With how more people are doing online shopping and online payment nowadays, a new problem in cybersecurity called account takeover (ATO) fraud also arises.
Website users and eCommerce website shoppers are now mostly required to log in to their accounts with username and password pairs to perform their activities. The thing is, when cyber criminals gained access to these accounts, they can use the account to perform more dangerous fraud and attacks.
This is why account takeover fraud is a very serious cybersecurity threat for both the user and the website. In this guide, we will discuss all you need to know about ATO frauds and especially how to prevent them.
What Is Account Takeover Fraud?
First, we have to differentiate between the initial account takeover (ATO) attack and ATO fraud.
Cybercriminals use account takeover attacks to obtain user’s credentials to access the account, while account takeover frauds are frauds and attacks performed using this stolen account.
So, to execute an account takeover fraud, the attacker must first possess a legitimate user account, typically on an eCommerce site.
For example, when an attacker makes a purchase using a user account with valid credit card details within it, then it is considered an account takeover fraud.
The damages related to the account takeover fraud, however, can be long-lasting and very dangerous because many if not most eCommerce users use the same login credentials (or with minor variations) across a broad range of websites, especially eCommerce websites.
So, when one account is compromised, a sophisticated hacker can perform credential stuffing attacks on other eCommerce sites and gain even more details about the user. For example, the attacker may obtain a credit card number from the first account, VCC from the second account, billing address from the third account, and so on.
This is why it can be very difficult to reverse the damages of account takeover fraud. Ensure you have a merchant fraud prevention solution in place to protect your website and business.
Account Takeover Attacks: Common Methods
As discussed, an account takeover fraud can only happen after the attacker has gained access to legitimate user accounts. So, the best way to prevent ATO fraud is to prevent the ATO attack in the first place.
Hackers can use various ATO attack methods to figure out user credentials, but here are some common methods cybercriminals use:
- Credential Cracking
Also known as brute force attacks, where the attacker attempts to guess the password by attempting all possible combinations (brute-forcing) of the password. For example, if it’s a 4-digit numerical PIN, the attacker will attempt 0000, then 0001, up to 9999, or until the right combination has been found.
There are various modifications to this technique, but the principle remains the same. Cybercriminals typically use bots to perform brute force attacks so they can attempt hundreds if not thousands of multiple login attempts per minute.
- Credential Stuffing
In this type of ATO attack, the attacker already possesses a valid credential of a user (typically stolen) and attempts to use the credential to log in to other websites. For example, the attacker may possess a user’s Gmail credential and attempts to use the same credential on Facebook.
As we can see, this attack exploits a very common mistake performed by so many internet users: using the same passwords for all our accounts. This is also why the success rate of credential stuffing attacks is fairly high.
- Social Engineering
The attacker may spend a significant amount of time researching a potential victim like lurking the victim’s social media posts and conversations to find useful information that can be used in guessing the victim’s credentials like birth date, parent’s name, physical address, and so on.
- Physical theft
The criminal can steal items like your wallet, credit card, or intercept your mail and then use the information within to access or even create new accounts.
Impersonating someone you know and/or a legitimate organization to trick you into giving up your credentials. For example, the attacker may impersonate your HR manager (with a seemingly real email address) and ask for the password for your company email.
The attacker can use various tools to intercept public Wi-Fi networks to gain various information including usernames and passwords entered by the public Wi-Fi users.
Preventing Account Takeover Frauds
Now that we’ve discussed common ways attackers use to perform account takeover attacks, here are some important methods you can use to prevent these attacks:
- Use Strong and Unique Password
A basic but very important best practice is to use a complex and long enough password that is also unique. That is, you should only use a password once for a single account.
As a general rule of thumb, your password should be 10 characters long and include a combination of uppercase, lowercase, symbols, and numbers in it. Don’t forget that nowadays you can use various password manager tools to help generate and ‘remember’ complex passwords.
- Anti-Bot Solution
Since most account takeover attempts, especially credential cracking and credential stuffing attacks, are made possible with malicious bots, we can significantly protect our account by having a sufficient bot management solution in place.
A credential stuffing prevention solution like DataDome can use behavioral analysis to detect and manage account takeover bots in real-time and can be a very effective solution in protecting your user account.
- Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) an additional layer of security aside from your usual password. Essentially MFA is asking for a second factor besides your password before you can access your account, which can be:
- Something you are: face ID, iris/retina scan, fingerprint, etc.
- Something you know: a second password, PIN, answer to a security question, etc.
- Something you have: a physical dongle, etc.
The idea of implementing MFA is that even in cases where the hackers have successfully guessed your password (i.e. via brute force attack), they still won’t be able to access your account and your data. Especially effective against credential stuffing attacks.
The best way to stop account takeover frauds is to prevent these hackers from gaining access to your account in the first place, and the tips we’ve shared above are the most effective ones in protecting your credentials from cybercriminals.
With most account takeover attacks using malicious bots in their attempts, using DataDome to effectively detect and manage these bot activities can be the most effective solution in preventing account takeover frauds.