Account Takeover Fraud (ATO) – How to Stop It Before It Hurts Your Business and Users

Account Takeover Fraud (ATO) – How to Stop It Before It Hurts Your Business and Users

Author avatar

February 12, 2021 by Tamas Kadar

The news cycle runs so fast these days, it’s easy to forget that 2020 saw one of the biggest account takeover attacks in living memory.

Jump Straight To The Infographic.

We’re talking about the July 15 Twitter hack, which saw high-profile accounts such as Elon Musk, Bill Gates, Joe Biden and Jeff Bezos tweet about bitcoin scams.

Jeff Bezos's twitter suffered from an account takeover attack in 2020

But it wasn’t just embarrassing for the social media platform and its CEO, Jack Dorsey (whose account was also taken over). It caused a complete security overhaul at the company, highlighting some critical system failures at every level.

The question is: if one of the biggest tech companies in the world can fall victim to an ATO attack, what about yours? And how should you protect yourself against future attacks? 

In this guide, we’ll attempt to give you some clear tips and tricks, both in terms of educating people at your company, your users and on how to deploy the best anti-fraud tools for better login monitoring.

What is Account Takeover Fraud?

Account takeover fraud happens after someone logs into an account that isn’t theirs. In layman’s terms, it is often referred to as account hacking. 

Account takeover fraud happens anytime the person who accesses the account tries to:

  • Use the account to scam others (as in our opening example),
  • Buys goods or services using the account,
  • Mine the account for personal data,
  • Sell the account login details.

We’ll break down these four scenarios into more detail below, but first, let’s see how ATOs happen in the first place.

What is Account Takeover Protection?

Account takeover protection, or account takeover prevention is the collection of processes designed to secure accounts for their rightful owners. It includes fraud detection techniques, as well as education about the value of each account.

What Occurs During an Account Takeover?

There are many paths to successful ATO fraud. Let’s see what happens, depending on the attack vector.

  • Opportunistic: a fraudster stumbles upon someone’s login details. This could be accidental, or sophisticated, for example following a mass phishing email campaign. It could be because of an easy-to-guess password, brute force, or via malware such as a keylogger.
  • Bought credentials: Every huge data breach you hear about means a proliferation of ATO attempts is sure to follow suit. This is because these accounts are sold in bulk for cheap on the darknet.
The 5 biggest data breaches of all time
  • Credential stuffing: this is when fraudsters automate attacks (usually with bots), to try all the login details they bought on a leaked database.
  • Exploiting security vulnerabilities: There are a few technical steps you should take to patch holes in your security, such as looking at XSS and SSRF vulnerabilities.
  • Targeted attack: fraudsters will often target specific accounts which they know to be valuable. In social media and gaming, for instance, there is a huge market of what is known as OG accounts, or accounts with a rare, short handle. To target these accounts, fraudsters often rely on spear phishing techniques (targeted phishing), or SIM-Swapping attacks.
A clearnet fraudulent marketplace for Instagram OG accounts
A clearnet marketplace for Instagram OG accounts

Scenario 1: ATO + Scams

The teenager who managed to take over Twitter accounts from the biggest names on the planet allegedly netted $117,000 in BTC. 

Even if the attack was sophisticated, the scam itself was pretty rudimentary: tweet a wallet address and ask people for money. 

Things could have been much worse. Being in control of Joe Biden’s Twitter account, the fraudster could have attempted to phish personal information from high-security accounts and caused devastating chaos. 

Moreover, it was immediately apparent that something wasn’t right, which might have helped with damage control.

So in a way, scams that are run from stolen accounts are some of the easiest to manage. But it doesn’t mean there aren’t any negative consequences for your business.

Consequences for your business: loss of business reputation, customer insult rate goes up, IT resources lost to recovering accounts.

Scenario 2: ATO + Buying Goods and Services

If you operate as a digital wallet, losing an account opens a whole new can of worms. First of all, it already means you are a much more valuable target for fraudsters, and that you have a lot more to lose.

We’re talking of course about the costs of chargebacks, which not only incur admin fees but can even put you on a high-risk list from credit card networks, with added transaction fees. This is potentially a death knell for businesses with low margins.

On the bright side, this kind of ATO attack is easier to stop at the withdrawal or transaction stage, for example by identifying a suspicious shipping address or spotting a change of IP address that points to VPN use.

Consequences for your business: high chargeback rates, put on high-risk lists by credit card networks, reputation damage, higher transaction costs, IT resources lost to recovering accounts.

The value of stolen accounts on the dark web, as reported by TrendMicro
The value of stolen accounts on the dark web, as reported by TrendMicro

Scenario 3: ATO + Mining for Personal Data

The more sophisticated fraudsters will understand how to extract more value from an account by mining it for personal data. They will know how to reset 2FA security for other accounts, or how to download previously submitted KYC documents. 

This kind of fraud is much more damaging because it can remain invisible for a long time. And it also snowballs into more fraud down the line, because the personal information will end up as Synthetic ID on other sites. 

Consequences for your business: become patient 0 for all kinds of other fraud attacks, reputation loss, in some cases potentially linked to data protection fines, IT resources lost to recovering accounts.

Is Account Takeover a Form of Identity Theft?

So if someone logs into someone else’s account, is it considered identity theft? Technically, no. However, account takeover makes it a lot easier for fraudsters to access information related to someone’s identity, such as passwords, or bank account and other financial services details. When that data is used to, say, start an online loan application, it does constitute identity fraud – and you’re partially responsible.

Scenario 4: ATO + Reselling Login Details

Another challenging scenario arises when fraudsters manage to log into an account, and simply resell the details to other unscrupulous individuals.

