Account Takeover

Detect and prevent account takeover (ATO) attacks using multi-layered defense.

Account takeover (ATO) attacks occur when an unauthorized party gains access to a user's account. VerifyStack detects ATO by comparing current session behavior against the user's historical patterns.

Detection Layers

Layer	What It Detects
Device Trust	Unknown or previously-flagged device accessing the account
Behavioral Analysis	Typing patterns, mouse movements that don't match the user's profile
Geographic Plausibility	Impossible travel (login from NYC, then London 30 min later)
Session Analysis	Unusual session duration, navigation patterns, or API usage
Velocity	Rapid account changes (email, password, 2FA) in a short window

Implementation

Post-login monitoringjavascript

// Check at login
const loginDecision = await vs.decide({
  action: 'login',
  userId: user.id
});

// Also check sensitive operations
const changeDecision = await vs.decide({
  action: 'password_change',
  userId: user.id,
  metadata: {
    change: 'email',
    oldEmail: user.email,
    newEmail: newEmail
  }
});

if (changeDecision.decision !== 'allow') {
  // Require re-authentication before allowing the change
  await requirePasswordConfirmation();
}

Recommended Policies

Challenge all logins from unrecognized devices
Require re-auth for email/password/2FA changes
Block simultaneous sessions from different countries
Alert when login behavior deviates >2σ from historical pattern
Auto-lock accounts after 3 denied decisions in 24 hours

Submit /feedback for confirmed account-takeover incidents to improve future ATO detection quality.

Payment Fraud Bot Detection

Docs Index

Detection Layers

Layer	What It Detects
Device Trust	Unknown or previously-flagged device accessing the account
Behavioral Analysis	Typing patterns, mouse movements that don't match the user's profile
Geographic Plausibility	Impossible travel (login from NYC, then London 30 min later)
Session Analysis	Unusual session duration, navigation patterns, or API usage
Velocity	Rapid account changes (email, password, 2FA) in a short window

Implementation

Post-login monitoringjavascript

// Check at login
const loginDecision = await vs.decide({
  action: 'login',
  userId: user.id
});

// Also check sensitive operations
const changeDecision = await vs.decide({
  action: 'password_change',
  userId: user.id,
  metadata: {
    change: 'email',
    oldEmail: user.email,
    newEmail: newEmail
  }
});

if (changeDecision.decision !== 'allow') {
  // Require re-authentication before allowing the change
  await requirePasswordConfirmation();
}

Recommended Policies

Challenge all logins from unrecognized devices

Require re-auth for email/password/2FA changes

Block simultaneous sessions from different countries

Alert when login behavior deviates >2σ from historical pattern

Auto-lock accounts after 3 denied decisions in 24 hours

Submit /feedback for confirmed account-takeover incidents to improve future ATO detection quality.