OWASP Automated Threat (OAT-019) – Account Creation
Account Creation: create multiple accounts for subsequent misuse. It is one of the major security challenges faced by web applications and APIs.
OWASP – The Open Web Application Security Project, a worldwide not-for-profit charitable organization focused on improving the security of software, created the handbook to provide information and resources to help defend against automated threats to web applications.
What is Account Creation?
Account creation is a type of online security threat in which individuals or companies use an application’s account sign-up process to create bulk accounts for subsequent misuse. Such misuse may include content spam, spreading malware, laundering cash and goods, causing mischief, damaging brand reputation, and skewing SEO, reviews, and website analytics.
Account creation is also known by terms such as account pharming, fake account, fake social media account creation, impersonator bot, massive account registration, new account creation and registering many user accounts.
The Symptoms of Account Creation
OWASP notes that there are several possible symptoms of account creation. These include:
- A higher than average account creation rate compared to the typical frequency over time
- Accounts with incomplete information relative to a typical account holder
- Accounts created but which are not used immediately
- Accounts created with disproportionate use, and/or misuse, of the application’s functionalities
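The first three symptoms above can be checked mechanically against a registration log. The following is an added example, not code from the OWASP handbook: it defines a constructed SignupEvent schema and a constructed log (six quiet hours followed by one burst hour), then flags hours whose signup count spikes above the median hourly rate, accounts with thin profiles, and accounts that were never used after creation. The fourth symptom (disproportionate use of functionality) needs post-creation activity data and is not modelled here. All thresholds are assumptions.

```python
"""Screen a signup log for the OAT-019 symptoms listed above.

Added example, not from the OWASP handbook. The SignupEvent schema, the
thresholds and every sample value below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class SignupEvent:
    created: datetime                    # registration time
    username: str
    fields_filled: int                   # optional profile fields completed
    first_activity: Optional[datetime]   # first use of the account, None if never used


def _hour_bucket(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def creation_counts_per_hour(events):
    """Symptom 1 input: how many accounts were created in each hour."""
    return Counter(_hour_bucket(e.created) for e in events)


def spike_hours(events, factor=5.0):
    """Hours whose signup count exceeds `factor` times the median hourly count.

    The median is used as the baseline because, unlike the mean, a single
    burst hour does not drag it upwards and thereby hide itself.
    """
    counts = creation_counts_per_hour(events)
    if len(counts) < 2:
        return []
    baseline = max(median(counts.values()), 1)
    return sorted(hour for hour, n in counts.items() if n > factor * baseline)


def incomplete_accounts(events, min_fields=2):
    """Symptom 2: accounts with less profile information than a typical holder."""
    return [e.username for e in events if e.fields_filled < min_fields]


def dormant_accounts(events, now, max_idle=timedelta(hours=24)):
    """Symptom 3: accounts that were not used within `max_idle` of creation."""
    dormant = []
    for e in events:
        if e.first_activity is None:
            if now - e.created > max_idle:
                dormant.append(e.username)
        elif e.first_activity - e.created > max_idle:
            dormant.append(e.username)
    return dormant


def build_sample_events():
    """Constructed log: six quiet hours of organic signups, then one burst hour."""
    base = datetime(2024, 1, 1, 0, 0)
    events = []
    for h in range(6):                       # two complete, promptly used accounts per hour
        for i in range(2):
            t = base + timedelta(hours=h, minutes=10 * i)
            events.append(SignupEvent(t, f"user{h}_{i}", 4, t + timedelta(minutes=5)))
    burst = base + timedelta(hours=6)        # forty thin accounts in 40 seconds, never used
    for i in range(40):
        events.append(SignupEvent(burst + timedelta(seconds=i), f"acct{i:03d}", 1, None))
    return events


def analyse(events, now):
    return {
        "spike_hours": spike_hours(events),
        "incomplete": incomplete_accounts(events),
        "dormant": dormant_accounts(events, now),
    }


def analyse_sample():
    """Run the three checks over the constructed log, 'now' being two days later."""
    return analyse(build_sample_events(), now=datetime(2024, 1, 3))


if __name__ == "__main__":
    for name, hits in analyse_sample().items():
        print(f"{name}: {len(hits)} -> {hits[:3]}")
```

Run against the constructed log, only the burst hour is flagged as a spike, and the forty burst accounts (and none of the organic ones) appear in both the incomplete and dormant lists. In practice the three lists would be joined per account so that a profile matching two or more symptoms is prioritised for review.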
Sectors Targeted by Account Creation
Account creation activity is aimed at a variety of industries, including financial services, government, healthcare, education, retail, technology and social networking. Data commonly misused with account creation includes authentication credentials, payment cardholder data, other personal data, medical data, other financial data, intellectual property, other business data and public information.
Ways to Prevent Account Creation Security Threat
OWASP suggests several possible countermeasures for account creation, which include:
- Limiting the functionality and/or capacity available to all newly created accounts; documenting the acceptable use of all account creation functions; and defining test cases for account creation that confirm the application will detect and stop users attempting to create accounts in bulk.
- Randomizing the content and the URLs of account creation forms, tying these changes to the individual user’s session, verifying the changes at each request and restricting any identified automated usage.
- The OWASP Automated Threats Handbook also suggests identifying and restricting automated usage by fingerprinting before an account creation attack can occur, restricting self-registration to existing people, and identifying and restricting automated usage by reputation methods.
- Enabling CAPTCHA or reCAPTCHA, adding application-specific challenge questions, or using stronger authentication such as two-factor authentication.
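The first countermeasure combines three things a registration endpoint can enforce itself: a per-source rate limit that escalates to a challenge and then to refusal, reduced capabilities for accounts still in a probation period, and a test case showing that a bulk burst is stopped. The following is an added example written for this page, not the OWASP handbook's or any product's code. The window, the soft and hard limits, the probation period, the capability set and the source address are all constructed assumptions.

```python
"""Signup gate combining three countermeasures from the list above: per-source
rate limiting that escalates to a challenge and then to refusal, reduced
capabilities for new accounts, and a test case that a bulk burst is stopped.

Added example, not the OWASP handbook's or any product's code. The limits,
the probation period and the sample source address are constructed.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source (IP, device fingerprint, ...)
SOFT_LIMIT = 3                   # attempts in WINDOW before a challenge is demanded
HARD_LIMIT = 10                  # attempts in WINDOW after which requests are refused
PROBATION = timedelta(days=7)    # how long a new account stays restricted


@dataclass
class Account:
    username: str
    created: datetime
    verified: bool = False       # e.g. completed a second-factor enrolment


class SignupGate:
    def __init__(self):
        self._attempts = defaultdict(deque)   # source -> timestamps of recent attempts
        self.accounts = {}

    def _recent_attempts(self, source, now):
        q = self._attempts[source]
        while q and now - q[0] > WINDOW:      # drop attempts that fell out of the window
            q.popleft()
        q.append(now)                          # count this attempt, whatever its outcome
        return len(q)

    def register(self, username, source, now, challenge_passed=False):
        """Return 'created', 'challenge_required' or 'blocked'."""
        n = self._recent_attempts(source, now)
        if n > HARD_LIMIT:
            return "blocked"
        if n > SOFT_LIMIT and not challenge_passed:
            return "challenge_required"
        self.accounts[username] = Account(username, now)
        return "created"


def capabilities(account, now):
    """Countermeasure 1: new accounts get reduced functionality until they age and verify."""
    if account.verified and now - account.created >= PROBATION:
        return {"posts_per_day": 100, "can_message": True, "can_upload": True}
    return {"posts_per_day": 3, "can_message": False, "can_upload": False}


def bulk_creation_is_stopped(attempts=50):
    """Test case from countermeasure 1: one source firing `attempts` signups in a burst.

    Returns a Counter of outcomes; only SOFT_LIMIT accounts should be created
    without a challenge, and everything past HARD_LIMIT should be refused.
    """
    gate = SignupGate()
    t0 = datetime(2024, 1, 1, 12, 0)
    return Counter(
        gate.register(f"bot{i:02d}", "198.51.100.7", t0 + timedelta(seconds=i))
        for i in range(attempts)
    )


def legitimate_user_after_window():
    """The same source is served normally again once the window has slid past the burst."""
    gate = SignupGate()
    t0 = datetime(2024, 1, 1, 12, 0)
    for i in range(HARD_LIMIT + 5):
        gate.register(f"bot{i:02d}", "198.51.100.7", t0 + timedelta(seconds=i))
    later = t0 + WINDOW + timedelta(minutes=1)
    return gate.register("alice", "198.51.100.7", later)


def new_account_is_restricted():
    """Upload capability for a fresh account versus a verified, aged one."""
    created = datetime(2024, 1, 1, 12, 0)
    fresh = Account("alice", created)
    aged = Account("bob", created, verified=True)
    return (capabilities(fresh, created + timedelta(hours=1))["can_upload"],
            capabilities(aged, created + PROBATION)["can_upload"])


if __name__ == "__main__":
    print(dict(bulk_creation_is_stopped()))
    print(legitimate_user_after_window(), new_account_is_restricted())
```

Counting every attempt, not just successful creations, is what makes the escalation work: a client that keeps retrying without passing the challenge crosses the hard limit and is refused outright, while a source whose burst has aged out of the window is served normally again. The gate keys on a single source string here; in a real deployment the key would combine whatever fingerprinting or reputation signals the application has, since a single IP address is easy to rotate.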
OWASP lists account creation among its 21 automated threats, which are focused on the use of bots to exploit the business logic of websites. Bad actors use these sorts of attacks to increase the revenue from web-related threats. Thus, the future of web application security lies in solutions that address the challenges posed by the OWASP automated threats.
Online businesses can also opt for a bot mitigation solution that prevents account creation and other OWASP automated threats in real time without affecting legitimate visitors. Bot mitigation is probably the most accurate solution for preventing OWASP Automated Threats and also ensures real-time protection against malicious bots.