How IP Geolocation or Proxy Detection Mitigate Account Takeovers

Intro

An account takeover (ATO) is a form of identity theft in which attackers gain unauthorized access to user accounts (banking, email, social media) using stolen credentials. Attackers typically use bots for credential stuffing – testing stolen username/password pairs at scale – in order to steal funds or sensitive information, or to launch further attacks from the compromised account.

Key details regarding account takeovers:

  • Common Methods: Attackers obtain credentials through phishing, malware, or purchasing data from previous breaches on the dark web.
  • Impact: Victims may suffer from drained bank accounts, fraudulent purchases, identity theft, and compromised personal or corporate information.
  • Signs of an Attack: Unrecognized transactions, password changes, or unexpected MFA prompts.
  • Prevention: Users must use strong, unique passwords for every site, enable multi-factor authentication (MFA), and monitor accounts regularly for suspicious activity.

What can website operators do to mitigate ATO?

By taking the IP address of the website user, websites can query IP geolocation or proxy detection databases to retrieve valuable information about the risk posed by that user. IP geolocation and proxy data are best used as risk signals rather than hard blockers, because such data always carries a margin of error.

E.g., Use the IP intelligence data to decide “Does this login look normal for this user?” instead of “Is this IP bad?”.

Detect impossible or abnormal travel

IP geolocation gives a reasonable approximation of the user’s physical location. It is therefore possible to check the current login against the user’s recent location history.

E.g., a user logs in from a Malaysian IP address and then, 5 minutes later, logs in from a German IP address.

That is physically impossible, so it is highly likely that the user is connecting through a proxy server for some reason. Querying the IP address against a proxy detection database can easily confirm this.

In this scenario, it is best to perform additional security actions such as:

  • Step-up authentication via MFA.
  • Block the session if necessary.
  • Require a password reset.

Taking these further steps to authenticate, or to block or reset in sensitive cases, helps mitigate the following:

  • Credential stuffing attacks.
  • Session hijackings.
  • Breached passwords used from bot farms.
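The impossible-travel check described above, as an added example that is not part of the original article: two consecutive logins are geolocated, the great-circle distance between them is divided by the elapsed time, and the implied speed is compared with a plausibility threshold. The geolocation table, the IP addresses, the coordinates and the 1000 km/h threshold are constructed assumptions standing in for a real IP2Location/IP2Proxy lookup; the decision only escalates to MFA when the travel signal is corroborated by proxy detection, in keeping with the "signal, not hard blocker" advice.

```python
"""Impossible-travel detection over a user's consecutive logins (added example)."""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed lookup table standing in for an IP geolocation + proxy detection query.
# Fields: (country, latitude, longitude, is_proxy). Values are illustrative only.
GEO_LOOKUP = {
    "203.0.113.10": ("MY", 3.14, 101.69, False),  # Kuala Lumpur area (constructed)
    "192.0.2.55": ("MY", 1.49, 103.74, False),    # Johor Bahru area (constructed)
    "198.51.100.7": ("DE", 52.52, 13.40, True),   # Berlin area, flagged as proxy (constructed)
}

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than a commercial flight means one person cannot have
# physically made both logins.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    at: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def assess_travel(previous: Login, current: Login) -> dict:
    """Compare two consecutive logins of the same user and return speed plus a decision."""
    _, lat1, lon1, _ = GEO_LOOKUP[previous.ip]
    country2, lat2, lon2, proxy2 = GEO_LOOKUP[current.ip]
    distance_km = haversine_km(lat1, lon1, lat2, lon2)
    # Floor the elapsed time at one second so a replayed timestamp cannot divide by zero.
    hours = max((current.at - previous.at).total_seconds(), 1.0) / 3600.0
    speed_kmh = distance_km / hours
    impossible = speed_kmh > MAX_PLAUSIBLE_KMH

    if impossible and proxy2:
        action = "step_up_mfa"  # geolocation jump corroborated by proxy detection
    elif impossible:
        action = "review"       # geodata alone is a signal, not a verdict
    else:
        action = "allow"
    return {
        "user": current.user,
        "country": country2,
        "distance_km": round(distance_km, 1),
        "speed_kmh": round(speed_kmh, 1),
        "impossible_travel": impossible,
        "action": action,
    }


def demo() -> tuple[dict, dict]:
    """Constructed scenario from the text: Malaysia, then Germany five minutes later."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    first = Login("alice", "203.0.113.10", t0)
    suspicious = assess_travel(first, Login("alice", "198.51.100.7", t0 + timedelta(minutes=5)))
    ordinary = assess_travel(first, Login("alice", "192.0.2.55", t0 + timedelta(hours=3)))
    return suspicious, ordinary


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The same function runs over any pair of logins; in production the previous login would come from the user's stored history and the tuple from a live database query rather than the constructed table.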

Identify high-risk networks (VPNs, proxies, TOR, hosting)

Most ATO traffic comes from:

  • Data centers.
  • Bulletproof hosting.
  • Residential proxy networks.
  • VPN.
  • TOR nodes.

Proxy detection data often carries labels for such networks, which makes them quite straightforward to detect. When one is detected, increase friction to slow down potential bad actors:

  • Require MFA.
  • Present a CAPTCHA.
  • Trigger email verification.
  • Enforce device binding.

Do not outright block, or you’ll break legitimate VPN users. If you’re curious about what types of proxies can typically be detected, do read the article What are the Proxy Types Supported in IP2Proxy.

Spot credential stuffing patterns

Credential stuffing often entails the use of proxy servers to obfuscate the IP geolocation of the login attempts. However, this means the attempts will usually share some of the following:

  • Same Autonomous System (AS).
  • Same proxy provider.
  • Same country cluster (less likely though).

If 200 accounts suddenly get login attempts from the same proxy network or ASN, that’s almost certainly automated abuse.

To mitigate this issue, ideally implement the following:

  • Rate limit per IP/ASN.
  • Temporarily block that network.
  • Enable global step-up verification.
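The ASN clustering described in this section, as an added example that is not part of the original article: login attempts from a short window are grouped by the ASN returned from an IP lookup, the number of distinct accounts targeted per ASN is counted, and per-IP attempt counts are checked against a rate limit. The attempt data, the ASNs (drawn from the private range so they match no real network), the thresholds and the window length are constructed assumptions.

```python
"""Credential-stuffing pattern detection by ASN clustering (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Attempt:
    at: datetime
    ip: str
    account: str
    asn: int          # autonomous system from the IP lookup
    proxy_type: str   # proxy label from the IP lookup, "" when none


WINDOW = timedelta(minutes=10)
DISTINCT_ACCOUNTS_PER_ASN = 50  # assumed threshold for "many accounts, one network"
ATTEMPTS_PER_IP = 10            # assumed per-IP rate limit inside the window


def constructed_attempts() -> list[Attempt]:
    """Constructed sample: a spray across 200 accounts from one hosting ASN, plus normal logins."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    attempts = []
    for i in range(200):  # 200 distinct accounts, 10 IPs, all in private ASN 64512
        attempts.append(Attempt(base + timedelta(seconds=i), f"198.51.100.{i % 10 + 1}",
                                f"user{i:04d}", 64512, "DCH"))
    for i in range(5):    # a few ordinary logins from a residential ASN
        attempts.append(Attempt(base + timedelta(minutes=i), f"203.0.113.{i + 1}",
                                f"customer{i}", 64513, ""))
    return attempts


def cluster_by_network(attempts: list[Attempt], now: datetime) -> dict:
    """Group recent attempts by ASN and IP and decide which mitigations apply."""
    recent = [a for a in attempts if now - WINDOW <= a.at <= now]
    accounts_per_asn: dict[int, set[str]] = defaultdict(set)
    attempts_per_ip: dict[str, int] = defaultdict(int)
    for a in recent:
        accounts_per_asn[a.asn].add(a.account)
        attempts_per_ip[a.ip] += 1

    asn_verdicts = {}
    for asn, accounts in accounts_per_asn.items():
        # Many different accounts from one network in minutes is the stuffing signature.
        if len(accounts) >= DISTINCT_ACCOUNTS_PER_ASN:
            asn_verdicts[asn] = "block_network_temporarily"
        else:
            asn_verdicts[asn] = "allow"

    throttled_ips = sorted(ip for ip, n in attempts_per_ip.items() if n > ATTEMPTS_PER_IP)
    return {
        "asn_verdicts": asn_verdicts,
        "accounts_per_asn": {asn: len(s) for asn, s in accounts_per_asn.items()},
        "throttled_ips": throttled_ips,
        # Step-up for everyone while an active campaign is under way.
        "global_step_up": any(v != "allow" for v in asn_verdicts.values()),
    }


def demo() -> dict:
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return cluster_by_network(constructed_attempts(), base + timedelta(minutes=5))


if __name__ == "__main__":
    result = demo()
    print(result["asn_verdicts"], result["throttled_ips"], result["global_step_up"])
```

Counting distinct accounts rather than raw attempts is what separates a spray from one user fumbling a password, and keying on ASN rather than IP is what defeats rotation through a proxy pool inside one provider.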

Reduce session hijacking

If an authenticated session suddenly does any of the following:

  • Switches IP country mid-session.
  • Changes ASN.
  • Jumps to data center.

The most likely explanations are:

  • Stolen cookie.
  • Malware.
  • Man-in-the-middle attack.

Best course of action:

  • Invalidate session.
  • Force re-authentication.
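The session check described above, as an added example that is not part of the original article: the network context (country, ASN, usage type) captured when the session was issued is compared with the context of each later request, and a country change or a jump to a data-center network invalidates the session, while an ASN change alone inside the same country only triggers a step-up, to allow for the CGNAT and mobile-to-Wi-Fi handoffs noted in the caveats. The contexts and the usage-type codes (IP2Location-style labels such as DCH for data center / hosting) are constructed assumptions.

```python
"""Mid-session network-context drift check for session hijacking (added example)."""
from __future__ import annotations

from dataclasses import dataclass

DATA_CENTER_TYPES = {"DCH"}  # usage-type code for data center / hosting (assumed label)


@dataclass(frozen=True)
class NetContext:
    """What an IP lookup returned for a request's source address."""
    country: str
    asn: int
    usage_type: str  # e.g. "ISP", "MOB", "DCH"


@dataclass
class Session:
    session_id: str
    user: str
    issued_from: NetContext  # captured at login time


def check_request(session: Session, now: NetContext) -> dict:
    """Compare the current request's context with the one the session was bound to."""
    then = session.issued_from
    reasons = []
    if now.country != then.country:
        reasons.append("country_changed")
    if now.asn != then.asn:
        reasons.append("asn_changed")
    if now.usage_type in DATA_CENTER_TYPES and then.usage_type not in DATA_CENTER_TYPES:
        reasons.append("moved_to_data_center")

    # A country switch or a hop onto hosting infrastructure mid-session points at a
    # stolen cookie or a relay; invalidate and force a fresh login.
    if "country_changed" in reasons or "moved_to_data_center" in reasons:
        action = "invalidate_and_reauthenticate"
    # Same country, different ASN: often CGNAT, corporate VPN or a phone leaving Wi-Fi.
    elif "asn_changed" in reasons:
        action = "step_up_mfa"
    else:
        action = "allow"
    return {"session_id": session.session_id, "action": action, "reasons": reasons}


def demo() -> dict[str, dict]:
    """Constructed scenarios: hijacked cookie, mobile handoff, and an unchanged session."""
    home = NetContext("MY", 64513, "ISP")
    session = Session("sess-constructed-1", "alice", home)
    return {
        "hijack": check_request(session, NetContext("DE", 64512, "DCH")),
        "handoff": check_request(session, NetContext("MY", 64514, "MOB")),
        "steady": check_request(session, home),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Binding the session to the lookup result at issue time, rather than to the raw IP, is what makes the check tolerant of ordinary address churn while still catching the replay of a cookie from a different network.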

Important caveats (common mistakes)

  • Do not block entire countries: there will be too many false positives, and such blocks are easily bypassed by fraudsters.
  • The use of a VPN does not always mean malicious intent, as some users rely on proxies for privacy and security. Users might also be behind a Carrier-Grade NAT (CGNAT) or a corporate VPN.
  • IP intelligence data is just one facet of a good ATO mitigation strategy. It is not infallible, so use it in conjunction with other data such as behavioral patterns, device fingerprints, password history, MFA and more.

Consider the use of IP2Location and IP2Proxy data

Using an IP2Location database, a website user’s IP address can unveil IP intelligence insights such as country, region, city, latitude, longitude, autonomous system, usage type and more. Websites can use such data to mitigate account takeover attempts, ensuring a safer and smoother experience for legitimate users.

Coupled with the proxy detection data from IP2Proxy, ATO attempts can be severely curtailed without too much of a hassle. Indeed, more peace of mind for the website operators and their users.

Conclusion

Website users should avail themselves of Multi-Factor Authentication whenever possible to reduce the risks of their accounts being hijacked. Meanwhile, website operators should ideally utilize IP intelligence data for geolocation and proxy detection to detect ATO attempts and mitigate them. When both parties play their parts, the risks of account takeover incidents will be minimized.
