Account Takeover Definition (ATO)
Account Takeover (ATO) is an attack whereby cybercriminals take ownership of online accounts using stolen passwords and usernames. Cybercriminals generally purchase a list of credentials via the dark web – typically gained from social engineering, data breaches and phishing attacks. They use these credentials to deploy bots that automatically access travel, retail, finance, eCommerce, and social media sites, to test password and username combinations and attempt to login.
Eventually, attackers arrive at a list of verified credentials and make a profit by selling these credentials to other people or by abusing the account. Attacks involving account takeovers cause a type of identity theft.
Users typically don’t modify passwords regularly, and they reuse login details over various sites. Attackers can use bots to easily carry out credential stuffing and brute force attacks, by rolling through many password and username combinations to accomplish account takeover.
Cybercriminals can also break into verification login pages on mobile sites, websites and native mobile application APIs. After the cybercriminals achieve access they can carry out account takeover abuse and fraud, for instance using the user’s loyalty points.
What Types of Organizations Do ATO Attacks Target?
Historically, financial institutions were the most concerned about fraudulent access to user accounts. Today, ATO attacks can influence all organizations that have a user-facing login. The most prevalent cybercriminal motivation is financial – cybercriminals typically seek out the quickest and simplest means for financial gain. Today, this involves stealing cryptocurrency, selling personal information, or tricking victims into installing ransomware.
In different situations, the cybercriminal’s aim is to gather personally identifiable information (PII). Personal information is highly sought after because it may be used to carry out identity theft via various methods, for example, committing insurance fraud, obtaining credit card details, and for lines of credit.
Personal details can be employed in spam and phishing campaigns to make the fraudulent communications appear more realistic, and to help cybercriminals reach their victims. These forms of attacks generally target the public sector, healthcare and academic institutions.
ATO attacks also affect eCommerce sites. Cybercriminals can take over an existing account and use it to purchase goods on the user’s behalf. After compromising the account, attackers will log in, quickly add high-value goods to the shopping cart and pay using the user’s stored payment credentials, changing shipping address to their own.
How Account Takeover Fraud Happens
Here are some common attack vectors for account takeovers:
Theft of Login Credentials via a Data Breach
Billions of documents about personal data are accessed via data breaches on a yearly basis. The leaked usernames and passwords are generally what cybercriminals require to take over an account. Given that many individuals use identical login details for several websites or services, cybercriminals will attempt to gain access to different online services using the leaked usernames and passwords.
Brute Force Credential Cracking
Cybercriminals can access your personal details by trying various passwords to discover which one is correct. To make the process faster, they employ bots that can check a large number of password combinations. Using current tools available to hackers, 8-character passwords can be cracked in an hour or less.
Phishing for Login Information
Cybercriminals might also simply ask victims to grant them their login details. This is achieved via phishing scams, during which victims are tricked into providing their data. Phishing attempts may be executed via SMS, emails, scam websites, chat conversations, malicious phone applications, phone calls and more.
Data Theft via Viruses and Malware
Viruses and malware can achieve many functions. They commonly steal information from a victim’s device. A lot of viruses can track your keystrokes as you enter in your passwords and others can hijack bank details by spying on your browser. You can stop this with antivirus software.
Man in the Middle (MitM) Attacks
Your internet traffic goes through a lot of servers before it gets to a website. If an individual intercepts your traffic while it is on route, and it is not encrypted, they could view all your movements on the internet, including your usernames and passwords. Generally, these man-in-the-middle attacks are carried out via home internet routers or public Wi-Fi networks. You can safeguard yourself with reliable VPN software.
Detecting Account Takeover Fraud in Financial Institutions
In financial institutions, ATO is more severe because it can directly lead to theft and compromise of an individual’s financial accounts. Ongoing monitoring gives organizations the chance to see indications of fraudulent behavior representing an account takeover before it takes hold.
A good fraud detection system will provide financial institutions with complete visibility into the activity of a user, throughout the transaction process. The most effective defense is a system that checks all activities on a bank account – before a cybercriminal can take money, they have to undertake other activities first, including creating a payee.
By monitoring every action on an account, you can isolate patterns of behavior that point to the likelihood of account takeover fraud. Cybercriminals have to complete various actions before they transfer money from an account, so a fraud detection process that continuously monitors behavior can identify clues and patterns to see if a customer is under attack.
This sort of fraud detection process can also monitor risk based on information, including location. For instance, if a customer initially accesses their account from South America and then 20 minutes later from Asia, this may be suspicious and might show that two distinct individuals are making use of the same account.
Account Takeover Protection
Here are a few ways you can protect your organization against ATO.
At this point, ask your user to authenticate using something in addition to their password:
- Something they know – a security question, such as their mother’s maiden name, first pet’s name, etc.
- Something they possess – a token, dongle or other physical object.
- Something they are – face ID, iris scan, fingerprint, or the like.
You don’t have to continuously request this MFA, and you could create an adaptive process – that varies according to perceived risk. For instance, you might ask for two-factor authentication after a user tries to access the account with a distinct login device or from an unusual location.
Account Tracking System
When an account is compromised, you must have a process that will stop further attacks. By sandboxing an account deemed to be suspicious, you may check all activities connected to this account and suspend the account if needed.
AI-based ATO protection and detection processes can find more sophisticated account takeover attempts and bot attacks. ATO attempts often involve the use of fourth-generation bots that are capable of mimicking people’s behaviours, and thus are harder to isolate. Advanced AI-based technology is needed to identify sophisticated ATO attempts and to successfully monitor a site for suspicious behavior.
Web Application Firewall (WAF)
A Web Application Firewall (WAF) protects web applications by filtering HTTP traffic. WAFs can identify malicious traffic and block it. WAFs can help mitigate ATO attacks by one or more of the following methods:
- Identifying and blocking requests from known attackers
- Detect bad bots used for by attackers as part of ATO attacks
- Identify credential stuffing on login portals
- Detect and block brute force attacks by identifying sessions passing an unusual number of credentials
- Enabling multi factor authentication (MFA) or authentication via third-party identity providers like Google
- Scan traffic for “fingerprints” indicating credential stuffing tools
Account Takeover Protection with Imperva
Imperva Advanced Bot Protection prevents business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover, competitive price scraping and other automated threats. The Account Takeover module provides login protection with no added latency and minimal user disruption.
Beyond ATO protection, Imperva provides comprehensive protection for applications, APIs, and microservices:
Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.
Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.
API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.
DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.