Use Case - Account Takeover

Stopping account takeovers

Learn how Castle can be used to stop account takeover (ATO), a precursor to other types of fraud.

The Problem

Online credentials aren’t secure

Online credentials, typically a username and password, have major security flaws. They can be easy to guess, can leak to the dark web through data breaches, or can be phished from unsuspecting users. When a criminal obtains stolen credentials, the end result is usually an account takeover, where the criminal logs in as if they were the real user and is able to commit fraud. This can financially impact your business, as well as damage your reputation with customers.

The dark web

Security analysts estimate that more than 15 billion stolen credentials are available on the dark web. Each leaked password has the potential to provide access to dozens, if not hundreds, of online accounts.

Social engineering

Social engineering attacks are used to trick people into giving away credentials such as passwords or MFA PIN codes. The costs can be staggering, with some estimates putting them at $25,000 - $100,000 per incident.

Credential stuffing

Credential stuffing is a tactic cybercriminals use to find out which online accounts they are able to break into. They obtain a list of credentials from any number of historical password leaks and replay them against login forms at scale.

The Solution

Risk-based authentication

Castle enables you to use risk-based authentication with factors beyond the traditional 2-factor methods of SMS, email, and authenticator applications. A user's known patterns of physical location, as well as device-based authentication, are both additional factors that can be used to inform adaptive MFA. The result is an innovative approach to affirming the identity of a user with the least amount of user friction.

30+ risk signals
ML-trained risk models
Solution Detail

Using Castle to stop account takeovers

A comprehensive set of functionality to stop account takeovers.

Assessing user risk

How do you know someone is who they say they are? Use Castle's Risk API to assess user risk. In your authentication service, once a user has provided correct credentials, call the Risk API. The Risk API returns one of three verdicts: allow, challenge or deny.

Fast travel
Spoofed device
Proxy IP
TOR Browser
New country
New device

Blocking software bots

The majority of malicious activity on the web comes from software bots. Use the Castle Filter API in-line, at the edge of your app, to detect and block bots before they reach your login or signup endpoints.

Robotic mouse movement
Unnatural typing speed

Recovering compromised accounts

When an account is compromised, it must be locked and a notification sent to the user. Use Castle to assist with this process and to automate account recovery workflows.

Device verification
Device labelling

Mitigating fraud with policies

When you learn about new types of attacks, use Castle policies to implement protection in real time. Once Castle's APIs are integrated into your application, policies can be used, with no further code changes, to alter which users you allow, challenge or deny.
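The login flow described under "Assessing user risk" and the policy-driven verdicts described above, as an added example that is not Castle's own client code: the risk verdict is computed only after the password verifies, a policy table (a hypothetical stand-in for Castle policies) maps the page's signal names to allow/challenge/deny, and a deny verdict returns the same response as a wrong password so an attacker cannot tell which one fired. The `risk_verdict`, `login` and `POLICIES` names, the fail-closed-to-MFA behaviour on a risk-service error, and the user store are all assumptions made for this illustration.

```python
import hashlib
import hmac

# Verdict ordering used to pick the strictest outcome among fired signals.
SEVERITY = {"allow": 0, "challenge": 1, "deny": 2}

# Hypothetical policy table standing in for Castle policies: signal -> verdict.
# Editing this table changes who is allowed/challenged/denied without touching login().
POLICIES = {
    "spoofed_device": "deny",
    "tor_browser": "deny",
    "fast_travel": "challenge",
    "proxy_ip": "challenge",
    "new_country": "challenge",
    "new_device": "challenge",
}

def risk_verdict(signals, policies=POLICIES):
    """Stand-in for the Risk API: strictest verdict among fired signals, else allow."""
    fired = [policies[s] for s in signals if s in policies]
    return max(fired, key=SEVERITY.get, default="allow")

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store with a single test account (not real data).
_SALT = b"constructed-salt"
USERS = {"alice": hash_password("correct horse", _SALT)}

def login(username, password, signals, assess=risk_verdict):
    """Return the action for a login attempt.

    Risk is assessed only after the credentials verify. A wrong password and a
    deny verdict both return 'reject', so the caller cannot learn which happened.
    """
    stored = USERS.get(username)
    candidate = hash_password(password, _SALT)  # always hash, so timing is uniform
    if stored is None or not hmac.compare_digest(stored, candidate):
        return "reject"
    try:
        verdict = assess(signals)
    except Exception:
        verdict = "challenge"  # assumption: fail closed to MFA if the risk service is down
    return {"allow": "issue_session", "challenge": "require_mfa", "deny": "reject"}[verdict]
```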

Fast travel
Spoofed device
Proxy IP
Tor browser
Professional
$33/mo
per 10,000 good events

No minimum commitment
Start for free
  • Bot Detection
  • Account Takeover Prevention
  • Policy Management
  • Device Management
  • User Behavior Analytics
  • REST API & Webhooks
  • Email & chat support
  • Credit card payments
Enterprise
$2,800/mo*
per 1,000,000 good events

Get in touch
  • Includes all Pro features
  • Enterprise SLAs
  • Enterprise support
  • * Volume discounts available
  • Customizable billing
  • Invoice payments