Account takeover (ATO) is when a fraudster gains control of an account that belongs to a genuine customer. Fraudsters can then make unauthorised transactions, sell the compromised accounts on and/or scrape personal information out of the account which can be sold.
Phishing, spyware and malware can all be used to commit more sophisticated ATO attacks. However, credential stuffing is the most common tactic used to launch ATO attacks.
Credential stuffing uses stolen username and password combinations to automate login requests in order to gain access to user accounts. Estimates on the average success rate of credential stuffing attacks range from 0.1-2% with a peak of 8% quoted by some sources.
Following a breach, stolen credentials are purchased on the darkweb and shared via cracking forums. Data breaches are therefore a major contributing factor to increasing levels of ATO attacks. Combined with high levels of password reuse, this is especially concerning.
Credential stuffing can be scripted by more skilled fraudsters. However, automated tools like Sentry MBA make credential stuffing very easy for anyone to commit. This means there is a range of actors involved in committing ATO; from sophisticated hackers through to teenagers looking to order a ‘free’ pizza.
ATO attacks have significant consequences for merchants. It’s not just the cost of replacing goods or refunding payments - it’s also the time spent by support teams dealing with angry customers and other teams tackling the legal and operational fallout. In addition, there is often significant reputational damage incurred.
Taking into account the nature of ATO, Ravelin have introduced a number of different ways to combat the issue.
Credential stuffing relies on a list of username and password combinations. In order to mitigate against this, we maintain a breached credentials database. Calls can be made to the database either via the v3/login event at login or via /v2/lookup/credentials/check during registration or password change to verify if we’ve seen the credentials in the wild. Though we cannot guarantee that every breached credential will be in our database, this can go a long way to preventing ATO. You can also search for and view users that have logged in with credentials that appear in our database - providing additional context during investigations.
We have added customizable rate limits at login around device, username and IP. Thresholds can be set for this depending on your specific operational requirements. Rate limits are useful for tackling high volume attacks.
In addition, we check for things we know can indicate that a user is a fraudster like proxies and TOR.
We can set ATO specific rules around device, username, IP and velocity. For example, if the same device tries to access X accounts within a set time frame. Rules are especially useful for tackling ‘low and slow’ volume attacks.
By leveraging data collected via v3/login event, we provide oversight of login activity within our dashboard. Login activity reporting is available to explore via our Analytics tool, making it easier to spot anomalies in ‘normal’ login activity across your customer base. In addition, you can interact with login data via a filterable login list and drill down to view login information for a specific customer on their customer profile.
The point of login is a critical step in detecting account takeover. We want to prevent the malicious actor from being able to log in just like we want to prevent the fraudster from completing an order.
This is the endpoint used to tell Ravelin about every login attempt, both successful and unsuccessful. Unsuccessful logins can be important signals for an ATO attack. It will provide an ATO recommendation response if asked for via the query parameter score=true. Otherwise it will simply record the data without further processing.
|
Property |
Type |
Required |
Description |
||
|
timestamp |
integer |
yes |
Unix timestamp with milliseconds, (Nanoseconds also accepted) |
||
|
login |
object |
yes |
|||
|
device |
object |
no |
Not required but highly recommended. Defined below |
||
|
location |
object |
no |
|||
{
"device": {
"approxDeviceIdRate": 0,
"approxDeviceIdRateBlock": true,
"approxIPAddressRate": 0,
"approxIPAddressRateBlock": true,
"browser": "string",
"cookiesEnabled": true,
"custom": {
"additionalProp1": {},
"additionalProp2": {},
"additionalProp3": {}
},
"deviceId": "string",
"firstSeen": "string",
"ipAddress": "string",
"location": {
"city": "string",
"country": "string",
"custom": {
"additionalProp1": {},
"additionalProp2": {},
"additionalProp3": {}
},
"geohash": "string",
"latitude": 0,
"longitude": 0,
"neighbourhood": "string",
"poBoxNumber": "string",
"postalCode": "string",
"region": "string",
"street1": "string",
"street2": "string",
"zone": "string"
},
"manufacturer": "string",
"model": "string",
"os": "string",
"screenResolution": "string",
"type": "string",
"userAgent": "string"
},
"location": {
"city": "string",
"country": "string",
"custom": {
"additionalProp1": {},
"additionalProp2": {},
"additionalProp3": {}
},
"geohash": "string",
"latitude": 0,
"longitude": 0,
"neighbourhood": "string",
"poBoxNumber": "string",
"postalCode": "string",
"region": "string",
"street1": "string",
"street2": "string",
"zone": "string"
},
"login": {
"approxUsernameRate": 0,
"approxUsernameRateBlock": true,
"authenticationMechanism": {
