Guide to Account Takeover (ATO) Fraud Detection & Prevention

Having trouble protecting your user accounts? In this guide, we’ll see why accounts are targeted, how fraudsters acquire them, and, of course, which steps you should take to secure them.

This is your complete guide to understanding and preventing account takeover (ATO) attacks.

What Is an Account Takeover?

An account takeover (ATO) happens when someone logs into an account that isn’t theirs. In layman’s terms, it is often referred to as account hacking.

Account takeovers are used by fraudsters in many different ways:

• to acquire sensitive personal information
• to impersonate the account owner
• to gain access to funds and/or payment cards
• as a springboard to defraud the owner’s contacts
• to conduct schemes such as CEO fraud

Mark Zuckerberg, Elon Musk, Kim Kardashian, Jeff Bezos, Barack Obama, Jack Dorsey, and Kanye West have all been victims of ATO attacks.

How Does Account Takeover Fraud Work?

There are many paths to successful ATO fraud. Different things can happen, depending on the attack vector:

• Opportunistic: A fraudster stumbles upon someone’s login details. This could be accidental, or more sophisticated, for example following a mass phishing email campaign. It could be because of an easy-to-guess password, brute force, or via malware such as a keylogger
• Bought credentials: Every huge data breach means a proliferation of ATO attempts is sure to follow due to the account details being sold in bulk for cheap on the darknet
• Credential stuffing: This is when fraudsters automate attacks (usually with bots) using login details they bought from a leaked database.
• Exploiting security vulnerabilities: This is where unpatched security holes are used to gain unauthorized access to a system. For example, Cross-Site Scripting (XSS) and Server Side Request Forgery (SSRF)
• Targeted attack: Fraudsters will often target specific accounts which they know to be valuable. In social media and gaming, for instance, there is a huge market for what is known as OG accounts or accounts with a rare, short handle. To target these accounts, fraudsters often rely on spear-phishing techniques (targeted phishing), or SIM-Swapping attacks.

What Can I Do If I Have Been Hit by an Account Takeover?

If an account is compromised, the first thing to do is to freeze it. This will prevent the fraudster from performing any actions such as changing the password or making a purchase.

If the password has already been changed, you should force a password reset and inform the original user.

Don’t forget that users will probably blame your company for what they see as a lack of security. You should have a solid communication process in place designed to reassure them that it is only a temporary freeze and that their account will be restored as soon as possible.

8 Reasons Why Account Takeover Fraud Happens

Fraudsters have plenty of reasons to target pre-existing accounts:

• To acquire more data: Once hackers have entered an account, they can harvest more information. Is there a phone number attached? Better yet, a valid credit card number? Sometimes, it’s about collecting personally identifying information (PII) for other forms of fraud and identity theft. These types of attacks often target healthcare, the public sector, and even academic institutions

• Financial fraud: All ATOs are designed to extract monetary value at some point down the line. The closest an account is to a credit card, withdrawing funds and wiring money, the better for fraudsters. This is true both for standard currencies, cryptocurrencies, and even loyalty points or gift card credit

• Virtual currency fraud: Some currencies are also purely virtual, such as in-game digital items that can be resold for real-world gains

• Promo abuse: Fraudsters rely on multi-accounting techniques to gain as many sign-up or referral bonuses as possible. It’s even easier with legitimate accounts they’ve compromised

• Card testing: Certain accounts are only used to make small purchases, or to test credit cards. This helps fraudsters check the validity of stolen credit cards, which can then fuel their criminal buying sprees

• Spam: A legitimate account is a great tool to create fake listings, sell goods that don’t exist, write reviews and give feedback on services that are self-serving

• Phishing: Attackers access the account’s contacts and target them directly. The initial account gives them legitimacy and makes the contacts more susceptible to giving away valuable information. A malicious email received from a known contact is more likely to make it past your inbox’s spam filter

• Ransom attacks: If an account is extremely valuable, criminals can try to sell it back for a price.

Finally, there is the huge problem of account reselling: Bad actors lump numerous account details together and resell them on criminal marketplaces.

