Protecting against account takeover: Gartner report on strengthening data security


Account takeover (ATO) fraud remains one of the most pervasive threats in the digital landscape, and its financial impact is staggering. In our “Guide to understanding and preventing account takeover fraud,” we noted that the average cost of a single data breach involving stolen credentials is $4.62 million.

A successful ATO attack can lead to significant operational downtime, lost revenue, and damage to brand reputation, which makes it crucial for companies to implement proactive defense mechanisms rather than react after the fact.

Gartner® recently published the report “How to Mitigate Account Takeover Risks,” which offers additional guidance for businesses looking to strengthen their defenses against account takeover fraud. Drawing on its own research, Gartner gives business leaders actionable recommendations for improving both active and passive authentication and for hardening the account recovery process. These perspectives help organizations counter the growing threat posed by account takeover attacks.

Here are five key takeaways from the Gartner report.

Over-reliance on active authentication

According to Gartner, “There is an overreliance on active authentication measures — typically a password and sometimes an additional authentication factor — to secure login processes, and then a lack of focus on detecting ATO post-login. Except for device profiling and bot mitigation, there is relatively limited adoption of passive authentication that can provide risk and recognition signals without impacting the user experience (UX).”

Device intelligence: A key defense against ATO

As stated by Gartner, “Device profiling is a passive interrogation technology incorporated into high-risk points within the user journey. It gathers hardware (CPU, GPU, screen resolution) and software (OS, browser, language, time zone) metadata from the device being used.”

By creating a detailed profile of a user’s device, businesses can detect anomalies that suggest malicious activity, such as when an unfamiliar device attempts to access a user’s account. This approach allows organizations to assess potential threats without requiring additional actions from the user, striking a balance between security and a seamless UX.
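As an added illustration (not code from this page or from Gartner), the following shows one way a server could score a login against the device profiles previously seen on an account, using the hardware and software attributes the quote lists. The attribute names, the risk tiers, the rule that only a browser version bump on known hardware stays low risk, and the sample devices are all assumptions made for the example.

```python
import hashlib
import json

# Attribute groups taken from the device-profiling description above.
# Hardware attributes change rarely; software attributes drift with routine updates,
# so an exact-match-only fingerprint would flag every browser update as a new device.
HARDWARE_KEYS = ("cpu", "gpu", "screen")
SOFTWARE_KEYS = ("os", "browser", "language", "timezone")
ALL_KEYS = HARDWARE_KEYS + SOFTWARE_KEYS


def fingerprint(profile: dict) -> str:
    """Canonicalise the profile and hash it; equal profiles give equal IDs."""
    canonical = json.dumps({k: profile.get(k) for k in ALL_KEYS}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def browser_family(value) -> str:
    """'Chrome 125' -> 'Chrome'; a version bump alone should not look like a new device."""
    return (value or "").split(" ")[0]


def assess_device(profile: dict, known_profiles: list) -> tuple:
    """Return (risk, reason) for a login from `profile` given the account's known devices."""
    fp = fingerprint(profile)
    if any(fingerprint(k) == fp for k in known_profiles):
        return "low", "exact match with a known device"

    for known in known_profiles:
        same_hardware = all(profile.get(k) == known.get(k) for k in HARDWARE_KEYS)
        if not same_hardware:
            continue
        changed = [k for k in SOFTWARE_KEYS if profile.get(k) != known.get(k)]
        # Only the browser version moved: routine update on known hardware.
        if changed == ["browser"] and browser_family(profile.get("browser")) == browser_family(known.get("browser")):
            return "low", "known hardware, browser version changed"
        # Known hardware but language, timezone, OS or browser family shifted: step-up check.
        return "medium", "known hardware but changed " + ", ".join(changed)

    return "high", "unfamiliar device"


# Constructed sample data for the example (not real users or devices).
KNOWN_DEVICES = [{
    "cpu": "8 cores", "gpu": "Apple M1", "screen": "2560x1600",
    "os": "macOS 14", "browser": "Chrome 124", "language": "en-US",
    "timezone": "America/New_York",
}]

if __name__ == "__main__":
    updated = dict(KNOWN_DEVICES[0], browser="Chrome 125")
    moved = dict(KNOWN_DEVICES[0], language="ru-RU", timezone="Europe/Moscow")
    stranger = {"cpu": "4 cores", "gpu": "Intel UHD 620", "screen": "1366x768",
                "os": "Windows 10", "browser": "Firefox 128", "language": "en-US",
                "timezone": "America/New_York"}
    for name, p in [("known", KNOWN_DEVICES[0]), ("updated", updated),
                    ("moved", moved), ("stranger", stranger)]:
        print(name, assess_device(p, KNOWN_DEVICES))
```

The result is a risk signal to feed into a step-up decision, not a replacement for authentication: an attacker running malware on the victim's own machine, or replaying metadata captured from it, presents the same profile, which is why the report pairs device profiling with other passive signals.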

Mitigating bot threats with advanced techniques

Bots continue to be a driving force behind many ATO attacks, and Gartner highlights the need for robust bot mitigation strategies by stating that “Bot mitigation services seek to distinguish human users and good bots from malicious bots.”

Bot mitigation has traditionally relied on friction-based challenges such as CAPTCHA. Because that friction falls on legitimate users as well as on bots, hurting their experience of reaching their own accounts and data, providers increasingly rely on methods that continuously analyze behavior to tell legitimate users from automated traffic without presenting a visible challenge.
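Bot mitigation services do this with far richer signals than a server log, but the core idea of telling automation apart by how it behaves can be shown on login records. The following added example (not code from this page or from Gartner) runs a simple credential-stuffing detector over constructed log lines: one source sweeps many accounts at a fixed cadence, the other is a single person who mistypes a password twice. The log format, field names, addresses and thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic). The first source walks through
# many different accounts at a fixed one-second cadence; the second is one person
# who fails twice and then succeeds.
SAMPLE_LOG = """\
2024-08-06T10:00:00Z ip=203.0.113.5 user=alice result=fail
2024-08-06T10:00:01Z ip=203.0.113.5 user=bob result=fail
2024-08-06T10:00:02Z ip=203.0.113.5 user=carol result=fail
2024-08-06T10:00:03Z ip=203.0.113.5 user=dave result=fail
2024-08-06T10:00:04Z ip=203.0.113.5 user=erin result=success
2024-08-06T10:00:05Z ip=203.0.113.5 user=frank result=fail
2024-08-06T10:00:00Z ip=198.51.100.7 user=alice result=fail
2024-08-06T10:00:09Z ip=198.51.100.7 user=alice result=fail
2024-08-06T10:00:31Z ip=198.51.100.7 user=alice result=success
"""


def parse_line(line: str) -> dict:
    """'<timestamp> key=value ...' -> dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text: str, min_users: int = 5, min_fail_ratio: float = 0.8,
            max_jitter: float = 0.5) -> dict:
    """Per source address, return ('bot' | 'human', [reasons]).

    A source is called a bot only when at least two independent indicators agree,
    so one person who fails a few times is not flagged.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    verdicts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        users = {e["user"] for e in events}
        fail_ratio = sum(e["result"] == "fail" for e in events) / len(events)
        # Seconds between consecutive attempts; scripts tend to be metronomic, people are not.
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
        jitter = statistics.pstdev(gaps) if len(gaps) >= 2 else None

        reasons = []
        if len(users) >= min_users:
            reasons.append(f"{len(users)} distinct accounts from one source")
        if fail_ratio >= min_fail_ratio:
            reasons.append(f"failure ratio {fail_ratio:.2f}")
        if jitter is not None and jitter <= max_jitter:
            reasons.append(f"machine-like timing (jitter {jitter:.2f}s)")
        verdicts[ip] = ("bot" if len(reasons) >= 2 else "human", reasons)
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, reasons) in analyze(SAMPLE_LOG).items():
        print(ip, verdict, "; ".join(reasons))
```

Two things worth noting from the output: the one success inside the sweeping source (the `erin` login) is the takeover to investigate first, and a per-account view alone would never have connected it to the other attempts. Per-address thresholds like these are also easily defeated by spreading the sweep across many proxy addresses, which is why the report pushes continuous behavioral and device signals rather than rate limits alone.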

Strengthening the account recovery process

As per Gartner, “For many organizations, account recovery and credentialing is a process vulnerable to attack, because most such processes rely on password reset emails or security questions to recover accounts.”
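The quote names the weak spot but not the fix, so here is an added example (not code from this page or from Gartner) of the controls that make the email reset path much harder to abuse: an unguessable token generated from the OS random source, stored only as a hash, bound to one account, valid for a short window, usable once, and superseded by any newer request. The in-memory store, the 15-minute lifetime and the method names are assumptions for the example; a real deployment would keep the rows in its database.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # short validity window (assumed value for the example)


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked database does not yield live reset links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """In-memory stand-in (hypothetical) for the table holding pending reset requests."""

    def __init__(self):
        self._rows = {}  # token hash -> {"user": str, "expires": float, "used": bool}

    def issue(self, user_id: str, now: float = None) -> str:
        """Create a fresh token for `user_id`; returns the value to place in the emailed link."""
        now = time.time() if now is None else now
        # Any earlier token for this account is superseded, so a stale email cannot be replayed.
        for row in self._rows.values():
            if row["user"] == user_id:
                row["used"] = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._rows[_hash_token(token)] = {
            "user": user_id, "expires": now + TOKEN_TTL_SECONDS, "used": False,
        }
        return token

    def redeem(self, user_id: str, token: str, now: float = None) -> tuple:
        """Validate a token presented on the reset form; returns (ok, reason)."""
        now = time.time() if now is None else now
        row = self._rows.get(_hash_token(token))
        if row is None:
            return False, "unknown token"
        if row["used"]:
            return False, "already used"
        if now > row["expires"]:
            return False, "expired"
        # Bind the token to the account named on the form so it cannot be aimed at another user.
        if not hmac.compare_digest(row["user"].encode(), user_id.encode()):
            return False, "token not for this account"
        row["used"] = True  # single use: consume it before the password is changed
        return True, "ok"


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")
    print(store.redeem("alice", link_token))   # first use succeeds
    print(store.redeem("alice", link_token))   # replay of the same link is refused
```

Two practices that sit outside this snippet belong with it: the "request a reset" endpoint should return the same response whether or not the address exists, and a completed reset should end the account's existing sessions and notify the previous contact address. Security questions, the other mechanism the quote mentions, are not improved by any of this; their answers are guessable or discoverable, and the usual advice is to retire them rather than harden them.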

Beyond authentication: A holistic security strategy

As we covered in the “Guide to understanding and preventing account takeover fraud,” consumers who fall victim to an ATO attack often lose trust in businesses that fail to safeguard their data and finances. To limit that reputational damage and the financial losses that follow, organizations must add authentication layers beyond the login password.

The Gartner report emphasizes that “SRM leaders should avoid being overreliant on active authentication alone (namely, authentication methods that are visible to the user and impact the UX).”

By integrating device intelligence, bot mitigation, and passive authentication technologies, organizations can detect threats at every stage of the user journey, not only at login. This continuous risk assessment lets businesses act quickly when suspicious behavior is detected, reducing the likelihood of a successful attack.

Defending against ATO attacks: The path forward

The latest Gartner report states that “Account takeover attacks remain a stubborn security problem in customer and workforce environments. Security and risk management leaders should augment active authentication before and during the user journey and protect the account recovery process.”

Implementing these strategies strengthens security while maintaining a seamless user experience, which matters in today’s competitive digital environment. Proactive prevention, using technology to detect and mitigate risks before they damage the brand, reputation, data, and customers, is essential. As the threat of account takeover grows, businesses that prioritize robust, adaptable security measures will be better equipped to protect their users, data, and reputation.

Interested in learning more? Watch our latest on-demand webinar that explores the ATO landscape and shows how focusing on user experience can actually reduce ATO risks and increase revenue.

Gartner, “How to Mitigate Account Takeover Risks,” Akif Khan, Ant Allan, Dan Ayoub, 6 August 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally. All rights reserved.
