Based on article originally published in Forbes
Account takeover or ATO is a cyberattack where an online account(s) gets taken over by a malicious third party. There are three phases of an account takeover:
- Credential Theft
- Stolen Credential Validation
- Fraudulent Use
While we might picture a single bad actor working alone to access someone else’s account, the scope and repeated cycling of ATO attacks make them much more potentially dangerous. Understanding how the phases of account takeover attacks work can help you proactively protect and intelligently defend against attempted account takeover fraud and help prevent financial losses.
Phase 1: Credential Theft
An ATO simply means an attacker gains access to an online account. Today, most people have dozens of online accounts, all subject to account takeover fraud. When someone gets this type of sensitive information (credentials), it can spell disaster.
ATO attacks can mean financial account takeover, such as obtaining your username and password for a financial institution, but also could be obtaining data from many other types of accounts such as email, social media, shopping websites, streaming platforms, and more. Once your credentials have been stolen, cyber attackers will swarm other sites with this information to try to use it for profit.
These malicious actors steal credentials and PII (personally identifiable information) via data breaches, PII harvesting schemes, malware, phishing, dangerous attachments, and more.
After stealing someone’s personal credentials, hackers often sell this information to other cybercriminals on the dark web for a profit, and to be used in future attacks.
There are billions of credentials and bits of PII for sale on the dark web — 90% of organizations report at least one identity-related incident over the past year, with that rate on the rise. And research results show that nearly 40% of people reuse passwords across multiple accounts. When someone’s login credentials are hacked, the stolen credentials have the potential to wreak havoc for the victim across dozens of accounts—but only if the credentials are useful and valid.
Phase 2: Stolen Credential Validation
Once these bad actors violate online accounts, validating the stolen credentials is the next step. The data isn’t as valuable to fraudsters if they can’t access accounts with it.
Attackers use sophisticated bots to attempt millions of logins across thousands of websites. If the bot can access an account, the validated stolen personal information can be resold for a profit. There’s a full market for stolen validated account information, ranging from a few dollars to several tens of dollars per validated data set, especially if it’s on a coveted website.
Phase 3: Fraudulent Use
So they have the data, and the data has been verified. Now the attackers can extract value from the information. Modern apps and websites store massive amounts of information, including things like credit and debit card numbers, gift card balances, loyalty points, airline miles, and other digital currency. If a fraudster gains access to an account’s credentials, they can then steal that value by making fraudulent purchases or credit transfers.
Consequences of Account Takeover
Account takeover protection is not only more important than ever, as cyber attackers use more and more intelligent ways to try to access your accounts, it can be harder to detect when you’ve been a victim until major damage has been done.
Financial Loss
Victims of account takeover can find accounts instantly wiped out due to fraudulent purchases. They may find huge balances on credit cards which they’ll have to dispute and hope to be credited. These actions can be both financially and emotionally devastating.
Data Breach and Privacy Violation
One of the most damaging data breaches is the theft of your social security number, which could be used to open fraudulent accounts. Medical data can also be breached and sold.
If your accounts are compromised you may have to visit dozens of websites to reset your username and password, report fraud, and resolve false charges.
Disruption of Services and Trust Damage
The methods of ATO know no ethical or moral boundaries. Other methods of fraud include:
- Warranty fraud: Fraudsters can look back at recent orders in e-commerce accounts, call customer support complaining that their package wasn’t delivered or is broken, and ask for it to be re-sent to a different address.
- Fake credit applications: Attackers take out fake loans and lines of credit using your PII.
- Fake reviews: Hackers can also post fake reviews to promote or falsely report damaged products.
- Phishing: Bad actors can use compromised accounts as a platform for phishing attacks against the legitimate user’s contacts
- Distribute malware: Hacked accounts can be used to distribute spam or use in-platform messaging to distribute malware. This enables the attacker to steal even more personal information and begin the ATO and web attack lifecycle anew.
How to Stop Account Takeover Attacks
For maximum account takeover protection, website owners must address every phase of the attack lifecycle. Here are a few steps you can take:
Strong Authentication Measures
Authentication is an important barrier for protecting an account, but just because a user is authenticated doesn't mean that they are legitimate. Cybercriminals could use valid stolen credentials to log into an account. Stronger authentication measures can include requiring multiple security questions, 2FA (two-factor authentication), an IP block list, limiting the number of login attempts, and firewalls. Go beyond blocking bots. Many website owners look only for bots or common fraud signals to prevent ATO attacks. This is critical and necessary, but it isn’t enough to prevent human ATO fraud.
Regular Security Updates and Patch Management
Secure your database. Leaky forms, vulnerable third-party code and broken access control increase your risk of having sensitive user data stolen. Adopt a code mitigation solution to continuously evaluate the behavior of client-side scripts. Safeguarding your security infrastructure also means making sure patches and updates are implemented quickly and monitoring your systems for any unusual activity.
Multi-factor Authentication (MFA)
Multi-factor authentication requires presenting two or more entries for verification. For example, not just a username and password, but also a third method of verification on top of those two, such as a fingerprint or code sent to a cell phone.
User Education and Awareness Training
Educating users about things like what phishing attempts can look like, being wary of attachments, and how to avoid malware are important to safeguard online accounts.
Monitoring Account Activity
Continually evaluate user behavior. Monitor users’ actions post-login to identify suspicious activities within an account. By looking for signals of abuse and anomalous behavior patterns, you can proactively identify and stop fraud.
Strengthen Login Defenses with Dedicated Bot Mitigation
Sophisticated bot mitigation solutions use a variety of techniques such as examining mouse movements and key presses to filter out bot traffic and secure valuable customer accounts from automated credential stuffing and brute force attacks.
How HUMAN Can Help
HUMAN provides organizations with comprehensive security for their online accounts on applications and websites. Account Takeover Defense hardens the authentication process by neutralizing credential stuffing and brute force attacks and Compromised Account Defense continuously monitors accounts for signs of abuse, no matter how the account was broken into (e.g. by phishing, MFA bypass, malware).