"magiclink": {
"email": "string",
"failureReason": "string",
"phoneNumber": "string",
"success": true,
"transport": "string"
},
"oneTimeCode": {
"failureReason": "string",
"success": true
},
"password": {
"failureReason": "string",
"passwordBcrypted": "string",
"success": true
},
"recaptcha": {
"failureReason": "string",
"success": true
},
"rsaKey": {
"failureReason": "string",
"success": true
},
"smsCode": {
"failureReason": "string",
"phoneNumber": "string",
"success": true
},
"social": {
"failureReason": "string",
"socialProvider": "string",
"success": true
},
"u2f": {
"failureReason": "string",
"success": true
}
},
"custom": {
"additionalProp1": {},
"additionalProp2": {},
"additionalProp3": {}
},
"customerId": "string",
"loginId": "string",
"success": true,
"username": "string"
},
"timestamp": 0
}Above is the full login request object. This is similar to our /v2/login endpoint but with additional information regarding the authentication attempt. This request is expected to be sent after all successful and unsuccessful logins from your backend system.
|
Property |
Type |
Required |
Description |
||
|
username |
String |
yes |
The username of the user. This is the unique string that ties this particular user to the authentication mechanism used. Typically this is the email address. |
||
|
customerId |
String |
yes |
customerId is the unique identifier for a user. This identifier does not change even if the username is changed. This is optional for login events as you will see failed logins against usernames that do not exist in your system and therefore do not have a customerId. Please send this on login attempts where a customerId is available. If you are using our fraud solution, this should be the same customerId as used there. |
||
|
success |
Boolean |
yes |
If the login attempt was successful and access was granted |
||
|
authenticationMechanism |
yes |
At least one authentication mechanism must be provided. More than one may be provided. For example a password and a oneTimeCode may be used to authenticate. |
|||
|
password |
Provided if the user is using a password to authenticate |
||||
|
passwordHashed |
string |
The SHA256 hashed (https://en.wikipedia.org/wiki/SHA-2 ) form of the password. This is used to check the password against our ever updating list of breached credentials. This hash is not stored by Ravelin. It is used to check our breached credential database and then discarded. |
|||
|
success |
boolean |
yes |
If the authentication was successful |
||
|
failureReason |
string |
conditional |
This is required if success is set to false. Valid values are:
|
||
social |
Provided if the user authenticates via a social login provider |
||||
|
success |
boolean |
yes |
If the authentication was successful |
||
|
failureReason |
string |
conditional |
This is required if success is set to false. Valid values are:
|
||
|
socialProvider |
string |
yes |
The social provider of the used for the authentication process.
Valid values are: |
||
oneTimeCode |
Provided if a one time code such as those used by google Authenticator is used |
||||
|
success |
boolean |
yes |
If the authentication was successful |
||
|
failureReason |
string |
conditional |
This is required if success is set to false. Valid values are:
|
||
u2f |
Provided if u2f authentication is used as defined by the FIDO alliance. https://fidoalliance.org/download/ |
||||
|
success |
boolean |
yes |
If the authentication was successful |
||
|
failureReason |
string |
conditional |
This is required if success is set to false. Valid values are:
|
||
rsaKey |
Provided if an rsaKey is used such as a Yubikey |
||||
|
success |
boolean |
yes |
If the authentication was successful |
||
|
failureReason |
string |
conditional |
This is required if success is set to false. Valid values are:
|
||
smsCode |
Provided if a one time code was used sent via sms |
||||
|
phoneNumber |
string |
yes |
The number the sms was sent to |
||
|
success |
boolean |
yes |
If the authentication was successful |
||
|
failureReason |
string |
conditional |
This is required if success is set to false. Valid values are:
|
||
magiclink |
Provided if a one time link was sent to the user via a trusted communication channel |
||||
|
transport |
string |
yes |
The transportation mechanism for the magic link. Valid values include: email, sms |
||
|
phoneNumber |
string |
conditional |
The number the link was sent to. Required if transport is sms |
||
|
|
string |
conditional |
The email the link was sent to. Required if transport is email |
||
|
success |
boolean |
yes |
If the authentication was successful |
||
|
failureReason |
string |
conditional |
This is required if success is set to false. Valid values are:
|
||
|
recaptcha |
Provided if recaptcha was performed |
||||
|
success |
boolean |
yes |
If the authentication was successful |
||
|
failureReason |
string |
conditional |
This is required if success is set to false. Valid values are:
|
||
Device is a required field on the login event. Both the deviceId and the IP address must be present in request and are vital to any ATO product. The deviceId can be generated via our javascript library. Details about that can be found in the device fingerprinting section. Any other details can be very useful but are not strictly necessary. For more details about device tracking please see our API and the Guide.
