IAM 101 Series: What is Account Takeover?


Two years ago, at the onset of the pandemic, consumers began spending less time shopping in physical stores and more time making their purchases over web and mobile channels. With the acceleration in digital spending, there's been a coinciding increase in cyberattacks, specifically account takeover attacks, known as ATO. According to a recent Sift digital trust report, account takeover fraud skyrocketed 307 percent in the year between Q2 2019 and Q2 2021.

What is ATO?

Account takeover (ATO) is one of more dire consequences of identity theft, and it occurs when a malicious outsider gains access to a user's login credentials to steal funds or information. The perpetrators digitally break into a bank account or ecommerce account through a variety of techniques, such as phishing, malware, and man-in-the-middle attacks, among others (see below for more information). ATO is a major threat to global organizations and their customers due to the financial losses triggered by ATO fraud and the cost of mitigating such attacks.

ATO’s Superpower: Invisibility

Once a user's account has successfully been taken over, attackers try to avoid any unusual activity that would signal a compromised account. Instead, they often try to change the account information, password, and even notifications so that the legitimate owner will not be aware of illicit activities happening with the account.

Once compromised, fraudsters will often steal money from an account by making fraudulent transactions, such as payment to a fake company, or by transferring funds to another bank account. They sometimes submit a request for a new credit card, a new bank account, or even other financial services. Such attacks are so damaging because those who perpetrate them have the power to carry out any number of unauthorized transactions.

How ATO Attacks are Carried Out

There are many ways that attackers can obtain account numbers and login credentials to financial services and other online accounts. Hackers can break in, but that takes time and effort. That's why the preferred approach is buying them on the dark web, which is where stolen credentials often end up after a data breach and where they can easily (and cheaply) be bought and sold.

Here are other common ATO attack methods:

  • Credential stuffing - These attacks typically involve bots that leverage automated scripts to try to access a user’s account. This information can often be used to gain unauthorized access to multiple accounts due to the fact that many people reuse credentials like usernames and passwords. Another significant ATO method is known as a "brute-force" attack, which involves making multiple login attempts using a different password each time. Unfortunately, brute-force attacks are often successful because so many people use simple passwords that are easy to guess. (Read some tips for avoiding brute-force attacks.)
  • Malware – Another way to take control of a user's account is by installing malicious software – or "malware" – via the user's email account on a computer or mobile device. This is often achieved by getting users to download applications from malicious sources that appear to be legitimate or by persuading them to open an attachment that contains a malicious payload. Shlayer, for example, is a downloadable MacOS trojan that masquerades as a Chrome browser update. Another type of malware, called a keylogger, can intercept everything a user types, including login credentials, and spyware can remotely monitor a system's online activity, among other exploits.
  • Phishing – This social engineering attack relies on a user's tendency to trust. Phishing attacks impersonate well-known and trusted brands and individuals, most often arriving as an email, though text messages (SMS) and social media messaging services can also be used. Once easy to spot with their poor design and misspelled words, phishing attacks have become increasingly sophisticated, appearing to be from legitimate sources. Their intention is to persuade users to click links that redirect them to fake, malicious websites or to open an attachment that will install a piece of malware that harvests credentials.
  • SIM card stuffing – Swapping a SIM card is a legitimate service offered by mobile phone carriers when a customer buys a new device. In a SIM card swap scam, a cybercriminal leverages social engineering approaches to transfer a user’s mobile phone number to a new SIM card. First, the criminal contacts a customer’s mobile phone carrier and impersonates the customer, convincing a call center agent to port the mobile phone number to the illegal SIM card. If successful, the victim’s apps, including banking apps, can be activated on the impersonator's phone. If the banking app uses text messages for multi-factor authentication (MFA) or for delivering one-time passwords, then taking over the victim's number becomes an attractive way for a criminal to perform fraudulent transactions.
  • Man-in-the-middle attacks – In this type of attack, fraudsters position themselves between organizations (such as financial institutions) and users to intercept, edit, send, and receive communications without being noticed. An attacker can take over the communication channel between the user's device and a bank's server by setting up a malicious Wi-Fi network as a public hotspot in a coffee shop. People take advantage of public hotspots, not realizing they may be transferring their payment data through a network controlled by a bad actor.

How To Spot and Mitigate ATO

Account takeover is challenging to detect because those committing the fraud hide behind a user's normal login history and behavior. That said, there are some signs of an ATO that organizations can look for. For example, if multiple users suddenly request a password change or if there is an accumulation of unsuccessful login attempts, these could be indicators of a compromised account. Similarly, if a user accesses a customer account in Europe, then tries to access it again 10 minutes later from North America, it is indicative of a potential account takeover attempt. But preventing or spotting such behavior can only be achieved through continuous monitoring.

The solution is to have full visibility into user activity, with real-time monitoring functionality that can identify patterns of behavior that indicate suspicious activity and the possibility of an account takeover.

Finally, a solution that can challenge a user's access to an account with a request for additional authentication – an approach known as adaptive authentication – can help to mitigate account takeover. For example, additional authentication may be required when there are certain changes, such as the user's device or geo-location. By requesting a higher level of authentication before allowing access to a user’s account or before the transaction is allowed, organizations can prevent account takeover fraud.

Learn how to prevent account takeover and fraud with AI-driven threat protection.

Learn more about how your organization can prevent account takeover in our informative webinar.