Everything businesses need to know about account takeover (ATO) fraud
Account takeover (ATO) is a type of fraud that occurs when a bad actor uses stolen or hacked credentials to access legitimate customer accounts. Once bad actors access accounts, they can do a lot of damage. Not only can they access personal identifier information, but they can drain loyalty points, steal customer data, or purchase goods or services fraudulently.
ATO losses are up 72% year over year, according to Javelin’s 2020 Identity Fraud Report. And it’s not hard to see why. Bad actors can take over an account with just a few data elements: full name, date of birth, password, account number, username, email address, or Social Security number.
Overall, account takeover is a major concern for companies across industries that conduct business online or store customer information behind locked accounts. So let’s explore the signs of an ATO attack, what makes account takeover possible, how ATO attacks affect different industries, the effects of account takeover, and how to prevent account takeover attacks.
3 signs of an account takeover attack
Businesses that don’t have an account takeover solution may find it hard to detect an account takeover attack. This is most true in the case of more sophisticated account takeover attacks. For example, in a headless attack, a bad actor may launch an attack without using a web browser.
Overall, the best way to detect an ATO attack is to implement an account takeover prevention solution. A solution can help businesses detect attacks before they can do any damage. Short of that, there are a few indicators of ATO fraud that businesses can watch for.
1. Increased traffic: It’s not uncommon for bad actors to launch attacks at peak times (i.e., during holidays or major marketing events) to blend in with the crowd. But if a business sees a spike in traffic at an off-peak time, it may indicate a credential stuffing attack, which can lead to an account takeover attack. An off-peak time is any time when a business doesn’t anticipate increased web traffic or isn’t running any promotional campaigns that might increase traffic.
2. A high volume of failed logins: In an ATO attack, a bad actor will attempt to access accounts through credential stuffing or password spraying. This may result in an increased number of failed login attempts. An ATO attack is especially possible if users are trying to access accounts with usernames that aren’t in the business’s system.
3. Increased customer complaints or call center activity: A spike in customer support calls or help tickets, particularly around account access or activity, may indicate an ATO attack. When a bad actor gains unauthorized access to a customer’s account, they may change the account password and lock out the customer, prompting customers to contact customer support.
On the flip side, customer support agents may listen for phishing calls that may be precursors to account takeover. For example, a caller may claim they didn’t receive goods for a non-existent promotion. Or they may claim they’re calling in response to an email the business didn’t send.
What makes account takeover attacks possible
There are many ways for bad actors to conduct an account takeover attack. But, generally, account takeover attacks require a four-step process: data breach, combo list, hits, and monetization.
1. Data breach: This is the core of any account takeover attack. In data breaches, bad actors unlawfully access corporate databases in search of customer data.
2. Combo list: From a data breach comes a combo list, or a list of usernames, email addresses, and passwords for upwards of thousands of customer accounts. One bad actor may sell a combo list from a data breach to any number of other bad actors.
3. Hits: When other bad actors acquire combo lists, they may use software or tools to test combos for hits. A hit is a confirmed combination of a customer’s username or email and password. The average hit rate is between 1% and 2%. So for every 100,000 tests, a bad actor can confirm at least 1,000 combos.
4. Monetization: Once a bad actor has confirmed hits, they can take over customer accounts and drain loyalty points, steal customer data, or purchase goods or services fraudulently. Or they can sell their hits list to the next buyer.
Outside large-scale data breaches, bad actors can attempt to take over customer accounts through a variety of attacks. Common attacks that make account takeover possible include credential stuffing, brute force, password spraying, phishing, spear phishing, identity theft or social engineering, and phishing.
Credential stuffing attacks
In a credential stuffing attack, bad actors test hundreds of thousands of combinations of usernames, emails, and passwords in quick succession on a target website. In many cases, they’re trying to confirm that the credentials on a combo list will unlock an account. A bad actor using more advanced methods for credential stuffing may launch a botnet attack. In a botnet attack, bad actors infect computers or Internet of Things (IoT) devices with malware to carry out a credential stuffing attack.
If a bad actor can unlock a customer’s account on one website, there’s a good chance they can unlock other accounts with the same credentials. This is especially true, considering that the average American has 27 online accounts, according to a 2019 Harris Poll and Google study. Among survey participants, 66% said they use the same password on more than one website.