This is why, in the long run,  account takeover is one of the most damaging fraud attacks. ATOs fuel fraud marketplaces which, in turn, leads to more ATOs.

6 Account Takeover Scenarios

There is no shortage of options for criminals who want to acquire user accounts. Some of the most common methods include:

• Credential stuffing attack: This is where a fraudster tries all the combinations of passwords and email addresses they’ve found in a large data dump.

• ATO from phishing: Criminals send an SMS or email asking you to log into a clone of a known website. From here they redirect you to a page where a keylogger captures your password or other personal details. Having this data gives creative criminals a wide range of options!

• Social engineering attacks: Fraudsters contact people in person and attempt to extract login information. This works not only for end-users but also for employees and business executives

• Man in the middle attack (MitM): This is where fraudsters intercept data between your site and end-users. It’s the digital equivalent of eavesdropping on a conversation and uses techniques such as SSL stripping or Evil Twin attacks, that mirror WiFi access points to capture data

• SIM-Swapping: Most of the accounts for the high-profile names at the beginning of this guide were stolen using SIM-swapping or SIM-jacking attacks. This is when fraudsters contact telecom operators and manage to take control of a mobile phone number. Because so many accounts are verified via Two Factor Authentication (2FA), gaining access to a number means you can log into someone’s Instagram, Twitter as well as a range of other potential services.

• XSS to ATO: XSS stands for Cross-Site Scripting. It allows criminals to target a website by executing malicious scripts in a victim’s browser. This is often with the goal of setting up new passwords on pre-existing accounts.

How Much Does it Cost Businesses?

According to research from Kaspersky, more than half of all fraudulent attacks are in fact an account takeover.

While it’s harder for businesses to put a monetary value on ATO losses than, say, credit card fraud, it doesn’t mean it’s a victimless crime. There are very real consequences for affected businesses:

• Hacks and security issues put a strain on your IT team.

• Support is overwhelmed by customer requests while attempting to reclaim their account.

• The finance department must fight chargebacks.

• Users turn to competitors due to a loss of reputation and brand trust.

In the worst-case scenario, stocks can even plummet after a publicized breach. According to Bitglass research, this can be down by as much as 7.5%.

How to Protect Yourself from Account Takeover Fraud

Letting your users and employees understand how valuable their accounts are is a great first way to make life harder for fraudsters as this will change their behavior around protecting access to their accounts.

Common sense applies, but you should also make a coordinated effort to remind people to:

• Stop reusing passwords: Losing one account can have a few bad consequences. Losing all your online accounts can be disastrous

• Update passwords regularly: This can protect accounts from historical data breaches. You can check if your data has been leaked in a breach, for example by using the Have I Been Pwned website for email addresses and ensure your passwords are quickly updated after any major ones

• Use password managers: These generate strong passwords, store them securely, and autofill on websites and apps when needed.

• Be vigilant with links: Especially from unknown email senders, poorly written text, or suspicious web pages. It’s always better to access important sites directly into your browser rather than following any links

• Double-check URLs: Watch out for signs of a phishing attempt if the URL or web page looks unusual, especially when entering credentials or personal information, for instance: www.paypall.com

• Enable MFA (multi-factor authentication): Two-step verification (2SV) or two-factor authentication (2FA) are easier to use than ever thanks to third-party apps like Google Authenticator

• Use a VPN: Especially when connected to public WiFi networks.

You should also be open about the risks of ATO with your users, and communicate regularly with them about changes that may affect their accounts.

For example, this could be using a confirmation email to let them know a new phone number has been registered or to confirm their recent conversation with a customer service representative.

You can check to see if your password(s) have been exposed at the Have I Been Pwned website.

How to Improve Your Security Against ATO Scams

As a business, it’s best to ensure the best data protection practices are followed. This should be for all data that is collected, transferred, processed, and accessed. A non-exhaustive list of examples includes:

• Use SSL: Especially on pages that collect sensitive or personal identifiable information such as credit cards, social security numbers, or addresses

• Use encryption wherever possible: Not just for logins, but also for communications.

• Secure physical devices: This is particularly important for company phones, laptops, and desktop computers – especially in a work-from-home setup.