Location is not required as we are aware you will not typically have a location at login time. If you do have location as part of your flow this can be very useful to localise ongoing or repeat attackers. Please see here for details about the location object: Location API
You can see an example of a successful response from the /v3/login endpoint below. This response is identical to other responses given by the Ravelin platform for payment fraud endpoints. Note that we do provide payment fraud scores at login time as well. The Payment fraud and ATO responses are both included. Ensure you use the correct action when dealing with ATO vs. Payment Fraud.
|
Property |
Type |
Description |
||
|
status |
integer |
HTTP status code of the response |
||
|
success |
string |
Indicates if the request was successful or not |
||
|
timestamp |
string |
RFC3339Nano encoded timestamp for the response |
||
|
credentialStatus |
object |
The status of the username and password |
||
|
passwordBreached |
bool |
Indicates if the password + username combination appears in our breached credential database |
||
|
usernameBreached |
bool |
Indicates if this username appears in our breached credential database |
||
|
data |
object |
The Fraud and Account Takeover results. This is identical to fraud endpoint responses |
||
|
ato |
object |
The Account Takeover specific results. All other results at the top level are indicative of payment fraud |
||
|
action |
string |
The action to take regarding Account Takeover. One of BLOCK, WARN, PERMIT |
||
|
rules |
object |
Indicates which rule was triggered to cause the given action |
||
|
customerId |
string |
The customerId of customer in question |
||
|
action |
string |
The action to regarding Payment Fraud. One of ALLOW, PREVENT, REVIEW. |
||
|
score |
integer |
The score given regarding Payment Fraud |
||
|
source |
string |
The source of the score given regarding Payment Fraud |
||
|
scoreId |
string |
The scoreId of the given score regarding Payment Fraud |
||
|
effectiveTime |
string |
The effective time the decision was made. All data sent before this time as measured by ravelin servers will be included in the decisions. The time is formatted as RFC3339Nano. |
||
Example response:
{
"checks": {
"additionalProp1": {
"action": "string"
},
"additionalProp2": {
"action": "string"
},
"additionalProp3": {
"action": "string"
}
},
"credentialStatus": {
"passwordBreached": true,
"usernameBreached": true
},
"data": {
"action": "string",
"ato": {
"action": "string",
"rules": {
"passiveAction": "string",
"triggered": [
{
"action": "string",
"description": "string",
"state": "string",
"triggered": true
}
]
}
},
"cachedScore": true,
"comment": "string",
"connect": {
"fraudulent": true
},
"customerId": "string",
"effectiveTime": "string",
"lookup": {
"lookupAction": "string",
"lookupResult": {
"email": {
"address": "string",
"hasChargebacks": true,
"reviewedAsFraudster": true
},
"hasChargebacks": true,
"industry": "string",
"ipAddress": {
"address": "string",
"fromTime": 0,
"hasChargebacks": true,
"reviewedAsFraudster": true,
"toTime": 0
},
"reviewedAsFraudster": true,
"telephone": {
"hasChargebacks": true,
"number": "string",
"reviewedAsFraudster": true
}
}
},
"market": {
"city": "string",
"country": "string",
"region": "string"
},
"rules": {
"passiveAction": "string",
"triggered": [
{
"action": "string",
"description": "string",
"state": "string",
"triggered": true
}
]
},
"score": 0,
"scoreId": "string",
"source": "string",
"thresholds": {
"prevent": 0,
"review": 0
},
"warnings": [
{
"class": "string",
"help": "string",
"msg": "string",
"state": "string"
}
]
},
"message": "string",
"status": 0,
"success": "string",
"timestamp": "string",
"traceId": "string",
"warnings": [
{
"docs": "string",
"id": 0,
"message": "string"
}
]
}You can see an example of a failed response from the /v3/login endpoint below. A failure response will indicate why the failure happened and will try to direct you to relevant documentation.
