What is Account Takeover?
Account takeover (often abbreviated ATO) describes the scenario where a cybercriminal or organization uses stolen or compromised credentials to gain fraudulent access to an account, and then exploits the privileges granted or associated to said account. All manner of account types may be viable targets, including but not limited to email, banking, online shopping and even corporate or employee accounts. A classic example of an ATO would be a hacker that gains access to someone’s online bank account, and then initiates a wire transfer to steal the funds therein.
Account Takeover Definition
Account takeover is a widespread form of cyber attack in which an individual hacker or group uses credentials they have either purchased on the black market, learnt through social engineering, or discovered after repeated attempts (also known as brute force) to gain unauthorized access to someone’s personal online accounts. These accounts can include anything that is generally secured by login credentials, such as emails, online banking portals, social media profiles, travel websites, loan providers, and countless more. Furthermore, online accounts more often than not have sensitive information, such as credit card numbers or medical information, as well as special privileges assigned to them, like the ability to make purchases or transfer funds. The goal of an account takeover, no matter how it is perpetrated, is for the attacker to pose as the authentic account holder and use that deception or pretense to commit theft, fraud, or other acts of misconduct without raising red flags in the process. Account takeover attacks have been on the rise in recent years, and they continue to be one of the most potent and problematic types of cyber crime, making it vital for every individual and organization to take account takeover prevention seriously.
Account Takeover FAQs
What Is Account Takeover?
People are familiar with the concept of identity theft by now, but many still wonder, “what does account takeover mean?” The simplest way to explain it is to examine the wording of the term itself. Account takeover is when a hacker – whether an individual or a cyber gang – literally “takes over” an online “account” and uses it for whatever nefarious purpose they desire. Upon gaining access to said account, hackers then have broad latitude to change, steal, authorize or manipulate information or take action associated with the account. In many instances, their goal is to quickly steal the largest amount of money possible, but account takeover attacks are not always immediately or entirely motivated by financial gain. The purpose of account takeover fraud can also be to learn information, surveillance, gain entry, or bypass security controls for the purposes of launching deferred but bigger and more sophisticated cyber attacks. In that way, account takeover attacks can be damaging in their own right, but they can also be a precursor or tools to facilitate attacks that are even more devastating. That fact, combined with escalating instances of account takeover fraud, makes securing account access extremely important for managing cyber risk.
How Does Account Takeover Work?
The first step in an account takeover attack is for the hacker to obtain the login credentials they will use as the target to takeover. There are many ways to do this, including using huge lists of credentials that can be purchased on the dark web or through the black market, launching bots or scripts that can endlessly test password/username combinations until a valid combination is discovered (also referred to as a brute force attack) or employ phishing attacks using various forms of social engineering and manipulation to trick victims into revealing their account credentials including the password. It generally does not require a great amount of time, money, or technical expertise for account takeover attacks to work.
The second step is to then use the stolen credentials to access and exploit the account. For accounts that only rely on single-factor authentication, meaning only a singular form of proof to authenticate users, it is generally sufficient to obtain the correct username and password in order to be presumed as the authorized user. Therefore, anyone who is able to present those credentials to the service provider will have full control over the account itself, whether that be the legitimate account holder or otherwise. Password-based service providers that utilize single-factor authentication have no effective way to distinguish between legitimate and stolen credentials – provided that the credentials are correct – and whoever possesses them is afforded access. Account takeover fraud leverages this weakness to “pose” as the legitimate user so that whatever actions are taken once authenticated, does not raise red flags or encounter additional resistance, making account takeover detection extremely difficult until after the damage has already been done.
What is Account Takeover Fraud?
Account takeover fraud is the term used to describe the activities (often illegal) that hackers engage in after successfully gaining entry to an account. Account takeover fraud can take many forms:
- Theft – By far the most common reason hackers use account takeover is to steal money. Being inside an account, cloaked under the guise of the authorized account holder, makes it extremely easy to steal large sums of money or other things of monetary value (e.g. make expensive purchases).
- Reconnaissance – Account takeovers are a way to surveil and steal the sensitive information inside of accounts, from addresses and phone numbers to credit card and account information. Hackers often use this initial reconnaissance to move laterally through a network in order to access other accounts or enable larger attacks in the future.
- Phishing – After completing an account takeover on someone’s email inbox or Facebook profile, for example, a hacker is able to send messages that appear to be coming from the authentic account holder. Phishing attempts that originate from legitimate accounts and known parties are far more likely to succeed at getting unsuspecting recipients to provide information, and escalate the scope of the original account takeover to include even more takeover potential targets.
