Account Takeover (ATO) Attacks Simply Don’t Matter


Account Takeover (ATO) attacks seemingly just don’t matter. That’s the conclusion a semi-informed outside observer might come to based on how these pernicious attacks are being addressed by the cybersecurity community.

That ATO attacks desperately need to be addressed, and addressed in the right way, goes without saying. For the last few years, the statistics around ATOs have been eye-popping. End users are still reusing the same password across accounts at a 60% to 70% rate. Compromised credentials have still been some part of the breach vector in about 75% of all breaches over the last three years. And a recent Verizon report indicated that 90% of retail login traffic can be attributed to credential-stuffing attempts.

If you believe protecting from ATOs is relatively easy to do and doesn’t need a “re-think,” then we would definitely recommend that you read no further.

Convoluted Solutions to a Real Problem

Almost as problematic as ATOs are the attempts by the cybersecurity community and within the ATO vendor space to address this growing problem.

We haven’t formulated the correct approaches, we haven’t articulated the problem correctly or how to solve it, and the “solutions” presented are fairly pedestrian and therefore far less effective, as the statistics above indicate. Amazingly, a number of so-called “solutions” can actually increase the footprint of ATO attacks through insecure solution offerings, further exposing organizations. Consider the irony.

When we consider the axiomatic trend within cybersecurity, juxtaposed against current pedestrian approaches and the incredible risk around ATO, selecting a visionary commercial vendor in the ATO space becomes absolutely paramount.

The Right Solution

VeriClouds has solved the ATO problem from the beginning with a number of important approach nuances in mind.

There are two main approaches to protecting against ATOs.

The first is to have the SOC team act on threat intelligence. This approach is slow, labor-intensive and prone to false positives. Cyber-attacks are asymmetric warfare: most organizations’ SOCs aren’t scaling, and alert fatigue is widespread.

The better approach is to leverage the existing IAM infrastructure and integrate the compromised credentials intelligence throughout the whole customer life-cycle from account set-up to authentication and password reset.

Most commercial solutions – outside of the outright pedestrian approaches, such as completely ignoring the problem, or the “download periodically from Have I Been Pwned (HIBP) and call it ‘good’” approach – still aren’t delivering a solution effectively in three key areas:

  • Delivering key automation, correctly aimed within IAM
  • Delivering accurate results with no false positives factoring BOTH the user ID and the password
  • Delivering the most secure, zero-trust solution

Presented here is how VeriClouds approaches and delivers its solution, nuanced and differentiated from other commercial solutions in the three key areas aforementioned.

Delivering Correctly Aimed, Key Automation

Simply providing APIs does not necessarily equate to automation. What is required to use those APIs, the data those APIs provide, where the APIs are aimed, and their intended use or integration points all play into the effectiveness of the solution.

VeriClouds’ solutions are specifically aimed at increasing the intelligence offered to and leveraged by components of an organization’s existing IAM infrastructure, easily integrated at strategic points of their choosing that allow self-service remediation.

Active and passive application of VeriClouds’ comprehensive credentials intelligence and password analytics is entirely possible throughout the strategic layers of your organization across IAM vendor product portfolios. This is the most effective and strategic approach and follows a clear path into the future as IAM continues to reshape itself as becoming more and more component driven.

Protecting against ATO will need to go beyond linear, deterministic approaches.

Delivering Accurate Results

VeriClouds delivers pinpoint accuracy and no false positives by comparing all aspects of user credentialing, not just user identifiers. A number of other services use only a user identifier which leads to false positives and inaccurate results. It’s difficult to drive IAM mitigation and remediation strategies unless high assurance exists around any integrated intelligence.

Invariably, accurate results play hand in hand with a secure approach. Delivering a secure approach based on zero trust that also provides accurate results is what sets the VeriClouds solution apart from the rest of the compromised credentials intelligence landscape.

Delivering a Secure Solution

At VeriClouds, we believe providing insecure solutions to problems stemming from insecurity simply makes no sense at all. Some vendors require full uploads of your sensitive credentials data into their clouds, including in some cases, actual cleartext passwords! A solution provider shouldn’t be adding additional risk or simply moving the risk to another threat area as part of the solution offering.

VeriClouds is heavily invested in taking a zero-trust approach to the solutions it provides in the cybersecurity space. Through encryption and obfuscation, VeriClouds prevents itself from seeing credentials or the results of credential comparisons, which happen on the client side. This approach also keeps our customers from seeing or storing passwords that don’t belong to their organization.
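The two properties claimed above, a comparison that factors both the user ID and the password (so a user whose leaked password differs from the current one is not flagged) and a comparison the intelligence provider never sees in full, can be illustrated with the well-known hashed-prefix ("k-anonymity") query pattern. The code below is an added example written for this article; it is not VeriClouds’ protocol or code, and the breach records, the SHA-256 pair digest and the five-hex-character prefix are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of breach records (user ID, password) that an
# intelligence service might hold. Made-up values, not real breach data.
BREACH_RECORDS: List[Tuple[str, str]] = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "P@ssw0rd"),
]

PREFIX_LEN = 5  # hex chars of the digest revealed to the server (the anonymity bucket)


def normalize_user(user_id: str) -> str:
    """Trim and case-fold user IDs so trivial variation does not defeat the match."""
    return user_id.strip().lower()


def credential_digest(user_id: str, password: str) -> str:
    """SHA-256 over the (user ID, password) pair, length-prefixed so the boundary
    between the two fields is unambiguous.

    Hashing the pair, not the user ID alone, is what keeps a user whose leaked
    password differs from the current one from being flagged (no false positive).
    """
    u = normalize_user(user_id).encode("utf-8")
    p = password.encode("utf-8")
    data = len(u).to_bytes(4, "big") + u + len(p).to_bytes(4, "big") + p
    return hashlib.sha256(data).hexdigest()


def user_digest(user_id: str) -> str:
    """Digest of the user ID alone; kept only to show the identifier-only false positive."""
    return hashlib.sha256(normalize_user(user_id).encode("utf-8")).hexdigest()


class IntelligenceServer:
    """Stores digests only and answers prefix queries; never receives a full credential."""

    def __init__(self, records: Iterable[Tuple[str, str]]) -> None:
        self._suffixes_by_prefix: Dict[str, List[str]] = {}
        self._user_digests: Set[str] = set()
        for user_id, password in records:
            d = credential_digest(user_id, password)
            self._suffixes_by_prefix.setdefault(d[:PREFIX_LEN], []).append(d[PREFIX_LEN:])
            self._user_digests.add(user_digest(user_id))

    def query(self, prefix: str) -> List[str]:
        """Return every stored suffix sharing `prefix`; the client finishes the match."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("prefix must be exactly %d hex chars" % PREFIX_LEN)
        return sorted(self._suffixes_by_prefix.get(prefix, []))

    def user_seen(self, digest_of_user: str) -> bool:
        """Identifier-only lookup, present only to contrast with the pair check."""
        return digest_of_user in self._user_digests


def is_compromised(server: IntelligenceServer, user_id: str, password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = credential_digest(user_id, password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    # Constant-time comparison so timing does not reveal which bucket entry matched.
    return any(hmac.compare_digest(suffix, s) for s in server.query(prefix))


def user_id_only_hit(server: IntelligenceServer, user_id: str) -> bool:
    """The weaker check: true for any user who appears in any breach, whatever the password."""
    return server.user_seen(user_digest(user_id))


if __name__ == "__main__":
    srv = IntelligenceServer(BREACH_RECORDS)
    print(is_compromised(srv, "alice@example.com", "Summer2019!"))  # True: the leaked pair
    print(is_compromised(srv, "alice@example.com", "Different!"))   # False: new password, no alert
    print(user_id_only_hit(srv, "alice@example.com"))               # True: identifier-only false positive
```

The server learns only a digest prefix shared by every record in that bucket, and the client learns only digests, never other people’s plaintext passwords. The prefix length is the privacy knob: with a small corpus a five-character prefix may identify a single record, so a real deployment sizes it against the corpus so that each bucket holds many entries, and protects the stored digests against offline guessing with a keyed or slow hash rather than plain SHA-256 as used here for brevity.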

Consider the value of a zero-trust solution in an area of such high intelligence and high risk in contrast to other solutions in the ATO space that require full uploads of your organizational data, sometimes even in clear text.

Amazingly, a number of so-called “solutions” can actually increase the footprint of ATO attacks by offering insecure solutions, further exposing organizations.

The Future of ATO Protection

Very few cybersecurity domains have remained unchanged, or rather unchallenged, over their lifetimes. Nearly every cybersecurity domain has iterated over time out of necessity. When we consider this axiomatic trend within cybersecurity, juxtaposed against current pedestrian approaches and the high risk around the ATO solutions domain, selecting a visionary, forward-thinking commercial vendor in the ATO space becomes absolutely paramount.

VeriClouds is already investing in the future, developing and offering innovation in the area of credentials threat intelligence and what we believe is the emergence of password analytics.

In the very near future, protecting against ATO will need to go beyond linear, deterministic approaches. We’re already working on:

  • Protecting users and organizations from all previously leaked passwords of their users (not just simply a point-in-time submitted check), including leaked personal and corporate passwords.
  • Stopping passwords similar to their past leaked passwords. We know how people change their passwords,[1] and so do attackers.
  • Stopping the use of previously leaked passwords of other people found across all previous breaches (outside the domain of any user in question).
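The three checks in the list above (a user’s own leaked passwords, near variants of them, and passwords leaked by anyone else) can be expressed as a small set of password-analytics rules. The following is an added example for this article, not VeriClouds’ analytics or code: the leet-substitution table, the normalization rules, the edit-distance threshold and the sample password history are all constructed assumptions chosen to show the idea.

```python
import re
from typing import Iterable, Optional

# Common "leet" substitutions undone before comparison. Constructed table for
# this example, not a complete catalogue of password-mangling rules.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "$": "s", "7": "t", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its letter 'core': lower-case, drop leading and trailing
    digits/symbols (years, '!', '123'), then undo leet substitutions. Stripping runs
    before the leet step so a trailing year is not turned into letters. All-digit
    passwords have no core and fall back to their lower-cased form."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    s = s.translate(LEET_MAP)
    return s or password.lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reuse_verdict(candidate: str, user_history: Iterable[str],
                  global_leaked: Iterable[str], max_distance: int = 2) -> Optional[str]:
    """Return why `candidate` should be rejected, or None if it passes.

    Checks, in order: exact reuse of one of the user's own leaked passwords, a
    trivial variant (same core after normalization), a near variant (small edit
    distance between cores), and finally reuse of a password leaked by anyone
    else in the global set.
    """
    cand_core = normalize(candidate)
    for old in user_history:
        if candidate == old:
            return "exact reuse of a previously leaked password"
        old_core = normalize(old)
        if cand_core == old_core:
            return "trivial variant of a previously leaked password"
        if levenshtein(cand_core, old_core) <= max_distance:
            return "near variant of a previously leaked password"
    leaked = list(global_leaked)
    if candidate in leaked or cand_core in {normalize(p) for p in leaked}:
        return "matches a password leaked in other breaches"
    return None


if __name__ == "__main__":
    # Constructed sample data: this user's own leaked passwords and a tiny
    # stand-in for the global set of leaked passwords.
    history = ["Summer2019!", "hunter2"]
    global_leaked = ["password", "P@ssw0rd", "qwerty123"]
    for pw in ["Summer2019!", "Summer2020!", "Hunters99", "Passw0rd!", "Tr0ub4dor&3xV"]:
        print(pw, "->", reuse_verdict(pw, history, global_leaked))
```

The ordering matters operationally: a reset flow wants the most specific reason first (the user is repeating a password of their own) so that the message shown to them, and the alert raised to IAM, is actionable. In a real deployment the global set is far too large to scan this way and the per-user history must be compared without the service ever holding the organization’s current passwords, which is where the hashed-comparison approach discussed earlier comes in.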

The above are just some of the ways VeriClouds can start protecting now against attack iterations the dark underworld is already formulating and aiming at organizations.[2]

The bottom line is that static, linear comparisons and other pedestrian approaches such as rolling your own integrations with “freeware dumps” or full uploads into a third party vendor cloud service aren’t going to cut it. Why invest any of your time, money and effort into any of those approaches?

Even now, VeriClouds offers organizations an on-site device that allows offline comparisons without any connection to the internet. No other vendor in the ATO solution space offers such critical intelligence to organizations, completely isolated and offline, and completely safeguarding your critical credentials data.

[Fully integrated into your existing IAM] is the most effective and strategic approach and follows a clear path into the future as IAM continues to reshape itself as becoming more and more component driven.

Putting It All Together

Let’s just be real: ATO attacks matter a lot. They are pernicious threats that are difficult to detect and mitigate because of their nature, the attack approach and the attack surface. Solutions offered in this space are problematic because they typically involve handing intelligence to a third-party provider, often in insecure ways, increasing your risk rather than diminishing it.

VeriClouds believes any solution offered must be easily automated at the right points within your organization, must be delivered accurately and above all, must be delivered securely. And then going beyond the here-and-now, the solution must be future positioned, forward-thinking and ever-iterating to continue mitigating the evolving ATO threat domain.

[1] Users create passwords using a certain “psychology” that becomes easier to predict using predictive analytics leveraging gigantic amounts of credentials data, widely available to and already in use by criminals on the dark web.

[2] Criminal organizations do not rely solely on trying batches of compromised credentials; they also generate new attacks based on a corporate email taxonomy and previously leaked passwords, for instance by combining the top one hundred thousand leaked passwords with iterations of the corporate email taxonomy in a brute-force attack that leverages predictive approaches.


About the author

I'm Stan Bounev, founder of VeriClouds, with two decades of experience in cybersecurity, focusing on the intricacies of identity-based attacks. My philosophy centers on the power of real-time, automated detection and remediation, a method I champion as critical for robust digital defense.
