Account takeovers (ATOs) are a type of cyberattack, fraud risk, or identity theft that results in the unauthorized access of an account, typically through the use of stolen credentials. Once an account has been compromised, it may be used to launch additional attacks, make fraudulent purchases or transactions, or steal valuable information.
In the first half of 2022, ATO increased 131% YoY across the entire Sift network. In the first quarter of 2023, ATO has increased an additional 427% compared to all of 2022. The exponential growth of ATO should be a wake up call for businesses that fraud detection is required to avoid financial losses and the erosion of digital trust.
One reason that ATOs are so common is because they can target almost any type of account, from consumer services to enterprise IT accounts—even IoT devices, such as IP video cameras have been targeted by ATOs.
Another reason that ATOs are so common is because they can occur in so many different ways, including data breaches, phishing attacks, brute force attacks, malware, and other more obscure methods we will explain in this blog.
Preventing and detecting ATOs can be challenging because they target legitimate accounts, but there are steps both consumers and businesses can take to improve password security, authentication, and monitor behavioral patterns to detect the risk of ATOs.
What businesses are targets of account takeovers?
There are certain businesses that are more likely to be targeted by ATO for financial gain. Some of the most common businesses that are target by ATO include:
Banks—Unauthorized access to bank accounts can be used to make fraudulent transactions and transfers or to steal sensitive financial information.
Credit cards—ATO can result in unauthorized purchases or steal personal information.
Payment services—ATO can result in unauthorized transactions and transfers.
Stock exchanges—Unauthorized access can be used to conduct fraudulent trades and transfers.
Cryptocurrency exchanges—ATO can result in the theft of digital assets.
Retail—Unauthorized access can be used to make fraudulent purchases or to exploit stored payment information.
Marketplaces—Buyer accounts can be used to make fraudulent purchases or leave fake reviews. Seller accounts can be used to create fraudulent listings.
On-demand services—Unauthorized access can be used to fraudulently order services or to access stored payment information..
Food delivery services—Can be used to place unauthorized orders or to access payment details.
Hotel and travel—Unauthorized access can be used to make fraudulent bookings or to transfer loyalty program rewards.
Social media—Can be used to send scams and spam.
It is important to note that while these businesses are more likely to be targeted, ATO can occur in any industry by targeting services such as email or remote login credentials, such as VPN.
There tends to be a difference in the techniques and goals of consumer ATO—which targets the accounts listed above for financial gain—and enterprise ATO, which tends to target email or privileged account access to conduct further attacks, such as business email compromise (BEC) or ransomware.
How do account takeovers happen?
ATOs can occur through a variety of methods and techniques, but they ultimately seek to gain unauthorized access to user accounts—typically by stealing their username and password. Here are some of the most common ATO attacks:
Data breaches—Data breaches are one of the most prevalent methods of ATO. When a company’s database containing user information is compromised, it can expose usernames and passwords, which can be used to gain unauthorized access to user accounts.
Phishing—Phishing attacks are another one of the most common methods of ATO. Phishing attacks involve tricking users into providing their credentials by sending fraudulent emails, text messages (e.g., “smishing”), or phone calls (e.g., “vishing”).
Credential stuffing—A side effect of data breaches is that user name and password combinations obtained from a data breach may be reused across multiple platforms. Credential stuffing attacks use stolen credentials to exploit reused passwords. According to one survey, more than half of its respondents have not changed their passwords in more than 12 months—even after hearing about a breach in the news.
Brute force password attacks—Brute force attacks use automated tools to guess passwords by trying numerous combinations. Weak passwords or easily guessed passwords (e.g. “123456”) are susceptible to this type of attack, enabling unauthorized access.
Malware—Malicious software, such as credential dumping malware, keyloggers, or Trojans can be used to capture usernames and passwords or to directly steal stored credentials from infected devices.
