
As someone who avoids most in-person shopping, banking, and (let's be honest) whatever else can be done online, very few things annoy me more than when I get a notification that one of my accounts has been compromised.
You've likely heard it time and again: Fraudsters are quickly evolving their tactics, and companies are trying to keep up. As a result, many consumers have dealt with some type of fraud before, from unauthorized purchases on a credit card to receiving (and hopefully deleting) phishing emails.
What I'm going to cover in this blog post specifically, however, is a type of fraud that can be one of the most stressful things any customer and business has to deal with: Account takeovers (ATO for short). I'll also share how Fingerprint's Smart Signals can help prevent ATOs.
What is an account takeover (ATO)?
We've covered account takeovers in past posts here and here. As a quick TL;DR refresher, an ATO happens when someone gains unauthorized access to an online account and uses it to steal money or personal data, or worse. This specific type of fraud has been on the rise: in 2023, 29% of American adults were victims of account takeovers, compared to 22% in 2021.
As a result, more organizations are requiring extra authentication steps for users, including MFA, 2FA, and OTP, the costs of which can be significant. On the flip side, while these extra steps provide additional security, they can also cause friction for legitimate users. So, how can businesses balance the need for security and fraud prevention while preserving the customer experience?
Visitor ID + Smart Signals = Real-time data to help prevent ATOs
By using Fingerprint's Smart Signals in conjunction with visitorID, companies can get deeper insights into all online visitors in real time, even if they're anonymous or using a VPN. Let's dive into some of these Smart Signals to see how they can help identify and prevent potential fraudulent activity, and prevent ATOs.
Attackers will typically deploy a wide variety of methods to escape being caught, including using proxies, VPNs, and tampering with the browser fingerprint. Automation and bots are used for "database leak" attacks, where a fraudster has gained access to account information and wants to try as many different logins as possible (the recent Snowflake data breach is a good example).
Fingerprint's device intelligence technology sees through proxies, VPNs, and incognito browsing sessions to identify and assign unique visitorIDs to new visitors while allowing you to recognize returning ones, enabling you to spot potential malicious actors and legitimate users in real time.
For example, if you see a returning user identified as using the same device they always use (i.e., they have the same visitorID), you can be relatively sure that you're not looking at an account takeover situation. However, if you see a returning user from a device you've not seen them using before, you may want to activate further verification methods, such as 2FA, MFA or OTP.
You could also leverage Fingerprint's Smart Signals to take a closer look at their activity. If one or more of the signals are present, especially if they have never been present for this user before, some of your standard authentication methods might not be enough. The signals may indicate a fraudster, and the client may be a victim of a more sophisticated ATO, such as SIM swapping.
Some Smart Signals to look out for include:
- Browser tamper detection detects if a browser has been spoofed or configured in a way that might indicate fraudulent intent.
- IP geolocation provides information about the physical location of the originating IP address. Detecting that the location has changed from the user's typical locations, or even seeing "impossible travel", could be an indication of ATO, as could the presence of the IP on Fingerprint's blocklist.
- Similarly, VPN detection not only detects the presence of a standard VPN through signals but also flags anonymizing services by detecting mismatches in time zone, IP location, and operating system fingerprints, all of which can indicate a user trying to make their identified location match stolen user address information.
- Rooted device detection and jailbroken device detection detect whether a user is visiting from a rooted Android device or a jailbroken iPhone, which enables them to spoof their device's location, bypass geographical restrictions, modify the device's identifiers to evade detection, and more.
- Browser incognito detection and privacy-focused settings detection detect if a user is trying to hide their identity through use of incognito mode or privacy-focused browsers.
Additionally, Fingerprint's Suspect Score is an easy way to initially integrate these Smart Signals into your fraud protection workflow. Suspect Score is a single value representing how many Smart Signals indicative of suspicious or fraudulent activity were triggered for a particular requestId.
Finally, by using Fingerprint's bot detection to reliably distinguish real users from bots, you can prevent bot-driven ATO attacks, which are on the rise, with a 10% year-over-year increase in 2023.
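The decision flow described above (recognized device, signals never seen for this user, impossible travel, bots), sketched as an added example that is not from the original post or Fingerprint's SDK. The profile and event shapes, the signal labels, the 900 km/h threshold and the action names are all assumptions.

```javascript
// Field and signal names here are assumptions for illustration, not Fingerprint's
// API schema; map them from whatever your device-intelligence provider returns.
const MAX_KMH = 900; // assumed ceiling, roughly airliner cruising speed

// Great-circle distance in km between two {lat, lon} points (haversine).
function distanceKm(a, b) {
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// True when the speed implied by two consecutive logins exceeds MAX_KMH.
function impossibleTravel(prev, cur) {
  if (!prev) return false; // first login: nothing to compare against
  const hours = (cur.ts - prev.ts) / 3.6e6; // ts is epoch milliseconds
  const km = distanceKm(prev, cur);
  if (hours <= 0) return km > 50; // clock skew or same instant: judge by distance
  return km / hours > MAX_KMH;
}

// profile: { knownVisitorIds: Set, seenSignals: Set, lastLogin: {lat, lon, ts} | null }
// event:   { visitorId, signals: string[], bot: boolean, lat, lon, ts }
function decideLogin(profile, event) {
  if (event.bot) return { action: "block", reasons: ["bot"] };
  const reasons = [];
  if (!profile.knownVisitorIds.has(event.visitorId)) reasons.push("new_device");
  // Only signals never seen for this user count; a habitual VPN user is not flagged.
  for (const s of event.signals)
    if (!profile.seenSignals.has(s)) reasons.push("new_signal:" + s);
  if (impossibleTravel(profile.lastLogin, event)) reasons.push("impossible_travel");
  if (reasons.length === 0) return { action: "allow", reasons };
  // A new device alone gets the usual 2FA/MFA/OTP challenge. New signals or
  // impossible travel escalate to stronger verification, since OTP itself may
  // be compromised (e.g. SIM swapping). The two-tier split is an assumption.
  const onlyNewDevice = reasons.length === 1 && reasons[0] === "new_device";
  return { action: onlyNewDevice ? "step_up" : "strong_verify", reasons };
}

// Constructed sample: a user who always logs in from one device, via a VPN, in New York.
const sampleProfile = {
  knownVisitorIds: new Set(["vid-A"]),
  seenSignals: new Set(["vpn"]),
  lastLogin: { lat: 40.71, lon: -74.01, ts: Date.UTC(2024, 0, 1, 12) },
};
```

After a login that passes verification, add its visitorId and signals to the profile and update `lastLogin`, so the baseline follows the user's real behaviour.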
"We are very happy with the account takeover attacks that we could stop. Without Fingerprint, it would have been much harder for us to identify these fraudsters."
Prashanth Yerramili, Manager - Platform Abuse Team, Dropbox
Key takeaways
Fraudsters are getting smarter and finding new ways to use technology to steal valuable information and take over customer accounts. By using Fingerprint's visitor ID capabilities in conjunction with Smart Signals, companies can reliably identify visitors with high accuracy in real time and block bad actors from gaining unauthorized access to accounts, all while streamlining the customer experience from recognized users and devices.
Interested in learning more? Check out the Smart Signals docs here.
Want to try out Smart Signals?
Sign up today for a 14-day free trial.
Frequently Asked Questions
What is an account takeover (ATO)?
An account takeover (ATO) happens when someone gains unauthorized access to an online account and uses it to steal money or personal data, or worse.
What are some of the impacts of an account takeover?
The impacts of an account takeover extend beyond just individual account holders. Companies also suffer from financial losses, broken customer trust, and reputational damage.
How can companies prevent account takeovers and protect customers?
Companies can prevent ATOs by using technology like Fingerprint's device intelligence platform, which assigns a unique ID to all online visitors. When used in conjunction with Fingerprint's Smart Signals and Suspect Score, companies can determine the threshold where extra authentication steps like 2FA and MFA will be triggered.



