Account Takeover Detection solutions

The thing that makes Account Takeover fraud so troublesome for businesses and consumers is the fact that it produces further fraud. To stay ahead of Account Takeover, keep reading.

What is Account takeover Fraud?

Account Takeover Fraud (ATO) happens when a fraudster uses somebody else's credentials to gain unauthorized access to an account and uses it to their own advantage. The fraudster monetizes the account by either transferring funds, making unauthorized purchases, or selling the account data elsewhere. The main problem with this particular type of fraud is that the credentials used for taking over one account are usually used to access multiple other accounts, which causes that much more damage. This makes it distinct from card-not-present fraud, where only one relationship is endangered.

A typical ATO attack works as follows:

- The fraudster uses stolen credentials and logs into the victim's account.
- The attacker changes the account details, email, and phone number, for instance.
- The fraudster uses the account to make unauthorized transactions or sells the account data to someone else.

What makes ATO fraud more dangerous than card-not-present fraud is the fact that with a single combination of credentials (i.e., username and password), the fraudster is able to access multiple accounts.

The truth is, we are terrible with passwords. We constantly reuse them and make a low effort to guard our online security.

Obtaining the credentials

There are a few different methods fraudsters use to get hold of the user's credentials. More sophisticated methods, such as phishing and malware, are used to obtain more valuable credentials. They enable the fraudster to take over a victim's bank account, for instance. Other methods use credential stuffing and brute force attacks in order to obtain an account and target eCommerce accounts.

1. PHISHING ATTACKS

A phishing scam consists of sending a link via email, text message, or social media containing malware that collects the victim's credentials. This method usually uses well-established website interfaces that the users trust. And while the interface seems familiar and legitimate, there is a fraudster in the background that is harvesting your credentials and accessing your account in order to use it to their own advantage.

2. CREDENTIAL STUFFING

Another known method for conducting account takeover fraud is purchasing stolen credentials on the dark web in bulk. This information is usually published after a data breach and damages both users and businesses. The most valuable information published after a data breach consists of emails and their corresponding passwords.

For how many accounts do you use your email address and the same password? Think about it. By using automated scripts and bots, the fraudster is able to quickly scan through a multitude of account-based websites. They collect further information such as saved credit card numbers, social security numbers, etc.

3. MALWARE

Malware is software specifically designed to cause harm and damage in order to gain unauthorized access. By downloading content from sketchy sites, you are at risk of unknowingly installing malware on your device. That malware is able to track everything the user types. Now the fraudster just needs to be patient and wait for you to enter your credentials.

4. MAN-IN-THE-MIDDLE ATTACKS

A man-in-the-middle attack is based on intercepting a message and altering it to the fraudster's advantage. By using malware, the fraudster is able to intercept, edit, and resend an altered message sent between the victim's device and the bank's server.

Account takeover fraud: The consequences

The consequences of ATO fraud affect both businesses and customers.

The fact that the fraudster used legitimate credentials in order to log in to an account makes it that much harder to detect whether it is an unauthorized person behind the username. The fraudsters are getting better and better at mimicking the "usual" user behavior by carefully choosing the amount to be spent, time of login, time of order, and other details visible in the account history.
By the time the rightful owner of the account notices any strange activity, they are probably already locked out of their account because the fraudster rushed to change the vital account recovery details as soon as they gained control of the account. Even if victims manage to retrieve their accounts, their personal information is most probably already compromised.

When talking about businesses whose customers are victims of an account takeover attack, we need to mention great financial and reputational losses. The financial loss is due to incoming chargeback costs accompanied by inventory costs. The data breach itself ruins the company's reputation with clients, while higher chargeback rates cause problems with issuers and card schemes. Customers lose trust in such businesses and tend to turn to the competition, which means that customer loyalty is also at stake. The overall reputation of the business suffers, and the options for damage control are scarce when overturning such an unfortunate course of events.

How to Detect Account Takeover Fraud?

Protect your business and your customers

Account takeover fraud is an emerging type of attack targeting customers' accounts with valuable information such as saved credit card data, personal information, loyalty points, etc. In this way, the fraudster is able to monetize the account by either stealing the funds or the account data and reselling it on the dark web.
Account takeover fraud is extremely harmful to the business. Not only does it cause chargebacks and ruin their chargeback rates, but it has a detrimental effect on the company's reputation and customer loyalty.

Even though we are dealing with a type of fraud that is incredibly hard to detect, we gathered best practices regarding account takeover fraud detection. Watch out for these signs of an ATO attack, and protect your business and your customers.

1. EDUCATE YOUR CUSTOMERS AND STAFF

Users and companies who have account-based websites are the prime targets for fraudsters. A common puzzle piece of account takeover fraud is phishing. For instance, the victim receives a legitimate-looking email containing a link leading to a familiar site that requires login. The unsuspecting victim enters their credentials, while the fraudster on the other side of the screen harvests their usernames and passwords. Regularly educate both your customers and staff regarding online security threats such as this one. Be proactive about security measures and implement best practices such as regular changes of user passwords and tips on how to protect user credentials.

2. WELL-INFORMED CUSTOMER SUPPORT STAFF

Fraudsters are no strangers to contacting the call center of a company directly in order to get more information about sensitive data necessary for login. Train your staff to ask questions that are specific, i.e., questions that only a legitimate account holder could know the answer to.

3. MULTIPLE ACCOUNTS HAVING THE SAME ACCOUNT DETAILS

When a fraudster takes over an account, their goal is to keep it. In order to do that, they need to change specific details necessary for the account recovery process, such as email or mobile phone number. If you notice multiple accounts having the same account details listed, e.g., mobile phone number, the chances of an account takeover fraud are pretty high.

4. MONITOR CUSTOMER BEHAVIOR FOR POSSIBLE ACCOUNT TAKEOVER FRAUD

By observing the account history, you are able to detect certain anomalies in customer behavior. If a user suddenly spends an amount larger than usual or places a suspicious number of orders in a short period of time, investigate further and see if any of the account details have been recently changed. If yes, that might indicate account takeover fraud.

5. IMPLEMENT BACKEND MONITORING

Another way of protecting your business and your customers is by implementing backend monitoring. Detect fraudulent activity regarding suspicious IP addresses and analyze timestamp data transfers. This enables you to identify whether a fraudster is trying to intercept any communication happening between the site’s form and the backend of the website.

6. MULTIPLE ACCOUNTS – SAME DEVICE

Sometimes, fraudsters tend to be lazy, and they don't mask their device data. They carelessly log in to multiple accounts, and the recorded activity shows the same device number – belonging to the fraudster. Keep an eye on this one, but don't act too quickly because family members and work colleagues often share the same device. Look for more clues in order to make sure that you are witnessing legitimate account takeover fraud.

7. PAY ATTENTION TO DEVICE SPOOFING

Staying on the same topic, there are also fraudsters who mask their device data by using device spoofing. Usually, if they implement device spoofing, the device details show up as "unknown". There is a pattern where the victim's accounts are usually connected to more "unknown" devices than legitimate ones where you are able to see the exact device model. Look out for this one!

8. MULTIPLE IP ADDRESS COUNTRIES

Following a data breach, multiple user credentials are published/purchased on the dark web. That also means that fraudsters are trying to log in to the user account using that fresh information. Since they can't possibly know the exact location of each customer, they also can't match their IP address country to fit the profile. Observe accounts that have an unusually high number of IP address countries connected to them. It is a clear sign of account takeover fraud.
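
The cross-account checks from points 3, 6, 7 and 8, combined in one pass over login records. This is an added example, not code from the original article; the record layout, the placeholder country codes, the threshold of three countries and the two-signal review rule are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real): recovery phone per account, and
# login records as (account, device id, IP country placeholder).
PHONES = {"u1": "555-0101", "u2": "555-0199", "u3": "555-0199",
          "u4": "555-0199", "u5": "555-0142", "u6": "555-0143"}
LOGINS = [
    ("u1", "dev-1", "C1"), ("u1", "dev-9", "C1"), ("u6", "dev-9", "C1"),
    ("u2", "dev-7", "C1"), ("u3", "dev-7", "C2"), ("u4", "dev-7", "C3"),
    ("u5", "dev-5", "C1"), ("u5", "unknown", "C2"),
    ("u5", "unknown", "C3"), ("u5", "unknown", "C4"),
]
MAX_COUNTRIES = 3  # assumed threshold, tune it on your own traffic

def account_signals(phones, logins, max_countries=MAX_COUNTRIES):
    """Map each account to the set of signals it raises."""
    by_phone, by_device = defaultdict(set), defaultdict(set)
    countries, known = defaultdict(set), defaultdict(set)
    unknown = defaultdict(int)
    for acct, phone in phones.items():
        by_phone[phone].add(acct)
    for acct, dev, country in logins:
        countries[acct].add(country)
        if dev == "unknown":          # spoofed devices report no model
            unknown[acct] += 1
        else:
            known[acct].add(dev)
            by_device[dev].add(acct)
    signals = defaultdict(set)
    for name, groups in (("shared_details", by_phone),
                         ("shared_device", by_device)):
        for accts in groups.values():
            if len(accts) > 1:        # same value on several accounts
                for acct in accts:
                    signals[acct].add(name)
    for acct, seen in countries.items():
        # more "unknown" device logins than identifiable devices
        if unknown[acct] > len(known[acct]):
            signals[acct].add("unknown_devices")
        if len(seen) >= max_countries:
            signals[acct].add("many_countries")
    return dict(signals)

def review_queue(signals, min_signals=2):
    """A shared device alone is weak (families share devices), so only
    accounts raising at least `min_signals` distinct signals are queued."""
    return sorted(a for a, s in signals.items() if len(s) >= min_signals)
```

On the sample data, `u1` and `u6` share a device but raise nothing else, so they stay out of the review queue, while `u2`, `u3`, `u4` and `u5` each raise two signals.
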

9. DETECT CREDENTIAL STUFFING

As mentioned earlier, a data breach results in a multitude of user credentials ending up on the dark web. When fraudsters get a hold of those credentials, they use credential stuffing in order to quickly check if any of the purchased usernames and passwords actually work. Detecting it relies on both technical and behavioral tracking of bot activity.

10. FRAUDSTER BEHAVIOR DURING ACCOUNT TAKEOVER FRAUD

We mentioned the necessity to track customer behavior, but if an attacker is behind the observed activity, we are talking about fraudster behavior. The (un)fortunate course of events is pretty predictable, and it is the following:
- Account details have changed (email, mobile phone number, address, etc.)
- Within 24 h of the initial account changes, a login from a new device is visible.
- The fraudster places an order to a new delivery address.
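
The three-step sequence above, as a per-account correlation rule over an event stream. This is an added example, not code from the original article; the event tuple layout and the event type names (`detail_change`, `login`, `order`) are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # the 24 h window named in the text

# Constructed sample events (not real data):
# (ISO timestamp, account, event type, device id / address id / field)
EVENTS = [
    ("2024-05-01T09:00", "alice", "login", "dev-A"),
    ("2024-05-01T09:05", "alice", "order", "addr-1"),
    ("2024-05-03T22:10", "alice", "detail_change", "email"),
    ("2024-05-04T03:40", "alice", "login", "dev-X"),
    ("2024-05-04T03:55", "alice", "order", "addr-9"),
    ("2024-05-02T10:00", "bob", "login", "dev-B"),
    ("2024-05-02T10:30", "bob", "order", "addr-2"),
    ("2024-05-05T10:00", "bob", "detail_change", "phone"),
    ("2024-05-05T11:00", "bob", "login", "dev-B"),
    ("2024-05-05T11:10", "bob", "order", "addr-2"),
]

def detect_takeover_sequence(events, window=WINDOW):
    """Return (account, timestamp) for every order that completes the chain:
    detail change -> login from a new device within `window` -> order to a
    delivery address the account has never used."""
    state, flagged = {}, []
    for ts, acct, kind, value in sorted(events):  # ISO strings sort by time
        t = datetime.fromisoformat(ts)
        s = state.setdefault(acct, {"devices": set(), "addrs": set(),
                                    "changed_at": None, "new_dev": False})
        if kind == "detail_change":
            s["changed_at"], s["new_dev"] = t, False
        elif kind == "login":
            recent = s["changed_at"] and t - s["changed_at"] <= window
            # an account's very first device is not "new", it is the baseline
            if recent and s["devices"] and value not in s["devices"]:
                s["new_dev"] = True
            s["devices"].add(value)
        elif kind == "order":
            if s["new_dev"] and s["addrs"] and value not in s["addrs"]:
                flagged.append((acct, ts))
            s["addrs"].add(value)
    return flagged
```

In the sample, `bob` also changes a detail, but then logs in from a known device and ships to a known address, so only `alice` is flagged.
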

11. FRAUDSTER BEHAVIOR DURING ACCOUNT TAKEOVER FRAUD

Upon taking over an account, fraudsters tend to leave the details untouched for some time. They gained access and will take care of the rest later. But if there is a notification sent to the user, alerting them about suspicious activity, fraudsters end up in panic mode. They rush to change details such as email and password in order to keep the stolen account. Track these changes triggered by a security alert. Password reset requests might soar.

12. LOOK OUT FOR SUSPICIOUS LOYALTY PROGRAM ACTIVITY

Loyalty points are often overlooked by legitimate users and remain untouched. Fraudsters often target accounts solely because of loyalty programs. Stay alert and track if there is any sudden activity involving the use of loyalty points.

Account Takeover Fraud Detection Wrap Up

With Account takeover fraud, timing is crucial. It is extremely important to stop the attack in the earliest stage of the fraud lifecycle. By continuous monitoring of account history and customer behavior, it is possible to detect anomalies and extract activities that do not match previous patterns. Mentioned best practices, accompanied by Strong Customer Authentication (SCA) and 3D Secure technology, promise the highest level of security.

Account takeover detection FAQ

1. What is account takeover detection?
Account Takeover Fraud (ATO) happens when a fraudster uses somebody else's credentials to gain unauthorized access to an account and uses it to their own advantage. The fraudster monetizes the account by either transferring funds, making unauthorized purchases, or selling the account data elsewhere.
2. What are some common indicators of an account takeover?
  • Account details have changed (email, mobile phone number, address, etc.).
  • Within 24 h of the initial account changes, a login from a new device is visible.
  • The fraudster places an order to a new delivery address.
3. What is account takeover in banking?
Account takeover in banking refers to a hacker gaining unauthorized access to your online bank account and making illicit actions such as stealing personal information, rerouting transfer details, withdrawing funds without permission, etc.
4. How do hackers take over accounts?
Hackers usually obtain user credentials through published lists on the dark web after major data breaches. They would typically use a script and feed the credentials with corresponding passwords to popular websites that require login information. Once they scored a hit, they would try the same combination of user credentials for other services that offer payment options (e.g., online banking, online shopping) in order to steal credit card numbers, make purchases, or simply tamper with the victim's account.
5. What are the stages of account takeover?
A typical ATO attack works as follows:
  • The fraudster uses stolen credentials and logs into the victim's account.
  • The attacker changes the account details, email, and phone number, for instance.
  • The fraudster uses the account to make unauthorized transactions or sells the account data to someone else.
6. What is the risk of an account takeover?
When talking about businesses whose customers are victims of an account takeover attack, we need to mention great financial and reputational losses. The financial loss is due to incoming chargeback costs accompanied by inventory costs. The data breach itself ruins the company's reputation with clients, while higher chargeback rates cause problems with issuers and card schemes. Customers lose trust in such businesses and tend to turn to the competition, which means that customer loyalty is also at stake. The overall reputation of the business suffers, and the options for damage control are scarce when overturning such an unfortunate course of events.
7. What is the difference between identity theft and account takeover?
The main difference between Account Takeover (ATO) and identity theft lies in the motive. While ATO fraud takes place online and usually involves the victim's online banking accounts, identity theft is broader and allows the criminal to use the victim's identity for various fraudulent activities that can take place offline as well.
