
October 25, 2020

March 18, 2021

How to prevent account creation fraud in registration forms


A signup form is a strategic marketing asset: a key step in the sales process that builds a custom database with demographic data about your users, helping you understand their interests and behavior.

Account creation fraud affects many industries and has for years caused significant losses and reputational damage to brands; according to a study by BioCatch, those losses amounted to $2.1 billion in the USA in 2020 alone.

But what exactly is account creation fraud?

This term refers to any customer account created with fraudulent information, a practice that is becoming increasingly difficult to detect as attack techniques rapidly evolve.

The cases are numerous and varied, from individuals trying to abuse sales promotions and discount coupons, to highly distributed and sophisticated attacks that use fake or stolen identities, which makes them difficult to detect and stop effectively.

These massive, organized attacks are usually automated bot activity, which means the accounts do not belong to real users. Such accounts are used to generate spam and fake news, influence the results of reviews and voting processes, abuse offers and discounts, commit financial fraud, and carry out other malicious and often criminal activities.

One of the challenges for many businesses is that a growing user base is a sign of growth, so a rising number of registrations is not usually investigated very rigorously.

The password problem

Many account management systems still use only an email address and a password to verify their users’ identity, a method that was not designed with today’s attack techniques in mind.

Thousands of people reuse the same password across different sites and services (even after a known security breach), most of those passwords are not strong enough either, and many people use a single password for all their online accounts.

In an ideal world, filtering new account requests through email verification would be a relatively secure and easy way to stop illegitimate requests. But because password reuse across accounts is so common, it may not be enough in some cases.

Since password protection and email verification are fairly easy to get around, the solution needs to be a change in how users are verified.

The essential approaches to prevent it

Nowadays there is a difficult balance between security and UX, between letting users create an account easily and stopping fake attempts to do so, but there are two types of approaches when looking for a solution.

Background data analysis

A growing number of companies offer services that detect suspicious activity on new accounts by analyzing background data about the user, such as the number of account requests coming from similar IPs, or by flagging examples of potentially malicious activity.

IBM’s Trusteer was one of the first of these tools, and is still one of the most popular, but there are already many user authentication systems (Auth0, Okta and Firebase, for example), data enrichment services (like Clearbit) and even some specific ones (such as BioCatch and IPQS) that offer this option.

These services analyze users' digital behavior to distinguish genuine users from fake ones in order to detect fraud and identity theft. By profiling interests, timings and interactions, they identify patterns and derive rules for "good" and "bad" behavior from statistics.
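The velocity and timing signals described above can be illustrated with a small detector. This is example code added for this article, not Arengu's or any vendor's product: it groups constructed signup events by /24 source network and flags bursts inside a sliding window, and it also flags forms submitted faster than a person plausibly could. The /24 grouping, the thresholds and the "seconds to fill the form" field are assumptions, not values the article specifies.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample signup events: (timestamp, source IP, e-mail,
# seconds between form load and submit). Not real data.
SIGNUPS = [
    ("2020-10-25T10:00:00", "203.0.113.10", "alice@example.com", 41.0),
    ("2020-10-25T10:00:05", "203.0.113.11", "user01@example.net", 0.8),
    ("2020-10-25T10:00:09", "203.0.113.12", "user02@example.net", 0.7),
    ("2020-10-25T10:00:14", "203.0.113.13", "user03@example.net", 0.9),
    ("2020-10-25T10:00:20", "203.0.113.14", "user04@example.net", 0.6),
    ("2020-10-25T10:45:00", "198.51.100.7", "bob@example.org", 33.5),
    ("2020-10-25T11:30:00", "198.51.100.9", "carol@example.org", 52.0),
]


def subnet_key(ip, prefix=24):
    """Collapse an address to its /prefix network so neighbouring addresses
    (one bot farm behind one provider range) are counted together."""
    return str(ip_network(f"{ip_address(ip)}/{prefix}", strict=False))


def assess_signups(signups, window=timedelta(minutes=5), threshold=3,
                   prefix=24, min_fill_seconds=2.0):
    """Return {email: [reasons]} for signups that trip at least one rule.

    subnet_velocity: this signup plus earlier ones from the same /prefix
                     within `window` reach `threshold` requests.
    fast_fill:       the form was submitted in under `min_fill_seconds`.
    Assumed thresholds; tune them against your own legitimate traffic.
    """
    flagged = {}
    recent = defaultdict(deque)  # subnet -> timestamps still inside the window
    for ts_str, ip, email, fill_seconds in sorted(signups):  # ISO strings sort by time
        reasons = []
        ts = datetime.fromisoformat(ts_str)
        q = recent[subnet_key(ip, prefix)]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            reasons.append("subnet_velocity")
        if fill_seconds < min_fill_seconds:
            reasons.append("fast_fill")
        if reasons:
            flagged[email] = reasons
    return flagged
```

In production the flagged result would feed a step-up decision (extra verification factor or manual review) rather than an outright block, since a shared corporate NAT can also produce several legitimate signups from one /24.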

The new user verification methods

As user behavior analysis improves, new ways of verifying user identities emerge that leverage the security advantages of cloud storage and the huge amounts of data that can now be stored and linked to user accounts. These new systems are usually organized into three categories:

  • Multi-factor authentication. This category includes all authentication systems that use more than one factor (password, temporary code, magic link...) to verify that the user actually has access to an email account, a device, or both. They are often combined with push notifications, as Google and Yahoo do, marking a shift towards verification systems that are not based exclusively on passwords, or not on passwords at all.
  • Temporary codes and credentials. An approach that AWS currently uses in its cloud security solutions, although it remains to be seen whether it will have a significant impact on other systems. At the moment it is more common to find them used as one of the factors in a multi-factor authentication system.
  • Biometrics. Biometric identifiers are unique to individuals, which makes them more reliable than common credentials for verifying identities. The advantage is obvious, but privacy concerns are being raised about the end use of this information, so its adoption is not yet widespread.

Combine them all with Arengu

If you are thinking of improving the user authentication system of your service but still haven't found the right formula, we have good news for you.

Thanks to our flow editor you can create, iterate and run complex user authentication flows that can include, among many other features:

  • Email and phone verification.
  • IP scoring systems.
  • KYC tools to recognize identity documents with biometrics.
  • Any external service with an API.

Arengu is a software tool that lets you create forms with complex flows, compatible with any tech stack. Thanks to a JS SDK and a set of flexible native actions, you save a lot of development time when finding the user verification flow that best suits your business needs and setting up common integrations.

Do you want to try it free? Sign up or schedule a demo with our team. And if you prefer to explore it yourself, take a look at the quick start and our guides and tutorials.