{
"docs": "string",
"errors": [
{
"Docs": "string",
"Error": "string",
"Path": "string"
}
],
"message": "string",
"retryable": true,
"status": 0,
"success": "string",
"timestamp": "string",
"traceId": "string"
}Using the information supplied to Ravelin, logins and other events are categorized in one of three buckets: PERMIT
WARN
BLOCK
This information is sent in the response body to scored POST requests (with ?score=true) as defined above.
Events sent to Ravelin using POST requests get an empty response body by default. The information is stored in our system and no further action is taken during the request.
To force an immediate evaluation based on the information received up to and including an event add the ?score=true query parameter.
This will do two things: 1. Process the event payload 2. Force immediate recalculation of the action and return it
The score will be calculated based on the information in this event, and in all events previously received and met with a 200 OK status.
The ?score=true query parameter is available on every event endpoint. This includes both ATO and Payment Fraud related endpoints. Specify it when you want to make a decision regarding a login attempt.
The most important field in the payload is action under the ATO object:
|
On this action |
In your system |
|
PERMIT |
Allow this login or account detail change to proceed - no action is required |
|
WARN |
We advise that you allow the login but take extra validation steps for this login or account detail change. Additional validation could include enforcing 2FA if you have a verified phone number, notifying the user that there has been suspicious account activity and asking them to cnfirm if the activity was legitimate or not or prompting the user to complete a recaptcha |
|
BLOCK |
We advise that you block this login or account change and show a generic error message which does not explain why the user was prevented from login. This is important as we do not want to make it obvious to the fraudster that we have detected the attempt. If we return a |
Other fields are provided for analytic and debugging purposes.
Ravelin maintains an up to date list of breached credentials that can be found in the public domain. At login, you can view whether the login attempt was using breached credentials by looking at the credentialStatus object within the /v3/login response.
You can use the database to check if a user is attempting to register a new account, or update an existing one, with credentials that have been seen in the wild via our v2/lookup/credentials/check endpoint. The below request is expected to be sent at password creation or update. The response will tell you if the username and/or password is found in our breached credential database.
{
"username": "string",
"passwordHash": "string"
}{
"usernameBreached": true,
"passwordBreached": true
}There are three distinct flows where we check if a users credentials have been breached. For each flow, you may want to take a different action. Below we have outlined what we suggest for each flow.
While your backend is processing a login request, you can call our v3/login endpoint. Our response will indicate within the credential status object whether or not the username and password appear in Ravelin’s breached credential database.
| Credential Status | Action |
|---|---|
|
If the response is PERMIT and the credential status is FALSE for both username and password, we suggest you allow the login - no action is required.
|
|
If the credential status is only true for username, we suggest you take no action. |
|
If the credential status is true for both username and password, we suggest you take at least one of the following actions taking into account your risk appetite:
|
At registration, you can call our v2/lookup/credentials/check endpoint. We will return the responses outlined below.
| Credential Status | Action |
|---|---|
|
No action is required if we return false. |
|
If the credential status is only true for username, we suggest you take no action. |
|
If a user is trying to register using credentials that appear in the breached database, we advise that you do NOT allow the user to set that password at registration. |
During an account update (e.g. forgot password, password change), you can call our v2/lookup/credentials/check endpoint. We will return the responses outlined below.
| Credential Status | Action |
|---|---|
|
No action is required if we return false. |
|
If the credential status is only true for username, we suggest you take no action. |
|
If a user is trying to update their account using credentials that appear in the breached database we advise that you do NOT allow the user to use the password at time of update. |