Network attacks—Network attacks intercept network communication to capture login credentials. Encrypted traffic helps prevent these attacks, but man-in-the-middle attacks, such as creating a fraudulent Wi-Fi access point can enable the attacker to intercept account credentials.
SIM swapping—SIM swapping is a social engineering technique that targets mobile service providers to transfer a victim’s phone number to a SIM card under their control By doing so, they can intercept verification messages used for multi-factor authentication (MFA) to gain access to their victim’s accounts.
It is crucial for individuals and organizations to stay vigilant against these attack vectors. Implementing strong security measures, such as two-factor authentication, regularly updating passwords, and staying informed about potential threats, can help mitigate the risk of account takeovers and protect sensitive information.
Business impact of account takeovers
The impact of ATO on businesses can vary significantly, depending on whether the compromised account is a consumer account or an enterprise account. Here are some of the most common example of the business impact associated with ATO:
Fraudulent purchases—Fraudulent purchases using stolen payment information can result in financial losses and reputational damage for businesses.
Fraudulent reviews—Posting fraudulent reviews to manipulate online ratings can damage consumer trust and influence buying decisions.
Fraudulent listings—Creating fraudulent listings for non-existent products or services can lead to financial losses and damage consumer trust.
Transferring funds/loyalty points—Transferring funds or loyalty points from compromised accounts can result in financial losses for both business and consumers, as well as damaging customer relationships.
Persistence—ATO can establish persistent access to compromised accounts by changing passwords, personal information, or creating new authorized users. This can make it difficult to detect the attack, prolonging its impact.
Data theft—Unauthorized access to consumer accounts can result in the theft of personal information that can be used in identity theft. Unauthorized access to enterprise accounts, such as IT administrator accounts, can result in the theft of entire databases.
Privilege escalation—A successful enterprise ATO can enable attackers to escalate their privileges within a corporate network, enabling them to access sensitive information or compromise other accounts or systems.
Lateral movement—Enterprise ATO can enable attackers to move to other accounts or systems to expand their access, resulting in further compromises or data breaches.
Malware/ransomware—In some cases, enterprise ATO can be part of a broader attack strategy involving the deployment of malware or ransomware, which can cause significant business disruption.
Botnets—Compromised IoT devices can be harnessed by attackers to join botnets, which are networks of infected computers used to launch distributed denial-of-service (DDoS) attacks, phishing attacks, and brute force attacks.
BEC—ATO can be leveraged as a stepping stone for BEC by gaining access to corporate email accounts to conduct fraudulent activities, such as impersonating executives or initiating fraudulent wire transfers.
Protecting against account takeovers
Both consumers and businesses can take proactive measures to prevent protect against ATO attacks. By implementing security best practices and remaining vigilant, both individuals and organizations can significantly reduce the risk of falling victim to these attacks. Here are some strategies for protecting against ATO.
How can consumers protect themselves from ATO?
Strong/unique passwords—Consumers should create strong and unique passwords for each of their online accounts, combining upper and lowercase letters, numbers, and special characters. Avoid easily guessed passwords (e.g. “password”) and refrain from reusing passwords across multiple accounts.
MFA—Enable MFA whenever possible, as it adds an extra layer of security to your accounts. MFA requires users to provide an additional form of verification, such as a one-time passcode (OTP), in addition to their password.
Don’t save passwords—Avoid saving passwords in browsers or on devices, as this can make it easier for attackers to gain unauthorized access to your accounts if your device is compromised.
Don’t fall for phishing—Be cautious of suspicious emails, messages, or calls asking for your login credentials or personal information. Avoid clicking on suspicious links or downloading attachments from untrusted sources. Always verify the authenticity of requests before providing any sensitive information.
Monitor accounts—Regularly review your account activities, transaction history, and notifications for any signs of unauthorized access or suspicious behavior. Report any unusual activity to the respective service provider immediately.
How can businesses prevent ATOs?
Strong password policies—Businesses should enforce strong password policies for their employees and customers. This includes requiring complex passwords, regular password updates, and discouraging password reuse across different systems.