In that case, the ATO may appear dormant for a long time, until one of the 3 aforementioned actions is performed. Moreover, if accounts from your site end up on marketplaces, their value may go up in the eyes of other fraudsters.

You can read more about the problem in our post on how fraud marketplaces fuel account takeovers.

Consequences for your business: become a higher target for fraudsters, reputation loss, IT resources lost to recovering accounts.

How To Boost Account Takeover Fraud Prevention

As we’ve seen above, one of the worst things about account takeovers is that they open the door to many fraudulent possibilities. The good news, however, is that a combination of education, identity verification and powerful anti-fraud tools should help you with effective login monitoring to prevent account takeovers.

Ensure You Have A Secure Service

Starting with the basics, it’s all about good online hygiene and ensuring your site is secure. Here are a few examples of things to consider:

  • Follow the best data protection practices: this is for data that is collected, transferred, processed, and accessed from your site.
  • Use SSL: especially on pages that collect sensitive information such as credit cards, social security numbers, or addresses.
  • Encrypt if possible: this is just as important for data that’s sent via staff members and employees as customer data.
  • Enforce more strict employee permissions: one of the first steps Twitter took after its massive ATO attack was to get a better grip on what employees could access and what they couldn’t.
  • Physical device security: particularly valuable for company phones, laptops and desktop computers. Here again, it’s something Twitter did to mitigate future risk by distributing physical security keys.

For companies with extra cybersecurity resources, you could even consider hiring white hat hackers. For instance, Facebook has a bug bounty that rewards independent researchers up to $40,000 for finding vulnerabilities that could result in an account takeover. 

Educate Users About the Risks

Another good way to boost account takeover fraud prevention: let your users know it’s a threat. This is done via regular security notifications, encouraging 2FA authentication, and highlighting the value of their accounts.

How games marketplace Steam encourages 2FA use to prevent account takeover fraud
How games marketplace Steam encourages 2FA use
Facebook’s ATO reporting feature to boost account takeover fraud prevention
Facebook’s ATO reporting feature

Remember that the sooner you detect an ATO, the sooner you can go into damage control mode and isolate the fraudsters before they cause long term harm. 

Deploy Proper Login Monitoring Tools

However your business operates, the first step to preventing ATOs is to monitor the login stage. Put simply, it’s all about collecting user data any time there is a login attempt, be it successful or denied. 

At that touchpoint, you should be able to detect an IP address, device information, and basic customer behaviour using the following data analysis tools:

  • Device fingerprinting: SEON uses device fingerprinting to create hash/ID using data from a browser, operating system, device and network. This is something that doesn’t require excessive calculations, yet can be highly effective in preventing the users from logging in with unknown devices, browsers or devices. It will also detect the use of suspicious emulators or virtual machines, which fraudsters use to multiply attempts from the same device.
  • IP analysis: A common fraud detection method that can work great by revealing geolocation, but also suspicious proxies, blacklisted servers, VPNs and TOR usage.

These two powerful tools become even more adept at highlighting suspicious usage when you look at how many attempts stemmed from the same device + IP, or different devices with the same IP. 

How suspicious should you be of failed login attempts pointing to account takeover fraud?

Analyse User Behaviour With Velocity Rules

If the fraudster has performed a successful ATO without triggering any alarm bells, you can still spot suspicious activity. This would be done by looking at every user action and assigning them a risk score.

With SEON, this is done via velocity rules, or user behaviour rules, which are designed to score anything, from a suspicious address change to adding a combination of high-value items in their checkout.

The beauty of these rules is that you have complete customisation control over which data point is analysed, so you could look at known ATO behaviour such as:

  • Unusual number of chargeback requests
  • Mass password reset requests
  • Shipping address changes
  • Very large purchases
  • Multiple changes to an account in one session
  • Transfers of a large number of reward points
  • Keystroke velocity
Custom ATO Rules in the SEON System to reduce account takeover fraud
Custom ATO Rules in our system

But you can also tailor rules that are very specific to your business. For instance, an online store may have a list of products that are considered high-risk, even if they’re not high value. 

Last but not least, by labelling each case where your ATO prevention system caught an attempt and where it didn’t, you could use machine-learning to suggest rules that might not be obvious to the human eye. 

Leverage Dynamic Friction

One of the key challenges in preventing account takeover is that it’s a balancing act with user friction. You don’t want security systems that are so stringent that they frustrated your users, especially for something that should be as straightforward as logging in.

The good news? You can use risk scores and set thresholds that will automatically allow login, block it, or require extra verification.

For instance, you could choose to only trigger CAPTCHA verification only after a couple of failed login attempts. Similarly, you could set up rules to allow IP changes if you know your customers are frequent travellers. 

The key is to avoid false positives/customer insult rate and to allow legitimate logins to be as easy as possible.

One quick note: if you rely on geolocation to score risk, should have a system in place for users and employees to let you know of a future IP change (for instance when travelling).

Key Takeaway: Protect User and Employee Accounts to Secure Your Business

The sad truth is that there is no company on earth which isn’t a target to fraudsters. It doesn’t matter which vertical you’re in, how successful you are, or how you do business. If you have user or employee accounts of any sort, someone will try to steal them.

And while it may seem daunting to set up account takeover fraud prevention measures, it does pay in the long term. Nobody will reward you for having a safe system, but customers, partners and investors will certainly hear about it when something goes wrong.

Hopefully, this guide is a good primer on how to set up simple and complex systems to protect your accounts – and your company’s reputation.

Share article

Learn more about our products

Products

Author avatar
Tamas Kadar
CEO

Tamas is the founder and CEO of SEON and an expert in all the technological aspects of fraud prevention.


Sign up to our newsletter