Breaking Down an Account Takeover (ATO) Attack on an E-Wallet

Data breaches in the first half of 2021 exposed the user credentials of almost 20 billion users. With fraudsters employing increasingly sophisticated methods to gain access to user credentials, account takeover (ATO) fraud is set to skyrocket. 

Fraudsters can effortlessly fly under the radar and conduct malicious activity after orchestrating account takeovers. In the face of increasing account takeovers, it is important that everyone knows how one works.  

What is account takeover fraud?

As the name suggests, an account takeover is the process of gaining access to someone else’s account without their permission. Accounts that have been taken over can then be used for a number of things, such as buying items with the account holder’s stored cards, selling the account to someone else, or scamming other users. 

Why e-wallets are often targeted 

Account takeover attacks are becoming more prevalent along with the rapidly increasing number of digital platforms. Within the digital sphere, e-wallets are particularly attractive to fraudsters. With the rise in mobile adoption, users are beginning to use mobile payment methods more frequently. It has become so common that the worth of PayPal credentials on the dark web rose by a whopping 194% in 2021; they are now worth more than credit card information.

Because of their growing popularity, many e-wallets offer more than just a way to pay. They’re often integrated as part of other apps such as ride-hailing or e-commerce, which increases the attack surface for fraud. For example, if an e-wallet app also offers a ride-hailing service, an ATO could give a fraudster access to both services.

Steps of an account takeover on e-wallet accounts

Step 1: Credential Harvesting 

Credential harvesting is the process of attacking an organization with the intent of obtaining user credentials through illegal means. User credentials can be obtained through a variety of fraud tactics such as malware attacks and social engineering scams. 

Credentials are often put up for sale or traded on the dark web. Just last year, more than 15 billion username and password credentials for online services were found circulating on the dark web, the product of over 100,000 separate data breaches; this figure tripled in just two years.

Step 2: Credential Stuffing 

Credential stuffing is the automated injection (using bots) of username and password pairs into website login forms. Since password reuse is very common, fraudsters often test the same credentials against lots of different apps and websites to confirm the credentials can be used to access numerous accounts. 

After the fraudster has a list of verified credentials, they can either sell these on the dark web or proceed to take over the account for their own personal gain.

Step 3: Use credentials to conduct fraudulent activity 

If the fraudster is successful with an account takeover, they will begin conducting malicious activities on the e-wallet. This includes making fraudulent purchases, transferring funds to bank accounts they own, draining accounts, and more. Stolen identity data can be used to make fraudulent credit applications. The compromised account can also be used to carry out money laundering. Fraudsters can further benefit from ATOs by asking unsuspecting contacts for money. The possibilities for fraud are endless.

How organizations can stop account takeovers

Since activity from account takeover fraud can look very similar to that of a real user, many businesses won’t even realize when it’s happening. 

SHIELD helps e-wallets protect themselves from account takeovers by detecting malicious devices and users on the e-wallet app. The SHIELD ID, a unique and highly persistent device identifier, accurately identifies every single device on the app. This allows the technology to identify signs of account takeover fraud before it happens. In the case of ATOs, the SHIELD ID can help businesses identify whether multiple accounts are linked to the same device. It is highly unlikely that legitimate users would be sharing one device to log into many accounts.

Another key feature is SHIELD’s group of Risk Indicators, which identify tools that are typically associated with fraud. Suppose a fraudster were using an emulator to run automated credential stuffing attacks. SHIELD’s technology would detect this and flag it in real time.
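To make the two signals above concrete, here is an added example (not SHIELD's code, schema or thresholds) that runs the same device-linking and credential-stuffing heuristics over a few constructed login events; the field names, device IDs and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data). Field names such as
# "device_id" and "emulator" are assumptions, not SHIELD's schema.
EVENTS = [
    # one device successfully signing in to several distinct accounts
    {"ts": "2021-09-01T10:00:00", "device_id": "dev-A", "account": "alice", "ok": True, "emulator": False},
    {"ts": "2021-09-01T10:05:00", "device_id": "dev-A", "account": "bob", "ok": True, "emulator": False},
    {"ts": "2021-09-01T10:09:00", "device_id": "dev-A", "account": "carol", "ok": True, "emulator": False},
    # a legitimate user on their own phone
    {"ts": "2021-09-01T11:00:00", "device_id": "dev-B", "account": "dave", "ok": True, "emulator": False},
] + [
    # an emulator working through a leaked list: many failures, distinct accounts, tight window
    {"ts": f"2021-09-01T12:00:{i:02d}", "device_id": "dev-E", "account": f"user{i}", "ok": False, "emulator": True}
    for i in range(12)
]

def shared_device_accounts(events, min_accounts=3):
    """Devices that successfully logged in to >= min_accounts distinct accounts."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"]:
            seen[e["device_id"]].add(e["account"])
    return {d: sorted(a) for d, a in seen.items() if len(a) >= min_accounts}

def credential_stuffing_devices(events, window=timedelta(seconds=60), min_fail=10):
    """Devices with >= min_fail failed logins against distinct accounts inside one sliding window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["device_id"]].append((datetime.fromisoformat(e["ts"]), e["account"]))
    flagged = set()
    for dev, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward until it spans <= `window`
            if len({a for _, a in attempts[start:end + 1]}) >= min_fail:
                flagged.add(dev)
                break
    return flagged

def emulator_devices(events):
    """Devices whose client signals indicated an emulator (an assumed boolean field)."""
    return {e["device_id"] for e in events if e["emulator"]}

if __name__ == "__main__":
    print(shared_device_accounts(EVENTS), credential_stuffing_devices(EVENTS), emulator_devices(EVENTS))
```

In practice the thresholds are tuned against the platform's own baseline, since a shared family phone or a support kiosk can legitimately touch several accounts.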

SHIELD provides companies with risk intelligence throughout the entire user journey, powering organizations with the knowledge they need to stop account takeovers. As user credentials for e-wallets continue to become more valuable on the dark web, it seems unlikely the frequency of data breaches and account takeovers will slow down.  

Find out how SHIELD helps e-wallet businesses protect their platforms from account takeover attacks.