Skip to content
/ ato-checklist Public

A checklist of practices for organizations dealing with account takeover (ATO)

263 stars 25 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

magoo/ato-checklist

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
model.md
model.md
 
 
model.svg
model.svg
 
 
model.yaml
model.yaml
 
 

Repository files navigation

Account Takeover (ATO) Checklist

This is a list of considerations when designing a sophisticated program to deal with account takeover threats.

View the associated threat model here.

🐑🐑🐺🐑

Infrastructure 🛠

Backend systems we rely on for detection and mitigation.

  • General Rate Limiting
  • User Event / Authentication Logs
  • Device Identification (Cookie)
  • Browser Fingerprinting (No Cookie)
  • Device Verification (Email confirmation, SMS, Snail Mail)
  • Customer Session, Password Reset Workflows (Backend)
  • Link Shim
  • Leaked Credential Pipeline (Backend)
    • Scraping (Pastebin, torrents, etc)
    • D a R k W e B and UnDErGroUnD
    • Periodically accessible dumps

ATO Indicators and Features 🕵️‍♀️

This section describes useful data that often needs to be acquired externally. These can be used in automated classification or to decorate investigation workflows with correlating info.

  • Known proxies, tor, vps & colocation
  • Observed malicious or compromised (Paid)
  • Known Leaked Credentials
  • Recent Sim Swap
  • Domain intelligence
    • New domains
    • Disposable
    • Previously abused
  • Address verification
  • Cellular verification (VoIP detection)

Product / UX 🎮

All user facing experiences to help reduce risk within a product.

  • MFA Options
    • Security keys, MFA, SMS, backup codes, etc.
  • Knowledge Base and self-support
    • Reducing outreach to support for questions.
  • Link Shim
    • Allows for disabling of external links when copy-pasted, emailed, or otherwise brought off platform.
    • Allows for warning messages before leaving platform.
  • Victim and Witness escalation (Report Abuse)
    • Where victims of ATO report their issue.
    • Where witnesses of abuse report off-platform impact of on-platform ATO.
  • Forced Password Reset Workflows
    • Retroactively ask users to change leaked passwords
      • Existing customers will have weak passwords.
    • Handle newly found customers from a leaked credential backend
      • Newly leaked credentials will cause a regular need to change customer passwords.
    • "Reset the password to your email"
      • Some investigations will indicate a customer's email is compromised, not their password.
    • Account re-enable
      • Self service workflows to get back online after you have intervened.
  • Enforce password strength to prevent future weak passwords
    • New Registration
    • Password Change
    • Ongoing leaked / Newly weak
  • Developer console prompts w/ a warning message
  • Verification / Challenge workflows
    • When you are uncertain of the customer's location or device.
      • SMS
      • Email
      • Account / Identity Knowledge
      • ID Submission
      • CAPTCHA
  • Stolen Session Detection

Customer Service ☎️

Operational customer service interactions (Support tickets). Support organizations often escalate abuse at scale to engineering and have the most visibility into what is, or is not, working.

  • Standard Org Language
    • What counts as ATO?
  • Metrics / KPI
    • Tracking abuse going up or down.
  • IR Escalation
    • Playbooks / Plans for creating an outage or getting engineering resources involved.
  • Reset Workflows (Administrative Frontends)
    • Empowering scalable operations to mitigate abuse scenarios.

Investigations & Response 🚑

There will be periodic deep dives into ATO attacks to ask "what happened?". This section pertains to that perspective of work.

  • Authentications are searchable by device, ip, user agent
    • Searches can pivot: Device to IP, IP to device, etc.
    • Bonus: Actions / Events are searchable
    • Bonus: All routes / Endpoints are searchable
  • Tooling exists to reset bulk accounts that meet criteria
  • Tooling exists to reverse transactions / changes that meet criteria.

Automation 🤖

Tying everything together for operational ATO systems. Engineering time is the least scalable, customer support hours are more scalable, fully automated systems are the most scalable.

  • Customer service classifies abuse cases
  • AI systems classifies authentication events
  • Suspicious cases push customers to verify activity
  • XFN meetings between groups to improve anti-abuse systematically

Anti-Phishing 🎣

Raising the bar against trivial credential stealing attacks which cause the most problems for unprepared organizations.

  • SPF / DMARC / DKIM
  • Brand protection (Internet scanning for your brand being spoofed)
  • spoofed@ and customer phish reporting
  • App store hunting
  • Domain / ISP Takedowns
  • Browser blacklisting
  • Referer, hotlinks, adversary leaks

About

A checklist of practices for organizations dealing with account takeover (ATO)

Resources

Readme
Activity

Stars

263 stars

Watchers

13 watching

Forks

25 forks
Report repository

Releases

No releases published

Packages

No packages published