
Having trouble protecting your user accounts? In this guide, we’ll see why accounts are targeted, how fraudsters acquire them, and, of course, which steps you should take to secure them.

This is your complete guide to understanding and preventing account takeover (ATO) attacks.

What Is Account Takeover Fraud?

In layman’s terms, users often refer to account takeover fraud as account hacking: the moment they realize someone has stolen their online credentials. It is also considered a form of identity theft, because it happens when someone logs into an account that isn’t theirs in order to exploit it.

Most ATO attacks are designed for financial gain, but there are other reasons why fraudsters steal logins:

  • to acquire sensitive personal information
  • to impersonate the account owner
  • to gain access to funds and/or payment cards
  • as a springboard to defraud the owner’s contacts
  • to conduct schemes such as phishing or CEO fraud

Account takeover fraud can be hard to identify, especially if the fraudsters attempt to imitate the behavior of the original account owner. Moreover, there is no barrier to the kinds of accounts fraudsters will steal, including streaming accounts, e-wallets, betting accounts, BNPL, online banking credentials, online dating accounts, and many more.

How Does Account Takeover Fraud Work?

There are many paths to successful ATO fraud. Different things can happen, depending on the attack vector:

  • Opportunistic: A fraudster stumbles upon someone’s login details. This could be accidental or more deliberate, for example following a mass phishing email campaign. It could also be the result of an easy-to-guess password, brute force, or malware such as a keylogger.
  • Bought credentials: Every huge data breach is followed by a proliferation of ATO attempts, because the account details are sold in bulk and cheaply on the darknet.
  • Credential stuffing: This is when fraudsters automate attacks (usually with bots) using login details they bought from a leaked database.
  • Exploiting security vulnerabilities: This is where unpatched security holes are used to gain unauthorized access to a system, for example via Cross-Site Scripting (XSS) or Server Side Request Forgery (SSRF).
  • Targeted attack: Fraudsters will often target specific accounts which they know to be valuable. In social media and gaming, for instance, there is a huge market for what is known as OG accounts or accounts with a rare, short handle. To target these accounts, fraudsters often rely on spear-phishing techniques (targeted phishing), or SIM-Swapping attacks.

Examples of Account Takeover Fraud

There is no shortage of options for criminals who want to acquire user accounts. Some of the most common methods include:

  • Credential stuffing attack: This is where a fraudster tries all the combinations of passwords and email addresses they’ve found in a large data dump.
  • ATO from phishing: Criminals send an SMS or email asking you to log into a clone of a known website. From here they redirect you to a page where a keylogger captures your password or other personal details. Having this data gives creative criminals a wide range of options!
  • Social engineering attacks: Fraudsters contact people directly and attempt to extract login information. This works not only on end-users but also on employees and business executives.
  • Man in the middle attack (MitM): This is where fraudsters intercept data between your site and end-users. It’s the digital equivalent of eavesdropping on a conversation and uses techniques such as SSL stripping or Evil Twin attacks, which mirror WiFi access points to capture data.
  • SIM-Swapping: Most of the accounts for the high-profile names at the beginning of this guide were stolen using SIM-swapping or SIM-jacking attacks. This is when fraudsters contact telecom operators and manage to take control of a mobile phone number. Because so many accounts are verified via Two Factor Authentication (2FA), gaining access to a number means you can log into someone’s Instagram, Twitter, and a range of other services.
  • XSS to ATO: XSS stands for Cross-Site Scripting. It allows criminals to target a website by executing malicious scripts in a victim’s browser, often with the goal of resetting the passwords of existing accounts.

How Much Does it Cost Businesses?

According to research from Kaspersky, more than half of all fraudulent attacks are in fact an account takeover.

While it’s harder for businesses to put a monetary value on ATO losses than, say, credit card fraud, it doesn’t mean it’s a victimless crime. There are very real consequences for affected businesses:

  • Hacks and security issues put a strain on your IT team.
  • Support is overwhelmed by customer requests while attempting to reclaim their account.
  • The finance department must fight chargebacks.
  • Users turn to competitors due to a loss of reputation and brand trust.

In the worst-case scenario, stocks can even plummet after a publicized breach. According to Bitglass research, this can be down by as much as 7.5%.


How to Prevent & Detect Account Takeover Fraud

Preventing account takeover fraud is a unique risk management challenge inasmuch as it requires cooperation between your business, users, and cybersecurity team. Let’s look at all the lines of defense you should put into place below:

ATO Prevention techniques:

Educate Your Users 

It’s always worth emphasizing the value of their accounts to your users. For instance, you can remind them to:

  • Be vigilant with their passwords: they should stop reusing old passwords, update them regularly, or even use password managers. It’s also possible to check for breached passwords and flag them at the signup stage.
  • Double-check links and URLs: especially those from unknown email senders, containing poorly written text, or those with links that are designed to look like your company’s (for instance,
  • Enable MFA (multi-factor authentication): two-step verification (2SV) or two-factor authentication (2FA) is easier to use than ever thanks to third-party apps like Google Authenticator.
  • Use a VPN: This may be helpful when connected to public WiFi networks, for instance when traveling abroad. 

You should also be open about the risks of ATO with your users, and communicate regularly with them about changes that may affect their accounts. 

Boost Your Cybersecurity

As a business, it’s always worth meeting the best cybersecurity measures. This extra layer of protection is also effective against account takeover fraud, especially if you can: 

  • Use SSL: for instance on pages that collect sensitive or personally identifiable information such as credit cards, social security numbers, or addresses.
  • Use encryption wherever possible: not just for logins, but also for communications.
  • Secure physical devices: this is particularly important for company phones, laptops, and desktop computers – especially in a work-from-home setup.
  • Hire white hat (ethical) hackers: for instance, Facebook has a bug bounty that rewards independent researchers up to $40,000 for finding vulnerabilities that could result in an account takeover.
  • Double-check user passwords: you can use third-party services to check if a user’s credentials have been leaked before, for example Troy Hunt’s Pwned Passwords or K-Anonymity if you’re a Cloudflare customer.
  • Restrict user input: this includes limiting HTML input, sanitizing values entered, and using allowlists to ensure your site code is clean and not vulnerable to SQL or HTML injection attacks.
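The breached-password check mentioned in both lists above (flagging known-breached passwords at signup) can be done without ever sending the password, or even its full hash, to the third party. The example below is added here and is not SEON’s or Troy Hunt’s code; it implements the k-anonymity scheme of the Pwned Passwords range API (only the first five hex characters of the SHA-1 hash are sent) and runs offline against a constructed sample response, with a separate function for the live lookup.

```python
import hashlib
import urllib.request

# Constructed stand-in for a Pwned Passwords range response (real responses hold
# hundreds of "SUFFIX:COUNT" lines). The first suffix is the real remainder of
# SHA-1("password"); the counts and the other two suffixes are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent to
    the API and the 35-char suffix that never leaves your server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a lookup table."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """How many times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    """Query the real range endpoint; only the 5-char prefix is transmitted."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "signup-password-check"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in that returns the constructed sample for one prefix."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""

def reject_at_signup(password: str, fetch_range=fetch_range_offline) -> bool:
    """Policy hook: refuse any password that has been seen in a breach."""
    return breach_count(password, fetch_range) >= 1
```

Pass `fetch_range_live` instead of the offline stand-in to check against the real data set.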

ATO Detection Techniques:

Confirm Account Changes 

A good way to nip account takeover fraud in the bud is to flag suspicious account changes in real time. More and more companies use the strategy, for instance by sending a confirmation email to let users know a new phone number has been registered or to confirm their recent conversation with a customer service representative. 

Just make sure you notify the user of the change via an alternative communication method, ideally one a fraudster is unlikely to have access to. For instance, if the phone number on the account is changed, do not send that confirmation via SMS to the new number.
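A small routing policy for the confirmation described above, added here as an example rather than taken from the article or from SEON: the channel that was just changed is never used with its new value, every other channel on file is used, and (going one step further than the text) the previous value of the changed channel is notified as well, so the real owner hears about it. The contact details are constructed.

```python
# Constructed contact details for one account (not a real user); the "push"
# channel assumes an app push token exists.
ACCOUNT = {"email": "alice@example.com", "phone": "+15550100001", "push": "device-token-abc"}

def confirmation_targets(account: dict, changed_field: str, new_value: str) -> list:
    """Return (channel, destination) pairs to notify about a change to `changed_field`.

    The changed channel is never used with its new value (a fraudster who swapped it
    would receive the confirmation); the previous value is notified instead, and every
    other channel on file is used as well."""
    targets = [(ch, dest) for ch, dest in account.items() if ch != changed_field and dest]
    old_value = account.get(changed_field)
    if old_value and old_value != new_value:
        targets.append((changed_field, old_value))  # reach the owner at the old address
    return targets

def apply_change(account: dict, changed_field: str, new_value: str) -> tuple:
    """Compute the notifications before applying the change, while the old value is known."""
    targets = confirmation_targets(account, changed_field, new_value)
    updated = {**account, changed_field: new_value}
    return updated, targets
```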

Deploy Fraud Prevention Software

While there is a lot you can do to prevent account takeover fraud without deploying specific anti-fraud tools, the breadth of features that purpose-built software affords makes it worthwhile for most companies. You will gain access to tools designed to extract more user information, which helps:

  • Identify returning customers without their credentials: for instance by using a combination of IP analysis and device fingerprinting (more on that below).
  • Flag suspicious behavior: for instance, a rapid succession of changes made to their account.
  • Spot connections between users: this helps identify fraud rings and sophisticated multi-accounting users who jump from one account to the next.

Best of all, account takeover fraud prevention software is easier to deploy than ever via API calls and SaaS pricing models, meaning you don’t have to go through a complex integration process, regardless of your business vertical. 

Solutions for Account Takeover Fraud Detection & Prevention

A key challenge in detecting suspicious logins is that the data available is often limited. However, fraud detection software can help you extract more information to get a better understanding of who exactly is logging into the account. This can be done via:

Device fingerprinting: 

Device fingerprinting is essentially an identifying method that looks at the user’s configuration of software and hardware. A device hash/ID can be created using data from the browser, the kind of plugins installed, the operating system, and more…

This is highly effective in preventing users from logging in with unknown devices or browsers. It can also detect the use of suspicious emulators or virtual machines, which fraudsters often use to make multiple login requests.

IP analysis

IP analysis helps you understand where the user is logging in from. You can track their usual geolocation and highlight unusual connections. This isn’t limited to the location the IP points to: a new VPN or a Tor connection may also raise red flags.

Note that logging the data obtained can also be useful to create whitelists for your users in order to reduce false positives. For instance, if a user was able to let you know that they’re traveling in advance, it could be reflected in their IP address being whitelisted.

Behavior Analysis with Velocity Rules

If an account takeover is already underway, you can still catch it by spotting suspicious user behavior. Whether it’s inspected through a dedicated fraud prevention system or through manual investigation, here are some of the signs that an ATO attack might have happened.

[Graphic: signs of account takeover fraud]

As you can see from the graphic above, most of these suspicious attempts have to do with the frequency of user actions. This is exactly where velocity rules shine, allowing you to keep track of how often a user attempts a login, changes location, or makes a purchase, for instance.
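The velocity rules described here, and the unusual-location check from the IP analysis section, can be expressed as a few sliding-window counters over login events. The block below is an added example, not SEON’s rule engine; the events and the thresholds are constructed, and it flags three of the signs discussed: a burst of failed logins on one account, one IP cycling through many accounts (the credential stuffing pattern), and a successful login from a new country too soon after the previous one.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login events (not real traffic): timestamp, account, source IP, country, success
EVENTS = [
    ("2024-01-10T10:00:00", "alice", "203.0.113.5",  "GB", True),
    ("2024-01-10T10:01:00", "bob",   "198.51.100.7", "US", False),
    ("2024-01-10T10:01:05", "carol", "198.51.100.7", "US", False),
    ("2024-01-10T10:01:10", "dave",  "198.51.100.7", "US", False),
    ("2024-01-10T10:01:20", "frank", "198.51.100.7", "US", True),
    ("2024-01-10T10:20:00", "alice", "192.0.2.44",   "BR", True),
    ("2024-01-10T10:30:00", "bob",   "198.51.100.9", "US", False),
    ("2024-01-10T10:30:30", "bob",   "198.51.100.9", "US", False),
    ("2024-01-10T10:31:00", "bob",   "198.51.100.9", "US", False),
]

WINDOW = timedelta(minutes=10)        # sliding window for the counting rules
MAX_FAILS_PER_ACCOUNT = 3             # rule 1 threshold (all thresholds are assumed values)
MAX_ACCOUNTS_PER_IP = 4               # rule 2 threshold
MIN_COUNTRY_HOP = timedelta(hours=2)  # rule 3: two countries closer together than this is suspicious

def trim(q, now, key=lambda item: item):
    while q and now - key(q[0]) > WINDOW:  # drop entries that fell out of the window
        q.popleft()

def evaluate(events):
    fails = defaultdict(deque)        # account -> timestamps of failed logins
    ip_accounts = defaultdict(deque)  # ip -> (timestamp, account) pairs
    last_success = {}                 # account -> (timestamp, country) of last success
    alerts = []
    for ts_s, account, ip, country, ok in sorted(events):
        ts = datetime.fromisoformat(ts_s)
        # Rule 1: burst of failed logins against one account (password guessing)
        if not ok:
            fails[account].append(ts)
            trim(fails[account], ts)
            if len(fails[account]) >= MAX_FAILS_PER_ACCOUNT:
                alerts.append(("account_fail_velocity", account))
        # Rule 2: one IP cycling through many distinct accounts (credential stuffing)
        ip_accounts[ip].append((ts, account))
        trim(ip_accounts[ip], ts, key=lambda item: item[0])
        if len({a for _, a in ip_accounts[ip]}) >= MAX_ACCOUNTS_PER_IP:
            alerts.append(("ip_account_spread", ip))
        # Rule 3: successful login from a new country too soon after the last one
        if ok:
            prev = last_success.get(account)
            if prev and prev[1] != country and ts - prev[0] < MIN_COUNTRY_HOP:
                alerts.append(("country_hop", account))
            last_success[account] = (ts, country)
    return alerts
```

In production the same rules would run per event as it arrives, with the deques kept in a shared store rather than in process memory.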

Machine Learning Analysis

The most sophisticated fraud prevention systems can not only help you create risk rules to spot suspicious logins but also suggest them based on your historical data.

This is done via machine learning systems, which analyze past fraud cases in order to spot patterns and offer solutions. The more data you can feed into the system, the more precise the rule suggestions will be – completely tailored to your unique account takeover risk challenge.

How ATO Protection Works with SEON 

At SEON, we’ve built a number of ATO prevention features into the core of our end-to-end fraud detection platform. We also took great care to put user experience front and center, reducing the processing time to a minimum while allowing you to leverage:

  • Powerful device fingerprinting: Instantly know when a user is connecting with a suspicious combination of software and hardware
  • Whitebox machine learning: SEON’s algorithm learns from your ATO patterns and retrains itself numerous times a day. You get results via human-readable rules, which you can use to backtest your login data to identify false-positive rates.
  • Velocity rules: Collect and screen complete user activity on your website via custom API calls relating to any data point you wish to send. It’s the closest thing to behavior analysis to help you understand precisely when someone is acting suspiciously. 

The good news is that protecting individual user accounts and your general business interests can be done using the same tools. The flexibility and customization options provided by both SEON risk rules and our API calls give your business the level of fraud protection you need.


Frequently Asked Questions

What can I do now if I have been impacted by an account takeover?

The immediate action is to block any action that could be possible from that account. If it’s making payments, you should freeze your cards. If it’s messaging relatives, you should tell them in advance that they might receive phishing messages.
In order to recover your account, you should contact the company as soon as possible and let them know what happened.

Where do fraudsters find details for an account theft?

Criminals have access to a growing number of marketplaces to purchase, sell, and exchange account details.
While the dark web famously provides cover of anonymity, it’s now also increasingly easy to buy accounts on clearnet cryptocurrency auction sites or even Telegram groups, where crypto fraud can happen.

How do you stop fraudsters from finding details for an account takeover?

Sadly, in spite of their best cybersecurity efforts, organizations of all sizes are still losing customer records by the millions – a sign that you can’t count on standard IT security to protect your accounts.
Still, there are a few key steps you should take:
  • Educate users about the value of their accounts.
  • Secure the authentication stage with anti-fraud software.
  • Enable 2FA, OTP, or other forms of multi-factor authentication.

Why do fraudsters take over accounts?

Fraudsters have plenty of reasons to target pre-existing accounts, including mining them for data, extracting funds, multi-accounting for promo abuse or iGaming collusive play, spamming, phishing, or demanding ransom for the return to the rightful owner. 
