There are billions of stolen credentials circulating on forums and the dark web, and credential stuffing attack exploits a very common mistake of using the same password for all our accounts. As with credential cracking, cybercriminals typically use malicious bots to perform credential stuffing attacks, attempting the stolen credential in thousands of websites simultaneously.
Social engineering.
In this type of attack, the cybercriminal spends time researching the victim, for example by monitoring social media activities, lurking forums, and databases, etc. to look for personally identifiable information (PII) and sensitive information that can be used to guess your credential like full name, date of birth, name of spouse, etc.
Phishing.
In phishing attacks the cybercriminal contacts potential victims (i.e. via email or social media), attempting to scam the user to reveal their sensitive information or even their credentials. The attacker, for example, may attempt to impersonate the victim’s boss or HR manager (with a seemingly legit email address) and ask for the victim’s password for their company email.
As we can see, different approaches may be required to prevent these different types of account takeover attacks, which we will discuss below.
Preventing Account Takeover Attacks.
1. Managing Malicious Bot Activities.
Since most account takeover (ATO) attacks, as discussed above, are performed with the help of malicious bots, we can effectively prevent these attacks by managing these bots’ activities.
So, isn’t simply blocking all these bots the best approach?
Unfortunately, the answer is no.
In fact, if you block a malicious bot right away, the attacker might be able to use the information you’ve provided them as you block the traffic (i.e. error message) to modify the bots. The attacker can also send different versions of bots (A/B test) to test why you are blocking the bot and attempt to find vulnerabilities.
So, a solution that can properly manage these bots is required. Since many malicious bots are now using AI technologies to impersonate humanlike patterns and rotate between hundreds of user agents/IP addresses, we also need an account takeover detection software by DataDome that can use behavioral analysis to detect and manage malicious bots in real-time with an autopilot approach.
2. Use Stronger and Unique Password.
A basic but very important method to prevent account takeover is to strengthen your password and to use a unique password for each different account.
Your password should be at least 10 characters long and uses a combination of uppercase, lowercase, symbols, numbers, as well as spaces when possible. Nowadays, we can use various password manager tools to help generate and ‘remember’ complex and unique passwords, so there’s simply no excuse not to use strong and unique passwords.
3. Two Factor Authentication (2FA).
2FA is an additional layer of security in case your credential is stolen, and essentially it’s about asking for a second factor besides your password before you can access your account. This second factor can be:
- Something you are: your face ID, retinal/iris scan, fingerprint, etc.
- Something you know: additional PIN, second password, etc.
- Something you have: USB key/dongle, a device to pair with, etc.
2FA is very effective protection in preventing especially credential stuffing attacks.
Conclusion.
While there isn’t a single one-size-fits-all approach to stop cybercriminals from attempting account takeover attacks on your account, the three best practices we’ve shared above can be very effective in protecting your accounts.
Most ATO attacks involve the use of malicious bots. So, using DataDome to effectively detect and manage these bot activities can be the most effective solution in preventing account takeover attempts.
