In recent years, the number of account takeover (ATO) attacks has skyrocketed, increasing 307% between April 2019 and June 2021. And in 2019, eCommerce businesses and consumers lost an estimated $16.9 billion to ATO attacks. ATO fraud is a rapidly growing and costly problem that online businesses must address. So, this post delves into this problem, explaining:
- What account takeover fraud is
- How fraudsters commit ATO fraud
- What fraudsters do with the accounts they take over
- How businesses can reduce the risk of ATO Fraud
What is Account Takeover Fraud?
Account takeover fraud is where a bad actor gains access to and takes over an account using stolen or hacked credentials. Once a fraudster gains access to an account, they engage in fraudulent activities. While all online accounts are vulnerable to ATO fraud, fraudsters tend to target accounts they consider highly valuable, like bank accounts and retail accounts with stored payment information.
How Do Fraudsters Commit ATO Fraud?
Bad actors will typically use automated tools like botnets and machine learning (ML) to engage in massive and ongoing attacks against consumer-facing websites. With automated tools, they commit ATO fraud using techniques like:
- Brute Force Attacks: A fraudster or crime ring attempts to “brute-force” their way into an account through trial and error, trying different username and password combinations until one works.
- Credential Stuffing: When a fraudster successfully hacks into one online account, they typically use those same credentials to log into accounts at other websites. Fraudsters can also buy lists of stolen account usernames and passwords, trying the same set of credentials at various websites to see if they can access other accounts. A recent Security.org study found that 68% of Americans use the same password for multiple accounts, and 37% share their passwords with other people.
Fraudsters don’t always use automated tools for ATO fraud. They can also gain access to and take over accounts through:
- Dark Web Marketplaces: Fraudsters can buy account credentials from dark web marketplaces. These marketplaces get much of their stolen data from data breaches. Hackers sell data from breaches like account credentials, the personally identifiable information (PII) of account holders, and credit card information to dark web marketplaces. Currently, the dark web holds more than 15 billion username-password pairs.
- Phishing: Some fraudsters use phishing scams to get account credentials. You’ll see most phishing scams conducted through email, but some fraudsters use text messaging or social media messages. The messages use deceptive techniques to trick people into giving out their usernames and passwords. They often contain links that take you to a fake website or download malware.
- Call Center Scams: Another way fraudsters obtain account credentials is through call center scams. Fraudsters can often piece together enough personal information to beat the security measures at call centers. Call center security usually involves answering personal questions like the last four digits of your social security number or birth date. Skilled fraudsters can get past these security measures and trick call center agents into giving them access to user accounts.
- Man in the Middle (MITM) Attacks: A MITM attack involves a bad actor intercepting information as it is sent over the internet. Bad actors perform these attacks using malware or by setting up fake public WiFi hotspots. For example, a scammer might set up a fake WiFi hotspot in a popular coffee shop and use it to intercept customers’ traffic. If customers log in to any accounts while at the coffee shop, the fraudster can capture their credentials with a MITM attack.
Fraudsters typically target the accounts that will bring them the most value, and they put the accounts they take over to many fraudulent uses.
What Do Fraudsters Do with the Accounts They Take Over?
Fraudsters can do a lot of damage once they gain access to an account. Let’s look at ATO fraud for a few industries:
- Finance: A fraudster who has taken over someone’s bank accounts can drain their funds, sending money to other bank accounts and making hefty withdrawals of cash. They can also use the bank account to take out unauthorized loans or open a new bank account under the account holder’s name. They can take over credit card accounts, using them to buy products online, including gift cards. In 2020, 32% of account takeovers were banking accounts, per a Security.org study.
- Digital Commerce: Some fraudsters take over eCommerce accounts and use them to make small purchases with stolen credit card numbers (card testing). Many fraudsters will drain the funds of gift cards and loyalty points balances or make unauthorized purchases with the payment methods on file. Those unauthorized purchases lead to chargebacks and lost revenue for those online businesses.
- Gaming: Many fraudsters target gaming platforms, taking over accounts to sell valuable in-game virtual items like skins, weapons, and trading cards to other players. Fraudsters will also take over gaming accounts to access stored credit cards and launch phishing scams against other gamers. Steam, a popular gaming platform by Valve, gets hit with more than 77,000 ATO attacks per month.
- Social Media: In 2020, 51% of the accounts taken over were social media accounts per Security.org. Fraudsters mostly use social media accounts for phishing attacks or to send spam. Some take over the accounts to damage the reputation of the account holders. For example, a fraudster might post offensive tweets or harass other users on the platform.
We’ve highlighted only a few industries that fraudsters target for ATO fraud. However, every online business in every industry faces some risk of ATO fraud attacks.
How Big Is the Risk of ATO Fraud for Online Businesses?
ATO fraud is a huge risk for online businesses because it involves online accounts created by legitimate users. Many fraudsters try to emulate legitimate user behavior once they take over a legitimate account, making ATO fraud difficult to detect. Also, 40% of the fraudulent activity related to an account takeover occurs within 24 hours.
Fraudsters often work together in crime rings and use advanced tools like botnets and peer-to-peer virtual private network (P2P VPN) services. With these advanced tools, fraudsters can distribute login attempts across thousands to millions of IP addresses and attempt hundreds of thousands of logins in just one day.
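Credential stuffing (described above) and the distributed login bursts described in this paragraph both leave a signature in authentication logs: one source IP cycling through many usernames, or one account hit from many IPs, with most attempts failing. The following Python is an added example, not code from this post or from any fraud-prevention product; it runs both checks over a constructed sample log, and the window and thresholds are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 203.0.113.5 alice FAIL
2021-06-01T10:00:02Z 203.0.113.5 bob FAIL
2021-06-01T10:00:03Z 203.0.113.5 carol FAIL
2021-06-01T10:00:04Z 203.0.113.5 dave OK
2021-06-01T10:00:05Z 203.0.113.5 erin FAIL
2021-06-01T10:00:06Z 203.0.113.5 frank FAIL
2021-06-01T10:05:00Z 198.51.100.1 grace FAIL
2021-06-01T10:05:30Z 198.51.100.2 grace FAIL
2021-06-01T10:06:00Z 198.51.100.3 grace FAIL
2021-06-01T10:06:30Z 198.51.100.4 grace FAIL
2021-06-01T10:07:00Z 198.51.100.5 grace OK
"""
# Illustrative thresholds (assumptions; tune them to your own traffic).
WINDOW, MIN_ATTEMPTS, MIN_FAIL_RATIO = timedelta(minutes=10), 5, 0.6
MAX_USERS_PER_IP = 4   # one IP cycling through usernames: credential stuffing
MAX_IPS_PER_USER = 4   # one account hit from many IPs: distributed attempt

def parse(log):
    """Turn each 'time ip user OK|FAIL' line into (time, ip, user, success)."""
    return [(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), ip, u, r == "OK")
            for t, ip, u, r in (ln.split() for ln in log.splitlines())]

def _flag(events, key, other, max_distinct):
    """Slide WINDOW over each key's events; flag mostly-failed bursts touching
    at least max_distinct distinct counterparts (usernames or IPs)."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[key]].append(ev)
    flagged = {}
    for k, evs in groups.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            win = evs[start:end + 1]
            fails, seen = sum(not e[3] for e in win), {e[other] for e in win}
            if (len(win) >= MIN_ATTEMPTS and fails / len(win) >= MIN_FAIL_RATIO
                    and len(seen) >= max_distinct):
                flagged[k] = {"attempts": len(win), "failures": fails, "distinct": len(seen)}
    return flagged

def detect(events):
    # Stuffing is keyed by source IP; distributed attempts are keyed by username.
    return {"stuffing_ips": _flag(events, 1, 2, MAX_USERS_PER_IP),
            "distributed_users": _flag(events, 2, 1, MAX_IPS_PER_USER)}
```

Note that the one successful login inside each flagged burst (dave, grace) is the event worth alerting on and stepping up to 2FA, since a burst of failures followed by a success is what a completed takeover looks like in the log.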
Sometimes fraudsters will wait months before doing anything with the accounts they’ve taken over. They wait a while and then suddenly use multiple accounts all at once or in a short time frame, quickly getting as much value from the accounts as possible. This technique is known as “bust-out fraud,” and it makes detecting ATO fraud more difficult.
Some fraudsters don’t use automated tools for ATO attacks. They have human labor (click farms) manually enter login credentials so that the attacks go undetected by tools that look for automated login attempts.
Fraudsters use sophisticated tools and techniques to commit ATO fraud. However, businesses can take steps to help prevent ATO fraud and detect when fraudsters have taken over accounts.
How Can Businesses Reduce the Risk of ATO Fraud?
You can significantly reduce the risk of ATO fraud by implementing the following:
1) Two-Factor Authentication
Requiring that users enable two-factor authentication (2FA) for account logins can help prevent fraudsters from taking over accounts. Many businesses use 3D Secure (3DS) to implement 2FA on their websites. 3DS is a technology created by Visa and Mastercard to securely authenticate users. Users validate their identity using two of the following:
- Something they know: e.g., a password, PIN, or passphrase.
- Something they have: e.g., a smartphone, smartwatch, or smart card.
- Something they are: e.g., a fingerprint, facial features, or voice patterns.
2FA is a good first defense against account takeover. However, fraudsters have found ways to bypass it — via SIM swap fraud, for example. So, you need to add a second line of defense in the form of a real-time fraud prevention solution.
2) A Real-Time Fraud Prevention Solution
It is impossible to prevent ATO fraud completely, as some fraudsters will find their way onto your platform. But with real-time identity protection that leverages an identity graph of more than one billion identities — which includes personas and behavior patterns — you can identify unusual behavior from user accounts quickly. You can identify behavior and activities generated from automated tools like bots and ML algorithms. You can also detect unusual behavior before checkout, automatically presenting suspicious users with 2FA at the payment stage when needed.