Securing the Digital World

Account Takeover Gains Full Visibility with Web Behavior Analytics

Jul 29, 2016 | by Heidi Bleau

Interest in and adoption of web behavior analytics are surging, both because it can interpret the navigation and intent of each visitor to a website and because it is one of the best ways to protect the business against skyrocketing rates of website fraud. Account takeover is one of the predominant threats plaguing organizations with customer-facing websites today. That observation, among others, can be found in a recent Pathfinder technology report developed by 451 Research and commissioned by RSA.

Not surprisingly, alignment between anti-fraud solutions and their ability to protect the business is often askew because the products designed to prevent fraud, especially when it comes to e-commerce websites, are mostly business-agnostic. That is to say, they are important to the health of the business, but not the reason for it.

For anti-fraud and security teams, the challenge is obvious: protect the business without intruding on the business. It sounds like an easy charter; however, four in ten retailers state that it is still a major challenge to detect fraud across their Web and mobile applications. If that isn't enough, investigation is an even bigger challenge, with 70% of retailers taking days, or longer, to investigate the source of fraud.

Often, the pathways that allow users to log into their accounts, complete transactions and access personal data are the very same paths fraudsters can take advantage of. Anti-fraud products need to ensure both authenticated users and anonymous guests are interacting with the website in all the expected ways.

The 451 Pathfinder report explores how web behavior analytics technology is providing the visibility into fraud attacks to help organizations:

  • Thwart account takeover from password-guessing attacks to prevent tools purchased on the dark web from launching stolen credentials against a website in search of acceptable combinations.
  • Control access from bots by identifying unusual access patterns, link click rates that exceed human capacity and sessions dropping immediately after login.
  • Prevent the loss of data to web-scraping threats, in which publicly available website data is used to steal customers or undercut prices in competitive practices, or is resold or used as intelligence by competitors.
  • Throttle application-level distributed denial-of-service (DDoS) attacks that consume valuable compute cycles and effectively deny service to legitimate visitors.
  • Effectively secure transactions from mobile and tablet devices. These devices utilize mobile APIs and alternate paths into the website. Because the enterprise cannot force the use of a dedicated mobile app, the burden of anti-fraud security falls onto the website.
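
The bot and password-guessing signals in the list above can be expressed as simple checks over web session logs. This is an added example, not code from the 451 Research report or from RSA; the event format, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds (not from the report); tune against real traffic.
MAX_CLICKS_PER_SEC = 3.0   # sustained click rate above this is not human
MIN_CLICKS = 5             # need enough clicks to measure a rate
MAX_USERS_PER_IP = 5       # distinct usernames tried from one source

# Constructed sample events: (session_id, source_ip, seconds, action, username)
EVENTS = [
    ("s1", "198.51.100.7", 0.0, "login_ok", "alice"),    # ordinary visitor
    ("s1", "198.51.100.7", 4.0, "click", None),
    ("s1", "198.51.100.7", 9.5, "click", None),
    ("s1", "198.51.100.7", 21.0, "click", None),
    ("s2", "203.0.113.9", 0.0, "login_ok", "bob"),       # scripted clicking
    ("s3", "203.0.113.50", 0.0, "login_ok", "carol"),    # nothing after login
]
EVENTS += [("s2", "203.0.113.9", 0.1 * i, "click", None) for i in range(1, 21)]
EVENTS += [(f"f{i}", "192.0.2.44", 0.5 * i, "login_fail", f"user{i}")
           for i in range(8)]                            # many accounts, one IP


def analyze(events):
    """Return {session_id or source_ip: set of triggered signal names}."""
    by_session, users_by_ip = defaultdict(list), defaultdict(set)
    for sid, ip, ts, action, user in events:
        by_session[sid].append((ts, action))
        if action.startswith("login"):
            users_by_ip[ip].add(user)

    findings = defaultdict(set)
    for sid, rows in by_session.items():
        rows.sort()
        clicks = [ts for ts, action in rows if action == "click"]
        if len(clicks) >= MIN_CLICKS:
            span = clicks[-1] - clicks[0]
            if span == 0 or (len(clicks) - 1) / span > MAX_CLICKS_PER_SEC:
                findings[sid].add("click_rate")
        # Closed log: a session whose last event is the successful login
        # dropped immediately after authenticating.
        if rows[-1][1] == "login_ok":
            findings[sid].add("drop_after_login")
    for ip, users in users_by_ip.items():
        if len(users) >= MAX_USERS_PER_IP:
            findings[ip].add("password_guessing")
    return dict(findings)


if __name__ == "__main__":
    for key, signals in sorted(analyze(EVENTS).items()):
        print(key, sorted(signals))
```
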

As the report contends, there are very distinct and compelling problems that drive enterprise anti-fraud and security teams to embrace web behavior analytics. No business wants its customers or partners calling the service desk complaining that it failed to prevent someone from taking over their accounts, and it certainly does not want to help push many of those customers to find happier experiences with competitors.

The 451 Research report also includes use cases, technical characteristics, and recommendations for enterprise executives seeking to evaluate websites protected with risk-based web behavior analytics when compared to those sites that rely on more traditional approaches. The full report is available for download.