What Is Account Takeover (ATO)?
Imagine you're at work when you receive an email from your company's IT department informing you about an update to the intranet with a direct link. You click the link, which takes you to the internal gateway. Nothing unusual happens, and you go about your day — until, a few hours later, you realize there was something off about that email. You report it to IT, which informs you that what you received was a phishing email, and that your login credentials have been stolen, and hackers have been on the company's internal system for hours.
This actually happened recently to a Reddit employee, as reported by the company, and is one example in the recent increase of account takeover attacks.
What is an account takeover?
An account takeover (ATO) is a type of fraud in which malicious actors gain unauthorized access to online accounts, typically in an attempt to commit identity theft or financial fraud. Once they have access, they can change your contact details and your password information, essentially cutting you off from your account.
Once in an account, they'll proceed to steal information such as credit card details, Social Security Numbers, bank account numbers, personally identifiable information (PII), or proprietary information. In another avenue to profiting from ATO, bad actors often sell online account information, passwords, transactions, and loyalty points on the dark web to other perpetrators of fraud. ATO attacks are also a way to gain access to an organization's network to initiate ransomware attacks or data breaches.
Read this blog to learn how ATO attacks are carried out.
ATO on the rise
ATO fraud targets both organizations and individuals. Coinciding with the rise in ecommerce transactions and the dependency on remote work stemming from the pandemic, ATO attacks grew 307% between Q2 2019 and Q2 2021, according to Sift's Q3 2021 Digital Trust & Safety Index. Businesses are under pressure to adopt remote access technologies that support a distributed workforce and enable consumers to make online purchases securely.
For organizations, an account takeover occurs at the user level. Attackers are focused on gaining access to internal systems through an employee profile. IT security leaders consider this fraud one of their top concerns. "ATO and credential abuse attacks moved up from fourth place last year to #2 this year," noted the Cyberthreat Defense Report.
For individuals, ATO attacks often target ecommerce profiles or accounts at financial institutions. Once a user's account has successfully been taken over, attackers try to change the account information and password. They even turn off notifications so that the legitimate owner will be unaware of malicious activities, such as moving money — making payments to a fake company or transferring funds to another bank account. Attackers will sometimes submit a request for a new credit card, a new bank account, or even other financial services.
How To Detect ATO
Gartner identified core capabilities that help detect and protect against account takeover attacks in its Market Guide for Online Fraud Detection (OFD). Across a user's journey there are multiple points to enable security solutions.
Bots are often used in ATO attacks, so it's important to be able to detect bot activity. If, for example, there is a high number of unsuccessful login attempts, it could indicate a bot. Or, if a customer account is accessed in California, then there is another attempt 10 minutes later from Brazil, it is indicative of a potential account takeover attempt (an indication known as "impossible travel").
Layered artificial intelligence (AI) at the identity perimeter can quickly detect anomalies in behavior and isolate bots. But success requires continuous monitoring and a strong identity management solution, and the ability to orchestrate across multiple layers.
A robust orchestration solution should be able to challenge a user's access to an account with a request for additional authentication — an approach known as adaptive authentication or step-up authentication. For example, additional proof of identity may be required when there are certain changes, such as the user's device or geo-location. By requesting a higher level of authentication before allowing access to a user's account or before a transaction is allowed, organizations can prevent account takeover fraud.
Using AI-Powered Orchestration To Prevent ATO
Bad actors have many tools at their disposal for infiltrating digital accounts, and there's no way to win the battle without a strong defense at the identity perimeter — at the point of authentication before any access is granted.
ForgeRock Autonomous Access is an AI-driven threat protection solution that helps you make smarter and faster access decisions at the identity perimeter. First, it looks for known bad behaviors, such as synthetic attacks (aka bots), credential stuffing, brute-force attacks, and impossible travelers.
It also looks for unknown and anomalous user behavior to catch threats we don't even know we should be looking for. Under the hood is a sophisticated layering of artificial intelligence, machine learning algorithms, and advanced pattern matching that analyze threat signals and behavior patterns to create risk scores. Organizations can use these risk scores to determine how to proceed:
- Low risk: a trusted user logging in at a normal time on a registered device sails through authentication without friction
- Anomalous behavior: a familiar user who may have new device or is logging in from an unusual location; this user receives a step-up challenge, such as a security question or another form of authentication
- Known threat: a high-risk user that is almost certainly malicious, possibly a bot, having failed multiple automated login attempts; access requests can be blocked or analyzed
Autonomous Access is built into ForgeRock Intelligent Access, where risk scores are used to orchestrate secure user journeys and block threats, while removing unnecessary friction and improving the digital experience of legitimate users.