Account Takeover Fraud: Greenfield Opportunities for Fraudsters

June 20, 2018

The allure of account takeover (ATO) fraud is growing. In today’s evolving fraud market, ATO provides fraudsters the greatest return on investment with the least amount of work and a low probability of getting caught.  ATO fraud is a form of identity theft where a fraudster gains access to the unique details of a trusted user’s online accounts. By posing as the real customer, fraudsters can change account details, make purchases, withdraw funds, and even leverage stolen information to access other accounts.

Unlike traditional fraud that starts with securing sensitive information, such as a social security number or PIN, ATO fraud can start with a small bit of personal data. This includes an email address, a full name, a date of birth — any identifier entered during the validation process can work. Fraudsters identify the weakest link in the chain, and the takeover begins.

Several factors have driven fraudsters toward ATO fraud, including: the advent of the EMV chip in credit cards, data breaches exposing everyone’s confidential information, evolution of bot technology, as well as the ability to gather data by simply researching social networks.

Today, information regarding all types of ATO fraud’s best practices is freely shared via the web.  Some fraudsters spell out exactly how they are committing specific types of ATO fraud with “how-to” videos that are shared via YouTube.

The use of malicious bots is perhaps the most common.  According to a recent report from Akamai, more than 40% of global login attempts are malicious bots. Identity thieves buy thousands of hacked usernames and passwords and then just run bots to see where that login succeeds. In fact, of the 17 billion login requests Akamai tracked in November and December of last year, nearly half (43%) were used for credential abuse.

How can you protect yourself from becoming a victim of ATO? From a consumer perspective, there are five recommended tips.  As you can imagine, most of them are centered on password protection.  These tips include:

  • Assign unique passwords for each account: By doing this, users are limiting their exposure to a successful takeover attack and limiting any damage to one specific account.
  • Change important passwords frequently: Passwords should be changed every four to six weeks for any account which carries sensitive information. This includes banking and credit accounts, ecommerce, social media or ecommerce apps in which payment information is saved.
  • Limit public access to information on social media: Society’s need to publish personal information via social sites has created a feeding ground for fraudsters to collect information. Consumers should think twice before they publish sensitive information and limit access to information like birth dates and phone numbers.
  • Balance accounts regularly: Credit card statements and bank balances should be checked as often as possible. Any suspicious activity should be reported immediately.
  • Use a password manager: Products like LastPass, Dashlane, and other comparable services will generate complex usernames and passwords, then store them securely for users. Consumers get the benefit of unique, impossible-to-guess passwords for each account, but the convenience of only having to remember one main login.

Don’t miss Kount’s next live webinar “How to Stop Malicious Account Takeover Attacks”, as we share strategies to detect malicious bots and other fraudulent behavior with account takeover attacks.

ATO Webinar