PINDROP BLOG

Fighting Account Takeover Attacks With AuthTables

The goal of many attackers is taking over a target account. That can be the account of an admin at a large enterprise, the bank account of a high net-worth victim, or the email account of a human rights activist. While banks and financial services companies are aware of the problem, many other organizations aren’t, so a security research has released a new tool to help detect account takeover attempts and protect users’ information.

The threat is a huge one, made all the more difficult to defend against by the surfeit of valid account credentials available online as the result of data breaches and other compromises. Anyone with access to Google and some free time can find thousands usernames, passwords, and other account credentials for just about any site or service they choose. People often reuse passwords across many different services, so access to one valid password and a matching email address can give an attacker the tools to compromise a large swath of a victim’s accounts.

Social media accounts can be a big part of these account takeover operations, too, for reconnaissance purposes as well as for credential reuse. Ryan McGeehan, the former director of security incident response at Facebook, has years of experience defending against and triaging these attacks and decided that organizations needed help identifying when stolen credentials are being used by a remote attacker to access their networks. So he built a tool called AuthTables that looks at a number of factors, including IP address and known cookie, to help decide whether a login attempt is good or bad.

“After a successful authentication attempt, AuthTables can very simply respond to your app with BAD if it hasn’t seen the user on the IP or device identifier before. You can then challenge the user with MFA, an email confirmation, or other verification. If it has seen the user, it will respond with OK and you have greater assurance that the user hasn’t been compromised by a basic ATO,” the documentation for AuthTables says.

“AuthTables depends on no external feeds of data, risk scores, or machine learning. Your own authentication data will generate a graph of known location records for a user as they authenticate with known cookies or IP addresses. Every new login from a previously known IP or Cookie makes this graph stronger over time as it adds new record for the user, reducing their friction and increasing their security.”

McGeehan said that despite the huge number of data breaches in the last decade and the flood of credentials they’ve produced, plenty of organizations still don’t understand the scope of the account takeover problem.

“Most companies are surprised by the account takeover threat. Remote credential theft (password dumps, phishing attacks, some types of keylogging) are by far the largest source of ATO. I want more companies to consider preventing this threat earlier on, and I’d like to see a more open source ecosystem response to the problem. There’s a lack of knowledge around account takeover which I’m trying to build out with AuthTables,” McGeehan said by email.

“There’s a lack of knowledge around account takeover.”

The new tool is not designed to take all of the work out of the hands of the security team or the app that it’s associated with. It provides a binary answer as to whether a login attempt is totally unrecognized. It’s then up to the organization’s security infrastructure to decide what actions, if any, to take.

“It would need be integrated nearby any application where passwords are checked. After a user successfully provides a password, the application would ask AuthTables if the metadata of the session is familiar or not,” McGeehan said.

“AuthTables would respond with a ‘BAD’ or ‘OK’ response whether it is a familiar session or not. The application would then decide on how it would need to handle it. This is totally dependent on the risks they want to manage for themselves or their users.”

McGeehan said he has tailored AuthTables to defend against remote credential reuse, which is the biggest threat from credential dumps. He said that the tool has a number of limitations, including correctly identifying users who often change hosts and clear the cookies and data in their browsers. Ideally, he said, organizations should deal with responses from AuthTables with further authentication challenges.

“AuthTables will simply respond if the login is unfamiliar or not, and the application would challenge them with an email confirmation, SMS, MFA, etc as a result, or deny certain sensitive features. If the user passes this challenge, it would feed this new information to AuthTables so challenging them again in this same location is less necessary,” he said.

Webinar: Call Center Fraud Vectors & Fraudsters Defeated