In a brute-force attack, a bad actor will attempt to force their way into a user account by testing hundreds or thousands of passwords until the account unlocks. The goal is to test as many passwords as possible at the highest possible velocity to break into an account. Today, bad actors can automate brute-force attacks with bots or other software.
A brute-force attack attempts passwords in as many user accounts as possible. But a password-spraying attack is a more refined brute-force attack. In a password-spraying attack, a bad actor will attempt to unlock valid user accounts with the most common passwords.
Over the years, large-scale data breaches have revealed some of the most common passwords, which bad actors can purchase and test across the web. The Harris Poll study found that 22% of respondents use their name as a password for at least one account. And in 2020, data breaches exposed the most common password — “123456” — over 23 million times. And it takes less than a second to crack.
In a phishing attack, bad actors will use deceptive email or text messages to trick someone into giving up account usernames and passwords. For example, a bad actor will acquire email addresses or phone numbers for customers or employees of big companies. Then they’ll design and send a message to each person, claiming that they need to update their passwords. In each message, the bad actor will include a link to a malicious website. Then they’ll wait for their victims to open those links and enter their credentials.
In 2019, 65% of U.S. organizations experienced a successful phishing attack, according to Proofpoint’s 2020 State of the Phish report. That was well over the 55% global average. And 60% of U.S. organizations experienced successful credential phishing attacks. Out of those attacks, respondents say their organizations lost data and were infected with malware and ransomware.
Whereas phishing attacks cast a wide net for unsuspecting victims, spear-phishing attacks are more targeted. In this kind of attack, a bad actor attempts an account takeover against high-value targets like CEOs or elected officials. To launch an attack, the bad actor will do more research on their targets and their targets’ accounts. And they’ll research the people closest to the targets to design more aggressive social engineering campaigns.
Identity theft and social engineering
In an identity theft or social engineering attack, a bad actor may attempt to manipulate a customer service agent into helping them access someone else’s account. While not as automated as some other ATO-related attacks, social engineering can be very targeted. And it can be hard to detect if a bad actor already knows someone’s personal information, like their birthdate or Social Security number. Customer service agents, in particular, will want to be wary of these kinds of attacks, especially if the bad actor claims they can’t perform multi-factor authentication with their mobile phone.
How account takeover attacks affect major industries
Some account takeover scenarios can affect just about any online business. Not just retail and eCommerce businesses, account takeover is prevalent in gaming, streaming, travel, and more. Here are some of the most common industry scenarios.
Account takeover in gaming
Account takeover is a form of online gaming fraud that primarily affects competition-based gaming accounts and gambling accounts. In each scenario, players may have high-value winnings in their user accounts. This is similar to bank fraud in that if a bad actor takes over a winner’s account, they can steal their winnings.
In Spring 2020, Nintendo gamers took to social media to report funds missing or misused on their accounts. It wasn’t long before Nintendo reported that bad actors breached 160,000 accounts using stolen network IDs.
Account takeover in streaming
Whether it’s video or music streaming, account takeover in this industry typically leads to account arbitrage. In this case, a bad actor accesses legitimate accounts with known credentials, locks out the user, and sells access to the user’s account on a third-party site. As long as the account takeover goes undetected, bad actors can monetize the sale of legitimate customer accounts.
In November 2020, Spotify reported a breach of 300,000 user accounts, exposing users’ email addresses, display names, passwords, genders, and dates of birth. Music news sources report that bad actors put millions of hacked Spotify accounts on the dark web for as little as $1.
Account takeover in retail and e-commerce
Account takeover in retail and eCommerce most commonly results in loyalty points drain and e-gift card fraud. That’s in addition to revealing stored customer payment information. In July 2020, Instacart reported a credential stuffing attack that resulted in the theft of customer data that later appeared for sale on the dark web.
A few months later, warehouse retailer Sam’s Club automatically sent password-reset notifications to customers. The notification warned that customer accounts may have been compromised through credential stuffing, data breaches, or phishing.
Account takeover in telecommunications
Bad actors know that if they can take over someone’s phone, they have the keys to that person’s life. Account takeover in telecommunications can result in bad actors purchasing new phones or technology under a false identity or porting someone’s SIM into their own devices. When a bad actor ports a SIM, they can access a victim’s contacts, conduct social engineering scams, or access any two-factor authentications that go to the victim.
