A Guide to Account Takeover (ATO) Fraud Detection & Prevention

What is account takeover fraud? 

Account takeover (ATO) fraud is when fraudsters gain unauthorised access to user accounts with stolen credentials, usually to steal funds or personal information. Any digital platform that requires an account is susceptible to ATO fraud.

Think of a user account as a home and an account takeover attack as a break-in. Most homes can be entered through doors, but they tend to be locked shut. If someone manages to get the keys to the house, they’ll be able to steal valuables, personal items, or even change the locks. 

What can compromised accounts be used for?

Account takeovers spell trouble for mobile apps as they can be used as a springboard for all sorts of fraudulent activity. Some examples include: 

  • Carrying out unauthorised transactions
  • Steal account information
  • Committing identity theft
  • Conducting money laundering activities
  • Converting profiles to spam accounts
  • Mining personal and financial information 
  • Taking out loans under victims’ names
  • Launching social engineering scams 
  • Reselling sensitive data on the dark web
  • Creating fake accounts using the victim’s credentials

Summary of an account takeover attack

A typical ATO fraud attack consists of three steps: 

1. Fraudsters obtain stolen account credentials from data breaches or through phishing scams. These can include usernames, passwords, emails, or phone numbers.

2. The next step is to test these credentials using techniques like credential stuffing or brute force attacks.

3. Once these credentials are validated, fraudsters then breach these accounts to carry out fraud. Validated credentials can also be resold on the dark web and used by others to conduct account takeover fraud on other digital platforms.

How do account takeover attacks happen? 

The key to a successful account takeover is obtaining a user’s login details. Here are some of the ways fraudsters carry out ATO fraud attacks: 

Credential Stuffing 

Credential stuffing works by injecting stolen credentials en masse into login pages. Unlike brute force attacks, credential stuffing doesn’t involve guesswork. Instead, fraudsters use easily accessible tools like bots to test username and password combinations against a range of websites. For example, they can test credentials from a bank’s data breach on an e-commerce platform. 

The main reason why credential stuffing attacks work is because people reuse their login credentials. Over 60% of users reuse the same password for multiple accounts. That means if one account is compromised, all others using the same username and password combination are at risk too. 

Brute Force Attacks 

Imagine forgetting which key opens a door, and trying every key on your keyring, that’s a brute force attack. The cousin of credential stuffing attacks, brute force attacks happen when fraudsters use trial and error to guess user passwords until they succeed. 

The more complex a password, the more combinations will need to be tested. On the flipside, accounts with weak passwords can be breached in seconds. According to the UK’s National Cyber Security Centre, over 30 million account takeover victims have had ‘123456’ as their password - making it one of the most hacked passwords ever. 

Phishing Scams

Picture this: You receive an email from the e-commerce company you’ve made a recent purchase from. It prompts you to sign in with your account details so you can track your parcel. You duly sign in and next thing you know, you’ve been locked out of your account.  Aptly named, phishing scams are social engineering scams in which a fraudster dangles bait in the form of a supposedly legitimate email in order to trick gullible users into revealing personal information. As people have a natural tendency to trust authority, they usually wouldn’t think twice about revealing personal information requested from an apparently reputable organisation. 

Though email is one of the more common forms of phishing, other tactics also include smishing - sending text messages with malware-infected links, and most recently, vishing - convincing people to reveal sensitive information over the phone.

SIM Swap Scams 

SIM swap scams focus on migrating someone’s phone number from their SIM and to one owned by a fraudster. To do this, fraudsters will contact a victim’s mobile carrier, pretend to be the person they want to defraud and request a sim swap. They’ll claim to have a new SIM card that requires activating. If a fraudster can convince the mobile carrier that they’re legitimate, the carrier will transfer their victim’s phone number to the new SIM card. This effectively disconnects the victim’s existing number from their phone, blocking their access to any accounts that might need a phone number login. 

With that, fraudsters will be able to receive any one-time passwords (OTP) or verification codes needed to authenticate logins and transactions.They can also start accessing a multitude of platforms, changing passwords and clearing two-factor authentication (2FA) checks easily. A number of high-profile accounts have been taken over using this technique, including Twitter CEO Jack Dorsey’s.

Signs of account takeover fraud

When an account has been compromised, it’s often too late. There are a few telltale signs that all businesses should look out for to stay one step ahead of account takeover attacks. 

1. Unusual Login Traffic: To mask their account takeover attempts, fraudsters are more inclined to launch their account takeover attacks when traffic is at its peak, such as during holiday periods or sales campaigns. However, a huge spike in login traffic during an off-peak season might indicate a credential stuffing attack. Sudden and large increases in failed login attempts can also be indicators of ATO fraud.

2. Multiple IP Address or Geolocations: Another sign of an account takeover attack is if there were multiple login attempts on a single account from different geographical locations. Businesses should stay vigilant if they see changes in a device’s geolocation in a short period of time. After all, it’s impossible for a legitimate user to be in two countries in the span of five minutes. 

3. Changes in customer details: Fraudsters often change account details after a successful account takeover - similar to changing the locks to a home. This is to prevent the original owner from recovering it. If fraud teams notice multiple accounts having their details changed recently, and sharing the same phone number or email address, the chances of fraudulent activity would be pretty high.  

4. Multiple accounts, one device: In most situations, it’s highly unlikely that users would be sharing and logging into accounts using the same device. From our experience, whether it’s ten thousand accounts or just two accounts linked to the same device, this user behaviour is reason enough to warrant further investigation.

What are the consequences of account takeover fraud

Account takeover fraud can lead to financial losses for customers and businesses. Experts peg the cost of ATO fraud attacks to be at an average of $263 for victims and a whopping $26 billion for businesses in 2020. But that’s not all. Users typically blame businesses for having poor security on their platforms when they fall victim to account takeover fraud. This can lead to the loss of user trust, low retention rates, and cause reputational damage for businesses if customers take to public platforms to air their grievances. 

Account takeover fraud prevention and detection 

Businesses can’t react to an account breach they don’t know about. To combat account takeover fraud, businesses should invest in fraud prevention solutions that can help them identify whether the user behind an account is legitimate or not, all while ensuring a frictionless user experience. 

SHIELD provides world-leading enterprises with device intelligence that empowers them to protect their platforms from account takeover attacks. Our proprietary device fingerprinting technology enables businesses to identify every single device on their ecosystem in real-time with unparalleled persistence. Powered by unsupervised machine learning algorithms and artificial intelligence, our technology continuously profiles risk throughout an entire user session, equipping businesses with the ability to identify the exact moment a user shows signs of fraudulent behaviour. 

Learn how our solution can help your business detect and prevent account takeover fraud and more.