Introduction to Account Takeover
In eCommerce, an account takeover is when a fraudster gains unauthorized access to a shopper’s store account. The fraudster can then use that account to steal the shopper’s identity, make fraudulent transactions, sell the account data on the dark web, and damage the company’s reputation.
The Federal Trade Commission (FTC) received more than 725,000 reports of impostor scams in 2022, where criminals pretended to be someone else to steal money or information. Although this was down from nearly one million reports in 2021, the total amount of money lost to impostor scams increased, reaching the highest level since measurements began in 2018. Consumers lost $2.67 million in 2022, up from $2.4 million in 2021.
What is an Account Takeover?
Account takeover (ATO) is a cyberattack where a malicious actor gains unauthorized access to a shopper’s online account, such as an email, social media, bank, or eCommerce store account. Once the attacker takes control of the account, they can use it for various fraudulent activities, including theft, data breaches, and impersonation. ATO incidents can lead to financial losses, privacy violations, and reputational damage for merchants.
Common Account Takeover Methods
Credential stuffing: Attackers use previously stolen username and password pairs (often from data breaches on other websites) to gain unauthorized access to accounts where users have reused their login credentials.
Phishing: Attackers send deceptive emails or messages that appear legitimate, tricking users into revealing their login credentials or clicking on malicious links that lead to fraudulent login pages.
Brute force attacks: Attackers attempt to guess a consumer’s password by trying numerous combinations until they find the correct one.
Social engineering: Attackers manipulate or deceive individuals into revealing their login credentials or other sensitive information through phone calls, impersonation, or other psychological tactics.
Why Fraudsters Like Account Takeover
Fraudsters favor account takeovers (ATOs) for several reasons, which is why ATO has become a preferred method for cybercriminals engaged in illicit activity. Here are the key reasons:
- Access to established accounts: ATOs provide fraudsters with access to existing accounts that are often trusted by various online services, such as email, social media, financial institutions, or eCommerce platforms. This trust makes it easier for attackers to carry out fraudulent activities without raising immediate suspicion. The successful ATO provides fraudsters with access to a wealth of personal information about the account holder, including their name, contact details, financial information or shopping history. This data can be used for identity theft, phishing, or other fraudulent purposes.
- Credibility and trustworthiness: Compromised accounts are less likely to trigger security checks, allowing fraudsters to operate under the guise of legitimate users. This credibility makes it easier to deceive others, such as friends, family, or colleagues, into taking actions they wouldn’t otherwise consider.
- Financial gain: ATOs can lead to direct financial gain for fraudsters. They may use compromised accounts to make unauthorized purchases, transfer funds, or engage in financial fraud. They can also sell stolen account credentials on the dark web to other criminals.
- Lack of suspicion or low risk of detection: Victims of ATOs often don’t immediately realize that their accounts have been compromised, which gives fraudsters more time to exploit the accounts for malicious purposes. This delay in detection works in the attacker’s favor. Additionally, account takeover attacks can be difficult to detect, especially when attackers are cautious and take measures to cover their tracks, so the risk of being caught is lower than for other types of cybercrime.
- Ease of execution: In some cases, ATOs can be relatively straightforward for attackers, especially if they acquire stolen login credentials from previous data breaches. They don’t need to create fake identities or elaborate schemes; they simply use existing account details. This can make it easy for fraudsters to target a broad range of accounts, from individual users to businesses and organizations. This versatility allows fraudsters to cast a wide net and increase their chances of success.
- Continued exploitation: Once a fraudster gains control of an account, they can continue to exploit it over time. This can lead to sustained fraudulent activities, prolonged access to sensitive data, and a higher potential for financial gain.
Given these advantages, it’s essential for merchants to prioritize security measures such as strong, unique passwords, multi-factor authentication (MFA), and regular monitoring of account activities to protect against account takeovers and minimize the risks associated with this type of cyberattack.
How to Prevent Account Takeover
Encourage Shoppers to Create Strong Passwords
Encourage users to create strong, unique passwords for each of their accounts. Use a combination of uppercase and lowercase letters, numbers, and symbols. Consider implementing password policies that require complexity and regular changes.
Develop Robust Authentication Methods
Implement MFA or two-factor authentication (2FA) to add an extra layer of security. Even if an attacker knows the password, they won’t be able to access the account without the second authentication factor. For email, use email authentication protocols like Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF).
Implement Rate Limiting and Account Lockout
Implement mechanisms that throttle login attempts and, after a set number of failed tries, lock the account temporarily to prevent brute-force attacks. Alongside this, continuously monitor account activity and maintain detailed logs so that suspicious actions can be detected and responded to in real time.
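As an added illustration (not code from the original page), here is a minimal Python login guard that implements the throttle, temporary lockout and audit log described above, and also scans the same attempt log for one source address hitting many distinct accounts, the footprint of credential stuffing; the thresholds, class names and sample log lines are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed policy values for this example (not figures from the page): 5 failures in
# 10 minutes locks the account for 15 minutes; 20+ accounts from one IP is flagged.
MAX_FAILURES, WINDOW, LOCKOUT, STUFFING_THRESHOLD = 5, 600, 900, 20

class LoginGuard:
    """Per-account throttle with temporary lockout plus per-IP tracking."""
    def __init__(self):
        self.failures = defaultdict(deque)    # account -> failure timestamps
        self.locked_until = {}                # account -> unlock time
        self.ip_accounts = defaultdict(dict)  # ip -> {account: last attempt}
        self.audit = []                       # append-only event log

    def record(self, account, ip, success, now):
        """Record one attempt; returns 'ok', 'fail' or 'locked'."""
        self.ip_accounts[ip][account] = now
        if self.locked_until.get(account, 0) > now:
            self.audit.append((now, "rejected_locked", account, ip))
            return "locked"  # rejected before the password is even checked
        if success:
            self.failures[account].clear()
            self.audit.append((now, "login_ok", account, ip))
            return "ok"
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > WINDOW:  # keep only failures inside the window
            q.popleft()
        self.audit.append((now, "login_fail", account, ip))
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT
            self.audit.append((now, "account_locked", account, ip))
        return "fail"

    def stuffing_sources(self, now):
        """IPs that hit many distinct accounts in the window: a stuffing signal."""
        return [ip for ip, seen in self.ip_accounts.items()
                if sum(now - t <= WINDOW for t in seen.values()) >= STUFFING_THRESHOLD]

def replay(guard, log_lines):
    """Feed constructed 'timestamp account ip ok|fail' lines through the guard."""
    results = []
    for line in log_lines:
        ts, account, ip, outcome = line.split()
        results.append(guard.record(account, ip, outcome == "ok", float(ts)))
    return results

# Constructed sample: one IP sprays 20 accounts, then hammers alice, whose own
# correct login from another address arrives while the lock is still active.
SAMPLE_LOG = [f"{1000 + i} user{i} 203.0.113.9 fail" for i in range(20)]
SAMPLE_LOG += [f"{1100 + i} alice 203.0.113.9 fail" for i in range(6)] + ["1200 alice 198.51.100.7 ok"]
```

The spray leaves every account under the per-account threshold, so only the per-IP view reveals it; the lockout protects alice even though it also turns away her genuine login until it expires.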
Use Fraud Detection Tools That Can Analyze Behavior
Use fraud detection tools that analyze shopper behavior to prevent and mitigate fraudulent activity, including account takeovers and other types of fraud. Establish baseline behavioral profiles for shoppers and transactions; the fraud prevention tool should learn and adapt to what counts as “normal” behavior for your shoppers over time.
Ensure that your fraud prevention tool has access to a wide range of data sources, including transaction data, user behavior data, and historical data. Integration with various data feeds is essential for a fraud prevention solution to have a comprehensive view of shopping patterns. A great fraud prevention solution will use machine learning and AI to identify abnormal user behavior and flag potentially compromised accounts.
Ensure Software and Tools Are Updated Regularly
Keep all software, including web browsers and applications, up to date so that vulnerabilities attackers could exploit are patched. Regular updating is a fundamental cybersecurity practice for preventing fraud and account takeovers, because it closes the known vulnerabilities and security weaknesses that fraudsters look for.
Implement an Account Recovery Procedure
An account recovery procedure is a set of protocols designed to help legitimate shoppers regain access to their online accounts when they have been locked out or have forgotten their login credentials. Account recovery procedures are essential for shopper convenience and security. They ensure that authorized users can regain access to their accounts while preventing unauthorized access by fraudsters.
Here are the key components and steps involved in an account recovery procedure:
- Initiating account recovery: Users initiate the account recovery process by visiting the merchant’s login page and clicking on the “Forgot Password” or “Account Recovery” link.
- User verification: During the recovery process, shoppers typically need to provide some form of verification to confirm their identity. This verification may include a secondary email address or phone number associated with the account, answering security questions that were set up during account registration, confirming the recovery link or code sent to the secondary email or mobile device, or uploading identification documents for manual verification (for higher-risk accounts or when other methods are unavailable).
- Identity validation: The merchant validates the user’s identity by comparing the provided information with the data on file. This may involve matching personal details, checking security questions, or confirming ownership of the secondary email or phone number.
- Temporary access or reset: Once identity is verified, the merchant may grant temporary access to the account or allow the shopper to reset their password. This temporary access is often time-limited to prevent misuse.
- Password reset: Users can typically reset their password during the recovery process. They choose a new password, which replaces the old one.
- Security measures: To ensure security, merchants may implement additional measures like sending confirmation emails or requiring users to change their password after recovery.
- Logging and auditing: The entire account recovery process is logged and audited. This includes details of the recovery request, verification steps, and actions taken to grant access.
- Communication with the shopper: The shopper is informed about the successful completion of the account recovery process. They may receive confirmation emails or notifications.
- Account lockout policy: To prevent abuse or unauthorized access, account lockout policies may limit the number of recovery attempts within a specific time frame.
- Shopper education: Shoppers are educated about the importance of maintaining up-to-date recovery information, such as secondary email addresses and phone numbers.
- Incident response: In cases where the account recovery request appears suspicious or fraudulent, the platform may have incident response procedures in place to investigate and take appropriate action.
- Regulatory compliance: Account recovery procedures must comply with relevant data protection and privacy regulations, such as GDPR or CCPA.
Effective account recovery procedures strike a balance between user convenience and security. They ensure that only legitimate account owners can regain access to their accounts while minimizing the risk of unauthorized access and fraudulent account takeovers.
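An added example, not the page’s own code, of the token-handling core of such a procedure in Python: recovery tokens that are time-limited, single-use and bound to one account, stored only as hashes, with a per-account request limit and an audit trail; the policy values and class name are assumptions.

```python
import hashlib
import secrets
import time

# Assumed policy values for this example (not figures from the page): a recovery
# link is valid for 15 minutes and an account may request at most 3 per hour.
TOKEN_TTL, MAX_REQUESTS, REQUEST_WINDOW = 900, 3, 3600

class RecoveryService:
    """Single-use, time-limited recovery tokens; only their hashes are stored."""
    def __init__(self):
        self.pending = {}   # sha256(token) -> (account, expiry timestamp)
        self.requests = {}  # account -> timestamps of recent recovery requests
        self.audit = []     # (time, event, account); never contains raw tokens

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, account, now=None):
        """Start recovery; returns the raw token to send out of band, or None."""
        now = time.time() if now is None else now
        recent = [t for t in self.requests.get(account, []) if now - t <= REQUEST_WINDOW]
        if len(recent) >= MAX_REQUESTS:  # recovery-attempt lockout policy
            self.audit.append((now, "recovery_rate_limited", account))
            return None
        self.requests[account] = recent + [now]
        token = secrets.token_urlsafe(32)  # unguessable; a leaked table yields only hashes
        self.pending[self._digest(token)] = (account, now + TOKEN_TTL)
        self.audit.append((now, "recovery_requested", account))
        return token

    def redeem(self, account, token, now=None):
        """Verify a token for this account; it is consumed whatever the outcome."""
        now = time.time() if now is None else now
        entry = self.pending.pop(self._digest(token), None)
        if entry is None or entry[0] != account:
            self.audit.append((now, "recovery_rejected", account))
            return False
        if now > entry[1]:  # time-limited: an old link cannot be replayed later
            self.audit.append((now, "recovery_expired", account))
            return False
        self.audit.append((now, "recovery_verified", account))
        return True  # caller now allows the password reset and notifies the shopper
```

A True result is the point at which the merchant grants the time-limited reset and sends the confirmation message the list describes; every step, including rejected and rate-limited requests, lands in the audit trail without the token itself.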
Preventing account takeovers requires a multi-layered approach that combines technical measures, shopper education, and proactive monitoring. By staying vigilant and implementing robust security measures, merchants can reduce the risk of ATO attacks and protect shopper accounts and sensitive data.