
Visualizing the Account Recovery Funnel

At Castle, we are focused on building tools that power end-to-end user security alongside a frictionless user experience. We believe that when it comes to protecting your users, the ability to detect unauthorized access to their accounts is just the beginning. Beyond the detection, developers are using Castle’s APIs to block the unauthorized access in-line, notify their users in real-time of...

In Defense of Reddit

Last week, Reddit announced a security incident in which an attacker compromised employee accounts for Reddit’s cloud and source code hosting providers. Breaches like this serve as reality checks to those of us responsible for securing user data and identities online. Hats off to the Reddit team for the way this incident was handled as incidents are nightmares to deal with, both for users and...

Perimeter-based Security Doesn’t Stop Account Takeovers — It Postpones Them

DDoS prevention, bot prevention, and WAFs were never built for protecting your users. Yet when facing down growing security and fraud threats of all kinds, many businesses are building a higher and higher wall around their perimeter, often in the form of a web application firewall (WAF) or a bot detection solution. But the moat around your site is really only your first line of a multi-layered...

8 Things To Avoid When Building Account Takeover Prevention In-House

In the past two years, account takeover attacks have evolved dramatically. One recurring theme we’ve seen is that gaps often emerge when the security program’s focus is misplaced. For us, it starts and ends with protecting the user—which means the emphasis has to be on protecting the user account. But great security doesn’t have to come at the expense of great UX. We put...

Account Takeovers Happen At Login. Not The Transaction

Account takeovers (ATOs) are unique in that by the time most companies become aware they have a problem, it’s already too late: When people report back to the company that they’ve been compromised, or they see fraud in the aftermath of an ATO. Ironically, these are the metrics fraud vendors are using to measure the number of ATOs they’ve seen. But by then, the challenge becomes one of clean...

Reactive vs Proactive Account Takeover Prevention

A few years ago, when we launched Castle during Y Combinator, it wasn’t uncommon for us to talk to consumer-facing companies and be told that they didn’t have an ATO problem. But this was almost never actually the case: They invariably had compromised accounts that these companies’ fraud tools just hadn’t successfully detected. In some cases, we actually found hundreds of thousands of compromised...

Stop Calling It Account Takeover “Fraud”

A few years ago, when it started to become clear that account takeover (ATO) was becoming a threat, it was understandable that it was seen as a fraud problem. After all, the identity theft inherent in taking over a user’s account does, on some level, amount to fraud. But as the ATO problem has grown, impacting nearly every online business, it’s become clear that we need a mindset shift in how we...

We shouldn’t focus on changing user behavior—but on understanding it

The state of online identity is bleak—mostly because it relies on an outdated username and password model. Each year, 1 billion credentials are leaked or breached, and 73 percent of passwords are being reused across sites. These dynamics have led to an increase in account takeovers (ATOs), in which a hacker tries stolen credentials across a variety of websites and takes over entire accounts to...