Account takeovers (ATO) are becoming the bane of online businesses. And it’s getting easier for fraudsters to access stolen account credentials, sometimes with incredible sophistication. Whether it’s banks, ecommerce, or gambling platforms, no one seems to be safe – or prepared.
In fact, one of the biggest misconceptions surrounding ATOs is that they only target big businesses. A study sampling 50 random organizations in different sectors between April and June 2018 detected 60 account takeover incidents, 78% of which led to phishing email attempts. Security firm Javelin’s report estimated the cost of ATOs in 2017 at $16.8 billion.
What Makes Valuable Account Details
At the most basic, fraudsters will need a login name and password. However, even as organizations implement more security measures to protect against hacking, account takeovers continue to proliferate online.
One worrying new method consists of adding matching browser cookies to the package along with the login and password combination. The bundle may even be a portable browser (packaged to run directly from a USB drive) preloaded with all the necessary cookies and cache data, which will bypass security checks that rely on recognising the browser.
This means sellers can bundle all the info needed to bypass geolocation or device checks into one neat package that buyers can open on-the-go to fool the platforms they are trying to infiltrate.
Where Do All These Accounts Come From?
This is the heart of the problem. Criminals have access to a growing number of marketplaces to purchase, sell, and exchange account details. While the dark web famously provides the cover of anonymity, it’s now also increasingly easy to buy accounts on clearnet cryptocurrency auction sites, which still fail to curb the sale of account details for everything from computer game stores to online banking accounts.
(Image: example of full accounts available on a clearnet site)
As to where sellers get these accounts, they can come from a number of places:
- Phishing attacks. Hackers target individuals so they submit their credentials.
- Brute force attacks. Fraudsters automate login attempts until they stumble on a winning combination.
- Data breaches. Large databases of stolen accounts are freely available all over the web. If you’ve ever been asked to change your password, this is why.
- Account farming. Not all accounts are stolen. Some of them are created to be sold. Farmers usually fake geolocation via proxies, and fake devices via virtual machines. This method forces farmers to work fast, which makes detection a lot easier. On the downside, it’s easier than ever to buy stolen IDs for a fake new account.
One interesting point about account farming: it is often done with email addresses created just before the signup process. This means little or no social media footprint, and no email address that can be traced directly back to a data breach – both signals that the right fraud prevention tools pick up easily.
In the large majority of cases, sellers will create accounts using “Fullz”, a combination of stolen documents, also widely available for purchase on fraud marketplaces. A Fullz is a package that can contain a full name, address, and even a social security number. They are bought on criminal marketplaces, phished manually, photoshopped, or even acquired through fake job ads.
Finally, the most sophisticated account farmers will automate the process through bots that scrape websites, aggregate data, and instantly create new active accounts that can be resold later.
Who Buys These Accounts?
ATOs seldom result in good surprises. Those who buy these accounts rarely have the organization’s best interests at heart. For instance, the aim may be to:
- Spam the platform
- Leave fake reviews
- Scam and phish with disposable accounts
- List fake accommodation or goods to scam legitimate users…
One big problem is also the abuse of promotions and bonuses, which takes advantage of a company’s offers.
However, not all account takeovers are used for attacks. Some customers also rely on multiple account logins for the following reasons:
- Previously banned people who still want to access the service
- People who need multiple accounts for multi accounting
- Customers who want to bypass geolocation-based rules
Balancing Onboarding Ease and Security
Online businesses are often at a crossroads when it comes to their onboarding policies. They want legitimate users to log in without friction, but not without security checks.
This is why we believe risk-based authentication is the only way to manage this delicate balancing act. Online businesses should first decide whether they need extra KYC checks based on how risky the user’s digital footprint looks. For instance: if the customer has no social data, you can force phone verification via SMS. If they use a disposable email address, you can ask for official documentation.
Login authentication should be just as flexible, allowing you to trigger SMS or 2FA verification only when the risk warrants it (low digital footprint, use of virtual machines or emulators, a similar IP or device ID).
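The risk-based policy described above, as an added example that is not SEON’s code or part of the original post: the signal names, weights and thresholds are assumptions chosen for illustration, and the two decision functions return the step-up action rather than only printing it.

```python
from dataclasses import dataclass

# Signals a fraud team might collect for a signup or login attempt.
# Field names, weights and thresholds are assumptions for this example,
# not a product's API.
@dataclass
class Signals:
    social_profiles: int = 0                # social accounts linked to the email
    disposable_email: bool = False
    email_age_days: int = 3650              # freshly created address hints at farming
    proxy_or_vpn: bool = False              # geolocation faked via proxy
    virtual_machine: bool = False           # VM / emulator fingerprint
    device_seen_on_other_accounts: int = 0  # same device ID on other accounts
    ip_seen_on_other_accounts: int = 0      # same IP on other accounts


def footprint_score(s: Signals) -> int:
    """Illustrative risk score: higher means a thinner or more suspicious footprint."""
    score = 0
    if s.social_profiles == 0:
        score += 30
    if s.disposable_email:
        score += 40
    if s.email_age_days < 7:
        score += 20
    if s.proxy_or_vpn:
        score += 15
    if s.virtual_machine:
        score += 25
    score += min(s.device_seen_on_other_accounts, 5) * 10
    score += min(s.ip_seen_on_other_accounts, 5) * 5
    return score


def onboarding_checks(s: Signals) -> list[str]:
    """KYC steps to require at signup, escalating with footprint risk."""
    checks = []
    if s.social_profiles == 0:          # no social data -> phone verification
        checks.append("sms_phone_verification")
    if s.disposable_email:              # disposable email -> official documents
        checks.append("official_id_document")
    if footprint_score(s) >= 70 and "official_id_document" not in checks:
        checks.append("official_id_document")
    return checks


def login_decision(s: Signals) -> str:
    """Step up only when the login looks risky; clean returning users pass."""
    score = footprint_score(s)
    if s.device_seen_on_other_accounts >= 5 or score >= 90:
        return "block_and_review"
    if (s.virtual_machine or s.ip_seen_on_other_accounts > 0
            or s.device_seen_on_other_accounts > 0 or score >= 40):
        return "require_2fa"
    return "allow"
```

A user with linked social profiles and a known device gets no friction, while a farmed profile (fresh email, proxy, virtual machine) is pushed to document checks at signup and blocked for review at login.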
As always, it’s up to fraud managers to implement appropriate KYC processes, without risking losing users in the process. See how SEON’s Sense Platform can help supercharge fraud prevention and reduce account takeovers, with seamless integration and no friction increase.