Surfacing Key Indicators of Account Takeovers

Account takeover (ATO) is a threat to any organization that conducts financial or e-commerce transactions via web applications. In fact, business losses attributed to ATO are projected to be over $5 billion in 2018. Account takeovers are made possible by dumped credentials that attackers acquire on the Dark Web. These stolen credentials are a primary means attackers use to access personally identifiable information (PII): of the 2,216 breaches Verizon examined for their 2018 breach report, the use of stolen credentials was the number one action attackers took to commit fraud.

Instrument Normal Account Actions

To stop account takeovers, you need visibility into where they start: at the point of account creation and login. Visibility requires monitoring the success and failure rates for specific event types:

  • Account login

  • Account creation

  • Password reset

Identifying malicious activity requires your organization to define an expected baseline level of activity for each of these key events over a defined timeframe: you know,, your business best and the patterns of your customers’ actions. For example, you would expect an increase in account creation if your financial institution ran a promotion waiving new account fees. During non-promotional periods, you would expect to see a different account creation volume.

An increase in malicious activity causes requests to spike above your defined baseline. To be alerted of such spikes, you should monitor two key traffic trends:

  • An unexpected increase in login attempts is a primary indicator of account takeovers, especially if the increase follows an unusual number of account creation attempts.

  • A higher-than-normal amount of password resets signifies that customers are locked out of their accounts, or malicious actors are attempting to reset passwords in an attempt to commandeer legitimate customer accounts.

A Threshold Approach to Identify Malicious Activity

Account takeover attempts can be blocked using a threshold-based approach: using your defined baseline for the amount of activity your organization expects for key authentication events, you’ll know when potentially malicious traffic occurs when the volume of those authentication events spike above expected thresholds.

Fastly customers use our out-of-the-box coverage to stop bots and scrapers. Power Rules utilize authoritative sources like SANS Malicious IP database and Fastly Network Learning Exchange (NLX) to determine the reputation of source IP addresses.  Aside from being an accurate IP reputation feed based on confirmed malicious activity collected from Fastly customers, NLX recognizes attack patterns across our customer network to proactively alert and defend web applications and APIs.

Power Rules can also examine a request and identify patterns in the headers of incoming HTTP requests. Bad actors frequently stage attacks from data centers, TOR exit nodes, known bad IP ranges, or bot signatures: unexpected traffic from these sources are signs of account takeover activity—so having a means to accurately determine the reputation of a request’s source IP is key to detecting and blocking malicious authentication activity.

Indicators of Successful Account Takeovers

Account Lockouts

A crucial issue for financial services providers, account lockouts not only increase customer service support costs as customers seek help accessing their accounts but can result in reputation loss as customers question the security of their accounts.

Using both your CRM system and Fastly, you can correlate customer contact increases with abnormal spikes in key application account activity, like login failures or password resets. Both are indicators that customers are locked out of their accounts. An increase in login failures could be attributed to malicious actors resetting legitimate customers’ passwords. As those customers try and regain access, they’ll initiate password reset requests.

Account Linking and Cashing Out

After successfully acquiring account credentials, attackers will link them to their own accounts and transfer funds. Fastly monitors two key activities related to cashing out:

  • Account linking activity: an unexpected increase in account linking can indicate attackers are preparing to siphon funds to third-party accounts.

  • Funds transfer activity: following spikes in increased account linking, funds transfers represent the payoff for attackers.

API Misuse

APIs function as the backbone of modern web, cloud, and mobile applications. Just as attackers utilize bots to mimic legitimate users, they can also deploy bots to enable high-speed abuse and misuse of APIs to perpetrate various malicious activities, including account takeover. Financial services companies expose APIs in order to serve both customers and third parties who need access to customer-specific data. However, detecting malicious requests is key to preventing attackers from abusing those same APIs and causing service disruption, data leakage, or account lockouts.

Defeating API abuse requires the same visibility that shows you where and how attackers are attempting to manipulate your application’s business logic, including authentication events. This requires instrumenting your application to monitor key application events in order to surface those real-time insights.  In addition to account takeover, account linking, and fund transfers, other examples of automated API misuse include:

  • Fake account creation:  the attacker manipulates the API to create large numbers of bot-controlled accounts.

  • Data aggregation:  an organization’s source data is aggregated with that of others as part of a commercial enterprise without the source organization’s permission.

  • Data scraping: the automated harvesting of proprietary data via the API

The Real Picture of Account Takeover

Now that you know how to zero in on when and how account takeover can occur in your application, you need a solution that provides the actionable visibility necessary to easily and consistently block it.

Fastly provides organizations visibility not only into key events like login and account creation but also the transactions attackers target for abuse and fraud — along with easy configuration and no performance overhead. This deep context and the ability to immediately block and mitigate attacker activity are key to active protection against ATO attacks. Moreover, an added benefit of using a threshold-based method to detect ATO-related activity is little to no false positives.

In contrast, other common WAF solutions are expensive to implement and maintain due to their reliance on regex-based rulesets while adding significant latency, impacting application performance and customer experience. They are limited in their protection capabilities and can only protect certain transactions like login and account creation.


Stopping account takeovers requires a solution that is easy to implement and provides the necessary visibility into the actions attackers take to acquire account access. common WAF implementations can take months and add significant latency to web requests. As you ramp up a common WAF, you’re missing out on the visibility and detection capabilities necessary to stop application abuse.

Fastly embeds into applications without adding latency to web and API requests and requires no application code changes. Once deployed, Fastly, out-of-the-box monitoring and detection capabilities enable your staff to monitor and stop ATO activity. In short, you’ll get more visibility faster— when it counts— with Fastly.


5 min read

Want to continue the conversation?
Schedule time with an expert
Share this post

Ready to get started?

Get in touch or create an account.