
Account Takeover (ATO) Fraud: How it Happens & How it’s Prevented

Kira Lempereur, Sr. Technical Writer
22 Apr, 2024

What is account takeover?

Account takeover (ATO) occurs when criminals gain access to a person’s online account (through attacks like credential stuffing). Usually, the attacker will change the login credentials to lock the original owner out of their own account. Any company whose users hold accounts or store details online (social media platforms, for example) is exposed to this attack, and it is hard to detect.

On July 15 2020, Barack Obama decided to promote Bitcoin. He tweeted that if you would send him any amount of Bitcoin, he would send back double the amount. He wasn’t the only one this generous. On the same day, Kanye West, Bill Gates, Warren Buffett, Joe Biden, Uber, Apple, Wendy’s, and over a hundred other high-profile Twitter accounts sent out similar tweets.

These tweets were sent out as part of a powerful account takeover attack on Twitter. The company was left scrambling. As a temporary solution, they blocked all their verified accounts—their most powerful influencers—from tweeting. It was a huge breach of trust that was in the news for days on end.

Twitter’s CEO publicly apologizing after the attack.

Social media companies such as Twitter aren’t the only ones that suffer from account takeovers. Any company with an app or website where users can create accounts is subject to this type of attack, especially if you store credit or debit card details. An ATO attack isn’t usually as visible as the one on Twitter either. They tend to fly under the radar until it’s too late, after which they can hurt you substantially more than the attack on Twitter hurt that company.

How does an account takeover attack work?

We already know that hackers purchase stolen credentials from cybercriminal marketplaces. But what do they do with them? How do they find the right websites to attack? How do they use those credentials to take over other people’s accounts? While their methods vary widely, almost all hackers have one thing in common: they use malicious bots to automate much of their work.

How ATO Attackers Gain Access

  1. Hackers buy hundreds of thousands of stolen login credentials on the dark web.
  2. They program bots to attack the login endpoints of websites with valuable user accounts.
  3. The bots very rapidly test all the stolen login-password combinations (“credential stuffing”).
  4. Hackers get access to accounts created with reused credentials.
  5. Hackers collect personal data and/or exploit means of payment, loyalty points, gift cards etc. associated with the hacked accounts.

Malicious bots will target specific touchpoints when they want to break into user accounts. All of the touchpoints listed below are especially vulnerable on your websites, mobile apps, and APIs:

  • Login
  • Cart
  • Payment

Anything unusual that you notice around these touchpoints could be a hint of account takeover fraud. The particular types of attacks we list below will pass through most, if not all, of these endpoints.

Types of Account Takeover Fraud

Credential stuffing (OAT-008) and credential cracking (OAT-007) are two types of automated threats where hackers use malicious bots to “stuff” online login pages with stolen usernames and passwords. These are the two primary methods hackers use to take over accounts fraudulently.

Credential stuffing and cracking aren’t tasks that can be done manually at a profitable scale. But by using bots, hackers can run through almost unlimited volumes of credentials—often overloading the victim’s website or app with traffic in the process.

In a credential stuffing attack on one of DataDome’s customers, hackers sent 5.7 million requests over the course of two days. Not only that, but they did so from 250,000 different IP addresses across 8,000 autonomous systems and 215 countries.

The spike in website requests that the DataDome solution blocked on a single domain.

Had this customer not installed DataDome, it’s highly likely at least a few thousand of those bot requests would have allowed hackers to access user accounts. From that point, they could have stolen more data, placed illegitimate orders, changed user passwords, deleted accounts, and more.

The key lesson here is that hackers are increasingly sophisticated. Their bots have little in common with the simple crawlers of yesteryear: they are using highly complex software that can rotate through IPs, hide inside user sessions, look like browsers, and mimic human behavior. A full 30% of bad bots constantly change their IPs to try to remain undetected. Cybersecurity solutions that don’t specialize in bot detection stand little chance against today’s most advanced bots.

Impact of ATO Attacks on Businesses & Individuals

With account takeover, bad actors compromise online accounts, often through automated attacks. ATO attackers usually gain access to existing accounts via bot-driven attack techniques, such as credential stuffing and credential cracking. ATO compromises users’ personal data and can lead to data leaks.

Between building out security architecture, setting up good data management practices, creating business continuity practices, and much more, CISOs, CTOs, and DevSecOps engineers are beyond busy. You may even wonder why you should focus any of your time and resources on preventing account takeover fraud. How big of a threat can it be? Here are the most important reasons ATO should be a critical component of your cybersecurity strategy:

  1. The ATO rate is skyrocketing. The ratio between fraudulent login attempts and total logins is increasing as more and more criminals are using ATO as their preferred way of attacking. This rate jumped by 378% since the start of the ongoing COVID-19 pandemic because of the rise in e-commerce sales and the growing number of stolen credentials available online.
  2. Customers expect security, but want convenience. Most of the burden of cybersecurity falls on the company. The customer expects you to protect their details, even if they don’t exercise proper cybersecurity practices themselves. For example, 52% of people still reuse passwords for multiple accounts. On top of that, most security measures meant to stop ATOs add friction to the user experience, which can lead to cart abandonment, false positives (where you block a genuine user), and frustration.

Many people don’t use different passwords for their accounts.

  3. Payment fraud costs a pretty penny. US citizens filed 1.4 million reports of identity theft to the Federal Trade Commission in 2020, of which almost 30% were credit card fraud. More people than ever before see transactions on their credit card statements that they never made, leading to an increase in chargebacks. Card network rules dictate that the cost of the chargeback falls on the company that accepted the fraudulent payment, so you may be paying for lost goods or services, chargeback fees, and card processing fees.
  4. Data protection frameworks come with expensive fines. In the second quarter of 2019, Marriott Hotels reported $22 million in insurance recoveries related to the 2018 Starwood data breach. Then the UK’s Information Commissioner’s Office (ICO) also fined Marriott Hotels £18.4 million for failing to put appropriate safeguards in place to protect customer data, as per the EU’s General Data Protection Regulation (GDPR). Wherever you’re based, there’s probably a data protection framework that will fine you if you suffer from data breaches or ATOs.
  5. Account takeovers suck up time & resources. The impact of ATO reverberates through all areas of your business, from your support team responding to customer complaints to your sales team that will need to explain why prospects should still buy from you. The fallout of an ATO attack can last for months, during which time it will always suck up a certain percentage of your employees’ time. It is a net productivity loss for your company, because it’s all time that your employees could have spent doing their actual job.
  6. The customer sits in the middle of it all. ATOs are uniquely dangerous to your reputation because it’s often the customer who notices the attack in the first place, usually by discovering that someone placed an order using their account or locked them out entirely. And not all users will report such problems. They might just delete their account altogether and decide never to buy products from your company again.

That’s why it’s so important to prevent ATO attacks from succeeding in the first place.

How can you prevent account takeover attacks?

Account takeover fraud is almost never as immediately visible as the Twitter example we gave at the beginning of this guide. In fact, it’s in the hackers’ best interest to stay unnoticed for as long as possible. The longer their scams can continue, the more money they can earn or data they can harvest. That’s why hackers increasingly prefer account takeover methods that are discreet, such as loyalty card fraud or fake account creation.

There’s no one signal that gives away an account takeover attack. ATOs give themselves away through a collection of tiny hints. For example:

  • Login attempts from different devices.
  • Older browsers and operating systems.
  • Unusual buying behavior.
  • Different shipping addresses.
  • Multiple failed login attempts.
  • Suspicious device configurations.
  • An increase in closed accounts.
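
The following script is an added example, not part of the original guide or DataDome’s product: it reads a constructed login-event log (the line format is an assumption made for the example) and computes several of the hints listed above over a sliding window: the failed-login ratio, IPs cycling through many usernames, accounts reached from many devices, and the accounts that a suspicious IP actually got into, which is the list you would act on when locking or resetting accounts during an attack.

```python
"""Score constructed login lines for the ATO signals listed above (added example).
Assumed line format: <ISO timestamp> user=<name> ip=<addr> device=<id> result=<ok|fail>"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
                     r"device=(?P<device>\S+) result=(?P<result>ok|fail)$")
# Constructed sample: one IP cycling through five accounts (credential stuffing),
# "alice" reached from three devices within two minutes, plus one malformed line.
SAMPLE_LOG = """\
2024-04-22T10:00:00 user=alice ip=10.0.0.5 device=d1 result=ok
2024-04-22T10:01:00 user=alice ip=198.51.100.9 device=d9 result=ok
2024-04-22T10:01:10 user=carol ip=203.0.113.7 device=x1 result=fail
2024-04-22T10:01:11 user=dave ip=203.0.113.7 device=x1 result=fail
2024-04-22T10:01:12 user=erin ip=203.0.113.7 device=x1 result=fail
2024-04-22T10:01:13 user=frank ip=203.0.113.7 device=x1 result=fail
2024-04-22T10:01:15 user=heidi ip=203.0.113.7 device=x1 result=ok
2024-04-22T10:02:00 user=alice ip=203.0.113.44 device=d10 result=ok
this line is malformed and must be skipped, not crash the parser
"""

def parse(text):
    """Parse log lines into dicts; malformed lines are skipped rather than raised on."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def analyze(events, window=timedelta(minutes=10), fail_ratio_alert=0.3,
            max_users_per_ip=5, max_devices_per_user=3):
    """Evaluate the last `window` of events and return the findings as a dict."""
    end = max((e["ts"] for e in events), default=datetime.min)
    recent = [e for e in events if end - e["ts"] <= window]
    users_by_ip, ok_by_ip, devs_by_user = defaultdict(set), defaultdict(set), defaultdict(set)
    fails = 0
    for e in recent:
        users_by_ip[e["ip"]].add(e["user"])
        if e["result"] == "fail":
            fails += 1
        else:  # only successful logins count as a device actually using the account
            devs_by_user[e["user"]].add(e["device"])
            ok_by_ip[e["ip"]].add(e["user"])
    ratio = fails / max(len(recent), 1)  # a jump against the usual ratio is the first hint
    bad_ips = sorted(ip for ip, u in users_by_ip.items() if len(u) >= max_users_per_ip)
    bad_users = sorted(u for u, d in devs_by_user.items() if len(d) >= max_devices_per_user)
    hit = sorted(set().union(*(ok_by_ip[ip] for ip in bad_ips)))  # lock / force reset
    return {"fail_ratio": ratio, "alert": ratio >= fail_ratio_alert,
            "suspicious_ips": bad_ips, "multi_device_users": bad_users,
            "accounts_to_protect": hit}

def analyze_log(text):
    return analyze(parse(text))
```

The thresholds are deliberately low so the sample trips them; in production they should be tuned against your own baseline failure ratio and typical devices per account.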

So how do you combat ATO?

1. Use Strong Password Practices & Multi-Factor Authentication

The easier a user’s password is to guess, the more likely an attack like credential cracking will work. Encourage your users to use complex passphrases with special characters—and a different password for each website. In addition to strong passwords, users should turn on multi-factor authentication. This second layer of protection helps stop attackers who have obtained the user’s password from the dark web and are attempting credential stuffing.

Keep in mind, though, that users may not want to use MFA or complex passwords because of the added friction to the login process.

2. Review Accounts Regularly & Notify Users of Any Changes

Users may not always be checking their accounts for differences, so it’s best to ensure that the user is notified of any change made to their account. This way, users might be able to find out right away if their account has been compromised. Keep an eye out for suspicious activity like updated shipping addresses in a different area than normal, changed or updated card information, etc.

3. Use Advanced ATO Prevention Software

The simplest way to prevent ATO attacks is by using specialized software that reviews all of the small signals in each request to root out suspicious activity. DataDome Account Protect collects user-centric and business data signals to create a footprint of user behavior, which enables us to then identify (and stop) suspicious behavior with greater accuracy than other ATO protection solutions. Combined with our bot and online fraud protection, DataDome can reduce your risk of ATO significantly—keeping your customers safe and your business running smoothly.

DD ATO Dashboard

Common ATO Prevention Methods & Why They’re Not Enough

As we mentioned previously, the endpoints that are most vulnerable to account takeover attacks are anything to do with logins, registrations, shopping carts, and payment funnels. In order to effectively protect your business and your customers, your protection system must take into account the varying threats targeting each touchpoint and endpoint.

For example, your login page is much more subject to a credential stuffing attack than your registration page. Then again, your registration page is more likely to see bots create fake accounts. Each endpoint, whether it faces credential stuffing or fake account creation, requires a tailored strategy for the most effective protection.

That’s the overarching reason why the prevention methods we list below are not effective: they might offer some protection for one endpoint, but they certainly don’t offer impenetrable protection for all endpoints and all touchpoints along your user journey. Let’s discuss each prevention method in more detail.

Traditional CAPTCHAs are no longer a match for cybercriminals.

Traditional CAPTCHAs used to work against bots, but they no longer do because the bots adapted and the CAPTCHAs did not (at least not fast enough).

Case in point: There are dozens of YouTube tutorials that teach viewers how to program a bot that can either work around or easily solve traditional CAPTCHAs. Solving more difficult CAPTCHAs can also be outsourced to CAPTCHA farms for very little money. At the same time, difficult CAPTCHAs introduce substantial friction to the user experience.

Some CAPTCHAs are harder to solve than others.

Any human user who struggles to solve a CAPTCHA can become a false positive, in which case a traditional CAPTCHA will block the user entirely. And few things frustrate users more than being blocked from moving through your platform because they couldn’t solve a tedious bot detector test.

The only way to efficiently leverage a CAPTCHA for bot detection and ATO prevention is to integrate it with a comprehensive bot and online fraud management solution.

WAFs don’t work for sophisticated bots.

Web application firewalls (WAFs) only protect web applications against the most obvious software vulnerabilities—like SQL injections, cross-site scripting, or session hijacking. WAFs are not designed for detecting real-time, automated threats, and consequently don’t protect you well against account takeover fraud.

This is particularly true because today’s sophisticated bots don’t look like bots. They mimic human behavior. They click around, stay on a page for a while, seemingly move a mouse cursor, and so on. In addition, bots can easily cycle through hundreds or even thousands of IPs to stay undetected. WAFs usually rely on IP-based rules that are no match for these bots.

MFA is security that many users won’t bother with.

Multi-factor authentication (MFA) is one of the better prevention methods against account takeover attacks. Hackers prefer easy targets, and MFA adds an extra step that they’d rather not take. Unfortunately, it’s usually up to the user to decide whether or not to activate MFA, and it’s hard to convince the user to do so for every website they have an account on.

In addition, not all forms of MFA are equally effective. SMS-based two-factor authentication, for example, is not nearly as good a protection as an authentication app. SMS is not a secure channel and attackers can easily intercept or redirect SMS messages. Apps such as Google Authenticator or Authy are the more secure form of MFA.

What to Do If Your Business is Victimized by ATO

If your business is facing an ongoing ATO attack, you want to react quickly and decisively:

  1. Use your WAF and rate limiting capabilities to slow down the most simple bots. Today’s sophisticated bots will still get through, but this relieves the pressure that basic bots put on your server resources.
  2. If needed, temporarily lock or prevent changes to user accounts. This will help keep user accounts safe, even if attackers are able to gain access during the attack.
  3. Implement a powerful ATO protection software like Account Protect. This is the key to stopping all ATO attacks. Look for a tool that is effective, accurate, and can easily be deployed on your architecture.

For example: BlaBlaCar is the largest community of carpoolers in the world. Their platform has over 70 million users in 22 different countries. The BlaBlaCar team noticed unusual spikes in traffic load on their website and realized that bots were trying to brute-force their way into their users’ accounts.

blablacar bot protection

So BlaBlaCar implemented DataDome’s bot protection solution. Because the company’s revenue comes primarily from their website, they closely monitored its performance and stability after installing DataDome. In addition, BlaBlaCar wanted to retain the privacy of their users and make sure DataDome did not receive personal information while monitoring.

Thankfully, DataDome had a negligible impact on BlaBlaCar’s website performance and received no personal user information. The solution now blocks all malicious bots targeting BlaBlaCar’s apps and websites. Their user accounts are now fully protected from account takeover fraud, and their technical team no longer needs to intervene on a daily basis.

Key Takeaways

Even if your business has not been subject to an account takeover attack so far, ATOs are a digital threat on the rise that can severely harm your company if you fail to mitigate your risk. Installing an account takeover protection solution such as DataDome will protect you against this threat without adding friction to the user experience.

Setting up DataDome is insurance. You can live without it, but you need to know that if you do, you are putting yourself at risk.

– Francis Nappez, CTO of BlaBlaCar

Try DataDome’s Bot Protection and Account Protect for free and gain a real-time overview and detailed visibility of all automated threats, including advanced protection against ATO and account fraud. No credit card required. Create a free account here (and don’t worry, it’s well-protected).