It is now common for people to hold many online accounts for social media, digital banking, online shopping and more, to the point that the average person has at least 100 online accounts. This scale of convenience weakens a vital part of security and opens new opportunities for online crime, especially account takeover fraud.
Even though most internet users know the basics of cyber-hygiene, some dismiss good habits and reuse their login credentials across multiple accounts. That makes it easier for hackers to steal sensitive information and gain access to payment cards. But that’s just the beginning.
One thing that all types of fraud have in common is that they can affect both users and businesses. This highlights the importance of understanding and implementing preventive measures to combat account takeover fraud, safeguard personal information, and protect the reputation of businesses.
What is Account Takeover (ATO)?
Account takeover is a malicious attack and a form of identity theft that happens when a cybercriminal gains access to, or takes over, an online account. It can be anything from an email address or a bank account to a social media profile.
During ATO, cybercriminals exploit credentials stolen through phishing, data breaches, social engineering, and other illicit activities to break into online accounts. Bad actors also often buy or trade usernames and passwords on the dark web for practically nothing.
What is the Impact of Account Takeover on Businesses?
Account takeover isn’t a simple or victimless crime. These attacks aim to obtain personal and financial data, which means they aren’t limited to personal accounts. Attackers also target organizations and employ malicious tactics to compromise corporate structures. In severe cases, publicly disclosed ATO incidents can result in significant stock market declines.
Account takeover attacks can include installing malware on corporate systems, leading to potential financial losses. Or, if the user whose account was compromised disputes the fraudulent transactions, the company may be held responsible. That’s why ATO can seriously affect any company’s reputation, making it challenging to retain or attract customers and business partners.
What happens inside the company when its users are attacked through ATO? This is the typical cycle:
Stage 1: ATO attacks strain internal teams, including support and IT, as they navigate the security issues.
Stage 2: Meanwhile, customer requests are storming in as the teams work to assist users in reclaiming their compromised accounts.
Stage 3: The finance department must allocate resources to fight chargebacks resulting from fraudulent transactions.
Stage 4: The loss of reputation and brand trust leads users to seek alternatives and turn to competitors, which is the lasting consequence of ATO attacks.
What are the Risks of an Account Takeover Attack?
Account takeover can act as a gateway for more extensive attacks that go far beyond individual user accounts. ATO gives criminals an initial foothold from which to exploit further vulnerabilities and potentially compromise an entire system or network.
By gaining control over an account, attackers can use it to infiltrate deeper into the target’s infrastructure. That’s when they can exploit weaknesses in the system, network, or application to escalate their access privileges: move laterally across different systems, gain access to sensitive data, or use resources that can lead to further compromises.
A few examples illustrate the risks of ATO attacks in more detail:
ATO and Credit Card Fraud
Account takeover is much more complex than credit card fraud. If a user notices fraudulent transactions, they can immediately dispute them. That’s why many financial institutions monitor their operations and send users real-time alerts if the system detects unusual patterns. But with account takeover, attackers can change the essentials, such as the user’s name, email, etc., which makes it hard for the victim to log in or notice what happened.
If you notice that any of your accounts has been breached, take action to prevent further unauthorized activity: freeze your cards if payments are involved, and warn your relatives in advance if they might receive phishing messages. Also, don’t forget to contact your provider and send them the details of the account takeover. This will help with the account recovery process.
ATO and Multiple Accounts
Account takeover attacks can be difficult to detect since bad actors often mimic the actions of legitimate users. For example, people can change their address and get a new phone, so it becomes challenging to identify whether the changes on an online account are legitimate or not. Not only that, a big issue is that many users today don’t pay attention to their passwords and tend to recycle them regularly.
That means that if an attacker gets access to a single account, all other accounts are in danger, including the person’s whole identity. In this scenario, criminals can control multiple accounts or create new ones under the stolen identity. They can also reach emails, social media, and wallets more easily now because of convenient features like “Sign in with Google,” which effectively serve as keys that unlock other online accounts.
How Does Account Takeover Happen?
Hackers use automated bots to execute account takeover attacks. This method helps them systematically test different combinations of usernames and passwords across various platforms, including e-commerce, retail, finance, or travel websites.
Here is the full cycle of the ATO process in more detail:
- Criminals obtain credentials off the dark web. Stolen data, typically obtained through illicit means, is frequently sold to fraudsters on the dark web. This is no surprise: it is estimated that the deep web encompasses between 90% and 95% of the whole internet, making the dark web the go-to platform for the bulk sale of stolen credentials.
- After accessing data, criminals use bots. Credential stuffing tools and bot attacks can hide bad actors’ IP addresses, making it easier for them to bypass security systems. According to some estimates, over 50% of all web traffic is generated by bots, which can perform up to 100 ATO attacks per second.
- Criminals then test data and use it for fraud. This can involve making unauthorized transactions, or instead of directly exploiting the account, the attacker can choose to sell the login credentials to others, potentially putting the account and its owner at further risk.
- Criminals go a step further, leading to more ATO. For instance, if an email account is successfully compromised through an ATO attack, criminals can leverage it to reset passwords for other accounts linked to the email address.
Alternatively, hackers may focus on obtaining personally identifiable information (PII) through other means. This encompasses a range of fraudulent actions, such as committing insurance fraud, obtaining lines of credit, or acquiring credit card data. On top of that, cybercriminals often use personal details in phishing and spam campaigns to make them look more legitimate.
By incorporating real yet stolen personal information, such as names, account details, or addresses, criminals make their fraudulent communications more credible and deceive more victims. The most targeted sectors for such account takeover attacks are healthcare organizations and academic institutions, since they routinely hold sensitive information.
Why Do Criminals Carry Out Account Takeovers?
Financial gain is the primary motivation for criminals to conduct ATO attacks. In today’s context, account takeover can affect any organization.
ATO has expanded beyond traditional financial institutions and now affects any industry with a user-facing login system. For example, it can involve deceiving victims into installing ransomware, which holds their data hostage until a ransom is paid, or stealing cryptocurrency.
After obtaining a list of verified credentials, cybercriminals capitalize on their findings in two primary ways:
- Selling the credentials to interested parties, or
- Exploiting the compromised accounts for personal gain.
In the case of selling stolen login data, the attackers find buyers willing to purchase the verified login information. When abusing the accounts themselves, attackers engage in unauthorized activities such as initiating fraudulent transactions, changing the account settings, or selling the verified credentials directly to another party.
What Industries are Impacted by ATO Attacks?
Like users, businesses are affected by ATO attacks. Estimates suggest that over 50% of fraudulent activities are account takeover attempts. Consequently, ATO attacks have far-reaching implications across various industries.
Of course, banks are particularly vulnerable due to financial reasons. Online service providers, such as streaming platforms or subscription-based services, can also suffer from unauthorized access to user accounts. Hackers even target email providers due to the potential for identity theft and the spreading of malicious content.
Here are some examples of account takeover attacks in different industries.
- Financial: Criminals target online banking or financial accounts to gain access to funds. Once they successfully take over the account, they may transfer money to their own accounts, make purchases, and change account settings.
- E-commerce: Fraudsters exploit e-commerce accounts to make fraudulent purchases using saved payment data or stolen credit card details. They can change shipping addresses, add new payment methods, or use the compromised account to resell stolen items.
- Cryptocurrency: Attackers hack into crypto exchange accounts or digital wallets to steal digital assets. Once they have access, they can transfer the digital assets to their wallets, sell them on the market, or use the compromised account to conduct fraudulent transactions.
- Travel: Airline or hotel loyalty programs are valuable targets for fraudsters. They use such accounts to book flights or accommodations using the stolen rewards points, resulting in losses and inconvenience for the account owner.
Overall, attackers target different business accounts to access company information, customer data, and financial records. This leads to reputational damage and financial loss, or can even enable further attacks on the organization’s systems or partners.
How to Prevent Account Takeover (ATO)?
As corny as it sounds, it’s important not to wait for the worst-case scenario and to use common sense when protecting your accounts. Unauthorized transactions, failed login attempts, and disputes often result from not sticking to proper security measures.
So the primary and most important step is to follow standard security measures and protect your accounts from ATO:
- Enable two-factor authentication (2FA). This adds an extra layer of security. Nowadays, 2FA is more user-friendly and easy to integrate through apps like Google Authenticator.
- Regularly update passwords. By doing so, you can protect your accounts from past data breaches. You can check if your data has been compromised in a breach by using websites like “Have I Been Pwned” for email addresses. Don’t recycle passwords and avoid using the same password for multiple accounts.
- Check the websites you visit. Pay attention to any signs of phishing attempts, especially if the URL or web page appears suspicious or unusual. Take extra caution when entering credentials or personal information.
- Be cautious with suspicious emails. Unknown email senders, poorly written text, or suspicious web pages are red flags indicating possible risks of ATO. If you’re not sure about the site’s legitimacy, for example, access it by typing its URL into your browser rather than clicking on any links.
Businesses must also prioritize robust data protection practices for all collected, transferred, processed, and accessed data.
Key ATO protection measures include:
- Restricting and validating user input to prevent injection attacks
- Encouraging white hat hackers to identify vulnerabilities
- Implementing SSL/TLS encryption on pages that handle sensitive data
- Securing physical devices, especially in work-from-home setups
- Finding the right balance between security and user experience
How to Enhance ATO Attack Prevention with AI?
One effective approach is to analyze and track suspicious users. By isolating suspicious accounts within a secure sandbox environment, organizations can see all activities associated with the account and take the necessary actions, such as suspending it. This helps mitigate the impact of compromised accounts and prevent further ATO.
But this process can be lengthy and time-consuming. That’s why many businesses choose to integrate automated solutions as part of advanced account takeover fraud prevention systems. IP analysis, risk scoring, and phone number checks are a few examples of how AI-powered tools can help organizations detect and prevent ATO more easily.
By using automated solutions, businesses can complete these security steps to prevent ATO attacks in a robust and efficient way:
- Prioritize detecting suspicious users
- Analyze user biometric and behavioral data
- Monitor user activity throughout the whole cycle
- Continue the analysis of in-session events: unknown devices, malware, bots, etc.
- Conduct identity verification to prevent account takeover incidents
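The IP analysis, risk scoring and unknown-device checks listed above, applied to the bot-driven credential stuffing pattern from the “How Does Account Takeover Happen?” section, as an added example that is not iDenfy’s code: a small Python scorer over constructed login events. The event format, the weights and the thresholds are assumptions chosen for illustration, not values from any real product.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success, device_known).
EVENTS = [
    ("203.0.113.7", "alice", False, False),
    ("203.0.113.7", "bob", False, False),
    ("203.0.113.7", "carol", False, False),
    ("203.0.113.7", "dave", False, False),
    ("203.0.113.7", "erin", True, False),    # one hit after spraying five users
    ("198.51.100.2", "alice", False, True),
    ("198.51.100.2", "alice", True, True),   # a real user mistyping, then succeeding
    ("192.0.2.9", "frank", True, False),     # success from a never-seen device
]

def score_ips(events, min_attempts=4):
    """Risk-score each source IP on two credential-stuffing signals:
    how many distinct usernames it tried and how often it failed.
    Weights and thresholds are assumptions for illustration."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for ip, user, success, _ in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["fails"] += 0 if success else 1
    scores = {}
    for ip, stats in per_ip.items():
        if stats["attempts"] < min_attempts:   # too little data to judge
            scores[ip] = 0
            continue
        fail_ratio = stats["fails"] / stats["attempts"]
        spread = len(stats["users"]) - 1       # 0 for a single-user IP
        scores[ip] = int(40 * fail_ratio + min(60, 15 * spread))
    return scores

def flag_sessions(events, ip_scores, threshold=60):
    """Return successful logins that should get step-up verification:
    the source IP scored high, or the device is unknown to this user."""
    flagged = []
    for ip, user, success, device_known in events:
        if not success:
            continue
        reasons = []
        if ip_scores.get(ip, 0) >= threshold:
            reasons.append("high-risk ip")
        if not device_known:
            reasons.append("unknown device")
        if reasons:
            flagged.append((user, ip, reasons))
    return flagged
```

Logins returned by `flag_sessions` are the ones to route to re-verification rather than block outright, since an unknown device on its own is also what a legitimate user with a new phone looks like.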
ATO Prevention with Identity Verification
ATO presents severe challenges in determining the true identity of individuals attempting to log in and perform actions, such as address changes or large withdrawals.
Integrating AI-powered ID verification solutions as a security measure is the number one step in preventing account takeover, detecting fraudulent login attempts, and fostering a secure user ecosystem.
At iDenfy, you can customize your identity verification flow based on the user’s risk profile or the actions they take on the online platform:
- Verify your users at the first stage of customer onboarding and
- Re-verify them in case any suspicious activity is detected
By implementing identity verification, you can detect suspicious login attempts and check the legitimacy of users before granting access, preventing ATO attacks and the use of stolen information by criminals.