Since posting my most recent blog on “I Am An Account Takeover Victim,” I have had many people respond to me with similar stories. All of them named very well known brands that we are familiar with–companies offering global movie streaming, food delivery services, online software, banking, and more. Everyone ranted about the significant amount of time and frustration they went through trying to validate and resolve the problem. I was also asked, “Why did it take so long for me to get an email?” and, “Why wasn’t I notified right away?”
While not all of the experiences were the same, it certainly points out a widespread problem across a variety of industries. Companies have broken processes when it comes to notifying customers on compromised accounts. A new approach is needed.
So, why is this such a challenge for organizations? Resolving account takeovers is complicated. Here are three core burdens:
Credential stuffing attacks are on the rise
Account takeovers aren’t just a “security” problem
Today’s solutions are falling short with remediation capabilities
Credential stuffing attacks are on the rise
Credential stuffing attacks are happening at a faster pace. And it’s no surprise when we look at the onslaught of data breaches in the past five years. According to the Breach Level Index, over 14.7 billion records have been breached since 2013 and over 6.1 million records are stolen per day.
With every successive breach, the attacker’s toolbox gets bigger. They have access to more account data such as names, email addresses, passwords, social security numbers, and more. Most attackers will use a technique like credential stuffing as an attack form to accomplish account takeover.
How does credential stuffing work? Essentially attackers compile a list of stolen credentials, and then they go to sites and one by one they try every username and password combination to see which login attempt succeeds.. If they can get in, then it’s an account takeover and they can start to extract value out of that account.
So many of us re-use our passwords and account names, and this puts all companies with online users at risk. As a matter of fact, a recent Castle customer in the finance industry was attacked with a credential stuffing attack. In that attack, we found that 25% of the emails and usernames used in the attack were actually accurate. And of those, 20% also had an accurate password. This is just one example, but it highlights why it’s so important to have the right detection and response solution in place.
Credential Stuffing Attacks Aren’t Just a Security Problem
At a high level, when we think about credential stuffing and account takeover, the onus is on the security team to detect the problem and present a solution. But if you’ve spoken with someone in security who has been through it, you realize it’s actually not that simple. There are often many layers of an organization that end up being involved in responding to the attack.
A typical organization and account recovery flow could look like this:
A network infrastructure team monitors traffic hitting their sites and look for alerts and threats being detected. They may see what looks like a DDoS attack, but when they notice the traffic is all being directed to the login page, it’s a tip off that it’s a credential stuffing attack.
The network monitoring team hands it off to the security team for analysis. They are looking for signatures of the attack; commons sets of IPs, ISPs, or User-Agents that are behind the flood of traffic. This can be extremely challenging with more sophisticated attacks.
If the team is able to identify an attack signature, the next step is to cross-reference it against their user-base, looking for any users that had a login from the signature. This is the list of users that were compromised, and the security team hands it off to customer support.
The support team needs to freeze those accounts and kickoff an account recovery workflow, emailing each user a password reset link. But since support doesn’t always know what to say, especially given the sensitive nature around security incidents, marketing is pulled in to put together some messaging.
Marketing prepares the appropriate messaging, sometimes cleared first by legal, and then gets it back to support.
Support sends communication to customers. It’s now a waiting game to monitor those accounts, wait to see a password reset was completed, and mark that account as case-closed.
Doing this for every attack becomes chaotic. And it certainly explains why sometimes it can take a long time before customers are notified that their account has been compromised. Without a clear plan in place, it is often days (if not weeks) before the list of compromised user accounts is accurately compiled and customers are notified – if they are notified at all.
Today’s Security Solutions are Falling Short with Notification and Account Recovery
Bot Protection Bot protection tools are aimed at detecting and preventing bot-driven attacks. They fall short in fighting this problem because they are more focused on protecting the application vs. the end user itself. They also tend to miss attacks created by humans. In terms of the account recovery process, these solutions are not aware of which users were targeted or compromised so they cannot help in this regard. You can read more on how perimeter-based solutions don’t stop account takeover in Johan Brissmyr’s blog here.
WAFs Web Application Firewalls (WAFs) protect web applications by filtering and monitoring traffic. They typicallyprotect from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection. Like Bot protection, WAFs do not associate activity with users either, which creates major security blind spots. Stopping bot traffic with CAPTCHAs or delaying a request doesn’t help you improve user security. An attacker could have a database of logins and if some are legitimate, they may be able to successfully log in later without consequence. And with many account takeovers, there may be a gap between when an account is compromised and when further abuse takes place. This lack of understanding of user activity makes it extremely challenging for an organization to determine how big of an ATO problem they actually have and also provides no ability to do user account notification or recovery.
Traditional Adaptive Authentication Traditional adaptive authentication solutions are moving in the right direction but also leave gaps in user activity and behavior. These solutions are focused on the user (vs. the application) and provide excellent credential verification capabilities with some account recovery workflows, but they have 3 core limitations. They lack robust machine learning, the attack detection is limited, and their visibility stops at login. The main issue there is that an attacker could get in with valid credentials and perform abusive transactions after login, and they can’t be stopped. In this case the basic workflows and playbooking they may have for account notification or recovery wouldn’t be triggered.
A New Approach is Needed
When we look at the different challenges and available solutions we can now see the gaps and why it might be difficult for an organization to notify customers when their account has been compromised. Solutions have two main issues. First, we have solutions that aren’t addressing the issue of full user account activity both before and after login. And second, they lack the ability to address company-wide planning, remediation speed and automation for account recovery.
As a result, the most common complaints we hear from security teams is that they have a gap in visibility into everything a user is doing, and there is too much manual work required with security analysis and account recovery. For security teams, the gaps are what keeps them up at night and the manual work is what keeps them overwhelmed.
At the same time, there are now compliance regulations that organizations need to be concerned about. New regulations like California Data Law and GDPR can require that users be notified within 72 hours of a breach. So now security teams have additional pressure to respond with a quick turn-around time. Having a quick response is no longer a nice-to-have, it’s a must-have.
To truly protect the end user accounts of customers, a new approach is needed. Instead of focusing solutions around the perimeter and the point of login, we need to look at a security approach that is fully focused on protecting user accounts both before and after login, as well as one that is able to automate the process end-to-end.
Some of the key features to look for in a robust Account Security solution include:
Protection for users both before and after login
Understanding user activity, behavior, devices and risk for all activity and transactions
User response and feedback built in to the model to harden security
Detecting threats against users in real-time
Identifying the source of the attack and the impact
Ability to develop playbooks that support company-wide initiatives
Automating the account recovery workflow
Castle has taken on this new approach with a dedicated focus on protecting the user end-to-end. With risk-based authentication we can verify valid users, understand risk, stop account takeover attempts and automate account takeover recovery with customizable workflows that can notify users on what happened and how to recover their accounts.
Leading brands choose Castle to protect and engage their users in security. You can read more about their stories here.