• Hire white hat (ethical) hackers: For instance, Facebook has a bug bounty that rewards independent researchers up to $40,000 for finding vulnerabilities that could result in an account takeover.

• Double-check user passwords: You can use third party services to check if a user’s credentials have been leaked before, for example Troy Hunt’s Pwned Passwords2 or K-Anonymity if you’re a Cloudflare customer. This is useful to warn your users on registration if they are about to use a leaked password, or to trigger an email verification on logins to make sure they are not a victim of an ATO.

• Restrict user input: This includes limiting HTML input, sanitizing values entered, and the use of Allowlists to ensure your site code is clean and not vulnerable to SQL or HTML injection attacks.

• Consider User Friction: In an ideal world, you’d be able to set up as many authentication and verification steps as you need to ensure your users are who they say they are.

In practice, however, these steps are serious obstacles in your customer’s journey and can provide a poor user experience. Adding more friction, whether at signup or login, is the surest way to send users towards more lenient competitors – especially in today’s always-on economy.

So how do you balance the right level of security with low customer friction? By deploying invisible authentication tools.

Fraud Detection Software for Account Takeovers

A key challenge of detecting suspicious logins is that the data available is often limited. In fraud prevention, the more data points you have, the more accurate your decision can be. At the point of logging on, we usually have an IP address, device information, and basic customer behavior.

However, a single data point can be enough to blacklist login attempts, provided that data is enriched in real-time to confirm its validity.

• Device fingerprinting: A device hash/ID can be created using data from a browser, operating system, device, and network and this can flag suspicious connections. This is something that doesn’t require excessive calculations, yet can be highly effective in preventing users from logging in with unknown devices or browsers. It can also detect the use of suspicious emulators or virtual machines, which fraudsters often use to make multiple requests from the same original computer.

• IP analysis: This classic fraud prevention method can be enriched to reveal suspicious VPN proxies or TOR usage.

Logging the data obtained can also be useful to create whitelists for your users in order to reduce false positives. For instance, if a user was able to let you know that they’re traveling in advance, it could be reflected in their IP address being whitelisted.

You can learn more about fingerprints in your browser here.

Prevent ATO Fraud with Behavior Analysis with Velocity Rules

If an ATO is already underway, your only chance is to spot suspicious user behavior. Whether it’s inspected through a dedicated fraud prevention system or through manual investigation, here are some of the signs that an ATO attack might have happened.

It is essential to have rules in place that let you understand what is considered safe behavior and what should raise warning flags.

Dynamic Friction

In spite of your best efforts to deploy invisible security layers, there will still be some times when grey areas may confuse any systems you may have in place.

In these circumstances, you shouldn’t be afraid to bring out the big guns and use heavier authentication methods. These include:

• video verification or selfie
• voice message
• 2FA

However, as we’ve previously mentioned, these high-friction tools should really be a last resort only. It’s much easier to offer a smooth authentication experience if your anti-fraud tools allow you to control the thresholds between what’s acceptable and what demands more investigation.

At SEON, for instance, we allow fraud managers to adjust the thresholds of their risk scores, so that they may allow or reject logins based on the company’s appetite for risk.

How ATO Protection Works with SEON 

At SEON, we’ve built a number of ATO prevention features into the core of our end-to-end fraud detection platform. We also took great care to put user experience front and center, reducing the processing time to a minimum while allowing you to leverage:

• Powerful device fingerprinting: Instantly know when a user is connecting with a suspicious combination of software and hardware

• Whitebox machine learning: SEON’s algorithm learns from your ATO patterns and retrains itself numerous times a day. You get results via human-readable rules, which you can use to backtest your login data to identify false-positive rates.

• Velocity rules: Collect and screen complete user activity on your website via custom API calls relating to any data point you wish to send. It’s the closest thing to behavior analysis to help you understand precisely when someone is acting suspiciously. 

The good news is that protecting individual user accounts and your general business interests can be done using the same tools. Using the flexibility and customization options provided by both  SEON risk rules and our API calls provides your business with the level of fraud protection you need.

Frequently Asked Questions