Account Takeover Prevention: How to Prevent ATO & Mitigate Fraud

Account Takeover Prevention is Critical, Here’s Why

Account takeover (ATO) is a form of online identity theft in which attackers steal account credentials or personally identifiable information (PII), such as social security numbers, addresses, and banking details, and use them for fraudulent purposes (scams, reputation damage, resale to a third party, etc.). In an account takeover attack, the perpetrator often uses bad bots to gain access to a real person’s online account, often an e-commerce account that includes financial details.

When an ATO attack is “successful”, the attacker can immediately alter the victim’s shipping address to make fraudulent transactions on the e-commerce site, potentially creating excessive bills before the victim even notices their account has been compromised. Account takeover attacks can be very dangerous to online businesses and their customers, and the damages can be both immediate and long lasting—depending on how long it takes the business or account holder to notice.

In an effort to spare your business and your customers a laundry list of ATO damages, this article outlines different techniques that can be used for account takeover prevention.

The Damages: What happens to your business during an account takeover?

Attackers hijack user accounts via account takeover to execute all sorts of fraudulent activities, typically changing the account password (rendering it inaccessible by the owner), as well as the shipping address to make fraudulent purchases and/or withdraw money from the account if possible.

For an e-commerce site, there can be various negative impacts from account takeovers (especially repeated ATO attacks), such as:

  • Increased Transaction Disputes
  • Increased Chargebacks
  • High Customer Churn
  • Loss of Trust in Your Business
  • Damage to Your Brand’s Reputation

One of the worst things about ATO attacks is that the owner of the website is usually unable to detect the presence of an attack without a customer claim (or proper bot and online fraud protection).

Chargebacks are a huge cost for e-commerce websites, especially those using a third-party payment gateway. When your chargeback rate is high (meaning you process a lot of chargebacks compared to your total number of sales), your payment gateway company might raise your transaction fees, which can translate to very significant losses. As a result, credit card chargeback prevention is vital.

Ultimately, account takeover attacks can be very damaging—not only to your brand image and customer trust in the long term, but also more directly to your bottom line.

Attack Techniques: How does account takeover happen?

Perpetrators may use various techniques to attempt an account takeover. Here are some common ones:

Phishing

The attacker tricks potential victims into revealing their information voluntarily, using a fake login page, emails pretending to be someone the victim knows, etc. Phishing attacks can be very deceptive and specifically targeted (spear phishing).

Credential Stuffing

Using stolen or leaked credentials from one website or platform to try and access various other website accounts (in hopes the victim has reused their login credentials) is credential stuffing, one of the most common ways to initiate ATO.

Brute Force Bot Attack

The attacker deploys bad bots to perform a rapid, high-volume brute force attack on your website or app. Sophisticated bots can take over a significant number of accounts before getting caught, and they can rotate between thousands or millions of IP addresses. It is important to prevent brute force attacks as much as possible.

Account Takeover Prevention Methods: How can you combat ATO?

1. Check for Compromised Credentials

A key step in account takeover prevention and e-commerce fraud prevention is to compare new user credentials against a database of breached credentials, so you know when a user is signing up with credentials that are already known to be compromised. We recommend checking your existing user database regularly too, so you can catch when existing users’ information becomes compromised and notify those users immediately. Be proactive: alert users and new sign-ups as soon as their credentials are found in a breach.

2. Set Rate Limits on Login Attempts

You can set rate limits on login attempts per username, per device, and per IP address, tuned to your users’ usual behavior, to help prevent account takeover. You can also incorporate limits on the use of proxies, VPNs, and other factors.
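A sliding-window login rate limiter keyed on all three dimensions the paragraph names (username, device, IP), added here as an illustration rather than code from the article or from DataDome. The thresholds and the clock injection are assumptions for the example; they show why the three keys are needed together: a brute-force attack on one account trips the per-user limit, while a credential-stuffing run that tries each username only once is caught by the per-IP limit.

```python
import time
from collections import defaultdict, deque

# Per-key limits as (max failed attempts, window in seconds).
# Assumed values chosen for the example; tune them to your users' real behavior.
LIMITS = {
    "user": (5, 300),      # 5 failures per username in 5 minutes
    "device": (20, 600),   # 20 failures per device fingerprint in 10 minutes
    "ip": (50, 600),       # 50 failures per source IP in 10 minutes
}


class LoginRateLimiter:
    """Sliding-window counter of failed logins, keyed by username, device
    fingerprint and source IP. A login is refused if any key is over its limit."""

    def __init__(self, limits=LIMITS, clock=time.time):
        self.limits = limits
        self.clock = clock  # injectable so the window can be tested offline
        self.failures = defaultdict(deque)  # (kind, key) -> failure timestamps

    def _prune(self, kind, key, now):
        """Drop timestamps that have fallen out of this key's window."""
        q = self.failures[(kind, key)]
        window = self.limits[kind][1]
        while q and now - q[0] >= window:
            q.popleft()
        return q

    def blocked_by(self, username, device_id, ip):
        """Return the kinds of key currently over their limit (empty list = allow)."""
        now = self.clock()
        over = []
        for kind, key in (("user", username), ("device", device_id), ("ip", ip)):
            if len(self._prune(kind, key, now)) >= self.limits[kind][0]:
                over.append(kind)
        return over

    def record_failure(self, username, device_id, ip):
        """Count one failed attempt against all three keys."""
        now = self.clock()
        for kind, key in (("user", username), ("device", device_id), ("ip", ip)):
            self.failures[(kind, key)].append(now)

    def record_success(self, username):
        """Reset the per-user counter; device and IP history is kept on purpose."""
        self.failures.pop(("user", username), None)
```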

3. Send Notifications of Account Changes

Always send your users a notification of any change made to their account. That way, they can notice right away if their account is compromised, ensuring that even if an attacker is able to overcome your authentication measures, you are helping to minimize risk and even prevent further damage.

4. Prevent Account Takeover With ATO Prevention Software

Because ATO attacks give themselves away through a myriad of small hints (such as login attempts from different devices and multiple failed login attempts), the easiest way to prevent them is to use specialized account fraud protection software. Look for cybersecurity software that reviews all of the small signals in each request to your website, app, or API to root out suspicious behavior on autopilot. DataDome Account Protect uses multiple layers of machine learning to analyze requests and detect malicious user behavior within milliseconds.

Account Takeover Detection: How can you detect ATO attacks?

Here are some important key signs you can use to detect ATO attempts on your website:

IP Addresses From Unusual Countries

A sudden rise in logins from IP addresses in one or more countries outside the usual access locations can be a good indicator of account takeover. The perpetrator might not know the account owner’s original location and so cannot mimic the right IP address. Pay extra attention when an account changes access location shortly before or after changing its credentials.

Several Accounts Changing to Shared Details

When an ATO attacker successfully claims an account, they typically change details like the email address and password so the original owner can’t access their account anymore. When the same new detail (e.g. the same email address) is applied across more than one account, it is a strong sign that an ATO attack is under way on your site.

Unknown Device Models

Cybercriminals often hide what device they are using through device spoofing to make it harder for you to detect the same device attempting to access multiple accounts. Your system will detect spoofed devices as “unknown”. If you have a higher ratio of unknown devices than usual, it’s a common sign of an incoming ATO attack.

Multiple Accounts Accessed by the Same Device

Sometimes, attackers do not spoof or mask their device between logging into different accounts. Therefore, if they steal and access more than one account, they will all be linked to one device. The catch is, sometimes devices are legitimately shared by authentic users with their friends or family members, so you should always double-check other factors to confirm if it is an ATO attack.
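The four signals above, run over a constructed batch of login and profile-change events. This is an added example, not DataDome's detection logic; the event format, the baseline of known countries and the rule that an account must trip at least two independent signals before it is reported (so a legitimately shared family device is not enough on its own) are all assumptions for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events, not from the article.
LOGINS = [  # (account, device_id, device_model, country)
    ("alice", "d-a1", "iPhone14", "FR"),
    ("alice", "d-x9", "unknown", "VN"),   # new country and a spoofed ("unknown") device
    ("bob", "d-b1", "Pixel7", "DE"),
    ("bob", "d-x9", "unknown", "VN"),
    ("carol", "d-x9", "unknown", "VN"),   # d-x9 is now linked to three accounts
    ("dave", "d-d1", "MacBook", "US"),
]
CHANGES = [  # (account, field, new_value): profile changes made after login
    ("alice", "email", "attacker@example.net"),
    ("bob", "email", "attacker@example.net"),
    ("carol", "email", "attacker@example.net"),
    ("dave", "email", "dave.new@example.org"),   # one account changing its own email is normal
]
# Countries each account has used before: the baseline for "unusual"
KNOWN_COUNTRIES = {"alice": {"FR"}, "bob": {"DE"}, "carol": {"GB"}, "dave": {"US"}}

def unusual_country_logins(logins, known):
    """Accounts that logged in from a country absent from their own history."""
    return sorted({acct for acct, _, _, country in logins if country not in known.get(acct, set())})

def shared_detail_changes(changes, min_accounts=2):
    """(field, value) pairs applied to several accounts, e.g. one attacker-controlled email."""
    by_value = defaultdict(set)
    for acct, field, value in changes:
        by_value[(field, value)].add(acct)
    return {k: sorted(v) for k, v in by_value.items() if len(v) >= min_accounts}

def unknown_device_ratio(logins):
    """Share of logins whose device model could not be identified (spoofed)."""
    return sum(1 for _, _, model, _ in logins if model == "unknown") / len(logins)

def accounts_per_device(logins, min_accounts=2):
    """Devices that accessed more than one account."""
    by_device = defaultdict(set)
    for acct, device, _, _ in logins:
        by_device[device].add(acct)
    return {d: sorted(a) for d, a in by_device.items() if len(a) >= min_accounts}

def ato_suspects(logins, changes, known):
    """Accounts hit by at least two independent signals; one signal alone is only a hint."""
    hits = Counter(unusual_country_logins(logins, known))
    for accts in shared_detail_changes(changes).values():
        hits.update(accts)
    for accts in accounts_per_device(logins).values():
        hits.update(accts)
    return sorted(acct for acct, n in hits.items() if n >= 2)
```

Compare `unknown_device_ratio` against your own historical baseline rather than a fixed number; the article's point is the rise relative to normal, not an absolute value.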

Steps to Mitigate the Risks of ATO

Improve your ATO protection by encouraging your users (including customers and employees) to use strong, secure passwords—and not to use previously compromised credentials. When it comes to passwords, longer is stronger (but longer passwords are also harder for users to remember). Require users to incorporate a mix of lowercase and uppercase letters, special characters, numbers, and symbols, and remind them not to use personal information like name or birthday.

Here are some solid corporate account takeover prevention measures for your business to consider:

Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)

You can incorporate 2FA or MFA on your website to strengthen your account takeover protection by asking users to provide a second authentication factor besides their password. Best practices include using one or more of the following:

  1. Information they know (that is not common/public knowledge), such as answers to security questions.
  2. A proprietary object they possess, such as a dongle, token, or card you have provided that can be recognized by your system.
  3. A unique physical characteristic, such as their fingerprint, face ID, or iris scan.

You don’t need to ask for 2FA every time. You can make it adaptive according to the perceived risk (risk-based authentication). For example, you can ask for 2FA only after a user attempts to access the account with a different login device or from a different location than usual.
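A small risk-based step-up decision of the kind described above, added here as an example and not taken from the article or from DataDome. The signals are the ones the page lists (a device or location the user has not used before, plus proxy/VPN use and recent failed logins); the weights, the threshold and the idea of enrolling the new device and country once MFA succeeds are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the site already knows about a user (constructed for the example)."""
    devices: set = field(default_factory=set)    # device fingerprints seen before
    countries: set = field(default_factory=set)  # countries seen before
    recent_failures: int = 0                     # failed logins in the last hour


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    via_proxy: bool = False   # proxy/VPN use, one of the extra factors the article mentions


def risk_score(profile, attempt):
    """Add an assumed weight for each risky signal; returns the score and the reasons."""
    score, reasons = 0, []
    if attempt.device_id not in profile.devices:
        score += 40; reasons.append("new device")
    if attempt.country not in profile.countries:
        score += 40; reasons.append("new country")
    if attempt.via_proxy:
        score += 20; reasons.append("proxy/VPN")
    if profile.recent_failures >= 3:
        score += 30; reasons.append("recent failed logins")
    return score, reasons


def decide(profile, attempt, threshold=40):
    """'allow' when the password alone is enough, 'mfa' when a second factor is required.
    A weak signal on its own (e.g. just a VPN) stays below the threshold."""
    score, reasons = risk_score(profile, attempt)
    return ("mfa" if score >= threshold else "allow"), reasons


def mfa_passed(profile, attempt):
    """After a successful second factor, remember the device and country as trusted."""
    profile.devices.add(attempt.device_id)
    profile.countries.add(attempt.country)
    profile.recent_failures = 0
```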

Tracking System

When an account has been compromised, you need a measure in place to prevent further attacks. By sandboxing a suspicious account effectively, you can track all activities related to the account and block it if necessary.

Web Application Firewall (WAF)

Although not specifically designed for account takeover detection, WAFs can be configured to help identify and block account takeover attacks via targeted policies. WAFs might help identify signs of brute force attacks (commonly used for ATO) and other bad bot activities.

AI-Based Detection With Threat Expert Oversight

AI-based account takeover protection and detection software is the best way to identify and stop sophisticated ATO attempts in real time, whether they’re perpetrated by human fraudsters or bots. Advanced AI and machine learning (ML)-based technologies are necessary for behavior-based detection that will identify complex ATO attempts and effectively monitor your website, mobile app, and/or API for suspicious activity.

Conclusion

Detecting account takeover attempts and effectively preventing them is very important for any website and company that provides credential-protected accounts. When your website is compromised, it can lead to a loss of consumer trust and permanent damage to your brand’s reputation.

From large enterprise websites and organizations to smaller companies—no online business or account holder is safe from being targeted with ATO. It is business-critical that you proactively put account takeover prevention, detection, and protection in place today (if not sooner). To see how your business could benefit from ATO protection, book an Account Protect demo today.

FAQ

1. What is account takeover protection?

Account takeover protection is any software specifically designed to locate account takeover attempts and prevent them from succeeding, thus protecting users from having their accounts stolen. Account takeover protections tend to focus on identifying suspicious user behavior through a variety of signals like geolocation, time stamps, session history, and even usernames and email addresses.

2. What causes account takeover?

Account takeover happens when a malicious actor gains access to user account credentials. When they have the full set of credentials, they can use credential stuffing to try them on several websites. With partial credentials, they can use credential cracking to test possible answers for the missing piece(s).

3. What are some common indicators of account takeover?

Look for a sudden rise of IP addresses from one or more unusual countries, several accounts changing to shared details, unknown device models, and multiple accounts accessed by the same device. In e-commerce, you might see an increased rate of chargebacks as users with stolen accounts notice fraudulent transactions.

4. What’s the difference between identity theft and account takeover?

ATO is a form of online identity theft, and both activities can be used for fraudulent purposes, but there are some differences in account takeover vs. identity theft. For instance, instead of attempting to steal someone’s identity (social security numbers, addresses, banking details) physically or on paper, the objective of ATO is to steal access to another person’s online account(s) for fraudulent purposes, so the “identity” being stolen in ATO is a person’s online persona on a specific account.

Kira Lempereur
Sr. Technical Writer
Kira Lempereur is the Sr Technical Writer for DataDome and the leader of the company’s LGBTQ+ pod. She collaborates with the threat research, marketing, and product teams to build content for thought leadership in bot and online fraud mitigation. Kira has more than 6 years of experience in the cybersecurity industry, from enterprise antivirus software to bot mitigation.