PayThink

For payment crooks, bots are the master key


Imagine a big key ring, full of keys. Maybe it is the kind a janitor or building manager carries — one with dozens or hundreds of keys on it.

If you found a set of keys like this, your first instinct might be to get them back to their rightful owner. But imagine if a criminal found or stole them. The key ring for a single building might unlock hundreds or even thousands of doors. Behind some of them are valuables he can steal or resell. He knows that the keys open some doors in the building, but he doesn’t know which ones. And he realizes that if he has to personally try every key against each lock in the building, he might never cash in.

If he instead had a whole team of people helping him, his chances of matching keys to locks would increase dramatically. Cybercriminals have learned to take the same approach in the digital world, employing specialized software applications, or bots, to help them test the locks on online accounts. Instead of stolen keys, they are using stolen login credentials, and drafting an army of bots to help increase their chances of financial gain.

Every day, these swarms of bots, armed with stolen usernames and passwords, hammer websites with login attempts, hoping to find a few matches that criminals can use to exploit digital accounts for profit. In the online world, we call this account takeover (ATO), and criminals have been employing increasingly sophisticated techniques to carry out these attacks.

One of the most popular techniques to identify vulnerable accounts, called credential stuffing, is the practice of testing a list of compromised usernames and passwords against multiple website login pages to try to find a match. Data breaches provide a steady source of valid usernames and passwords, which online criminals often purchase at wholesale rates. Because many people tend to reuse passwords, one set of credentials can provide access to dozens of accounts.

Meanwhile, criminals can easily and cheaply enlist bots to test logins. There are even video tutorials online that train novice criminals how to launch credential stuffing attacks in a matter of minutes.

More advanced software can use VPNs to emulate connections from different locations, or will slowly test a few accounts each day, rather than thousands en masse, gradually discovering which accounts can be accessed. In many cases, this slower and more distributed technique is harder to detect because it looks more like legitimate online behavior. This is the digital equivalent of wearing a disguise and patiently checking stolen keys a few doors at a time, rather than running frantically through the building, testing lock after lock.

In the physical world, security depends on a combination of technology and human capability, on mixing physical controls and verification with recognition and instinct. A person knows recurring building visitors by their physical qualities and behavior; they can instinctively spot a stranger doing something strange. Online security has always depended strictly on credentials — on simply having the right key. Criminals have long enjoyed the idea that online, nobody knows that you’re a bot.

Or almost nobody. There are proven techniques to detect bots and to tell the difference between a scripted attack and a legitimate user.

The first step in protecting your organization against these types of threats is to become more observant to better understand your website and the people who visit it. Like a good doorman or security guard, pay attention to anomalous behavior. Are unusual people visiting the building? Is a stranger attempting to use a resident’s key? Are visitors staying for very brief periods of time, and then leaving suddenly?

Detecting virtual bad actors means paying more careful attention to the digital interactions and touch points within your business, and how users interact with you through apps, websites or customer service centers.
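The three behaviors the article describes can be turned into concrete detection logic: the volumetric credential-stuffing burst (one source trying many different usernames, almost all of them failing), the slow and distributed variant (one account probed from several sources across several days), and the "brief visit, then gone" pattern of a successful login followed by an unusually short session. The following is an added example written for this page, not code from the article or from any vendor it alludes to; the log format, the field names and the threshold values are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real traffic). Each line is:
#   "<ISO timestamp> <source ip> <username> <OK|FAIL> <session seconds>"
# session seconds is 0 for failed logins. The format itself is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL 0
2024-03-01T10:00:02 203.0.113.7 bob FAIL 0
2024-03-01T10:00:02 203.0.113.7 carol FAIL 0
2024-03-01T10:00:03 203.0.113.7 dave OK 4
2024-03-01T10:00:03 203.0.113.7 erin FAIL 0
2024-03-01T10:00:04 203.0.113.7 frank FAIL 0
2024-03-01T10:00:04 203.0.113.7 grace FAIL 0
2024-03-01T10:00:05 203.0.113.7 heidi FAIL 0
2024-03-01T10:00:05 203.0.113.7 ivan FAIL 0
2024-03-01T10:00:06 203.0.113.7 judy FAIL 0
2024-03-01T09:30:00 198.51.100.20 alice OK 900
2024-03-01T11:15:00 198.51.100.20 alice OK 1200
2024-03-02T03:10:00 192.0.2.11 oscar FAIL 0
2024-03-03T14:22:00 192.0.2.45 oscar FAIL 0
2024-03-04T21:05:00 192.0.2.99 oscar FAIL 0
2024-03-05T07:40:00 192.0.2.130 oscar OK 3
"""


def parse_log(text):
    """Turn the raw text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result, secs = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "user": user,
            "ok": result == "OK",
            "session": int(secs),
        })
    return events


def burst_sources(events, window=timedelta(minutes=5), min_users=8, max_success=0.2):
    """Volumetric credential stuffing: one source tries many distinct
    usernames inside a short window and almost every attempt fails.
    Thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window_evs = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in window_evs}
            successes = sum(e["ok"] for e in window_evs)
            if len(users) >= min_users and successes / len(window_evs) <= max_success:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(window_evs),
                               "successes": successes}
                break  # one hit per source is enough to raise it
    return flagged


def low_and_slow_targets(events, min_ips=3, min_days=3, min_fails=2):
    """The patient, disguised attacker: a single account probed from several
    different sources on several different days, with repeated failures.
    A genuine traveller rarely fails repeatedly from a new address each day."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        ips = {e["ip"] for e in evs}
        days = {e["ts"].date() for e in evs}
        fails = sum(not e["ok"] for e in evs)
        if len(ips) >= min_ips and len(days) >= min_days and fails >= min_fails:
            flagged[user] = {"distinct_ips": len(ips),
                             "distinct_days": len(days),
                             "failures": fails}
    return flagged


def hit_and_run_sessions(events, max_seconds=10):
    """Successful logins followed by an unusually short session: the visitor
    who confirms the key works and leaves at once."""
    return [(e["ip"], e["user"], e["session"])
            for e in events if e["ok"] and e["session"] <= max_seconds]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("burst sources:", burst_sources(evs))
    print("low-and-slow targets:", low_and_slow_targets(evs))
    print("hit-and-run sessions:", hit_and_run_sessions(evs))
```

Run against the constructed log, the burst detector raises 203.0.113.7 (ten usernames in five seconds, one success), the low-and-slow detector raises the account oscar (four sources over four days, three failures), and the short-session check lists the two logins that lasted only a few seconds. In practice these three signals are combined with others (device fingerprint, known customer habits) rather than acted on alone, and the thresholds must be set from your own site's baseline so that legitimate customers are not treated as strangers.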

By acting as an observant doorman for your business, you can spot suspicious users and stop them from testing the locks in your building. The same tools and observations that help stop these bad actors can also improve the experience of good users by warmly welcoming them, removing friction and providing them a secure place to do business.

On the internet, it is possible to spot a bot and keep it from wreaking havoc with your customers. By getting to know and recognizing your customers, you can prevent bots from accessing their accounts, even when they lose their keys.

This is part two of a six-part series of articles describing the current state of digital identity and account takeovers.
