a PR or social media nightmare.

Increasing your security and/or fraud detection measures may help keep the bad guys out, but it may also interfere with legitimate consumers’ experience. And even after making these investments, you won’t have actually addressed the root cause of ATO.

Coming up with a practical solution to ATO requires understanding the problem.

Who can we blame for account takeover fraud?

Unlike other security vulnerabilities on your site, the primary cause of ATO comes from the poor security practices of your consumers themselves.

You’ve validated every new password to prevent obvious weak password choices, but many consumers will choose to use the same “strong” password they use on other sites.

The vast majority of the population readily admits to reusing passwords on multiple sites. As a result, with the endless series of data breaches, there are almost certainly valid credentials for your site floating around the Internet and Dark Web. They are available to anyone motivated to obtain them.

Cybercriminals take advantage of this fact to employ armies of automated, credential stuffing bots to identify the vulnerable accounts on your site. With a working username and password combination identified, they can access the account and wreak havoc.

Unfortunately, while consumer choices are usually the cause of ATO, the blame will usually be directed at the organization for not sufficiently protecting consumers from themselves.

What’s the best way to defend your organization against ATO vulnerability?

The simple solution to ATO protection is to PREVENT your consumers from using compromised credentials on your site.

This takes away the hacker’s ability to use stolen keys, closing an obvious gap.

PasswordPing allows you to identify when your consumers’ credentials have been compromised in a 3rd party data breach. This is done by comparing their current credentials against a continuously updated database of billons of exposed login credentials.

PasswordPing’s automated technologies and security analysts scour the Internet and Dark Web sources where cybercriminals find these exposed credentials. This data is carefully curated, secured and made available as a simple service to help determine which of your consumers’ credentials are at risk.

How can compromised credentials be completely eliminated from your environment?

PasswordPing offers a simple RESTful API that integrates into your existing systems. Credentials are typically checked for all new accounts and at password resets. For existing accounts and on-going protection, checks are done at each login.

When compromised credentials are detected, the workflow can be tailored in a way that is appropriate for your business and the particular use case.

For industries where the consequences of an account takeover are most severe, organizations typically block access until the credentials have been secured. The process of requesting a password reset can prevent a would-be attacker from ever getting into the account.

Alternately, some organizations prefer to balance ATO risk against disrupting a consumer transaction. In these environments, a more gradual approach can be taken to eliminate the use of compromised credentials. For example, an email can be sent to the consumer, notifying them that their account is at risk. An effective communication builds trust as the consumer realizes your interest in protecting their safety.

The end goal for either of these approaches, or whatever approach you take, is to eliminate the acceptance of compromised credentials on the site. This solution addresses the root cause of ATO.

Protecting consumers from themselves is the organization’s responsibility

The marketplace has a very reasonable expectation that organizations should be better protecting consumers against this type of risk.

Until now, the problem of password reuse and compromised credentials has seemed unsolvable. Most organizations repeatedly admonish consumers about password reuse in hopes of changing their behavior. They also look to other authentication methods, which have their own flaws and leave the password layer unprotected.

PasswordPing now makes it easy to eliminate the use of compromised credentials on your site. This eliminates password reuse threats and hardens your organization against ATO threats.

Learn more