Preventing and Identifying Account Takeover Fraud


January 2, 2023

Account takeover (ATO) is a form of online fraud and identity theft in which a criminal gains access to a user’s personal information and uses it to impersonate the account owner. By compromising a user’s account, criminals can gain access to sensitive data, steal money, spread malware such as ransomware or spyware, and more. Employing account takeover fraud prevention software is the best way to protect your accounts from hijacking attempts.

Account Takeover Fraud: Overview

Account takeover fraud occurs when a criminal breaks into someone’s account and uses the information obtained for personal gain. The fraudster profits through unauthorized transactions or purchases, or by selling the account details to third parties. In November 2020, Spotify, a music streaming service, announced a data breach that affected 300,000 users.

How is an Account Takeover Carried Out?

There are numerous methods an attacker can use to try to take over another user’s account. Listed below are a few examples.

  • Social engineering

Attackers harvest identifying information, such as a victim’s phone number or the names of their friends and family, from social media and publicly available databases. They can then use this information to try to guess the victim’s passwords.

  • Phishing

Phishing convinces a victim to hand over critical information, for example through a fake login page or an email that appears to come from a trusted source. Spear phishing is the targeted variant, aimed at a specific individual rather than a large audience.

  • Bot attack

The cybercriminal unleashes a swarm of malicious bots to perform a brute-force attack. Advanced bots can impersonate tens of thousands of users and change IP addresses frequently, making them hard to track even once they have been identified.

  • Credential stuffing

In a credential-stuffing attack, the attacker rapidly tries thousands upon thousands of username and password combinations against the targeted service. Instacart’s customer database was breached in July 2020 via a credential stuffing attack, and the stolen data was later sold on the dark web.

How Do We Identify Account Takeover Attacks?

Watch for the following warning signs that an account is being hijacked:

  • Country-specific IP addresses

If a large number of suspicious IP addresses appear all at once, it is likely that an account has been compromised. An attacker who does not know the account owner’s true location may use a fake IP address to gain access. Changes to the preferred way of accessing an account should be monitored closely, particularly when a user alters it again shortly after the last modification.

  • Multiple accounts sharing the same details

A hacker who has broken into a user account may alter personal information such as the account holder’s email address or password. If you see the same edits applied across many different accounts, it is likely that an ATO attack is under way against your site.

  • Unidentified device models

By imitating many devices, fraudsters can make it look as if one account is being accessed from multiple locations; such devices show up as “unknown” in your system. A growing number of unrecognized devices raises the likelihood that an account has been compromised.
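The two detection signals described above (a burst of failed logins spread over many IPs and accounts, and identical profile edits written into several accounts) can be checked with simple aggregation over an authentication log. The code below is an added example, not part of the original article; the log line format and thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article). The line format
# is an assumption: "<epoch> <event> user=<id> ip=<addr> [field=<f> value=<v>]".
SAMPLE_LOG = """\
1000 login_fail user=alice ip=198.51.100.10
1001 login_fail user=bob ip=198.51.100.11
1002 login_fail user=carol ip=198.51.100.12
1003 login_fail user=dave ip=198.51.100.13
1004 login_fail user=erin ip=198.51.100.14
1200 login_ok user=alice ip=203.0.113.5
1201 profile_change user=alice ip=203.0.113.5 field=email value=recover@example.test
1202 profile_change user=bob ip=203.0.113.5 field=email value=recover@example.test
1203 profile_change user=carol ip=203.0.113.5 field=email value=recover@example.test
1300 profile_change user=grace ip=192.0.2.9 field=email value=grace@example.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)"
    r"(?: field=(?P<field>\S+) value=(?P<value>\S+))?$")

def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for m in (LINE_RE.match(line) for line in text.splitlines()):
        if m:
            events.append(dict(m.groupdict(), ts=int(m["ts"])))
    return events

def distributed_failures(events, window=300, min_ips=5, min_users=5):
    """Return [(bucket_start, n_ips, n_users)] for time windows in which failed
    logins came from many distinct IPs against many distinct accounts: the
    signature of a bot or credential-stuffing campaign."""
    ips, users = defaultdict(set), defaultdict(set)
    for e in events:
        if e["event"] == "login_fail":
            b = e["ts"] // window * window
            ips[b].add(e["ip"])
            users[b].add(e["user"])
    return [(b, len(ips[b]), len(users[b])) for b in sorted(ips)
            if len(ips[b]) >= min_ips and len(users[b]) >= min_users]

def shared_profile_values(events, min_accounts=3):
    """Return {(field, value): [users]} for identical profile edits made to
    several accounts, e.g. one recovery e-mail written into many profiles."""
    owners = defaultdict(set)
    for e in events:
        if e["event"] == "profile_change":
            owners[(e["field"], e["value"])].add(e["user"])
    return {k: sorted(v) for k, v in owners.items() if len(v) >= min_accounts}
```

Run both functions over `parse_log(SAMPLE_LOG)`: the first flags the 1000–1004 window, the second flags the recovery address shared by alice, bob and carol.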

How Can We Prevent Account Takeovers?

  • Verify that no usernames or passwords have been compromised

Check new user credentials against known stolen credential sets to determine whether the account is already compromised. It is also important to routinely audit your user database for indicators of data compromise so you can swiftly notify everyone whose data may have been stolen. After a security breach, it is essential to alert both existing users and those who sign up later.
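One way to check a new password against a breached-password corpus without revealing the password to the checking service is the range lookup (k-anonymity) pattern used by Have I Been Pwned’s Pwned Passwords API: the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally. The code below is an added example, not from the article or any vendor; the breached-password list and the `breached_usernames` set are constructed, and everything runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed list of breached passwords (examples only, not real breach data).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Server side: index breached hashes by their first five hex characters."""
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index

RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)

def range_query(prefix, index=RANGE_INDEX):
    """Server endpoint: all known suffixes for a five-character hash prefix.
    The server only ever sees the prefix, so it cannot tell which password
    the client checked (the k-anonymity range lookup used by Pwned Passwords)."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return sorted(index.get(prefix.upper(), ()))

def password_is_breached(password, query=range_query):
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    h = sha1_hex(password)
    return h[5:] in query(h[:5])

def validate_new_credentials(username, password, breached_usernames=frozenset()):
    """Return the reasons a sign-up or password change should be refused or
    flagged; an empty list means the credentials passed both checks."""
    problems = []
    if username.lower() in breached_usernames:
        problems.append("username appears in a known breach: require MFA and a reset")
    if password_is_breached(password):
        problems.append("password appears in a known breach: choose a different one")
    return problems
```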

  • Configure limits on login attempts

To stop account takeovers, limit the number of unsuccessful login attempts a user can make before the account is locked. Access through proxy servers and VPNs can be blocked for users whose behavior merits it.
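A failed-login limiter that tracks both the targeted account and the source address, so that a brute-force attack on one user and a spray across many users from one IP both trip the limit. This is an added example, not code from the article; the thresholds are assumptions, and the lock is temporary because a permanent lock would let an attacker deny service to any user simply by guessing wrong on purpose.

```python
import time
from collections import deque, defaultdict

class LoginThrottle:
    """Lock an account (and a source IP) after too many failed logins inside a
    sliding window. Locks expire after `lockout` seconds."""

    def __init__(self, max_failures=5, window=900, lockout=900, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock                     # injectable so tests can fake time
        self.failures = defaultdict(deque)     # key -> timestamps of recent failures
        self.locked_until = {}                 # key -> time when the lock expires

    def _prune(self, key):
        """Drop failures older than the window; return the current time."""
        now = self.clock()
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return now

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[key]         # lock expired; start with a clean slate
            self.failures[key].clear()
            return False
        return True

    def check(self, user, ip):
        """Call before verifying the password. True if the attempt may proceed."""
        return not (self.is_locked("user:" + user) or self.is_locked("ip:" + ip))

    def record_failure(self, user, ip):
        for key in ("user:" + user, "ip:" + ip):
            now = self._prune(key)
            self.failures[key].append(now)
            if len(self.failures[key]) >= self.max_failures:
                self.locked_until[key] = now + self.lockout

    def record_success(self, user, ip):
        # A genuine login resets the account counter only: a successful guess
        # from a stuffing campaign does not make the source IP trustworthy.
        self.failures.pop("user:" + user, None)
```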

  • Keep clients up to date on account changes

Customers should be notified immediately of any significant change to their accounts. Even if a criminal manages to bypass your authentication measures, prompt notification lets you prevent or lessen the damage.

  • Entity identification and fingerprinting

Even if an attacker changes their IP address, user agent, or other identifying characteristics, fingerprinting techniques let you keep tracking them. ATO defenses need a comprehensive view of prior harmful or suspicious behavior in order to make sound blocking decisions.

Taking Measures to Prevent Account Hacking

  • A Tracking and Status System

As soon as a compromised account is discovered, additional security measures should be applied. An account flagged as suspicious can be placed in a “sandbox” where its actions are observed and, if necessary, the account is terminated.

  • Web Application Firewall (WAF)

Although it is not their primary function, WAFs can be configured with a strict rule set to recognize and block account takeover attempts, and they can distinguish brute-force and malicious-bot traffic from legitimate users.

  • Predictive Analysis by Artificial Intelligence

AI-based account protection and detection solutions can detect even highly sophisticated bot attacks and attempts to hijack user accounts.