Account takeover in travel
The multibillion-dollar travel industry is a prime target for account takeover attacks. Frequent flyers can have thousands of dollars’ worth of miles or points behind their accounts. And if a bad actor takes over accommodation-hosting accounts, they may be able to manipulate per-night prices, change payment accounts, and duplicate ads to scam travelers.
Account takeover in oil and gas
Traditionally, bad actors relied on card skimmers to steal credit card data at the gas pump. But with the rise of card-not-present (CNP) transactions, account takeover attacks target gas rewards or stored value cards. When bad actors take over gas rewards, they can resell their value or use them to fill their tanks.
Account takeover in financial services
Bad actors who launch account takeover attacks on banks and financial institutions can open fraudulent accounts and take out loans without authorization. In this case, a financial institution may fund a loan that a consumer doesn’t know about and can, ultimately, default on. Not only can this ruin a consumer’s credit, but it can also expose a bank or credit union’s security weaknesses and damage relationships with consumers. In some cases, bad actors can even open mule accounts for money laundering or to fund criminal or terrorist organizations.
Account takeover in food services
It’s no secret that quick-service restaurants (QSRs) have a digital fraud problem. Credential stuffing and ATO attacks have increased with the rise in mobile order-ahead app usage, encouraging more restaurants to invest in mobile fraud detection for food service. Customers who use QSR apps often may have a high number of loyalty points that bad actors may drain when they take over accounts. And it’s not just customer accounts at risk.
Mobile order-ahead apps are prime targets for card testing too. In September 2019, DoorDash reported a data breach that compromised 4.9 million customer, Dasher, and merchant accounts. The breach compromised the last four digits of user payment cards.
Account takeover in health and beauty
Account takeover in health is most prevalent in insurance fraud and compromising health records. Bad actors may use account takeover to assume an identity, open policies, and submit false claims. In the case of compromising health records, a bad actor can use the information in social engineering or spear-phishing attacks. Account takeover is also a growing risk in the health and beauty and direct sales markets where fraudsters target prominent seller accounts.
Account takeover in leisure and entertainment
ATO in leisure and entertainment is similar to ATO in streaming in that it typically leads to account arbitrage. A bad actor may access legitimate accounts with known credentials, lock out users, and sell access to the accounts on a third-party site. As long as the account takeover goes undetected, bad actors can monetize the sale of legitimate customer accounts.
In November 2019, within hours of the Disney+ launch, thousands of user accounts were taken over and put up for sale on the dark web. A ZDNet investigation revealed that bad actors sold accounts for between $3 and $11 for three-year subscriptions.
The effects of account takeover attacks
With the rise in account takeover attacks across industries, businesses are finding some of the most devastating effects aren’t from chargebacks, lost revenue, or brand damage. As more states hold businesses accountable for corporate takeover attacks, businesses face heavy fines and legal fees.
For example, attorney generals have begun to file lawsuits against national corporations that don’t adequately prevent fraud. These lawsuits claim that companies violate consumer protection laws when they fail to prevent cyberattacks. These cases are setting new precedents in consumer protection laws that could hold businesses accountable for not protecting against account takeover attacks.
Essentially, when a bad actor takes over an account, they can:
- Expose personal identifier information
- Change passwords and lock out users
- Drain accounts of monetary funds or loyalty points
- Buy goods, services, and gift cards
- Create new accounts fraudulently
- Trade value between accounts
- Stream digital content illegally
Each of these can come back to the business. A Kount 2020 survey revealed that 6 in 10 consumers are most concerned about an online retailer’s credibility following a data breach. And when bad actors purchase goods or services fraudulently, they manipulate inventory and expose businesses to chargebacks and related fees.
Not to mention, account takeover can damage brands permanently. And it can erode the trust and loyalty of good customers, especially when businesses increase customer friction and false positives to prevent fraud. The same Kount survey found that 25% of respondents wouldn’t return to a website if it turned away their legitimate transaction.
How Kount Control prevents account takeover attacks
The best way to prevent account takeover is to implement an account takeover solution like Kount Control. The right solution can help businesses stop malicious logins, detect bot attacks, and manage trusted devices without adding unnecessary friction to the customer experience.
