Account Takeover

What is an Account Takeover?

An account takeover (ATO) is a form of identity theft that occurs when a hacker gains access to an individual’s bank account or Ecommerce profile in order to make fraudulent transactions, drain the account of loyalty points, or use their personally identifiable information (PII) to build a full profile of the customer to use elsewhere. With the rise of online transactions, customer information such as credit card numbers and shipping addresses are stored in online profiles, giving fraudsters another access point to personal information.

As online activity has increased, so have fraudulent transactions. Between 2017 and 2018, instances of account takeover have increased tenfold. Of course, this record level of identity fraud impacts the consumer, but it also leads to revenue and reputation loss for companies. Catching instances of account takeover retroactively, or not prioritizing a solution to combat fraudsters can have costly results for a company and led to losses of $5.1 billion for companies in 2017.

Because bad actors are using legitimate credentials to access these accounts, cases of account takeover are extremely difficult to catch. Without a comprehensive view of customer activity, legacy fraud management platforms are unable to identify if it is a customer, bot, or fraudster attempting to access an account.

Common Account Takeover Scenarios

All account takeovers involve a bad actor gaining unauthorized access to private business or customer information. However, there are various tactics that fraudsters use. Here are some of the most common account takeover scenarios:

• Data Breaches: Data breaches occur when fraudsters break down data protections to steal confidential information on a large scale. Data breaches are the primary origin of data used in account takeover attacks.
• Credential Stuffing: Fraudsters use automated tools to test previously compromised credentials to see if they have been reused on other sites. This is a precursor for ATO, and is viewed as the scouting or harvesting stage of the attack.
• Man-in-the-Middle: Man-in-the-middle attacks occur when a fraudster gains access to private information as it is sent online. Information is typically intercepted through an unsecured network such as public wifi.
• Social Engineering: Fraudsters will send an email or an SMS message to a customer and pretend to be from a reputable source, like an Ecommerce company. The fraudster will ask the customer for private information in order to trick a victim into disclosing personal details. This strategy may also be executed over the phone by individuals masquerading as tech support for a service the victim may have requested previously.

How to Prevent Account Takeover

Not only are there many possible account takeover scenarios, but the biggest concern is the growing automation of ATO attacks. With the use of bots, fraudsters are able to initiate account takeover attacks on a vast scale, compromising customer and company data, dollars, and credibility. From large data breaches to voice scams, it’s crucial for companies to identify potential account takeover scenarios in order to combat them.

There are several key methods to fight back against account takeover attacks:

• Prevent credential stuffing: Credential stuffing represents the earliest stages of large scale ATO fraud. It is critical to identify and stop these bots in the harvesting stage to prevent the ATO from taking place.
• Create comprehensive user profiles: Creating comprehensive customer profiles makes it easier to differentiate a real customer from a fraudster. Precognitive’s behavioral analytics technology links behavioral and biometric data to create a holistic customer profile that includes individual shopping patterns, devices used, and intricate details including mouse movement and typing speed. These unique characteristics help security teams identify fraudulent account activity.
• Identify warning signs: Create signals and plans of actions for each account takeover scenario. Keep an eye out for red flags such as excessive login attempts or spikes in password changes, multiple updates to personal information like addresses or payment methods.  Also, monitor your normal login volumes and flag anomalies in your traffic volumes to detect attacks in progress.
• Link identity to accounts: Using behavioral biometrics, device identifiers, and consumer profile data, retailers can establish known access patterns for a user and detect unusual activity. By linking known user devices and behavior patterns, security teams can more confidently grant access to their legitimate users.
• Apply Risk-Based Authentication: By applying multiple data sources and techniques, Ecommerce enterprises can apply risk-based authentication practices. Risk-based authentication identifies a risky login, challenges the user through multi-factor authentication (MFA), and requires confirmation of the access attempt from a confirmed account such as SMS or email.

The Future of Account Takeover Attacks

As online payment exchanges and storage of personal information continue to grow, so will cases of account takeover attacks. Account takeover attacks are expected to increase significantly over the next few years, and both customers and businesses can fall victim to this crime. Businesses need a proactive security solution to guard customer data, protect their own credibility and prevent losses in the millions.

As fraudsters are gaining access to real information through various scams, legacy fraud management platforms are unable to differentiate between a real user and a fraudster using legitimate information.

Building comprehensive customer profiles, knowing the signs of these account takeover scenarios, and layering rules with machine learning technology can help businesses combat account takeover attacks. Fraud protection from Precognitive aggregates customers’ device, behavior, and biometric data to help banking, Ecommerce, insurance, and travel enterprises identify and prevent instances of account takeover attacks in real-time.

Precognitive partners with banking, Ecommerce, travel, and insurance enterprises to manage and prevent fraud and ensure account security. Powered by behavioral analytics, machine learning, and device intelligence, Precognitive’s platform analyzes thousands of data points in real-time to accurately identify fraudsters. Simultaneous fraud detection and prevention reduces the need for time-consuming manual intervention and ensures comprehensive security.