Mar 15–18, 2020

Mobility behavior fingerprinting: A new tool for detecting account takeover attacks

Sathya Chandran (DataVisor)
2:35pm–3:15pm Tuesday, March 17, 2020
Location: LL21B
Secondary topics:  Security and Privacy

Who is this presentation for?

Data scientists or analysts

Level

Intermediate

Description

Account takeover attacks (ATO) are one of the most common and devastating threats digital platforms face today. Attackers can compromise accounts themselves via credential stuffing attacks or buy them in bulk in the underground market. Despite techniques such as device fingerprinting and second-factor authentication, fraudsters continuously evolve their tactics to bypass detection.

Sathya Chandran shares insights from when DataVisor analyzed 52 billion events from 1.1 billion users of social, ecommerce, and financial digital platforms to understand recent trends in ATO attacks. The study made some interesting discoveries. First, in 65% of ATO attacks, the user hadn’t logged into their account for over 90 days. Attackers favor dormant accounts because the legitimate owner isn’t around to notice, so the ATO activity mostly goes unnoticed. Second, in financially motivated ATOs, fraudsters take meticulous efforts to stay under the radar. In 20% of financial ATO cases, a fraudster accessed the account from within 300 miles of the original account owner, so as not to deviate from the owner’s behavioral profile. Third, once an account is compromised, the damage is almost immediate. DataVisor observed that in 72% of the financial ATO cases, a fraudulent money transaction was made within the first hour of compromise. Fourth, to maximize the return on their effort, fraudsters conduct ATO attacks at scale using hundreds or thousands of accounts. They use techniques such as password spraying and credential stuffing from IP addresses rented from data centers, and the process is automated using scripts.

Guided by insights from its analysis of ATO attacks, Sathya explains what DataVisor identified as some fundamental differences in account usage by a good user and a fraudster. Specifically, user behavior involves change along multiple dimensions such as device or IP address. A user may travel between home and work using different IP addresses and may use different devices while accessing their online account. The company models behavioral change of user activity in a multidimensional space using global good users across multiple digital platforms and calls this the “trusted change space.” Its data-driven analysis of ATO attacks reveals that any post-ATO activity deviates significantly from the trusted change space modeled based on good users.

DataVisor’s features are robust in the face of an evolving adversary. For example, even though a fraudster tries to stay close to their victim in the case of financial ATO, the IP address switching pattern will be very different compared to the original good user. The company incorporates its user mobility features into an anomaly detection system to detect suspicious account logins and money transfers in real time. The experiments show the approach can detect ATO activity with a precision of 92%, causing minimal friction to user experience.
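To make the "trusted change space" idea concrete, here is an added toy example (not DataVisor's code, and not the model behind the 92% precision figure). It assumes login events carry a user id, timestamp, source IP, device id, and a rough geolocation; the users, IPs, coordinates, and the 0.5 alert threshold are all constructed for illustration. Each login after a user's first is turned into a change vector (kilometres moved since the previous login, whether the device is new for that user, and how many distinct IPs the account used in the trailing 24 hours). The trusted change space is the set of change vectors seen across good users, scaled per feature by the spread good users exhibit; a candidate login's deviation is its distance to the nearest trusted change vector. The fraud scenario mirrors the page's findings: a ~100-day dormant account, an attacker about 250 km (within 300 miles) from the owner, and rapid IP switching from a new device.

```python
"""Toy 'trusted change space' detector for ATO logins (added example, not DataVisor's code).
All sample logins below are constructed; the 0.5 alert threshold is an assumed tuning knob."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    device: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def change_vectors(logins):
    """For every login after a user's first, return (user, ts, (km_moved, new_device, ips_24h)):
    km since the previous login, 1 if the device was never seen for this user, and the number
    of distinct source IPs in the trailing 24 h including this login (the IP-switching pattern)."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)
    vectors = []
    for user, evs in by_user.items():
        seen_devices = {evs[0].device}
        for i in range(1, len(evs)):
            prev, cur = evs[i - 1], evs[i]
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            new_dev = 0 if cur.device in seen_devices else 1
            seen_devices.add(cur.device)
            window = {e.ip for e in evs[: i + 1] if cur.ts - e.ts < timedelta(hours=24)}
            vectors.append((user, cur.ts, (km, new_dev, len(window))))
    return vectors


class TrustedChangeSpace:
    """Change vectors observed across good users. Each feature is scaled by its observed
    spread, so one unit of deviation means 'the full range of change good users show'."""

    def __init__(self, good_vectors):
        cols = list(zip(*good_vectors))
        self.scale = [max(max(c) - min(c), 1.0) for c in cols]
        self.points = [self._scaled(v) for v in good_vectors]

    def _scaled(self, v):
        return [x / s for x, s in zip(v, self.scale)]

    def deviation(self, v):
        """Distance from v to the nearest trusted change vector (nearest-neighbour stand-in
        for a density model fitted over billions of events)."""
        q = self._scaled(v)
        return min(sqrt(sum((a - b) ** 2 for a, b in zip(q, p))) for p in self.points)


def score_logins(good_logins, candidate_logins, threshold=0.5):
    """Fit the trusted change space on good users, then score candidate users' logins."""
    space = TrustedChangeSpace([v for _, _, v in change_vectors(good_logins)])
    return [{"user": u, "ts": ts, "features": vec, "deviation": space.deviation(vec),
             "alert": space.deviation(vec) > threshold}
            for u, ts, vec in change_vectors(candidate_logins)]


# Constructed sample data.  HOME/WORK are ~68 km apart; OWNER and NEARBY are ~250 km apart.
HOME, WORK = (37.7749, -122.4194), (37.3382, -121.8863)
OWNER, NEARBY = (38.5816, -121.4944), (36.7378, -119.7871)
T0 = datetime(2020, 3, 1)


def ev(user, hours, ip, device, loc):
    return Login(user, T0 + timedelta(hours=hours), ip, device, *loc)


GOOD_LOGINS = [  # alice and bob commute between home and work; bob works from home on day 2
    ev("alice", 9, "203.0.113.10", "alice-phone", HOME),
    ev("alice", 10, "198.51.100.20", "alice-laptop", WORK),
    ev("alice", 18, "203.0.113.10", "alice-phone", HOME),
    ev("alice", 34.5, "198.51.100.20", "alice-laptop", WORK),
    ev("alice", 42.5, "203.0.113.10", "alice-phone", HOME),
    ev("bob", 9, "203.0.113.55", "bob-phone", HOME),
    ev("bob", 10, "198.51.100.77", "bob-laptop", WORK),
    ev("bob", 18, "203.0.113.55", "bob-phone", HOME),
    ev("bob", 34.5, "203.0.113.55", "bob-laptop", HOME),
    ev("bob", 42.5, "203.0.113.55", "bob-phone", HOME),
]
TEST_LOGINS = [  # dave is a legitimate commuter; carol's account is dormant ~100 days, then taken over
    ev("dave", 9, "203.0.113.70", "dave-phone", HOME),
    ev("dave", 10, "198.51.100.80", "dave-laptop", WORK),
    ev("dave", 18, "203.0.113.70", "dave-phone", HOME),
    ev("carol", 9, "203.0.113.90", "carol-phone", OWNER),
    ev("carol", 100 * 24 + 1, "192.0.2.10", "dc-headless", NEARBY),          # new device, ~250 km away
    ev("carol", 100 * 24 + 1 + 10 / 60, "192.0.2.11", "dc-headless", NEARBY),  # IP rotates every 10 min
    ev("carol", 100 * 24 + 1 + 20 / 60, "192.0.2.12", "dc-headless", NEARBY),
    ev("carol", 100 * 24 + 1 + 30 / 60, "192.0.2.13", "dc-headless", NEARBY),
]

if __name__ == "__main__":
    for r in score_logins(GOOD_LOGINS, TEST_LOGINS):
        km, new_dev, ips = r["features"]
        print(f'{r["user"]:6} {r["ts"]:%Y-%m-%d %H:%M}  km={km:6.1f} new_dev={new_dev} '
              f'ips24h={ips}  deviation={r["deviation"]:.2f}  {"ALERT" if r["alert"] else "ok"}')
```

Dave's change vectors coincide with ones seen from good users, so his deviation is zero; carol's first post-dormancy login deviates strongly on distance and device, and the follow-up logins are flagged even though they come from the same place and device, because good users in this sample only switch IPs when they actually move between locations. That is the kind of IP-switching discrepancy the talk describes, and it survives the attacker's effort to stay geographically close. In production the envelope would be learned from far more users and features, and the threshold tuned against the precision/friction trade-off rather than set by hand.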

Prerequisite knowledge

  • General knowledge of big data technologies, including Spark

What you'll learn

  • Gain insight into the tools, tactics, and procedures fraudsters use to launch large-scale ATO attacks across multiple business verticals
  • See a case study of the ATO attack lifecycle using real-world examples
  • Learn guidelines for building a scalable, real-time ATO detection solution

Sathya Chandran

DataVisor

Sathya Chandran is a security research scientist at DataVisor. He’s an expert in applying big data and unsupervised machine learning to fraud detection, specializing in the financial, ecommerce, social, and gaming industries. Previously, Sathya was at HP Labs and Honeywell Labs. Sathya holds a PhD in CS from the University of South Florida.

