Account takeover (ATO) is an increasingly strong threat to the world’s businesses. Not only are the resources of the company at risk from unauthorized access through ATO, but customers can also be seriously harmed by it.

Account takeover prevention is an important part of system security and an essential service to customers. An intruder who breaks into a customer account can see the personal and financial information stored on your system. That confidentiality breach makes you legally liable and will also break your accreditation to data protection standards. So, there are serious financial and legal consequences for you, not just for those customers, when customer accounts are compromised.

If you are short of time and just need to glance over the tools we review below, here is our list of the ten best account takeover prevention systems:

  • Avanan Account Takeover Prevention An email protection system that focuses on detecting phishing and impersonation attempts.
  • SpyCloud ATO Prevention This provider produces both employee and customer account takeover prevention systems.
  • Okta Account protection systems for workforce and customer accounts.
  • Sift Account Defense Roots out fake accounts and protects the accounts of genuine users.
  • Digital Shadows SearchLight Uses a multi-thread approach to protect employee accounts.
  • Shieldsquare Bot Mitigation This company produces a range of account protection software focusing on websites, mobile devices, and APIs.
  • Iovation LaunchKey A range of authentication hardening measures.
  • Experian Fraud prevention, device intelligence, and knowledge-based questioning to block account takeover.
  • Agari Advanced threat protection, brand defense, incident response, and fraud protection.
  • Netacea Account Takeover Prevention Uses AI processes to identify normal behavior and then spot anomalous actions.

Consumer-facing businesses that don’t take proper measures to protect customer accounts will also experience a loss of reputation. That will lead to a loss of customers and it will make it difficult for your company to win new customers. Weak account protection will also be a concern to your business partners. You might find that other businesses are less interested in doing business with your company if the details about them that you hold on your system are not sufficiently protected.

Account takeover prevention is a necessity for any company that uses IT systems in its normal course of business. That means practically every company.

Security policies

You need to put in place a number of policies before you embark on your account security improvements.

Many account takeover prevention measures can be implemented through working practices and user education because errors by users in the way they use their accounts provide the main access routes for account hijackers.

Account takeover prevention strategies concern how your system administration monitors account activity and responds to suspicious behavior as much as they concern tightening up access procedures.

You need to consider the following approaches:

  • User education
  • Intrusion prevention systems
  • Anti-phishing firewalls
  • Email content filtering
  • Access hardening
  • Account takeover prevention

Account takeover prevention is a category of security software, which we will explain further.

Account Takeover Prevention in ITIL

Account takeover prevention falls into the Security Management section of ITIL. This is registered as ISO/IEC 27001:2005. The primary goal of this process is to control access to information, which means making access credentials sufficiently tight that an accidentally disclosed password does not result in data loss.

Access control should ensure confidentiality, integrity, and availability. An access control strategy should be written in conjunction with the service level agreements (SLAs) to which the company is committed within its contracts.

The security management process is divided into four activities:

  • Control
  • Plan
  • Implement
  • Evaluate

The Control action involves defining account protection requirements and setting policy. The Plan action requires the creation of security commitments in SLAs, the creation of contracts to support those commitments, and the definition of operational needs in order to implement those commitments. The Implementation activity requires the creation of asset classification and control documents, personnel security training, security policies, and access control.

The core of the Implementation action is the Access Control sub-activity. This requires fine-tuning the security measures available in existing access rights management systems, and buying in extra security software to reinforce those measures should they have been assessed to be insufficient.

The Evaluation action requires self-assessment from the IT department, an internal audit, and an external audit. Any weaknesses identified at each stage of the Evaluation process should be addressed before progressing to the next sub-activity in the Evaluation action.

Vulnerable accounts

Employee user accounts are easier to protect than accounts open to the general public, because you have a clear idea of who needs access to the system. However, a system that encourages self-created accounts is open to the creation of fake accounts, set up purely to damage the company’s reputation or to explore ways of exploiting the system.

Automatically-generated account requests also need to be rooted out. These fake accounts are created by automated processes set up by hackers.

Another form of unproductive account, in both the employee and customer spheres, is the abandoned account. Accounts that are no longer active need to be identified and removed from the system because they are gateways for intruders.

Account theft

The main point of weakness in any user account system is the hijacked account: a valid account that is appropriated by an intruder. Employee accounts and paid-for accounts are less likely to have their credentials disclosed than free accounts. An account that costs the user nothing to set up has less value to its holder than credentials that guard important information and financial data.

Accounts that have value to the user can still be compromised through trickery. Phishing scams involve a hacker-controlled copy of a website. The user is tricked into entering the account credentials into the fake site, which gives the username and password to the hacker.

Another trick to win account credentials comes in the form of an impersonation scam. An overworked employee receives a call from a supposed colleague claiming to have been locked out of the system and needing to complete an important task. The victim is asked for his account login details as an urgent measure. This trick often works, but it requires research into the names and habits of at least two employees of the business.

The amount of damage that account hijacking can cause depends on the privileges allowed to the compromised account. Therefore, categorizing accounts by their importance is a strategy that focuses account takeover prevention actions on the most important accounts on the system.

Account protection measures

There are procedural steps that you can take to prevent account takeover and there is specialist system software that you can buy to help you implement stronger account security.

Whether the accounts that need to be protected serve in-house users or customers, your account protection strategy needs to be intelligent enough to let genuine users continue to enjoy full access to their system accounts.

Identifying compromised accounts is the hardest task in ATO prevention. Many of these systems deploy innovative technologies, such as artificial intelligence in order to pick off the intruders without hindering legitimate users.

Remediation methods need to be swift and can be implemented automatically by the account takeover prevention software. You will be able to allow the security software to suspend accounts so that intruders no longer have access.

Post-intrusion actions

The success of your post-intrusion measures will either save or worsen the situation. Compromised accounts should be suspended rather than deleted. Particularly in the case of customer accounts, the user might want to continue having access and shouldn’t be penalized because of the actions of an intruder.

Your automated process might not spot every hijacked account. One hacker strategy is to alter the account recovery settings in the profile and then change the password, making it impossible for the legitimate user of the account to gain access.

Your system or sites should give clear instructions to users on how to recover their accounts in these situations. Usually, these procedures involve a call or an email to the system’s support desk, where the user can be queried further for identification. Those support technicians should be able to roll back account settings to allow the user to regain access quickly. However, the identification process should be sufficiently rigorous to prevent tricksters from getting access to accounts by posing as legitimate users.

Information about hijacking events needs to be stored for analysis to see what measures should be taken to prevent such account takeovers from happening again. However, the recovery procedure should never involve resetting a password to give technicians access to the account. A hijacker might taint an account knowing that the takeover will be quickly reversed, carrying out the action purely so that a corrupt technician gains access to the account.
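The recovery procedure described in this section, as an added example in Python (not code from the article or from any of the vendors it reviews): a recovery-contact change followed quickly by a password change is treated as a lock-out attempt and the account is suspended rather than deleted; a support technician, after identifying the caller, rolls the recovery settings back to the snapshot taken before the suspicious run but never sets or learns the password; the owner finishes recovery with a one-time token; and every event is kept for later analysis. The `Account` and `Profile` classes, the 30-minute window, and all usernames, timestamps and hash strings are constructed assumptions.

```python
"""Account-recovery handling sketch (added example; constructed data)."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import secrets

LOCKOUT_WINDOW = timedelta(minutes=30)   # assumed threshold, not from the article
RECOVERY_FIELDS = {"recovery_email", "recovery_phone"}


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass(frozen=True)
class Profile:
    recovery_email: str
    recovery_phone: str
    password_hash: str   # opaque; technicians never see or set a password


@dataclass
class Account:
    username: str
    profile: Profile
    status: str = "active"                          # active | suspended
    history: list = field(default_factory=list)     # (when, Profile before change)
    events: list = field(default_factory=list)      # audit trail for analysis
    trusted_before: Optional[datetime] = None       # first change of a lock-out run
    recovery_token_hash: Optional[str] = None

    def change(self, when: datetime, **changes) -> None:
        """Apply a profile change, keeping the prior state so it can be rolled back."""
        self.history.append((when, self.profile))
        self.profile = replace(self.profile, **changes)
        self.events.append((when, "change", sorted(changes)))
        first = self._lockout_run_start(when)
        if first is not None:
            self.trusted_before = first
            self.suspend(when, "recovery settings and password changed within window")

    def _lockout_run_start(self, now: datetime) -> Optional[datetime]:
        """Start of a recent run of changes touching both recovery contact and password."""
        recent = [(t, fields) for t, kind, fields in self.events
                  if kind == "change" and now - t <= LOCKOUT_WINDOW]
        touched = {f for _, fields in recent for f in fields}
        if "password_hash" in touched and touched & RECOVERY_FIELDS:
            return min(t for t, _ in recent)
        return None

    def suspend(self, when: datetime, reason: str) -> None:
        """Suspend rather than delete: the legitimate owner may want the account back."""
        self.status = "suspended"
        self.events.append((when, "suspended", reason))

    def rollback_for_owner(self, when: datetime) -> str:
        """Support-desk action, taken only after the caller has been identified.

        Restores the recovery contact from the snapshot taken before the suspicious
        run began, leaves the password hash untouched, and returns a one-time token
        to be delivered to the restored recovery contact. Only the token's hash is
        stored; the account stays suspended until the owner completes recovery.
        """
        if self.status != "suspended" or self.trusted_before is None:
            raise ValueError("no suspended account with a trusted snapshot")
        trusted = next(p for t, p in self.history if t == self.trusted_before)
        self.profile = replace(self.profile,
                               recovery_email=trusted.recovery_email,
                               recovery_phone=trusted.recovery_phone)
        token = secrets.token_urlsafe(24)
        self.recovery_token_hash = _hash(token)
        self.events.append((when, "rollback", self.trusted_before))
        return token

    def complete_recovery(self, when: datetime, token: str, new_password_hash: str) -> bool:
        """The owner, not a technician, sets the new password using the token."""
        if self.recovery_token_hash is None or not secrets.compare_digest(
                _hash(token), self.recovery_token_hash):
            self.events.append((when, "recovery_failed", None))
            return False
        self.recovery_token_hash = None
        self.history.append((when, self.profile))
        self.profile = replace(self.profile, password_hash=new_password_hash)
        self.status = "active"
        self.trusted_before = None
        self.events.append((when, "recovered", None))
        return True


def demo() -> Account:
    """Constructed scenario: a hijacker rewires recovery, then changes the password."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("alice", Profile("alice@example.com", "+15550100", "h-orig"))
    acct.change(t0, recovery_email="attacker@example.net")
    acct.change(t0 + timedelta(minutes=5), password_hash="h-hijacker")
    return acct   # status is now "suspended"
```

The design point is that the technician's rollback touches only the recovery contact and produces a token that is delivered out of band; the password hash is changed only by whoever presents that token, so a rollback never doubles as a back door for support staff.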

There are many subtle lines in account takeover prevention – between controlling account access without locking out legitimate users and between shutting down compromised accounts while allowing continued activity by the legitimate owner of the account.

The management of these sensitive decisions shouldn’t be left to technicians. Human intervention leaves too much to the judgment of the individual and results in inconsistent treatment of users. Automated monitoring of accounts and remediation handle the problems caused by account takeover fairly and efficiently. Deploying ATO prevention software is a better strategy than training technicians in the field.

The best account takeover prevention software

Account takeover prevention is a growing specialization in cybersecurity. There are many worthy ATO prevention systems available. They don’t all use the same tactics. As outlined above, your account takeover prevention plan needs to start with a strategy. Once you have a policy that fits the specific activity of your business and its accounts, you will be able to assess which ATO prevention system fits your needs.

Using the criteria set out below, we looked for a range of account activity tracking systems with packages that are suitable for system access, email accounts, and card fraud scanning.

Our methodology for selecting an account takeover prevention system

We reviewed the market for account takeover prevention tools and analyzed the options based on the following criteria:

  • Options for system and email account protection
  • Behavior analysis for activity pattern baselining
  • Anomaly detection
  • Fraud detection systems
  • Data protection standards compliance
  • A free trial or a demo service that allows a cost-free assessment
  • Value for money provided by a comprehensive threat detection system at a reasonable price

In order to present a wide enough selection that will cater to all protection strategies, we have created a shortlist of ten systems.

1. Avanan Account Takeover Prevention

Avanan offers a cloud-based account protection service that is available in three editions. The service is built with modules and each successively more expensive plan includes more modules. One of those modules is the Account Takeover Prevention service.

Key Features:

  • Cloud-based
  • Email protection
  • Behavior analysis
  • Automatic account locking
  • Technical analysis

The ATO prevention system examines the origins of incoming emails, the behavior of user email accounts, the location of the devices logging into the system, and unexpected measures that undermine account security.

The Avanan system will automatically lock suspicious accounts by resetting their passwords and notify administrators of the discovery.

Pros:

  • A simple dashboard makes viewing top-level insights easier
  • Can automatically deactivate or delete inactive accounts
  • Uses behavioral analysis to detect account compromise
  • Features an excellent UI that uses color well to illustrate key metrics
  • Comprehensive for both enterprise and smaller organizations

Cons:

  • Could use a longer trial period for testing

2. SpyCloud ATO Prevention

SpyCloud offers two types of ATO prevention: Employee ATO Prevention and Consumer ATO Prevention. Both systems are cloud-based. The employee account protection service includes more actions than the consumer version. This is because the employee protection system includes the monitoring of email activity and extra scrutiny of privileged accounts.

Key Features:

  • Systems for employees and customers
  • Cloud-based
  • Includes email protection
  • API implementation

Both systems can be integrated into your existing interfaces through APIs, so the credential protection service doesn’t require the login procedure to be ported to a cloud server.

Pros:

  • Can protect both customers and employees through different scanning services
  • Includes robust access rights and controls
  • Allows businesses to provide dark web scanning as a service
  • Offers robust API support for custom integrations

Cons:

  • Better suited for MSPs and larger organizations

3. Okta

Okta’s ATO prevention systems are segmented into a Workforce Identity service and a Customer Identity service. Both are cloud-hosted services that can be called into software under development through APIs. The authentication services include multi-factor authentication, a single sign-on system, and a centralized access rights system to unify the various AD and LDAP controllers that run on your site.

Key Features:

  • Cloud-based
  • Employee and customer account detection modules
  • Single sign-on

Pros:

  • Simple yet intuitive user interface
  • Focuses on user identification and behavior to detect attacks
  • Hosted in the cloud, making Okta highly scalable
  • Supports a wide range of integrations including LDAP and custom API

Cons:

  • Better suited for larger enterprise environments

4. Sift Account Defense

Sift Account Defense scans new account creation actions to spot fraudsters and prevents them from setting up fake accounts. The service also implements measures to protect genuine accounts from takeover. The purpose of the Sift strategy is to block bad accounts without disturbing genuine users.

Key Features:

  • Fraud detection
  • Operates with self-service accounts
  • Behavior analysis

The service uses AI techniques to compile a list of regular activities. It also pools the discoveries of threats on all of its clients’ sites to build up a constantly updated threat intelligence database, which informs activity scans and identifies suspicious accounts.

Pros:

  • Great custom dashboards and interface for both NOC teams and solo sysadmins
  • Focuses on preventing fake account creation
  • Leverages AI and data science to detect fraud and ATO attacks
  • Continuously updates its library through a backend threat intelligence database

Cons:

  • Would like to see a free trial version for testing versus a demo

5. Digital Shadows SearchLight

SearchLight scans a system for account-related vulnerabilities. It also examines user behavior to identify compromised accounts. The service can be integrated into new applications through an API. The Digital Shadows system doesn’t include remediation measures. However, these can be sourced from two partner software houses.

Key Features:

  • Cloud-based
  • API implementation
  • Risk analysis

Pros:

  • Can protect image copyright and trade secrets
  • Looks for usernames, passwords, and other indicators of compromise
  • Uses visualizations to help highlight key insights

Cons:

  • Only offers a seven-day trial
  • Lacks remediation tools

6. Shieldsquare Bot Mitigation

Shieldsquare’s account protection services focus on blocking automated attempts at takeover. The system can detect the difference between contact by humans, by good bots, such as search engine web crawlers, and by bad bots that attempt to crack passwords on accounts.

Key Features:

  • Brute force attack protection
  • Bot detection
  • Behavior anomaly detection

The Shieldsquare methodology is AI-based and relies on machine learning to spot anomalous behavior. It also relies on blacklists and a threat intelligence database to spot repeat offenders.

Pros:

  • The user interface is intuitive and easy to learn
  • Can protect web assets from scraping bots, scalpers, and automated brute force attacks
  • Leverages AI and behavior analysis to tell friend from faux
  • Can identify manual human attacks and automatically ban repeat offenders

Cons:

  • Focuses more on preventing bot attacks versus advanced ATO attacks

7. Iovation LaunchKey

LaunchKey takes a different approach to account protection. It provides a mobile app through which access is granted: the app adds an extra layer of protection, and you can make it impossible for users to reach your network or website without going through it.

Key Features:

  • Mobile app protection
  • Multi-factor authentication
  • Financial transaction verification

The authentication process can be customized, allowing you to select from a range of security methods, such as two-factor authentication. The system also has a way to get customers to confirm financial transactions.

Pros:

  • Offers mobile app protection – a unique feature not found in many other competing tools
  • Allows administrators to customize step-up verification and authentication measures
  • Supports multiple forms of two-factor authentication

Cons:

  • Lacks some advanced AI features that enterprises may require at scale

8. Experian

Experian is a credit reference agency that has branched out into a range of account security services and fraud protection. The company’s Fraud Prevention Platform includes customer account takeover prevention. The Experian Digital Device Intelligence is able to identify fake accounts and block fraud attempts without disrupting the user experience of legitimate customers. The company’s Knowledge-Based Authentication system helps root out impersonators while allowing access to genuine users.

Key Features:

  • Fraud detection
  • Customer account protection
  • Spots impersonators

Pros:

  • Well-known brand trusted in the credit card industry
  • Has vast data resources for identifying fraud and ATO attacks
  • Uses device ID as well as behavior analytics to stop attacks
  • Offers a range of step-up verification choices

Cons:

  • Better suited for enterprise organizations

9. Agari

Agari Advanced Threat Protection and Agari Incident Response combine to provide ATO prevention and mitigation. The Advanced Threat Protection service includes ATO prevention. It monitors the source of emails for known scammer locations and also examines the locations of those attempting to log in to an account.

Key Features:

  • Account system hardening
  • Email source assessment
  • Data leak detection

The app monitors both incoming and outgoing mails, looking for interaction patterns that indicate that credentials might have been given away. Threat intelligence causes the Agari system to block mails from known suspicious actors.

Pros:

  • Provides robust ATO prevention, protection, and incident response tools
  • Continuously updates its database of known threat actors to improve attack filtering
  • Monitors incoming and outgoing emails to detect rogue elements inside your network
  • Uses AI and behavior monitoring to identify ATO attacks

Cons:

  • Would like to see a free trial option

10. Netacea Account Takeover Prevention

Netacea Account Takeover Prevention uses machine learning to identify credential stuffing and brute force password cracking attempts. The system doesn’t rely on just blocking log-in attempts from a particular source because hackers are known to direct their password cracking attempts through multiple locations.

  • Brute force attack protection
  • Source fingerprinting
  • Activity logging
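The Shieldsquare and Netacea entries both describe telling automated password attacks apart from normal traffic, and the Netacea description makes the point that blocking a single source is not enough because cracking attempts are spread across many locations. The following added example in Python (not code from the article or from any vendor it reviews) shows detection rules that key on the targeted account and on the population of accounts being tried rather than on the source address. The log format, the usernames and addresses (RFC 5737 documentation ranges), and every threshold are constructed assumptions.

```python
"""Detecting distributed password attacks in authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth=OK|FAIL user=<name> src=<address>"
LINE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

WINDOW = timedelta(minutes=10)
PER_SOURCE_LIMIT = 5        # the naive per-address rule, kept only for comparison
BRUTE_FORCE_FAILS = 8       # failures against one account, from anywhere
STUFFING_MIN_USERS = 6      # distinct accounts tried with at most ...
STUFFING_MAX_PER_USER = 2   # ... this many failures each, spread over ...
STUFFING_MIN_SOURCES = 4    # ... at least this many source addresses

# Constructed sample: "alice" is brute-forced from four addresses (none of which
# exceeds the per-source limit); six accounts are each tried once from six
# addresses (credential stuffing); "heidi" logs in successfully from an address
# that also failed against "bob"; "ivan" makes one typo; "zed" is outside the window.
SAMPLE_LOG = """\
2024-01-01T08:30:00 auth=FAIL user=zed src=198.51.100.9
2024-01-01T09:00:01 auth=FAIL user=alice src=203.0.113.5
2024-01-01T09:00:07 auth=FAIL user=alice src=203.0.113.5
2024-01-01T09:00:15 auth=FAIL user=alice src=203.0.113.5
2024-01-01T09:01:02 auth=FAIL user=alice src=198.51.100.21
2024-01-01T09:01:09 auth=FAIL user=alice src=198.51.100.21
2024-01-01T09:02:30 auth=FAIL user=alice src=192.0.2.77
2024-01-01T09:02:41 auth=FAIL user=alice src=192.0.2.77
2024-01-01T09:02:52 auth=FAIL user=alice src=192.0.2.77
2024-01-01T09:03:10 auth=FAIL user=alice src=203.0.113.88
2024-01-01T09:03:20 auth=FAIL user=alice src=203.0.113.88
2024-01-01T09:05:01 auth=FAIL user=bob src=198.51.100.40
2024-01-01T09:05:03 auth=FAIL user=carol src=198.51.100.41
2024-01-01T09:05:05 auth=FAIL user=dave src=203.0.113.120
2024-01-01T09:05:06 auth=FAIL user=erin src=192.0.2.15
2024-01-01T09:05:08 auth=FAIL user=frank src=192.0.2.16
2024-01-01T09:05:09 auth=FAIL user=grace src=198.51.100.42
2024-01-01T09:05:11 auth=OK user=heidi src=198.51.100.40
2024-01-01T09:06:00 auth=OK user=alice src=192.0.2.200
2024-01-01T09:07:00 auth=FAIL user=ivan src=192.0.2.201
2024-01-01T09:09:50 auth=OK user=ivan src=192.0.2.201
"""


def parse(text):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def analyse(text, now=None):
    """Apply the per-source, per-account and population rules to one window."""
    events = list(parse(text))
    now = now or max(ts for ts, *_ in events)
    in_window = [e for e in events if now - e[0] <= WINDOW]
    per_src, per_user = defaultdict(int), defaultdict(int)
    user_srcs, src_users = defaultdict(set), defaultdict(set)
    for ts, result, user, src in in_window:
        if result == "FAIL":
            per_src[src] += 1
            per_user[user] += 1
            user_srcs[user].add(src)
            src_users[src].add(user)
    low_volume = [u for u, n in per_user.items() if n <= STUFFING_MAX_PER_USER]
    stuffing_srcs = {s for u in low_volume for s in user_srcs[u]}
    return {
        # what per-address blocking alone would catch: nothing in the sample
        "noisy_sources": sorted(s for s, n in per_src.items() if n >= PER_SOURCE_LIMIT),
        # brute force: one account hammered, regardless of where from
        "brute_forced": sorted(u for u, n in per_user.items() if n >= BRUTE_FORCE_FAILS),
        # credential stuffing: many accounts, few tries each, many sources
        "stuffing_campaign": len(low_volume) >= STUFFING_MIN_USERS
                             and len(stuffing_srcs) >= STUFFING_MIN_SOURCES,
        "accounts_tried": sorted(low_volume),
        # a success from an address that failed against *other* accounts in the
        # window is a likely takeover: hold the session and step up verification
        "step_up": sorted({u for ts, r, u, s in in_window
                           if r == "OK" and (src_users[s] - {u})}),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the per-source rule reports nothing, while the account-centric rule names the brute-forced account, the population rule recognises the stuffing sweep, and the success-after-failures rule singles out the one login that deserves a step-up challenge. The population rule also catches the legitimate typo by "ivan"; that is expected, since it describes a campaign rather than accusing individual accounts, which is why its output should drive a verification step rather than a suspension.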

Pros:

  • Offers a sleek and highly customizable UI
  • Leverages machine learning to identify manual and automated attacks
  • Supports auditing and user monitoring data collection
  • Dynamically stops attacks using artificial intelligence

Cons:

  • Must contact sales for pricing

Selecting an account protection strategy

Now that you have a better idea about account takeover threats, it is time to start making plans to block them. Your starting point needs to be with the formulation of a policy that fits the specific operations of your business. Once you are clear about the vulnerabilities of your system, you can start to investigate suitable software to help you prevent account takeover threats.

Image: Scam Hacker from Pixabay. Public domain.