It uses machine learning to detect abnormal login behavior
Kount Control evaluates user behavior, device, and network anomalies through machine learning capabilities like device intelligence, IP risk detection, and anomaly detection. This linked analysis can detect high-risk, abnormal login activity from bots, credential stuffing, and brute-force attacks.
Device intelligence capabilities identify the relationship between a device and a customer. Typically, customers use a few devices to log in to accounts. When businesses can see a customer’s trusted devices, they can set policies that challenge logins from non-trusted devices.
Let’s say a good customer attempts to log in to their account. If the business uses Kount Control, it can know if the user is logging in from a trusted device. If it’s a trusted device, the customer can log in without friction.
If the device isn’t trusted, the business can challenge the customer with step-up or multi-factor authentication (MFA). If the customer passes the challenge, they can proceed to their account, and Kount Control can trust the device.
Device intelligence helps businesses do three important things:
- Recognize customers or bad actors as soon as they attempt to log in.
- Deliver customized and frictionless experiences.
- Improve retention and customer loyalty.
Meanwhile, bots used in account takeover attacks often use high-risk IP addresses, which Kount Control’s IP risk capabilities can help detect. If an IP address starts to exhibit anomalous behavior, Kount Control’s IP anomaly detection can identify it.
Kount’s machine learning identifies anomalous attributes from across the Identity Trust Global NetworkTM. So if a business sees, for example, higher-than-average transaction or chargeback velocities from one IP address in a short time, it may indicate a bot attack.
And it’s not just one or two potentially anomalous events Kount’s network can identify. The Identity Trust Global Network links signal data from billions of annual interactions across 250 countries and territories, over 75 industries, and over 50 payment processors and card networks. So businesses can block payments fraud and account takeover attacks in real time.
Its customizable business policies reduce friction
Kount Control customers can customize user experiences and reduce friction. And they can do it by identifying users based on common characteristics, such as user type (i.e., loyal, VIP versus trial users), device specifics, IP risk, geolocation, and more.
From there, businesses can set policies according to how they define high-risk, minimal-risk, or no-risk activity. When login activity triggers a policy, Kount Control responds accordingly. Additionally, Kount customers may have internal business policies or regulatory guidelines to maintain at login.
They can manage, customize, and adjust those inside the platform — no costly development efforts necessary. With Kount Control, businesses can fine-tune their ATO fraud strategies and decide what types of experience to deliver to their customers.
It can challenge malicious logins with MFA
Kount Control customers can challenge login activity through the platform’s MFA capabilities. A business’s account security requirements will determine if it needs to challenge all login activity with step-up authentication.
For example, Kount customers can access Equifax Secure MFA. Equifax Secure MFA links a user’s mobile number, device, or SIM card through a dynamic hyperlink delivered via email or SMS. This MFA option confirms that the user engaging with the business possesses the device, SIM, or email associated with the customer account.
It can present account activity data in real time
Kount’s Control’s data presentation capabilities provide real-time reporting that can reveal valuable customer insights. Access reports on login trend data, including device and IP information, in real time. Quickly identifying and reporting on failed login attempts, risky IPs, compromised accounts, and inbound anomalies helps businesses identify and reinforce protection policies.
And customers can customize Kount Control’s decision responses to send specific response data back to the business’s internal systems. This flexibility allows internal teams to automate processes based on Control’s output data. Overall, Kount Control’s reporting capabilities can reveal valuable customer insights that businesses can use to fine-tune business policies and further customize experiences.
It helped one enterprise-level retailer prevent over $1.8 million in account takeover losses
Before implementing Kount’s solutions, one enterprise-level retail organization was using a mixture of in-house, manual fraud controls combined with a traditional rules-based solution. However, this system proved too rigid and lacked the nuance to stop massive account takeover attacks.
With Kount’s account takeover and machine learning solutions, the retailer improved risk analyses and implemented multi-factor authentication. Over three years, these solutions prevented over $1.8 million in account takeover losses, according to the latest Forrester Total Economic Impact report.
“With the account takeover pieces that came with Kount, we saw a dramatic, and I mean dramatic, almost off-the-cliff reduction in that type of behavior,” the company’s VP of e-commerce retail told Forrester.