Automated ATO Prevention

In an account takeover attack, criminals use another person’s login credentials, most often by leveraging reused or similar passwords from previously breached sites, to gain access to existing accounts. Once inside, they make unauthorized transactions, siphon funds, and steal corporate data or personally identifiable information (PII) to use for other purposes, or simply to sell to other attackers on the dark web.

We Choose Weak, Common Passwords
Regardless of all the advice out there about the importance of strong passwords, users will choose sequential numbers and dictionary words or add a ! or 1 to the end of their password (especially when prompted to change passwords every 90 days by corporate IT). Memorable passwords may seem unique to users – but they often aren’t. Among the 3.1 billion passwords SpyCloud recovered last year alone, “123456” and “admin” were among the most common. Common basewords like “cat,” “zelda,” and “taylor swift” were all found in abundance, too. Unless these passwords are banned and password complexity requirements put in place, some users will always select easy-to-remember passwords.

We Reuse Passwords Across Multiple Accounts
In a Google study, 66% of people admitted to reusing the same password across one or more accounts. SpyCloud’s own research shows that even employees at some of the world’s largest and most innovative companies share this bad habit; 70% of users are reusing passwords across work and personal accounts. When one site is breached, cybercriminals can access any other accounts that are protected by the same credentials. Using a password manager is a way to kick this habit, but only some flag compromised passwords and stop users from choosing them.

We Click Links & Download Attachments from Unfamiliar Sources
To the dismay of security teams everywhere, users habitually click almost any link or file that lands in their inbox, whether they recognize the sender or not. Inevitably, this leads to users’ machines becoming infected. Some infostealer malware can harvest usernames and passwords, browser cookies, autofill data, and more – putting those users at extremely high risk of ATO.

If it was, we’d be seeing less of an account takeover problem as businesses adopt MFA. Requiring users to provide something they know (a password) plus something they are (biometrics) or something they have (smartphone token), is an important layer of protection and will deter some cyberattacks. Some – not all. It is still possible to bypass MFA via many avenues, including with session hijacking. Even still, MFA causes friction between the user and the service. Most of us will buck at pulling out our phones to tap ‘approve’ on a login multiple times a day and may turn MFA off at the first opportunity.

Password managers can help, but even when companies mandate their use, most employees don’t use password managers at home or for personal services. This wouldn’t be such a problem if password reuse wasn’t so rampant and the lines between personal and employee accounts and devices weren’t already blurred. Confusing BYOD policies and the use of employee accounts on personal devices only make the situation worse.

Password rotation policies actually benefit threat actors more than the users. Criminals test stolen credentials on a regular basis knowing that eventually, the user will think they’re safe and reset their password to one that has already been compromised. This blog on password rotation summarizes our point of view well.