What is Account Takeover Fraud?
Account takeover (ATO) is a form of fraud in which fraudsters illicitly access and take control of users' accounts. Once the fraudster gains control of an account, they can engage in a range of activities, including unauthorized financial transactions, changing account settings to lock out the legitimate owner, accessing sensitive personal information, or even using the compromised account to impersonate the owner for further fraudulent activities.
ATO fraud poses a significant threat to individuals and businesses alike, as it can lead to financial losses, identity theft, and various other forms of cybercrime.
How does Account Takeover Fraud work?
The key to a successful account takeover is obtaining a user’s login details or gaining remote control access to users' devices. Here are some of the ways fraudsters carry out ATO attacks:
- Exploiting accessibility permissions: This involves abusing features designed to assist smartphone users, especially those with disabilities. These features require users to grant accessibility permissions, which give an app extensive access to the device. While crucial for some users, these permissions can be misused by fraudsters for malicious activities: once a malicious app holds them, it can take control of the device and monitor everything on the screen, including keystrokes and every installed app. While in control, the scammer reads the list of installed apps and collects whatever the user types or displays, such as login credentials, passwords, and credit card numbers, and also intercepts authentication codes. Armed with this information, the fraudster gets into the victim's bank account, conducts fraudulent transactions and steals funds.
- Social Engineering Attacks: Fraudsters manipulate users into sharing their login credentials, with the most common form of social engineering being phishing or spear-phishing. In these attacks, criminals send messages or emails that appear to be from legitimate sources, such as banks or trusted organizations. These messages often contain links to fake websites/apps created to collect confidential information or to trick the user into installing malware. Armed with the victim’s credentials, the fraudster takes over their bank account.
- Brute Force Attack: Fraudsters use trial and error to uncover login information. Through relentless attempts, they systematically work through all conceivable combinations in the hope of hitting the correct credentials, and they often use tools to automate the attack.
- Credential Stuffing: Fraudsters use bots to test combinations of usernames and passwords on various sites. For instance, they might test the credentials of an e-commerce account on a banking account, taking advantage of people often reusing passwords across different platforms. This implies that if one account is compromised, others are also at risk.
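As an added illustration of how the last two techniques look from the defender's side (example code, not SHIELD's product and not code from the original article), the following Python script classifies failed-login bursts in a constructed authentication log. Brute force shows up as many failures against one account from one source; credential stuffing shows up as one source touching many distinct accounts with a low success rate. The `LoginEvent` record, the thresholds and the sample log are assumptions chosen for the illustration.

```python
"""Classify login-failure bursts as brute force or credential stuffing.

Added example (not SHIELD's code). Both attacks appear in authentication
logs as runs of failures; they differ in shape, which is what this detector
keys on.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int            # seconds since epoch (constructed values)
    source_ip: str
    username: str
    success: bool


# Thresholds are assumptions for the sample, not values from the article.
WINDOW_SECONDS = 300
BRUTE_FORCE_MIN_FAILURES = 10      # failures against ONE account from one IP
STUFFING_MIN_DISTINCT_USERS = 8    # distinct accounts tried from one IP
STUFFING_MAX_SUCCESS_RATE = 0.2    # stuffing still "wins" on a few reused passwords


def classify_sources(events, window=WINDOW_SECONDS):
    """Return {source_ip: label} for every IP whose events, inside some
    sliding window of `window` seconds, match a known attack shape."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.source_ip].append(e)

    labels = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start:end+1] spans <= window
            while evs[end].ts - evs[start].ts > window:
                start += 1
            window_evs = evs[start:end + 1]
            failures = [e for e in window_evs if not e.success]
            if not failures:
                continue
            per_user = defaultdict(int)
            for f in failures:
                per_user[f.username] += 1
            success_rate = 1 - len(failures) / len(window_evs)

            # brute force: one account hammered from one source
            if max(per_user.values()) >= BRUTE_FORCE_MIN_FAILURES:
                labels[ip] = "brute_force"
                break
            # credential stuffing: many accounts, mostly failing, from one source
            if (len(per_user) >= STUFFING_MIN_DISTINCT_USERS
                    and success_rate <= STUFFING_MAX_SUCCESS_RATE):
                labels[ip] = "credential_stuffing"
                break
    return labels


def sample_events():
    """Constructed authentication log (not real data)."""
    evs = []
    # 203.0.113.5: twelve failed attempts at one account within two minutes
    for i in range(12):
        evs.append(LoginEvent(1000 + i * 10, "203.0.113.5", "alice", False))
    # 198.51.100.7: one attempt each at ten different accounts, one succeeds
    for i in range(10):
        evs.append(LoginEvent(2000 + i * 5, "198.51.100.7", f"user{i}", i == 3))
    # 192.0.2.9: a legitimate user who mistypes twice, then logs in
    evs.append(LoginEvent(3000, "192.0.2.9", "bob", False))
    evs.append(LoginEvent(3020, "192.0.2.9", "bob", False))
    evs.append(LoginEvent(3040, "192.0.2.9", "bob", True))
    return evs


if __name__ == "__main__":
    for ip, label in classify_sources(sample_events()).items():
        print(f"{ip}: {label}")
```

The legitimate user with two typos is never labelled, because neither shape is matched; the distinction that matters operationally is that brute force is best answered per account (lockout or step-up authentication), while credential stuffing is best answered per source and by checking passwords against known-breached lists.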
7 Signs of Account Takeover Fraud
Recognizing the signs of account takeover attacks is crucial for protecting your ecosystem and your users’ accounts. Here are some signs that all businesses should look out for:
- Multiple accounts accessed from a single device
Usually, all the taken-over accounts are associated with a single device being operated by the fraudster. From our experience, whether it’s ten thousand accounts or just five accounts linked to the same device, this user behaviour is reason enough to warrant further investigation.
- Unfamiliar Devices
The sudden appearance of unrecognized devices logged into the same account, or multiple logins from different locations in a short time, are potential signs of an account takeover attack.
- Multiple accounts exhibiting similar information
Once fraudsters gain access to credentials, they aim to take control of the account and prevent users from taking it back. To achieve this, they change credentials, phone numbers and email addresses so that the account owner is neither notified nor able to regain access. For instance, if 20 users suddenly update their contact details to the same number on the same day, it could indicate a potential account takeover.
- Unusual Account Activity
Sudden and unexpected changes to account settings, such as email address, password, or contact information, are a clear sign of an account takeover attack.
Here is an example of how unusual account activity might translate to an ATO attack:
• The customer updates contact details;
• Within 24 hours the customer logs in from a new device;
• The customer purchases something with a new delivery address.
- Unusual Account Behavior
Another indicator of an Account Takeover (ATO) attack is when an account undergoes a shift in behavior, exhibiting distinct usage patterns, unusual purchase activities, or engaging in actions that deviate from the typical behavior of the legitimate account owner.
- Failed Login Attempts
Multiple failed login attempts can also be suspicious. Organizations should investigate repeated failed login attempts as an indicator of account takeover, since they are usually the result of fraudsters testing or guessing credentials.
- Multiple IP Addresses or Geolocations
Another sign of an account takeover attack is multiple login attempts on a single account from different geographies. Businesses should stay vigilant if they see a device's geolocation change within a short period of time.
Also, customers typically access services from a few locations, such as home and work, and use the same device. If a customer is logging in from more IP addresses than usual, that is usually a good indicator of account takeover.
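The signs above, as an added example (not SHIELD's code and not from the original article): four checks over a constructed event log, covering a device shared across many accounts, several accounts switching to the same contact value on one day, the contact-change / new-device / new-address sequence from the example under Unusual Account Activity, and logins for one account from two countries within an hour. The `Event` record, the thresholds and the sample data are assumptions made for the illustration.

```python
"""Account-level ATO signals over an event stream (added example, not SHIELD's code)."""
from collections import defaultdict
from dataclasses import dataclass

DAY = 86_400
HOUR = 3_600
MIN_ACCOUNTS_PER_DEVICE = 5     # the article says even five accounts on one device warrants review
MIN_ACCOUNTS_SAME_CONTACT = 3   # assumption for the sample; the article's example uses 20


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch (constructed values)
    account: str
    kind: str          # "login", "contact_change" or "purchase"
    device: str = ""   # login: device identifier
    country: str = ""  # login: country derived from the source IP
    value: str = ""    # contact_change: new contact value; purchase: delivery address


def shared_device_accounts(events):
    """Sign: a single device logging into many distinct accounts."""
    accounts = defaultdict(set)
    for e in events:
        if e.kind == "login":
            accounts[e.device].add(e.account)
    return {d: sorted(a) for d, a in accounts.items() if len(a) >= MIN_ACCOUNTS_PER_DEVICE}


def shared_contact_changes(events):
    """Sign: many accounts switching to the same contact value on the same day."""
    accounts = defaultdict(set)
    for e in events:
        if e.kind == "contact_change":
            accounts[(e.ts // DAY, e.value)].add(e.account)
    return {v: sorted(a) for (_, v), a in accounts.items() if len(a) >= MIN_ACCOUNTS_SAME_CONTACT}


def risky_sequences(events):
    """Sign: contact change, then a login from a device never seen on the account
    within 24h, then a purchase to a delivery address never used before."""
    per_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        per_account[e.account].append(e)
    flagged = []
    for acct, evs in per_account.items():
        known_devices, known_addresses = set(), set()
        last_change = None        # ts of the most recent contact change
        new_device_login = None   # ts of a new-device login that followed it
        for e in evs:
            if e.kind == "contact_change":
                last_change, new_device_login = e.ts, None
            elif e.kind == "login":
                if (e.device not in known_devices and last_change is not None
                        and e.ts - last_change <= DAY):
                    new_device_login = e.ts
                known_devices.add(e.device)
            elif e.kind == "purchase":
                if new_device_login is not None and e.value not in known_addresses:
                    flagged.append(acct)
                    break
                known_addresses.add(e.value)
    return flagged


def rapid_geo_changes(events, window=HOUR):
    """Sign: consecutive logins for one account from different countries within `window` seconds."""
    per_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "login":
            per_account[e.account].append(e)
    flagged = set()
    for acct, evs in per_account.items():
        for prev, cur in zip(evs, evs[1:]):
            if cur.country != prev.country and cur.ts - prev.ts <= window:
                flagged.add(acct)
    return sorted(flagged)


def sample_events():
    """Constructed event log (not real data)."""
    evs = []
    # one device ("dev-F1") logging into six accounts within half an hour
    for i in range(6):
        evs.append(Event(10_000 + i * 300, f"acct{i}", "login", device="dev-F1", country="DE"))
    # three accounts change their phone number to the same value on the same day
    for i in range(3):
        evs.append(Event(20_000 + i * 60, f"acct{i}", "contact_change", value="+15550100"))
    # acct9: known device and address, then contact change, new device, new address
    evs += [
        Event(30_000, "acct9", "login", device="dev-A", country="US"),
        Event(31_000, "acct9", "purchase", value="1 Home St"),
        Event(40_000, "acct9", "contact_change", value="mail@example.test"),
        Event(50_000, "acct9", "login", device="dev-Z", country="US"),
        Event(51_000, "acct9", "purchase", value="99 Drop Ave"),
    ]
    # acct7: two logins twenty minutes apart from different countries
    evs += [
        Event(60_000, "acct7", "login", device="dev-B", country="US"),
        Event(61_200, "acct7", "login", device="dev-C", country="BR"),
    ]
    return evs
```

Each function returns the accounts or devices that match one sign, so the results can be joined: an account that appears in more than one list is a far stronger candidate for step-up authentication or a manual review than one that trips a single heuristic, and the shared-device and shared-contact checks are the ones that catch a fraudster operating many accounts at once rather than a single stolen login.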
Account Takeover Fraud Detection & Prevention
Detecting account takeover attacks can pose a challenge for businesses. The most effective approach involves identifying each physical device used to access the platform, uncovering when a fraudster attempts to mask the device fingerprint or reset the device to appear as new, and monitoring account activity and analyzing user behavior in real time. This emphasizes the need for businesses to invest in advanced fraud detection and prevention solutions capable of:
- Flagging suspicious devices and configurations in real time that indicate someone is attempting to forge a device to access an account.
- Providing the latest in AI & machine learning algorithms, making it possible to process vast amounts of real-time data, including device information, network, behavioral data points, and historical patterns, to provide actionable insights.
- Analyzing user behavior in real time and identifying malicious tools that fraudsters can use to conduct fraudulent activities.
- Ensuring a proactive approach against new and unknown fraud attacks.
How SHIELD Protects Businesses & Their Users From ATO
Protecting your app and your customers' accounts from account takeover fraud is crucial, and this involves implementing fraud detection & prevention software with a proactive approach to the constant and evolving problem.
SHIELD’s device-first risk intelligence solution is powered by cutting-edge device fingerprinting and the latest in AI & machine learning algorithms. It identifies fraud at its root and analyzes thousands of devices, network, and behavioral data points to provide actionable insights in real time. Our technology enables the detection of account takeover attempts through the combination of features:
SHIELD Device ID
Accurately identifies each physical device used to access your application. It is extremely accurate and persistent, detecting when a fraudster attempts to mask the device fingerprint or reset the device to appear as new.
Our proprietary device fingerprinting technology is key to detecting and eliminating account takeover attacks. It flags suspicious devices and configurations that indicate someone is attempting to forge a device to access an account.
SHIELD Risk Intelligence
With Device Risk Intelligence, we continuously monitor each device session, identifying when a good user suddenly displays signs of fraudulent behavior. The feature detects when malicious tools commonly used to conduct account takeover attacks, such as emulators, screen-sharing tools and app cloners, are being used.
SHIELD also enables online platforms to stay proactive against new and unknown fraud attacks with our Global Intelligence Network, a continuously updating fraud library of the latest fraud patterns across all industries with real-time sync of malicious techniques. Our AI constantly refreshes this library with new malicious tools and techniques, including proxy, VPN and Tor tools, as well as malicious IP addresses, before they become mainstream, ensuring a proactive approach to fraud prevention.
Detect ATO Attacks in Real Time and Protect your Users' Personal Data using SHIELD. Request a demo here