A few years ago, when we launched Castle during Y Combinator, it wasn’t uncommon for us to talk to consumer-facing companies and be told that they didn’t have an ATO problem. But this was almost never actually the case: they invariably had compromised accounts that their fraud tools just hadn’t detected. In some cases, we actually found hundreds of thousands of compromised accounts that had slipped past their anti-fraud tools and home-brewed IP rate limiting.
So, while we all know the old saying that the best defense is a good offense, it’s probably never been more true in the security world than today. We’re confronted with a new breach every week, and hackers are constantly stepping up their modes of attack. Yet most solutions can only offer a defense that is hopelessly reactive. This is by design: these tools rely on analysts sifting through potential incidents and resolving them manually, and in order to scale that, you need models that trigger only on known fraud patterns. These approaches learn from negative flags, which by definition means they can only react to problems, but by that point, those problems have already hurt your users, fractured trust, and maybe even cost millions. Relying on negative flags can also lead to other problems. For example, many solutions start by putting malicious IPs on a blacklist, only to later find out that they’re actually blocking legitimate customers.
Account takeover (ATO) in particular is on the rise, and it demands preventive countermeasures to make a difference. It’s time to transition from reactive fraud tools to proactive security and anomaly detection.
To start, it’s important to spot emerging account takeover attack patterns in real time. Look for automated attack patterns, such as a spike in failed login activity or an unusual number of users not using the keyboard while logging in. It’s also best to survey across multiple accounts to gain a view of your site at the aggregate user level. In this way, you can build up patterns by analyzing account activity before, during, and after login, and enrich them with user feedback. In order to catch new patterns, you need to implement anomaly detection, but the only way you can scale that is to incorporate user feedback. You’ll then be able to use the source info and identifying characteristics of an attack to block any additional attempts at the gate.
That user feedback is important, because your main focus in transitioning from reactive to proactive security should center on actually knowing and understanding user behavior. This essentially builds a moat around your login system based on normal/good user activity, which is used to trigger anomalies and take action. Being able to detect account scanning, brute force, and coordinated attacks—e.g., a lot of passwords being changed at the same time—means you can take swift preventive action before these accounts are leveraged nefariously. This stands in stark contrast to the approach of anti-fraud tools that use so-called supervised learning. They need labels of bad behavior to operate, meaning they’re reacting merely to the worst of confirmed ATOs.
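The two signals described above, a spike in failed logins measured against a baseline of normal activity and one source scanning across many accounts, can be sketched as follows. This is an added example, not Castle's code: the event tuple format, the thresholds, and the documentation-range IP addresses are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

def sample_events():
    """Constructed login events: (minute, source_ip, account, success)."""
    events = []
    normal_failures = [2, 1, 3, 2, 2, 1, 3, 2, 2, 2, 2]  # minutes 0..10
    for minute, n in enumerate(normal_failures):
        for i in range(n):  # users mistyping their own password
            events.append((minute, f"203.0.113.{i + 1}", f"user{i + 1}", False))
        events.append((minute, "203.0.113.50", "user50", True))
    for i in range(40):  # minute 10: one source walks through 40 accounts
        events.append((10, "198.51.100.7", f"victim{i}", False))
    return events

def spike_minutes(events, warmup=5, z=3.0):
    """Minutes whose failed-login count exceeds the baseline of earlier, unflagged minutes."""
    failed = Counter(m for m, _, _, ok in events if not ok)
    minutes = range(min(m for m, *_ in events), max(m for m, *_ in events) + 1)
    baseline, flagged = [], []
    for m in minutes:
        count = failed.get(m, 0)
        if len(baseline) >= warmup:
            # Floor the deviation at 1 so a very quiet baseline does not flag noise.
            threshold = mean(baseline) + z * max(pstdev(baseline), 1.0)
            if count > threshold:
                flagged.append(m)
                continue  # keep attack traffic out of the baseline
        baseline.append(count)
    return flagged

def scanning_sources(events, max_accounts=5):
    """Sources whose failed logins span more distinct accounts than max_accounts."""
    accounts = defaultdict(set)
    for _, ip, account, ok in events:
        if not ok:
            accounts[ip].add(account)
    return sorted(ip for ip, seen in accounts.items() if len(seen) > max_accounts)

if __name__ == "__main__":
    ev = sample_events()
    print("spike minutes:", spike_minutes(ev))
    print("scanning sources:", scanning_sources(ev))
```

Neither check needs a labelled example of fraud: both fire on deviation from what normal users do, which is the contrast with supervised approaches drawn above.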
As ATOs become both more common and more sophisticated, reactive approaches to securing accounts just won’t cut it. Bad actors are continually evolving their approaches, making careers of outsmarting reactive, rule-based defenses. What if, instead, they were reacting to you?