
3 things anti-fraud tools need to do to effectively prevent account takeover

Many operators in the anti-fraud space are experts at flagging the fraud that stems from credit card chargebacks, fake account registration, and spam posting.

Unfortunately, their focus on individual user actions doesn’t address one of the fastest-growing forms of fraud, account takeover (ATO). ATO presents a fundamentally different problem than traditional fraud, which means it requires a different model to prevent.

Namely, ATO prevention is closer to a security model: it requires a complete understanding of your user behavior funnel, an adaptive model built on end-user feedback, and the use of external, holistic threat patterns.

1. Detect any and all anomalous user behavior

In ATO, it’s not clear what attackers will do once they’ve breached an account. They might capture personally identifiable information (PII), change profile details, transfer money, or simply lurk and learn. So while key events, like login and payment, are telling, it’s often the behavior that happens between these events that is more interesting. And for some users, it may be the absence of these events that is in fact suspicious.

In that way, ATOs don’t follow patterns the way common fraud schemes do, so applying anti-fraud techniques to ATO ends up harming users with scores of false positives. Or, worse still, it means fraud tools only become aware that an ATO has happened when an end user dealing with the aftermath notifies them.

Making the distinction between a true user and an imposter therefore requires actually understanding user behavior. To prevent ATO, you invariably need to monitor the entire customer funnel.

Ultimately, you need much more data to prevent account takeover than you do to fight fraud. But anti-fraud tools aren’t meant for this kind of tracking, and aren’t fine-grained enough to properly distinguish suspicious behavior from malicious activity. Nor are they designed to handle all of the data required to really prevent ATOs.

That’s why so many anti-fraud tools create false positives when they’re applied to ATO scenarios. Anti-fraud tools aren’t focused on understanding individual user behavior. (Which makes sense, because to fight fraud, they don’t need to.)

2. Harness the power of crowd behavior

To be truly effective at preventing ATO, it’s essential to gain insights not only across the entire lifecycle of an account, but also across the entire ecosystem of accounts on your site, as well as what’s normal behavior across the web.

At Castle, one way we do pattern recognition is by incorporating user feedback, but the other critical element is that we monitor threats at the macro level. In this way, we’re able to detect account scanning, brute force attacks, and coordinated attacks, such as when a lot of passwords are changed at the same time. It’s also why we monitor credential leaks, because it gives us an advantage in spotting potential problems before they start.

This approach enables us to detect anomalous patterns across multiple accounts, not only at the user aggregate level of a particular site, but also using those same patterns across multiple Castle clients. This gives Castle a broad view of behavior across the web.
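The three macro-level patterns named above (brute force against one account, account scanning from one source, and a burst of password changes across unrelated accounts) can all be expressed as one sliding-window question: how many distinct things happen under one key within a short time. The following is an added example, not Castle's code; the log format, the constructed sample events and the thresholds are assumptions chosen for illustration.

```python
"""Crowd-level ATO pattern detection over a constructed authentication log.

Added example; not Castle's code. The event format, sample events and
thresholds below are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, account, source IP, event type).
SAMPLE_LOG = [
    # Normal activity.
    ("2024-01-01T09:00:00", "alice", "192.0.2.10", "login_success"),
    ("2024-01-01T09:05:00", "alice", "192.0.2.10", "password_changed"),
    # Brute force against one account from rotating IPs.
    ("2024-01-01T10:00:00", "bob", "198.51.100.7", "login_failed"),
    ("2024-01-01T10:00:30", "bob", "198.51.100.8", "login_failed"),
    ("2024-01-01T10:01:00", "bob", "198.51.100.9", "login_failed"),
    ("2024-01-01T10:01:30", "bob", "198.51.100.7", "login_failed"),
    ("2024-01-01T10:02:00", "bob", "198.51.100.8", "login_failed"),
    ("2024-01-01T10:02:30", "bob", "198.51.100.9", "login_failed"),
    ("2024-01-01T10:03:00", "bob", "198.51.100.9", "login_success"),
    # Account scanning: one IP probing many different accounts.
    ("2024-01-01T11:00:00", "carol", "203.0.113.5", "login_failed"),
    ("2024-01-01T11:00:10", "dave", "203.0.113.5", "login_failed"),
    ("2024-01-01T11:00:20", "erin", "203.0.113.5", "login_failed"),
    ("2024-01-01T11:00:30", "frank", "203.0.113.5", "login_failed"),
    ("2024-01-01T11:00:40", "grace", "203.0.113.5", "login_failed"),
    # Coordinated password changes across unrelated accounts.
    ("2024-01-01T12:00:00", "heidi", "192.0.2.21", "password_changed"),
    ("2024-01-01T12:00:20", "ivan", "192.0.2.22", "password_changed"),
    ("2024-01-01T12:00:40", "judy", "192.0.2.23", "password_changed"),
    ("2024-01-01T12:01:00", "mallory", "192.0.2.24", "password_changed"),
]


def parse(log):
    """Turn raw tuples into dicts with parsed timestamps and a unique id."""
    return [
        {"id": i, "ts": datetime.fromisoformat(ts), "user": u, "ip": ip, "event": ev}
        for i, (ts, u, ip, ev) in enumerate(log)
    ]


def flag_bursts(events, key, value, window, threshold):
    """Group events by key(ev); within each group count distinct value(ev) in any
    time window of length `window`. Returns {group_key: peak_distinct_count}
    for every group that reaches `threshold`."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append((ev["ts"], value(ev)))
    flagged = {}
    for k, items in groups.items():
        items.sort(key=lambda x: x[0])
        in_window = Counter()
        start = 0
        for t, v in items:
            in_window[v] += 1
            # Slide the left edge forward until every item fits in the window.
            while t - items[start][0] > window:
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged[k] = max(flagged.get(k, 0), len(in_window))
    return flagged


def detect_brute_force(events, window=timedelta(minutes=5), threshold=5):
    """Many failed logins against a single account, regardless of source IP."""
    fails = [e for e in events if e["event"] == "login_failed"]
    return flag_bursts(fails, key=lambda e: e["user"], value=lambda e: e["id"],
                       window=window, threshold=threshold)


def detect_account_scanning(events, window=timedelta(minutes=5), threshold=5):
    """One source IP failing against many distinct accounts."""
    fails = [e for e in events if e["event"] == "login_failed"]
    return flag_bursts(fails, key=lambda e: e["ip"], value=lambda e: e["user"],
                       window=window, threshold=threshold)


def detect_coordinated_password_changes(events, window=timedelta(minutes=2), threshold=4):
    """Password changes on many distinct accounts clustered in time, site-wide."""
    changes = [e for e in events if e["event"] == "password_changed"]
    return flag_bursts(changes, key=lambda e: "site", value=lambda e: e["user"],
                       window=window, threshold=threshold)


def run_detections(log):
    """Run all three detectors over a raw log and return their findings."""
    events = parse(log)
    return {
        "brute_force": detect_brute_force(events),
        "account_scanning": detect_account_scanning(events),
        "coordinated_password_changes": detect_coordinated_password_changes(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Running it flags `bob` (6 failures inside the window), the scanning IP `203.0.113.5` (5 distinct accounts) and the site-wide password-change burst (4 distinct accounts), while alice's ordinary login and password change stay quiet. The same `flag_bursts` helper can be keyed on whatever dimension the pattern lives on (account, source, or the whole site), which is what makes it usable both for a single site and for comparing patterns across many sites.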

3. The user is your friend — let them help you!

Unlike every other form of fraud, in an ATO, the account holder is your friend — not your foe. After all, the user knows better than a risk analyst or a blunt, rules-based algorithm whether or not fraud has been committed on her account. The solution to automating ATO security should therefore flip the current anti-fraud model and let users self-mitigate to take control of their accounts.

It would be inconceivable for a fraud tool to incorporate user feedback into its model. That would be like setting itself up to be taken advantage of, given that it’s the user that must be eyed with suspicion. But to properly fight ATO, incorporating user feedback leads to better security outcomes and also makes it possible to scale to millions of users.

Designing a system through which you can challenge users and incorporate their feedback is not trivial. But when it comes to fighting account takeover, it makes all the difference (including drawing a real distinction between activity that’s merely suspicious and activity that’s actually malicious). It’s simply unrealistic, and far too costly, to expect a risk team to be able to make judgments for millions of users — on top of the damage control they’re already doing in mitigating erroneous anomalies as a result of faulty systems and more.

At Castle, we flag unknown patterns and let users themselves label them as good or bad—without shutting down accounts, blocking purchases, or causing other headaches unless a user tells us to. By incorporating machine learning and end-user interaction, Castle can be completely automated and self-learning at scale. And Castle won’t ruin the experience for those users you’ve worked so hard to acquire.
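The challenge-and-label loop described in this section, as an added example that is not Castle's code: unknown login contexts are challenged rather than blocked, the account owner's answer is recorded, and only a "bad" answer from the owner triggers any disruptive action. The login-context model (device, country), the sample logins, the feedback answers and the response actions are all assumptions for illustration; in a real deployment the challenge would have to reach the owner over a channel the current session does not control.

```python
"""Letting the account holder label unknown login patterns as good or bad.

Added example; not Castle's code. The (device, country) context model,
the sample logins and the response actions are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What we have learned about one account from its owner's own feedback."""
    trusted: set = field(default_factory=set)    # contexts the owner confirmed
    denied: set = field(default_factory=set)     # contexts the owner rejected
    pending: dict = field(default_factory=dict)  # login_id -> context awaiting an answer


def context_of(login):
    """The part of a login we compare against what the owner has told us before."""
    return (login["device"], login["country"])


def assess_login(profile, login):
    """Return 'allow', 'challenge' or 'block' for one login event.

    An unknown pattern is challenged, not blocked: nothing is shut down
    unless the owner says so.
    """
    ctx = context_of(login)
    if ctx in profile.denied:
        return "block"
    if ctx in profile.trusted:
        return "allow"
    profile.pending[login["id"]] = ctx
    return "challenge"


def record_feedback(profile, login_id, verdict):
    """Apply the owner's label ('good' or 'bad') to a challenged login and
    return the follow-up action. Only 'bad' revokes access, and it is the
    owner who triggers it."""
    ctx = profile.pending.pop(login_id)
    if verdict == "good":
        profile.trusted.add(ctx)
        return "trust_context"
    if verdict == "bad":
        profile.denied.add(ctx)
        return "revoke_sessions_and_reset_password"
    raise ValueError(f"unknown verdict: {verdict}")


# Constructed sample: one account, four logins, two answers from the owner.
SAMPLE_LOGINS = [
    {"id": 1, "device": "macbook-safari", "country": "SE"},
    {"id": 2, "device": "macbook-safari", "country": "SE"},
    {"id": 3, "device": "android-chrome", "country": "BR"},
    {"id": 4, "device": "android-chrome", "country": "BR"},
]
SAMPLE_FEEDBACK = {1: "good", 3: "bad"}  # the owner's answers to the challenges


def simulate(logins=SAMPLE_LOGINS, feedback=SAMPLE_FEEDBACK):
    """Run the logins through one profile; return (login_id, decision, action)."""
    profile = UserProfile()
    trace = []
    for login in logins:
        decision = assess_login(profile, login)
        action = None
        if decision == "challenge" and login["id"] in feedback:
            action = record_feedback(profile, login["id"], feedback[login["id"]])
        trace.append((login["id"], decision, action))
    return trace


if __name__ == "__main__":
    for step in simulate():
        print(step)
```

The trace shows the model learning from the owner: the first laptop login is challenged and, once confirmed, the second passes silently; the first login from the unfamiliar phone is challenged, the owner rejects it, sessions are revoked, and the next attempt from that context is blocked outright. No analyst made a decision at any step, which is what lets the loop scale.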


ATO is a large and growing problem that impacts pretty much every business and user on the web. So while traditional anti-fraud tools aren’t built to prevent ATO, they shouldn’t be expected to: ATO is an entirely separate security problem from routine fraud. And the key to fighting ATO lies in understanding user behavior, both at the individual and the crowd level, as well as across the web. At Castle, we wanted to build a model that adapts to every user’s unique behavior and focuses on the best solution for your customers. That’s why our focus is on security, not mere fraud.