Account takeover (ATO) plagues digital businesses and cause significant financial and reputational losses. This persistent and often sophisticated tactic affects individuals and industries across demographics and industries. According to Consumer Affairs, 72% of financial institutions reporting that account takeovers are their primary security concern.
As more of our daily lives move online, ATO attempts are skyrocketing, rising a staggering 282% between 2019 and 2020. With the rise of ATO comes massive losses, affecting 24 million households at an average of $12,000 in losses, per Security.org's annual ATO report.
Account takeover is a type of identity theft where account access is compromised, and someone who is not the legitimate owner of the account takes control of the account. An account takeover allows cybercriminals to modify important account settings, send phishing messages, make unauthorized withdrawals, steal sensitive data, access company accounts, and more.
Despite the prevalence of account takeovers, most people don't understand what to watch for or how it happens. An ATO begins like a tiny crack in a car's windshield. Though the small break seems insignificant, it is compromising and will continue to grow. With ATO, all the fraudster needs is a tiny crack in the glass—a weak password, personal identifiers, public digital identity information—and they're in. From there, the cybercriminal's foundation is laid, and they go to work using one account to take over another or building a digital identity that looks and behaves like a legitimate customer.
A successful account takeover is often executed in four steps:
Most commonly, fraudsters target people who use weak or outdated passwords. People often use the same passwords for all their logins, and others don't account for brute force attacks, making their passwords too simple and easily stolen. Studies have found that even today, many passwords are vulnerable to even the most basic hacking attempts, including human guesswork.
The next step in the account takeover is to test the stolen information. The fraudster takes the login details and other relevant details and uses them in the intended system to see if it's valid, current, and provides access. They then poke around to test the level of access given.
Armed with stolen credentials, the fraudster then bypasses any two-factor authentication associated with the account. This step varies based on the security system, and hackers use a barrage of techniques and tactics to bypass multifactor authentication (MFA), such as brute force attacks, social engineering, and more.
Often, the final step in the account takeover is to up the ante by using the access gained to dig deeper into accounts connected to the stolen one. By doing this, fraudsters aim to break into an even higher-value account and obtain much more sensitive data and bigger payoffs.
Once the account is compromised, the bad actor often changes account settings, passwords, login names, security questions, and other key account credentials. Unfortunately for the victim – the actual account holder – they are now locked out of their account. Their attempts to regain access become much more difficult, as all the security prompts are now different and controlled by the fraudster.
Now that you're familiar with what ATO is and how it happens, let's look at who might be vulnerable to these attacks.
With the continuing rise of ATO, it's important to know who is most at risk so that you can build your defense accordingly.
In the past, fraudsters have targeted financial institutions, but now nearly any organization or individual with a user-facing login is susceptible to account takeovers. In terms of individuals, some groups fall victim to ATO much more often. According to Security.org's recent digital safety studies, 75% of people aged 45 and above have experienced ATO, while only 69% of 18-29-year-olds did.
Here are some common underlying factors in people who are high risks for ATO:
Of course, these factors don't always lead to an ATO, but they certainly shouldn't be ignored.
The trends are less clear when examining the types of organizations vulnerable to ATO. However, some departments need to be hyper-aware of potential ATO, as they're more likely to be targeted. Departments with high-value information should prepare to be targeted more often. IT, finance, and HR teams are more frequently targets since they control employee data, security, or financial information.
We know which type of people and organizations cybercriminals target for account takeover now; let's examine their methodology to gain entry to these accounts.
Understanding the techniques used by fraudsters to conduct ATO is critical to building an effective prevention strategy. It would be easier to defend against if there were only one entry point, but unfortunately, cybercriminals use a wide range of tactics to gain access to an account.
Below are techniques fraudsters currently employ to gain access to victims' accounts.
Phishing is when a bad actor sends deceptive digital messages to victims to trick them into providing sensitive information or infecting their systems with malware. There are several types of phishing attacks, all of which create the potential for ATO:
Since SMS MFA is a near-ubiquitous baseline method used to secure accounts, fraudsters have developed a method to breach the security they provide with SIM swaps. SIM swaps occur when a bad actor gathers personal information about a victim (often through phishing or purchased on the dark web) and then has that person's wireless carrier change the victim's phone number access to the scammer's smartphone SIM card.
As a result, the fraudster's phone now receives all calls and text messages sent to the victim's device, allowing them to intercept the one-time-passcode (OTP) and bypass the authentication.
Fraudsters combine publicly available information with manipulation tactics to commit a social engineering attack on a victim. They gather information from across the web, including social media accounts, to create fraudulent messages they send to victims. These messages pressure the victim to send sensitive data or information, often posing as their employer and asking them to address a seemingly urgent issue.
ATO attacks continue to increase at an alarming rate as fraudsters expand their target base and refine their techniques for more significant payoffs. Although both individuals and companies are affected, businesses can be held liable when customers dispute fraudulent transactions, so the impact can be compounded and costly.
Building a solid relationship and gaining customer trust can make or break a business. Lost trust can be one of the most harmful results of account. According to a recent McKinsey report, 87% of respondents said they would not do business with a company if they had concerns about its security.
The following are the most common and harmful negative impacts resulting from ATO:
There are two different types of ATO prevention: direct prevention and detection. Below are a few tips to prevent ATO from happening or detect it when it's in progress.
In an ideal world, we could prevent all ATO from ever taking place. Unfortunately, there are too many moving parts within a company to avoid it from ever happening. When prevention fails, detection is the next layer of security measures.
Fraudsters don’t always use the same tactics and vectors, making detecting an ATO difficult. However, there are safeguards that individuals and companies can employ to detect and shut down an attack as it's happening.
Digital crime has grown so extensively that all companies and organizations, big and small, are vulnerable. Unfortunately, ATO is a trend that is heading in the wrong direction. Because of how damaging ATO can be to customer relations and brand image, it's essential to minimize risks and employ a flexible, layered security stack that can stop fraud before it starts.
End-to-end account integrity is a dynamic, ongoing process. For more than 15 years, TeleSign has helped the world’s most trusted companies keep their customers safe. As the industry leader in digital identity intelligence, TeleSign harnesses billions of digital interactions, behavioral signals, and traffic patterns to continuously assess risk at key moments across your customers’ lifecycle. Proprietary machine learning adapts to unique business cases and delivers actionable insights codes so you can automate acceptance or rejection of logins, password reset requests, account updates, transaction verifications, and other high-risk interactions across your ecosystem. TeleSign deploys a multilayer defense to protect against ATOs:
Want further details about account takeover? Chat with us today.