MFA—Implement MFA across corporate systems and customer-facing platforms.
Dynamic friction—Employ adaptive authentication mechanisms that adjust the level of friction based on risk factors. This approach allows businesses to implement stronger authentication measures when there are suspicious activities or anomalies detected during login attempts.
Continuous monitoring & behavioral analytics—Implement real-time monitoring and analysis of user behavior, login patterns, and account activities. This enables businesses to identify anomalies and potential ATO attempts, allowing for timely intervention and response.
When it comes to monitoring behavioral analytics for signs of fraud, these are some of the most common indicators of fraud:
Password change requests
New device logins
Shipping to a new address
Adding a new authorized user
Changing account details
Requesting a new card
Unusually large purchases
One important consideration is that manual fraud review may be challenged to keep the pace of increasing fraud rates, both as a company grows and ATO balloons to record levels. Automated solutions can help ease this pain and AI-enabled solutions can help achieve more accurate ATO detection rates.
Account takeover protection from Sift
Sift simplifies account security and accelerates growth by proactively detecting and blocking ATOs, cultivating customer trust, and building flexible fraud operations.
Pinpoint risky account activity—Handle large-scale, bot-based account attacks with ease and confidence, using a full suite of built-in MFA tools. Instantly identify ATO at login with intelligent automation powered by Sift’s real-time machine learning models.
Build and sustain customer trust—Deliver frictionless experiences to trust users and kick risky sessions to review—or off your site altogether—with Dynamic Friction. Protect every user with automatic notifications in response to suspicious activity.
Manage fraud at scale—Automate risk decisions with Sift Workflows, deep-dive into complex cases, and accelerate manual review with a comprehensive view into account activity and data using the intuitive, customizable Sift Console.
Unmatched accuracy, speed, and adaptability—Identify and act on potentially compromised accounts with unmatched accuracy. Enhanced, sophisticated feature extraction and real-time data fuel an unbeatable combination of ML and customizable, rules-based insights.
Customizable fraud prevention built for your business—Stay fast and flexible even as your business expands into new markets. Deploy new configurations with confidence, and simplify trust and safety across customers, geographies, and languages with models tailored to your specific business needs.
Accelerate growth and operational efficiency with Sift Connect—Seamlessly integrate your fraud stack with best-in-breed technology partners using Sift Connect. This ecosystem of apps and open APIs features platforms like Zendesk, Jumio, and Onfido that add improved data accuracy and efficiency to fraud operations.
One Sift customer, Rently, a property management service, was able to reduce ATOs by 65% and eliminated hours of manual reviews. According to Sahil Farooqi, Head of Customer Care and Security, Rently, “I have great confidence in Sift. It’s learning from manual reviews, making decisions, and pinpointing the bad actors from trusted customers. The automation saves us a lot of time, even when we’re not working.”
Farooqi continued, “Sift is a game changer that’s keeping us ahead of ATO and scammers. Its flexibility makes it easy for us to change our rules as needed, and it’s constantly updating with new signals, which is critical for staying ahead of scammers who are always changing tactics.”
Another Sift customer, Traveloka, was able to double its number of orders while maintaining a low ATO rate. According to Wayan Tresna Perdana, Sr. Product Manager, Traveloka, “Sift helps us to identify more trusted customers and reduce the number of transactions that have to be authenticated, thus reducing payment friction and increasing overall conversion. It also detects more ATO than our rules-based system could, and the console makes it easy for our team to investigate suspicious cases and take action quickly.”
The post What are account takeovers (ATOs)? appeared first on Sift Blog.
*** This is a Security Bloggers Network syndicated blog from Sift Blog authored by Sift Trust and Safety Team. Read the original post at: https://blog.sift.com/what-are-account-takeovers-ato/?utm_source=rss&utm_medium=rss&utm_campaign=what-are-account-takeovers-ato