Everything businesses need to know about account takeover (ATO) fraud
Account takeover (ATO) is a type of fraud that occurs when a bad actor uses stolen or hacked credentials to access legitimate customer accounts. Once bad actors access accounts, they can do a lot of damage. Not only can they access personally identifiable information, but they can drain loyalty points, steal customer data, or purchase goods or services fraudulently.
ATO losses are up 72% year over year, according to Javelin’s 2020 Identity Fraud Report. And it’s not hard to see why. Bad actors can take over an account with just a few data elements: full name, date of birth, password, account number, username, email address, or Social Security number.
Overall, account takeover is a major concern for companies across industries that conduct business online or store customer information behind locked accounts. So let’s explore the signs of an ATO attack, what makes account takeover possible, how ATO attacks affect different industries, the effects of account takeover, and how to prevent account takeover attacks.
3 signs of an account takeover attack
Businesses that don’t have an account takeover solution may find it hard to detect an account takeover attack. This is especially true for more sophisticated account takeover attacks. For example, in a headless attack, a bad actor may launch an attack without using a web browser.
Overall, the best way to detect an ATO attack is to implement an account takeover protection solution. A solution can help businesses detect attacks before they can do any damage. Short of that, there are a few indicators of ATO fraud that businesses can watch for.
1. Increased traffic: It’s not uncommon for bad actors to launch attacks at peak times (i.e., during holidays or major marketing events) to blend in with the crowd. But if a business sees a spike in traffic at an off-peak time, it may indicate a credential stuffing attack, which can lead to an account takeover attack. An off-peak time is any time when a business doesn’t anticipate increased web traffic or isn’t running any promotional campaigns that might increase traffic.
2. A high volume of failed logins: In an ATO attack, a bad actor will attempt to access accounts through credential stuffing or password spraying. This may result in an increased number of failed login attempts. An ATO attack is especially likely if the failed attempts use usernames that aren’t in the business’s system.
3. Increased customer complaints or call center activity: A spike in customer support calls or help tickets, particularly around account access or activity, may indicate an ATO attack. When a bad actor gains unauthorized access to a customer’s account, they may change the account password and lock out the customer, prompting customers to contact customer support.
On the flip side, customer support agents may listen for phishing calls that may be precursors to account takeover. For example, a caller may claim they didn’t receive goods for a non-existent promotion. Or they may claim they’re calling in response to an email the business didn’t send.
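To make the failed-login sign concrete, here is an added Python example (not Kount Control code and not from the original article) that scores constructed login log lines per source IP for the indicators above: failure rate, usernames that don’t exist in the system, one attempt per account, and the resulting hit rate. The log format, IP addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample: 203.0.113.7 tests a combo list at 03:00 (off-peak);
# 198.51.100.4 is a real user who mistypes a password once, then signs in.
SAMPLE_LOG = """\
2021-03-02T03:00:01 203.0.113.7 alice@example.com no_such_user
2021-03-02T03:00:02 203.0.113.7 bob@example.com bad_password
2021-03-02T03:00:02 203.0.113.7 carol@example.com no_such_user
2021-03-02T03:00:03 203.0.113.7 dave@example.com no_such_user
2021-03-02T03:00:03 203.0.113.7 erin@example.com bad_password
2021-03-02T03:00:04 203.0.113.7 frank@example.com ok
2021-03-02T03:00:05 203.0.113.7 grace@example.com no_such_user
2021-03-02T03:00:05 203.0.113.7 heidi@example.com no_such_user
2021-03-02T03:00:06 203.0.113.7 ivan@example.com bad_password
2021-03-02T09:15:10 198.51.100.4 mallory@example.com bad_password
2021-03-02T09:15:30 198.51.100.4 mallory@example.com ok
"""

# Illustrative thresholds (assumptions); tune them against the site's own baseline.
MIN_ATTEMPTS = 8        # attempts from one source before it is judged at all
MIN_FAILURE_RATE = 0.6  # share of attempts that failed
MIN_UNKNOWN_RATE = 0.3  # share of attempts naming accounts the site never had


def parse_log(text):
    """Parse '<timestamp> <ip> <username> <result>' lines, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append(dict(zip(("ts", "ip", "user", "result"), parts)))
    return events


def stats_by_source(events):
    """Per source IP: attempts, failures, unknown usernames, hits, distinct users."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "unknown": 0,
                                 "hits": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "ok":
            s["hits"] += 1
        else:
            s["failures"] += 1
            s["unknown"] += e["result"] == "no_such_user"
    return dict(stats)


def suspicious_sources(stats):
    """Return {ip: [reasons]} for sources showing credential-stuffing indicators."""
    flagged = {}
    for ip, s in stats.items():
        if s["attempts"] < MIN_ATTEMPTS:
            continue
        reasons = []
        if s["failures"] / s["attempts"] >= MIN_FAILURE_RATE:
            reasons.append("high failure rate")
        if s["unknown"] / s["attempts"] >= MIN_UNKNOWN_RATE:
            reasons.append("many usernames not in the system")
        if len(s["users"]) >= 0.9 * s["attempts"]:  # a fresh account on almost every try
            reasons.append("one attempt per account")
        if reasons:  # hits/attempts is the "hit rate" of the four-step process below
            reasons.append(f"hit rate {s['hits'] / s['attempts']:.0%}")
            flagged[ip] = reasons
    return flagged
```

The ordinary user never reaches MIN_ATTEMPTS, so only the combo-list source is flagged; in production the same counters would run over a sliding time window rather than a whole file.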
What makes account takeover attacks possible
There are many ways for bad actors to conduct an account takeover attack. But, generally, account takeover attacks require a four-step process: data breach, combo list, hits, and monetization.
1. Data breach: This is the core of any account takeover attack. In data breaches, bad actors unlawfully access corporate databases in search of customer data.
2. Combo list: From a data breach comes a combo list, or a list of usernames, email addresses, and passwords for upwards of thousands of customer accounts. One bad actor may sell a combo list from a data breach to any number of other bad actors.
3. Hits: When other bad actors acquire combo lists, they may use software or tools to test combos for hits. A hit is a confirmed combination of a customer’s username or email and password. The average hit rate is between 1% and 2%. So for every 100,000 tests, a bad actor can confirm at least 1,000 combos.
4. Monetization: Once a bad actor has confirmed hits, they can take over customer accounts and drain loyalty points, steal customer data, or purchase goods or services fraudulently. Or they can sell their hits list to the next buyer.
Outside large-scale data breaches, bad actors can attempt to take over customer accounts through a variety of attacks. Common attacks that make account takeover possible include credential stuffing, brute force, password spraying, phishing, spear phishing, and identity theft or social engineering.
Credential stuffing attacks
In a credential stuffing attack, bad actors test hundreds of thousands of combinations of usernames, emails, and passwords in quick succession on a target website. In many cases, they’re trying to confirm that the credentials on a combo list will unlock an account. A bad actor using more advanced methods for credential stuffing may launch a botnet attack. In a botnet attack, bad actors infect computers or Internet of Things (IoT) devices with malware to carry out a credential stuffing attack.
If a bad actor can unlock a customer’s account on one website, there’s a good chance they can unlock other accounts with the same credentials. This is especially true, considering that the average American has 27 online accounts, according to a 2019 Harris Poll and Google study. Among survey participants, 66% said they use the same password on more than one website.
Brute-force attacks
In a brute-force attack, a bad actor will attempt to force their way into a user account by testing hundreds or thousands of passwords until the account unlocks. The goal is to test as many passwords as possible at the highest possible velocity to break into an account. Today, bad actors can automate brute-force attacks with bots or other software.
Password-spraying attacks
A brute-force attack attempts as many passwords as possible against user accounts. A password-spraying attack is a more refined brute-force attack: the bad actor attempts to unlock valid user accounts using only the most common passwords.
Over the years, large-scale data breaches have revealed some of the most common passwords, which bad actors can purchase and test across the web. The Harris Poll study found that 22% of respondents use their name as a password for at least one account. And in 2020, data breaches exposed the most common password — “123456” — over 23 million times. And it takes less than a second to crack.
Phishing attacks
In a phishing attack, bad actors will use deceptive email or text messages to trick someone into giving up account usernames and passwords. For example, a bad actor will acquire email addresses or phone numbers for customers or employees of big companies. Then they’ll design and send a message to each person, claiming that they need to update their passwords. In each message, the bad actor will include a link to a malicious website. Then they’ll wait for their victims to open those links and enter their credentials.
In 2019, 65% of U.S. organizations experienced a successful phishing attack, according to Proofpoint’s 2020 State of the Phish report. That was well over the 55% global average. And 60% of U.S. organizations experienced successful credential phishing attacks. Out of those attacks, respondents say their organizations lost data and were infected with malware and ransomware.
Spear-phishing attacks
Whereas phishing attacks cast a wide net for unsuspecting victims, spear-phishing attacks are more targeted. In this kind of attack, a bad actor attempts an account takeover against high-value targets like CEOs or elected officials. To launch an attack, the bad actor will do more research on their targets and their targets’ accounts. And they’ll research the people closest to the targets to design more aggressive social engineering campaigns.
Identity theft and social engineering
In an identity theft or social engineering attack, a bad actor may attempt to manipulate a customer service agent into helping them access someone else’s account. While not as automated as some other ATO-related attacks, social engineering can be very targeted. And it can be hard to detect if a bad actor already knows someone’s personal information, like their birthdate or Social Security number. Customer service agents, in particular, will want to be wary of these kinds of attacks, especially if the bad actor claims they can’t perform multi-factor authentication with their mobile phone.
How account takeover attacks affect major industries
Some account takeover scenarios can affect just about any online business. Beyond retail and eCommerce, account takeover is prevalent in gaming, streaming, travel, and more. Here are some of the most common industry scenarios.
Account takeover in gaming
Account takeover in gaming primarily affects competition-based gaming accounts and gambling accounts. In each scenario, players may have high-value winnings in their user accounts. This is similar to bank fraud in that if a bad actor takes over a winner’s account, they can steal their winnings.
In Spring 2020, Nintendo gamers took to social media to report funds missing or misused on their accounts. It wasn’t long before Nintendo reported that bad actors breached 160,000 accounts using stolen network IDs.
Account takeover in streaming
Whether it’s video or music streaming, account takeover in this industry typically leads to account arbitrage. In this case, a bad actor accesses legitimate accounts with known credentials, locks out the user, and sells access to the user’s account on a third-party site. As long as the account takeover goes undetected, bad actors can monetize the sale of legitimate customer accounts.
In November 2020, Spotify reported a breach of 300,000 user accounts, exposing users’ email addresses, display names, passwords, genders, and dates of birth. Music news sources report that bad actors put millions of hacked Spotify accounts on the dark web for as little as $1.
Account takeover in retail and eCommerce
Account takeover in retail and eCommerce most commonly results in loyalty points drain and eGift card fraud. That’s in addition to revealing stored customer payment information. In July 2020, Instacart reported a credential stuffing attack that resulted in the theft of customer data that later appeared for sale on the dark web.
A few months later, warehouse retailer Sam’s Club automatically sent password-reset notifications to customers. The notification warned that customer accounts may have been compromised through credential stuffing, data breaches, or phishing.
Account takeover in telecommunications
Bad actors know that if they can take over someone’s phone, they have the keys to that person’s life. Account takeover in telecommunications can result in bad actors purchasing new phones or technology under a false identity or porting someone’s SIM into their own devices. When a bad actor ports a SIM, they can access a victim’s contacts, conduct social engineering scams, or access any two-factor authentications that go to the victim.
Account takeover in travel
The multibillion-dollar travel industry is a prime target for account takeover attacks. Frequent flyers can have thousands of dollars’ worth of miles or points behind their accounts. And if a bad actor takes over accommodation-hosting accounts, they may be able to manipulate per-night prices, change payment accounts, and duplicate ads to scam travelers.
Account takeover in oil and gas
Traditionally, bad actors relied on card skimmers to steal credit card data at the gas pump. But with the rise of card-not-present (CNP) transactions, account takeover attacks target gas rewards or stored value cards. When bad actors take over gas rewards, they can resell their value or use them to fill their tanks.
Account takeover in financial services
Bad actors who launch account takeover attacks on banks and financial institutions can open fraudulent accounts and take out loans without authorization. In this case, a financial institution may fund a loan that a consumer doesn’t know about and can, ultimately, default on. Not only can this ruin a consumer’s credit, but it can also expose a bank or credit union’s security weaknesses and damage relationships with consumers. In some cases, bad actors can even open mule accounts for money laundering or to fund criminal or terrorist organizations.
Account takeover in food services
It’s no secret that quick-service restaurants (QSRs) have a digital fraud problem. Credential stuffing and ATO attacks have increased with the rise in mobile order-ahead app usage. Customers who use QSR apps often may have a high number of loyalty points that bad actors may drain when they take over accounts. And it’s not just customer accounts at risk.
Mobile order-ahead apps are prime targets for card testing too. In September 2019, DoorDash reported a data breach that compromised 4.9 million customer, Dasher, and merchant accounts. The breach compromised the last four digits of user payment cards.
Account takeover in health and beauty
Account takeover in health is most prevalent in insurance fraud and compromising health records. Bad actors may use account takeover to assume an identity, open policies, and submit false claims. In the case of compromising health records, a bad actor can use the information in social engineering or spear-phishing attacks.
Account takeover in leisure and entertainment
ATO in leisure and entertainment is similar to ATO in streaming in that it typically leads to account arbitrage. A bad actor may access legitimate accounts with known credentials, lock out users, and sell access to the accounts on a third-party site. As long as the account takeover goes undetected, bad actors can monetize the sale of legitimate customer accounts.
In November 2019, within hours of the Disney+ launch, thousands of user accounts were taken over and put up for sale on the dark web. A ZDNet investigation revealed that bad actors sold accounts for between $3 and $11 for three-year subscriptions.
The effects of account takeover attacks
With the rise in account takeover attacks across industries, businesses are finding that some of the most devastating effects aren’t from chargebacks, lost revenue, or brand damage. As more states hold businesses accountable for account takeover attacks, businesses face heavy fines and legal fees.
For example, attorneys general have begun to file lawsuits against national corporations that don’t adequately prevent fraud. These lawsuits claim that companies violate consumer protection laws when they fail to prevent cyberattacks. These cases are setting new precedents in consumer protection law that could hold businesses accountable for not protecting against account takeover attacks.
Essentially, when a bad actor takes over an account, they can:
- Expose personally identifiable information
- Change passwords and lock out users
- Drain accounts of monetary funds or loyalty points
- Buy goods, services, and gift cards
- Create new accounts fraudulently
- Trade value between accounts
- Stream digital content illegally
Each of these can come back on the business. A Kount 2020 survey revealed that 6 in 10 consumers are most concerned about an online retailer’s credibility following a data breach. And when bad actors purchase goods or services fraudulently, they manipulate inventory and expose businesses to chargebacks and related fees.
Not to mention, account takeover can damage brands permanently. And it can erode the trust and loyalty of good customers, especially when businesses increase customer friction and false positives to prevent fraud. The same Kount survey found that 25% of respondents wouldn’t return to a website if it turned away their legitimate transaction.
How Kount Control takes a multi-layered approach to account takeover prevention
The best way to prevent account takeover is to implement an account takeover solution. The right solution can help businesses prevent fraud without adding unnecessary friction to the customer experience. Kount Control for account takeover protection takes a multi-layered approach to stop malicious logins, detect bots, and customize customer experiences by accepting, blocking, or challenging login activity.
The protection layer
At the protection layer, Kount Control evaluates user behavior, device, and network anomalies through tools like Trusted Device, IP risk detection, and anomaly detection. This linked analysis can detect high-risk, irregular login activity from bots, credential stuffing, and brute-force attacks.
With Trusted Device, Kount Control customers can identify the relationship between a device and a customer. Typically, customers use a few trusted devices to log in to accounts. When businesses can see a customer’s trusted devices, they can set policies that challenge logins coming from non-trusted devices at certain velocities.
Let’s say a good customer attempts to log in to an account. If the business uses Kount Control, it can know if the user is logging in from a trusted device. If it’s a trusted device, the customer can log in without friction. If the device isn’t trusted, businesses can challenge customers with step-up or multi-factor authentication. If the customer passes the challenge, they can proceed to their account, and Kount Control can trust the device.
Trusted Device helps businesses do three important things:
- Recognize customers or bad actors as soon as they attempt to log in.
- Deliver customized and frictionless experiences.
- Improve retention and customer loyalty.
Meanwhile, bots used in account takeover attacks often use high-risk IP addresses, which Kount Control’s IP risk capabilities can help detect. And if an IP address starts to exhibit anomalous behavior, Kount Control’s IP anomaly detection can identify it. Kount’s machine learning identifies anomalous attributes from across the Identity Trust Global Network™. So if a business sees, for example, higher-than-average transaction or chargeback velocities from one IP address in a short time, it may indicate a bot attack.
And it’s not just one or two potentially anomalous events Kount’s network can identify. The Identity Trust Global Network links signal data from 32 billion annual interactions across 250 countries and territories, over 75 industries, and over 50 payment processors and card networks. The result is that businesses can block payment fraud and prevent account takeover in real time.
The policy and customization layer
In the policy and customization layer, businesses can customize user experiences and reduce friction. They do this by identifying users based on a dataset of common characteristics, such as user type (e.g., loyal or VIP users versus trial users), device specifics, IP risk, geolocation, and more.
From there, businesses can set policies according to how they define high-risk, minimal-risk, or no-risk activity. When login activity triggers a policy, Kount Control responds accordingly. Additionally, Kount customers may have internal business policies or regulatory guidelines to maintain at login. They can manage, customize, and adjust those through Profiles and Policies without costly development efforts. With Kount Control, businesses can fine-tune their ATO fraud strategies and decide what type of experience to deliver to their customers.
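The trusted-device flow and the accept/challenge/block policy described in the protection and policy layers, as an added Python example that is not Kount Control’s own logic. The LoginAttempt fields, the Policy thresholds, the IP-risk labels and the TrustedDeviceStore are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    user: str
    device_id: str               # assumed stable device fingerprint
    ip_risk: str                 # "low", "medium" or "high" from an assumed IP-risk feed
    recent_failures: int = 0     # failed logins on this account in the last few minutes
    user_type: str = "standard"  # e.g. "vip" or "trial", as in the policy layer above


@dataclass
class Policy:
    """Illustrative thresholds (assumptions); a real deployment tunes these per site."""
    challenge_failures: int = 3         # velocity at which even trusted devices get a step-up
    block_failures: int = 10            # velocity at which logins are refused outright
    always_challenge: tuple = ("vip",)  # user types that must always pass MFA


class TrustedDeviceStore:
    """Remembers which devices each user has proven ownership of via a challenge."""

    def __init__(self):
        self._trusted = defaultdict(set)

    def is_trusted(self, user, device_id):
        return device_id in self._trusted[user]

    def trust(self, user, device_id):
        self._trusted[user].add(device_id)


def decide(attempt, policy, store):
    """Return 'accept', 'challenge' or 'block' for one login attempt."""
    if attempt.ip_risk == "high" or attempt.recent_failures >= policy.block_failures:
        return "block"       # botnet-grade IP, or an account already under attack
    if attempt.ip_risk == "medium" or attempt.user_type in policy.always_challenge:
        return "challenge"   # business policy: step-up regardless of device
    if not store.is_trusted(attempt.user, attempt.device_id):
        return "challenge"   # new device: OTP before the login proceeds
    if attempt.recent_failures >= policy.challenge_failures:
        return "challenge"   # known device, but suspicious velocity on the account
    return "accept"          # trusted device, quiet account: no friction


def on_challenge_passed(attempt, store):
    """Once the user passes the OTP, the device becomes trusted for that account."""
    store.trust(attempt.user, attempt.device_id)


def walkthrough():
    """Constructed sequence mirroring the trusted-device flow described above."""
    policy, store = Policy(), TrustedDeviceStore()
    first = LoginAttempt("alice", "laptop-1", "low")
    results = [decide(first, policy, store)]          # new device -> challenge
    on_challenge_passed(first, store)                 # alice enters the OTP correctly
    results.append(decide(first, policy, store))      # same device -> accept
    results.append(decide(LoginAttempt("alice", "phone-9", "high"), policy, store))
    results.append(decide(LoginAttempt("alice", "laptop-1", "low", 4), policy, store))
    return results                                    # [..., "block", "challenge"]
```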
The step-up authentication layer
The step-up authentication layer allows businesses to select from two forms of MFA to challenge login activity. A business’s account security requirements will determine if it needs to challenge all login activity with step-up authentication. Kount Control’s MFA options take authentication security to the next level by verifying users through a one-time passcode (OTP) via email or SMS.
Kount Email MFA for one-time passcodes (OTP)
Kount Email MFA challenges the user by sending a numeric passcode to the email address associated with the user account. If the user can retrieve and enter the passcode, they can prove that they’re the owner of the registered email account. Kount Email MFA uses this knowledge to further authenticate and verify the user’s identity.
Equifax Secure MFA
For use cases that require additional security or mobile-first support, Kount customers can access Equifax Secure MFA. Equifax Secure MFA links a user’s mobile number and device or SIM card through a dynamic hyperlink delivered via SMS. This MFA option confirms that the user engaging with the business application possesses the device and SIM associated with the phone number, providing an additional layer of identity trust.
The reporting and data presentation layer
Kount Control’s reporting and data presentation layer provides multi-dimensional data and real-time reporting that can reveal valuable customer insights. Kount customers can use these insights to fine-tune business policies and further customize experiences. The reporting and data layer provides login trend data, including device and IP information. Quickly identifying and reporting on failed login attempts, risky IPs, compromised accounts, and inbound anomalies allows businesses to stop account takeover attempts.
And customers can customize Kount Control’s decision responses to send specific response data back to the business’s internal systems. This flexibility allows internal teams to automate processes based on Control’s output data. Overall, Kount Control’s reporting capabilities can reveal valuable customer insights that businesses can use to fine-tune business policies and further customize experiences.