Effective account takeover protection starts at the source
With 65% of people re-using passwords across some or all of their accounts and the rise in advanced attack vectors such as generative AI, the threat of account takeover attacks (ATOs) has never been higher. At least 77 million Americans were hit by an ATO in 2023. Account takeover attacks provide bad actors with unauthorized access to sensitive information and can result in serious consequences for users and companies, such as financial fraud, identity theft, and reputational damage. Read on to discover how ATO attacks work and learn the best ways you can enable account takeover protection.
What are account takeover (ATO) attacks?
Account takeover attacks occur when a cybercriminal uses stolen credentials to gain access to legitimate accounts for malicious purposes. ATOs differ from traditional cyber threats because they rely on compromised user accounts instead of directly attacking your network. While most companies have security measures in place to protect their networks against external attacks, many lack the proper countermeasures for account takeover protection.
How are account takeovers carried out?
Hackers often employ elaborate techniques to execute account takeovers, including:
- Credential stuffing: Armed with a list of hundreds or thousands of usernames and passwords, hackers can attempt to gain unauthorized access to user accounts with software that automates login requests on a mass scale.
- Phishing: This is a fraudulent attempt to obtain sensitive information by sending emails or text messages that appear to come from a trustworthy organization, such as a bank.
- Social engineering attacks: Bad actors manipulate individuals into revealing confidential information or performing actions that compromise security by exploiting human psychology.
- Malware/ransomware: Malicious software designed to infiltrate, damage, or gain unauthorized access to systems. Ransomware is a specific type of malware that encrypts a victim’s files and demands a ransom payment in exchange for the decryption key.
- Stolen customer data: Troves of stolen data can be purchased on the dark web. This unauthorized acquisition of sensitive information can lead to identity theft, financial fraud, and other criminal activities.
Credential stuffing is one of the most common of these techniques. Attackers use automated tools to quickly try logging in to many sites using lists of thousands of stolen usernames and passwords. Bad actors can obtain these lists from dark web fraudsters known as initial access brokers (IABs). Account information sold by IABs has been connected with some of the highest-profile ATO and ransomware attacks of recent years. Credential stuffing does not always lead to an immediate account takeover: once attackers have gained access, they may bide their time until they find a specific reason to use the account.
Why do account takeovers happen?
Compromised user credentials are at the root of account takeover vulnerability. People commonly recycle the same username and password combinations across multiple online accounts, including for core accounts such as email, social media, banking, and other essential digital services. This practice increases account takeover vulnerability for everyone because if an attacker manages to obtain the password for one site, they can potentially gain access to all other accounts that share the same credentials.
The result is a domino effect of compromised accounts, resulting in identity theft, financial losses, data leaks, and other damaging consequences for both individuals and organizations. Even if your business employs strict account takeover protection measures to safeguard your users’ credentials, password re-use means many may still be available to the highest bidder on the dark web.
One of the most insidious elements of ATOs is that they can be extremely difficult to investigate and prove. Once a cybercriminal gains access to an account, they can easily change the password and alter the registered email address. With full control of the account, they can then make purchases using any saved payment details. When the legitimate account owner eventually spots the unauthorized payments, they may find it difficult to dispute the charges because the account email address is no longer accessible to them. Investigating such incidents with traditional fraud detection tools is also challenging because those tools provide very limited customer journey data, making it difficult for a manual review to find any evidence of how the attack was carried out.
Account takeover examples
Social media accounts
While practically every online website or app with a login also has an account takeover vulnerability, social media platforms are among the most common targets for ATOs. Once hacked, social media accounts can be used for identity theft or fraud, or sold on the dark web for around $25 to $60.
Banking and financial accounts
Banking and payment accounts are prime candidates for account takeovers. Hackers who gain access to these accounts can steal funds directly or make unauthorized purchases. They may also attempt to open new lines of credit or apply for loans using the stolen identity, causing significant financial damage to the victim.
Online marketplace accounts
Online marketplace accounts are another tempting target, and fraudsters can monetize them in a number of ways. Some hackers use stolen accounts for card testing, a fraud technique used to verify whether stolen credit card information is valid. Many online marketplace or merchant accounts have grandfathered features such as lower fees, special selling privileges, or higher transaction limits that make them highly desirable as vehicles for money laundering or other illicit activities.
Online gaming accounts
Gaming accounts, particularly those associated with popular online multiplayer games, are increasingly targeted by cybercriminals. These accounts often hold valuable in-game items, virtual currency, or rare collectibles that can be sold for real money on black markets. Hackers may also use stolen gaming accounts to cheat, disrupt gameplay, or engage in toxic behavior, negatively impacting the gaming community and the platform’s reputation.
Traditional methods of prevention
The history of account takeover solutions has been an arms race between bad actors and the security professionals intent on stopping them. Several methods have emerged to try to prevent ATOs, such as:
- Strong password policies: Complicated passwords are harder to crack via brute force methods, reducing the likelihood of an account takeover. Users are required to create complex, unique, and lengthy passwords that are regularly updated. Although complex passwords are harder to crack, they can still be reused, stolen, leaked, or purchased from the dark web.
- Two-Factor (2FA) or Multi-Factor Authentication (MFA): These forms of user verification add one or more elements to the traditional username and password combination, such as a physical security token or a one-time password (OTP) code sent to an account holder’s phone or email address. 2FA and MFA mean that, even if an account’s credentials are compromised, it’s much harder for hackers to access the account unless they also have control of the user’s physical device or email. However, vulnerabilities in the authentication process can still be exploited, such as by intercepting SMS codes, stealing physical tokens, or using social engineering techniques to trick users into revealing their OTP.
- Customer education on security best practices: Companies often provide customers with educational material on cybersecurity to explain how to make strong passwords or identify phishing attempts. However, no business should rely solely on users to protect their online infrastructure. Some may not fully understand or implement the recommended security measures, and even well-informed individuals can make mistakes or fall for phishing attempts.
Each of these traditional solutions can contribute to improving security, but none offers robust end-to-end protection, which lets cybercriminals armed with credential lists and in-depth research stay one step ahead.
The best solution stops attacks before they happen
Combating account takeover attacks requires comprehensive data and complete visibility into user activity.
By leveraging a journey data platform, businesses can monitor user activity throughout the entire customer journey, rather than just at key checkpoints. This holistic approach enables merchants to develop a more accurate picture of legitimate and anomalous user behavior, making it easier to differentiate between genuine users and fraudsters. As a result, businesses can identify and stop ATO attacks, reduce chargebacks, and protect accounts, without increasing friction in the user experience.
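The takeover sequence described under "Why do account takeovers happen?" (login from an unfamiliar device, password change, email change, then a purchase with saved payment details) is what journey-level monitoring is meant to catch: each event looks ordinary on its own, but the sequence inside a short window does not. The following scorer is an added example for this page, not Spec's product logic or any code from the original post. The event format, signal weights, step-up threshold and time window are all assumptions chosen for illustration.

```python
"""Score a logged-in session for account-takeover risk from journey events.

The pattern login(new device) -> password_change -> email_change ->
purchase(saved card) is benign event by event but suspicious as a
sequence within a short window, so the scorer looks at the whole session.
"""
from datetime import datetime, timedelta

# Constructed sample sessions. Event format is a hypothetical
# (timestamp, event_name, attributes) triple, not a real product schema.
SESSIONS = {
    "sess-suspicious": [
        (datetime(2024, 5, 1, 12, 0, 0), "login", {"device_known": False, "country": "NL"}),
        (datetime(2024, 5, 1, 12, 0, 40), "password_change", {}),
        (datetime(2024, 5, 1, 12, 1, 5), "email_change", {}),
        (datetime(2024, 5, 1, 12, 2, 30), "purchase", {"saved_card": True, "amount": 480.0}),
    ],
    "sess-normal": [
        (datetime(2024, 5, 1, 9, 0, 0), "login", {"device_known": True, "country": "US"}),
        (datetime(2024, 5, 1, 9, 14, 0), "browse", {}),
        (datetime(2024, 5, 1, 9, 20, 0), "purchase", {"saved_card": True, "amount": 35.0}),
    ],
}

# Hypothetical weights: each signal observed adds to the session risk score.
WEIGHTS = {
    "unknown_device": 2,
    "country_change": 2,
    "password_change": 2,
    "email_change": 3,
    "purchase_after_account_change": 3,
    "saved_card_on_new_device": 1,
}
STEP_UP_THRESHOLD = 6            # re-verify the user at or above this score
WINDOW = timedelta(minutes=30)   # account change followed by purchase within this


def score_session(events, home_country="US"):
    """Return (score, reasons) for one session's events."""
    events = sorted(events, key=lambda e: e[0])
    reasons = []

    login = next((e for e in events if e[1] == "login"), None)
    new_device = bool(login and not login[2].get("device_known", True))
    if new_device:
        reasons.append("unknown_device")
    if login and login[2].get("country", home_country) != home_country:
        reasons.append("country_change")

    last_change = None  # timestamp of the most recent password/email change
    for ts, name, attrs in events:
        if name in ("password_change", "email_change"):
            reasons.append(name)
            last_change = ts
        elif name == "purchase":
            # The post's sequence: lock the owner out, then spend saved funds.
            if last_change is not None and ts - last_change <= WINDOW:
                reasons.append("purchase_after_account_change")
            if new_device and attrs.get("saved_card"):
                reasons.append("saved_card_on_new_device")

    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(events):
    """Map the score to an action. 'step_up' means hold the purchase and
    re-verify through a channel the attacker does not control (for example
    the previously registered email address, not the newly changed one)."""
    score, reasons = score_session(events)
    action = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, reasons


if __name__ == "__main__":
    for sid, evs in SESSIONS.items():
        print(sid, decide(evs))
```

Because the step-up decision is taken at the purchase rather than only at login, a session that passed the login checkpoint is still stopped once its later behaviour matches the takeover sequence, and the reasons list gives a reviewer the journey evidence that traditional point-in-time fraud tools lack.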
Spec is the only customer journey security platform on the market today. With Spec, you get access to 14x the data provided by legacy solutions, enabling you to paint a complete picture of the user journey. Spec proactively monitors emerging attacks and account behavior, providing end-to-end protection. Because attackers are constantly evolving new tactics, Spec’s real-time automation ensures your defenses are always on the cutting edge, identifying, tracking, and blocking fraudulent actors before they strike.
Indiegogo, one of the leading crowdfunding platforms, found itself repeatedly targeted by account takeover attacks that resulted in a high volume of fraud-related credit card chargebacks. With each fraudulent transaction costing Indiegogo the refund amount plus a $15 service fee, the costs were soon becoming unsustainable.
“The chargebacks would start flowing in,” Indiegogo Payments Manager Justin Orme says. “We knew we needed more checks, but how would we onboard these vendors without tying up significant internal resources?”
To solve its problems, Indiegogo implemented Spec’s Customer Journey Security Platform. Spec enabled the company to combat attacks, reduce fraud, and gain comprehensive visibility into user activities. This move cut credential stuffing attacks to less than 1% of site traffic and reduced fraud-related chargebacks from 20% to 1%.
“With Spec, we can mitigate fraudulent activity, protect our revenue, and create a better user experience so that Indiegogo can remain a trusted crowdsourcing platform,” Orme says.
Learn more about how Indiegogo used Spec to reduce chargebacks, stop account takeovers, and protect their customers. Read the full Indiegogo case study now!