DDoS prevention, bot prevention, and WAFs were never built for protecting your users. Yet when facing down growing security and fraud threats of all kinds, many businesses are building a higher and higher wall around their perimeter, often in the form of a web application firewall (WAF) or a bot detection solution. But the moat around your site is really only the first line of a multi-layered defense, meant to slow down attackers and make it harder to attack in hordes. That’s because when you’re dealing with account takeovers—and let’s face it, in 2018, everyone is—perimeter-based security doesn’t prevent your problems. It just postpones them. After all, just because you’ve built a car with high windows in order to prevent break-ins doesn’t mean that you’ve created a better experience for the driver (here, the user).
Perimeter-based tools fall short in fighting ATOs because:
Instead, as with everything when it comes to ATOs, you have to focus your security program on the user, the login, and what’s actually going on inside your app.
What sets ATOs apart from other common security threats is how rapidly they are evolving, as well as how unpredictable they are. You don’t know when the stolen account will be used to commit fraud, or how the attacker will do it. Now you have to worry about everything from spear phishing to man-in-the-middle attacks and malware, and that’s not something perimeter protection tools are set up to handle. Perimeter-based tools have to rely on early signals of potentially malicious behavior because they use pattern detection to keep bad actors out. That’s great for the obvious stuff, for things that are clearly bots. But as we said above, ATOs are evolving. It’s getting easier and easier to get U.S.-based IPs, and even residential IPs (i.e., those used in people’s homes), as well as to configure a headless browser to interact exactly like a human visitor. Before long, there won’t be a lot of the quick wins left.
When you stop traffic early, such as the moment a visitor lands on your landing page, because you think they’re a bot based on IP or typing patterns, you might miss out on critical clues that protect your other users. For example, a hacker may have a database of logins, and if many of them are legitimate, they could later successfully log in without consequences. Because perimeter-based security has no way to associate activity with users, you miss out on that opportunity to clean up your security once and for all. After all, blocking a bot just means you’re throwing up a CAPTCHA, or delaying a request, because it isn’t actually associated with an account.
And you’ve got a further blind spot because of the distinct phases of an account takeover attack: there’s often a gap between the time the account is actually compromised and the time further abuse takes place. The attacker essentially lies in wait before striking further. Because of that, it is never possible to build holistic protection when you block at the perimeter, because you don’t know whether they’re actually going to log in, and you can’t be accurate in labeling the activity—or the false positives. That’s why so many sites have no idea how big their ATO problem actually is. They’re not really detecting or preventing it—they’re simply closing their eyes and hoping for the best.
Perimeter-based security programs also mean you miss out on the many, many attacks that are perpetrated by humans. In environments in which WAFs and IP rate limiting are considered the primary lines of defense, security threats increasingly have a way of creeping in. The trouble is, they creep in undetected. As with the earlier example, when a human attacker has valid login credentials, nothing at the perimeter is stopping that, period.
Finally, and perhaps most important, relying on perimeter-based security creates poor user experiences. Perimeter stops are often like profile-based traffic stops: a lot of innocent people get caught up in them. When you design your defenses around the login endpoint, and even further down the funnel, such as at the password update form, you can be far more accurate about whether it’s an ATO, and ultimately reduce those false positives for users.
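To make the account-centric design concrete, here is an added example (written for this page, not the author's tooling) in Python that runs over a small constructed set of login events. A source IP that sprays many distinct accounts with a low success rate is treated as a credential-stuffing source; the accounts it logged into successfully are marked suspect; and later logins from a new IP, or password updates, on those accounts raise alerts even though nothing about those later requests looks malicious at the perimeter. The thresholds, event layout, account names and IP addresses are all assumptions.

```python
"""Account-centric ATO detection over login events.

Added example with constructed data. Thresholds and the event schema
(ts, account, source_ip, action, result) are assumptions for illustration.
"""
from collections import defaultdict

# Assumed thresholds: one source trying this many accounts looks like a
# credential list, not a person, and a credential list mostly fails.
MIN_DISTINCT_ACCOUNTS = 5
MAX_SUCCESS_RATE = 0.5
# Down-funnel actions that deserve extra scrutiny on a suspect account.
SENSITIVE_ACTIONS = {"password_update", "email_change", "payout_change"}

# Constructed sample events (not real traffic). IPs are documentation ranges.
EVENTS = [
    (1, "alice", "198.51.100.7", "login", "fail"),
    (2, "bob", "198.51.100.7", "login", "fail"),
    (3, "carol", "198.51.100.7", "login", "ok"),      # one hit from the list
    (4, "dave", "198.51.100.7", "login", "fail"),
    (5, "erin", "198.51.100.7", "login", "fail"),
    (6, "frank", "198.51.100.7", "login", "fail"),
    (7, "alice", "203.0.113.9", "login", "fail"),      # real user, typo
    (8, "alice", "203.0.113.9", "login", "ok"),
    (900, "carol", "192.0.2.44", "login", "ok"),       # much later, new IP
    (901, "carol", "192.0.2.44", "password_update", "ok"),
    (950, "bob", "203.0.113.20", "login", "ok"),       # bob was never taken over
    (951, "bob", "203.0.113.20", "password_update", "ok"),
]


def find_stuffing_sources(events):
    """Perimeter-style signal: per source IP, how many distinct accounts it
    tried and how often it succeeded. Returns {ip: (n_accounts, success_rate)}."""
    per_source = defaultdict(lambda: {"accounts": set(), "ok": 0, "total": 0})
    for _ts, account, src, action, result in events:
        if action != "login":
            continue
        stats = per_source[src]
        stats["accounts"].add(account)
        stats["total"] += 1
        if result == "ok":
            stats["ok"] += 1
    flagged = {}
    for src, stats in per_source.items():
        rate = stats["ok"] / stats["total"]
        if len(stats["accounts"]) >= MIN_DISTINCT_ACCOUNTS and rate <= MAX_SUCCESS_RATE:
            flagged[src] = (len(stats["accounts"]), rate)
    return flagged


def analyze(events):
    """Account-centric view: attach the stuffing signal to the accounts it
    actually hit, then watch those accounts for later abuse from anywhere."""
    events = sorted(events)
    stuffing = find_stuffing_sources(events)
    suspect = {}                   # account -> ts of the confirmed credential
    usual_ips = defaultdict(set)   # account -> IPs it has logged in from legitimately
    alerts = []                    # (ts, account, reason, source_ip)
    for ts, account, src, action, result in events:
        if action == "login" and result == "ok":
            if src in stuffing:
                # The list contained a working credential for this account.
                if account not in suspect:
                    suspect[account] = ts
                    alerts.append((ts, account, "credential_confirmed", src))
                continue  # do not learn the attacker's IP as a usual one
            if account in suspect and src not in usual_ips[account]:
                alerts.append((ts, account, "login_new_ip_after_compromise", src))
            usual_ips[account].add(src)
        elif action in SENSITIVE_ACTIONS and account in suspect:
            # Nothing about this request looks bad at the perimeter; only the
            # account history says it deserves step-up verification.
            alerts.append((ts, account, f"{action}_after_compromise", src))
    return {"stuffing_sources": stuffing, "suspect_accounts": suspect, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(EVENTS)["alerts"]:
        print(alert)
```

Note what the two views get right and wrong on this data: the perimeter signal alone would block 198.51.100.7, but it has nothing to say about carol's login from 192.0.2.44 hundreds of events later. Carrying the signal onto the account is what lets the later password update be challenged, while alice, who failed once from the same spraying IP but then logged in from her own, is never marked suspect. A production version would compute the per-source statistics over a sliding time window rather than the whole batch.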
Make no mistake, there should still be a solid perimeter-based security program. Just because you’re able to shut down certain requests doesn’t mean that your users are protected. Ultimately, perimeter protection solutions do not make great account protection solutions, which require much more finesse and understanding of user behavior and login patterns. (And by the same token, account-protection solutions can’t replace your perimeter protections.) Perimeter-based security programs are an important tool in any security toolkit. But for ATOs, they only address a fraction of the problem, while leaving you to deal with another, bigger one another day. That’s why it’s essential to use both in coordination—the right tool for the right job.