21 July 2023
Account takeover fraud occurs when cybercriminals gain access to online accounts using the original user's credentials. Such attempts typically focus on financial accounts, but social media profiles, eCommerce accounts and any other account with a financial element are targeted as well. In many of these accounts, cybercriminals find not only financial information but also personal details and even previous purchase history, which can then be used for identity theft, unauthorized payments and more.
In general, any and all user accounts can be targeted for account takeovers. Once an attacker has access, they will then target other accounts from the same user for a wider account takeover.
Common targets for an ATO attack include:
Naturally, stronger security goes a long way towards making user accounts less viable targets for account takeover attacks. This includes ensuring the same password isn't reused elsewhere, which would otherwise give cybercriminals immediate access to multiple accounts at once, as well as multi-factor authentication, so that user credentials alone are not enough.
Most account takeover incidents follow a similar sequence. While the methods and the exact user accounts targeted may vary, the general process of an ATO attack is often the same.
It's important to note, however, that each incident can vary. Sometimes, the identifiable data is sold at an earlier stage, while at other times it may still be the same individuals or organizations behind every step. Nonetheless, these are the most critical steps behind ATO attacks.
The root cause of account takeover fraud is that user accounts were exposed or could otherwise be cracked. Account takeover fraud is the result of leaked data, so it's worth understanding how and why this occurs.
Attackers often rely on automated attacks at the very earliest stages, using various schemes to probe for vulnerabilities. This makes their work more efficient, as they can quickly pinpoint the more vulnerable accounts once identified.
So how do fraudsters gain access to accounts? There are many ways to gain identifiable information online, the 5 most common being:
While we commonly talk about account takeover in the context of websites or online services, it's critical to note that mobile apps are not immune and are, in fact, a growing area of interest for ATO attacks. Popular eCommerce apps, reward programs and even cryptocurrency apps are all financial accounts in nature, making them highly appealing targets.
Many of the aforementioned methods, such as phishing and brute force, can be used to gain access to mobile apps. Combined with the generally lower level of security on smartphones, this makes ATO fraud detection on mobile apps paramount.
One of the most effective ways for attackers to reach individual accounts is to target well-known businesses, thereby potentially gaining access to multiple accounts at once. The consequences for a company can be very broad:
Let's not forget that businesses themselves are also not immune to identity fraud. With the right account takeover, attackers also have access to the company's own financial information. Organizations have their own bank accounts, social media profiles and more, all of which can be exploited if a business email compromise attack is successful.
To understand the ATO-related risks, you need to detect the fraudulent activities that indicate potential incidents. On the users' end, the earliest red flag for an account takeover is a run of failed login attempts. If sufficient additional verification steps are in place, this can alert you to a halted ATO attack, or at least one still in progress. Businesses, likewise, may notice multiple IP addresses being used alongside other irregular activity, which should prompt them to inspect the respective accounts.
Nevertheless, the ability to make informed decisions starts with understanding your users and their behavioural patterns. By getting familiar with their usual login and usage habits, device preferences, transaction history, and network details like IP addresses, you can better differentiate between normal actions and suspicious behaviour with great precision.
Every interaction with your website or mobile app leaves traces that fall into three key user-related contexts:
Both the anti-fraud industry and fraudsters are well aware of these three contexts. That's why it's essential not to rely only on thorough detection methods but also to employ methods that go beyond the information made available by users and unveil tactics of hiding identities or browser spoofing, for example.
Considering the consequences of ATO, prevention is always the best option, especially considering that even a successful recovery process can be too time-consuming. Therefore, the best approach is to use technologies and measures that either make it harder to access the users’ accounts or otherwise identify suspicious activity when it occurs, taking additional defensive actions in real-time.
There are many such measures, most notably multi-factor authentication (MFA). But MFA can add too much friction to the user experience, so real-time detection with AI technology is still the best way to go. Building on the user-related contexts from above, let's see what technology is needed to prevent ATO effectively.
Digital fingerprinting involves tracking software that remembers the last device used to access a given user account. If a new or otherwise unrecognized device is detected, this is flagged as suspicious activity and additional authentication steps are taken. In short, this adds an extra layer of protection against attackers using stolen credentials from a remote location. Critically, when an ATO attempt is detected, outright blocking the fraudsters is not the recommended next step: a hard block tells them that their operation has been detected, and they can simply retry after slightly changing the context.
Similar to fingerprinting, this approach tracks users’ regular behaviour and activity on their accounts. Activity that does not match the pattern is then flagged in order to add extra authentication layers.
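The following is an added example, not Nethone's code, that ties together the signals mentioned above (failed-login bursts and multiple IP addresses, an unrecognized device fingerprint, and deviations from a user's usual behaviour). It builds a per-user baseline from constructed login history, then scores new logins and issues a step-up challenge instead of a hard block; the event schema (user, ok, ip, device, ua, hour) is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample (not real traffic); schema is an assumption: user, ok (login succeeded?), ip, device (fingerprint id), ua, hour (0-23).
HISTORY = [  # alice's known-good sessions, used to build her baseline
    {"user": "alice", "ok": True, "ip": "203.0.113.5", "device": "fp-a1", "ua": "Chrome/Windows", "hour": 9},
    {"user": "alice", "ok": True, "ip": "203.0.113.5", "device": "fp-a1", "ua": "Chrome/Windows", "hour": 19},
    {"user": "alice", "ok": True, "ip": "203.0.113.9", "device": "fp-a2", "ua": "Safari/iOS", "hour": 20},
]
EVENTS = [  # a night-time burst from an unknown device, then a normal login
    {"user": "alice", "ok": False, "ip": "198.51.100.7", "device": "fp-zz", "ua": "Firefox/Linux", "hour": 3},
    {"user": "alice", "ok": False, "ip": "198.51.100.7", "device": "fp-zz", "ua": "Firefox/Linux", "hour": 3},
    {"user": "alice", "ok": False, "ip": "198.51.100.8", "device": "fp-zz", "ua": "Firefox/Linux", "hour": 3},
    {"user": "alice", "ok": True, "ip": "198.51.100.8", "device": "fp-zz", "ua": "Firefox/Linux", "hour": 3},
    {"user": "alice", "ok": True, "ip": "203.0.113.5", "device": "fp-a1", "ua": "Chrome/Windows", "hour": 10},
]

def baseline(history):
    """Per-user profile of devices, IPs, user agents and hours seen on successful logins."""
    prof = defaultdict(lambda: {"devices": set(), "ips": set(), "uas": set(), "hours": set()})
    for e in history:
        if e["ok"]:
            p = prof[e["user"]]
            p["devices"].add(e["device"]); p["ips"].add(e["ip"])
            p["uas"].add(e["ua"]); p["hours"].add(e["hour"])
    return prof

def unusual_hour(hour, known, tolerance=2):
    """True when no known login hour is within `tolerance` hours (wrapping at midnight)."""
    return bool(known) and all(min(abs(hour - h), 24 - abs(hour - h)) > tolerance for h in known)

def score_session(events, profile, fail_threshold=3):
    """Score each successful login against the user's baseline and the failed attempts before it.
    Returns (user, decision, reasons); 'step_up' asks for extra verification instead of blocking."""
    results, fails, ips_seen = [], Counter(), defaultdict(set)
    for e in events:
        u = e["user"]
        ips_seen[u].add(e["ip"])  # IPs used since the last successful login
        if not e["ok"]:
            fails[u] += 1
            continue
        p, reasons = profile[u], []
        if fails[u] >= fail_threshold: reasons.append("failed_login_burst")
        if len(ips_seen[u]) > 1: reasons.append("multiple_ips")
        if e["device"] not in p["devices"]: reasons.append("unknown_device")
        if e["ip"] not in p["ips"]: reasons.append("new_ip")
        if e["ua"] not in p["uas"]: reasons.append("browser_os_switch")
        if unusual_hour(e["hour"], p["hours"]): reasons.append("unusual_hour")
        fails[u], ips_seen[u] = 0, set()  # reset the attempt window after a success
        results.append((u, "step_up" if reasons else "allow", reasons))
    return results
```

Running `score_session(EVENTS, baseline(HISTORY))` flags the first successful login with every signal and lets the later login from the known device and IP through without friction.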
As the name implies, this is a method that operates continuously, using behavioural biometrics and other verifications while the account holder is using the account. Commonly found in the likes of bank accounts, it tracks various data from the start to the end of each session.
To boost the value of the data you gather, collect more context about each session and challenge declarative data beyond the information the user makes available. To do so, consider the following signals:
Fraudsters constantly update their methods and strategies, so it’s essential to keep an eye on the Dark Web to gather intelligence and reverse-engineer their techniques to improve fraud recognition.
Businesses can also benefit from keeping roles and permissions within their organization up to date, ensuring staff only have access to the information, tools and accounts necessary for their job. This helps limit the possibility of business email compromise through a forgotten or overlooked account.
Responding to the need for more robust fraud prevention solutions against ATO, Nethone built a hybrid rule-based and machine learning-powered solution that x-rays every single user on browsers or mobile to know the real intention of the visitor.
We base our approach to ATO prevention on the following:
We hope that the above guide has given you an in-depth and valuable understanding of account takeovers and how to best protect yourself against this digital threat. For more information, we've answered some of the most commonly asked questions below.
A bank account takeover happens when an attacker gains access to a victim's bank account, usually through social engineering techniques via remote access tools. Typically, this is achieved through gaining credentials, often an email address and password. This is then used to access bank details, whether it's via a bank portal or app, and commit financial fraud.
The first step in account takeover fraud is to gain the necessary information to access accounts. This is done via various means, such as malware and scams, alongside brute force attacks and credential stuffing to essentially 'guess' the missing data.
Once accessed, they strive to maintain control of the targeted account while using their access to commit fraud, such as making unauthorized transactions, changing account settings, accessing sensitive information, using the compromised account for further attacks, or selling the account details on the dark web.
At its worst, account takeovers can lead to identity fraud. Alongside making financial transfers, they can use the same credentials to access numerous other accounts from the same individual, causing significant damage to their personal life.
Typical signs include multiple IP addresses, a sudden switch from one browser and/or OS to another, device spoofing, and many more.
Account takeovers are caused by stolen credentials, social engineering techniques, malware and keyloggers, credential stuffing, brute-force attacks, and vulnerable security infrastructures.
Identity theft happens when an individual's personal information is stolen and used without authorization, typically for financial gain or other fraudulent activities, and account takeover is a common effect of identity theft.
Multiple parties can benefit from account takeover fraud. Fraudsters and hackers profit from account takeovers financially, primarily by transferring the users' funds or by selling the accounts on the dark web. However, these stolen accounts can also be used by other malicious individuals to spread viruses and malware.
Account takeover is becoming an increasingly common form of identity theft and fraud. Industry estimates from 2022 suggest account takeover attacks are increasing by 130 to 150% year on year.
Account takeovers are considered a form of identity fraud. Stolen usernames and credentials can be used to gain access to an individual's accounts by assuming their identity. Using that access is considered identity fraud, as the attacker is making transactions or taking other actions while falsely assuming the original user's identity.