- Credential Gathering – Sometimes the purpose of an account takeover is to simply identify the correct login credentials before selling those credentials to someone else, who will presumably use those credentials to launch more aggressive account takeovers of their own.
Account Takeover vs Identity Theft
The terms identity theft and account takeover are often used interchangeably. And while they are closely related, they are not exactly alike. Think of account takeover as a type of identity theft. The term identity theft can apply to many scenarios where one person claims the identity of another, digital or otherwise. Account takeover scenarios are instances of identity theft involving stolen login credentials, fraudulent access to online accounts, and unauthorized activities conducted through digital channels. Breaking into accounts is one of the most common ways to impersonate an identity – but it’s not the only way, so it is therefore important to draw the distinction between identity theft and account takeover. For legal purposes, most account takeover attacks are prosecuted under identity theft statutes.
Account Takeover Examples
The account takeover examples below illustrate some of the most common ways that hackers are able to steal login credentials, paired with various outcomes they could instigate once inside accounts:
- A bot uses a database of usernames purchased off the dark web or have been collected through social engineering, plus a dictionary of common passwords to break into people’s online stock brokerage accounts. If any of the combinations succeed, hackers will then have the ability to change the bank account information and transfer funds, or sell stocks as a precursor to the transferring of funds, and ultimately pocket the returns.
- A phishing email disguised to look like it came from an e-commerce website tricks someone into providing their login credentials. Pretending to be that person lets hackers charge items to the saved credit card and change the saved address where the items will be shipped to.
- A weak password helps an attacker or bot guess the login credentials to an account associated with government services like Medicare. The resulting account takeover leads to benefits being interrupted for the person who needs them.
How Does Account Takeover Happen?
Account takeover prevention isn’t possible without first understanding how account takeover itself happens in the first place. The examples outlined above (and the countless others not included) all share two fundamental features that explain why these attacks most likely happen and inform what account takeover solutions should look like.
First, most account takeover scenarios occur because people – in both their personal and professional lives – rely on weak authentication schemes, such as the simplest usernames and passwords they can think of. Within most organizations, usernames often follow a predictable naming convention, and to avoid complications, people everywhere pick short, simple passwords that are easy to remember but also easy to guess for the same reason. Using the same credentials across multiple accounts is also common, so one successful account takeover can lead to a sting of many others. And even if people used stronger, less-predictable credentials, hackers could still obtain them from someone willing to figure them out or even brute force it themselves (since it ultimately only takes time and persistence on both counts). In today’s security climate, usernames and passwords overall provide little protection when it comes to access control or account takeover prevention. The question therefore, is less about how to prevent account takeover by making passwords more secure and more about how to remove passwords from the equation entirely, in favor of stronger mechanisms that are less susceptible to account takeover.
This leads to the second issue causing account takeover to happen, which is the still common practice of using single-factor authentication. Unfortunately, the majority of online service providers still ask for nothing more than a username and password for authentication and access. Which, for reasons explored above, makes access easy to steal and account takeover hard to detect until it’s too late. Hackers know this and search for accounts where all they need to get in is the right credentials. Alternatively, they will actively avoid accounts that require multi-factor authentication – such as credentials plus a smart card or biometric verification – because they are much harder to hit with account takeover fraud.
How to Detect Account Takeover
Account takeover fraud detection is notoriously difficult, which is one of the reasons that hackers gravitate towards this type of attack. The goal of any effort at account takeover detection will be to see the fraudulent access as soon as it occurs. Barring that, account takeover solutions should strive to prevent fraudulent activity while it’s in progress, particularly as it involves more sensitive access. As a last resort, victims of account takeover must be able to detect a problem after it has happened so they can take steps to remediate it. Here are some signs of account takeover to look for:
- Unusual and questionable transactions. At businesses where these problems might occur in the natural course of things, an uptick in incidences could be a sign of account takeover fraud.
- Notifications about failed login attempts or recent password changes suggest someone has tried and failed or tried and succeeded to get into the account.
- Changes to account details like the bank account information on file or the saved shipping address are clear indicators that someone has been tampering with the account.
- A sudden drop in the number of reward points or loyalty perks available could be because someone else has claimed them.
- Any transaction, whether a purchase, sale, sent message or transferring of funds, that the account holder did not authorize requires further investigation as possible account takeover fraud.
How to Prevent Account Takeover?
Account takeover prevention and account takeover protection go hand in hand because the point of access is the battleground. Keep hackers out and their attacks will be futile. Allow them inside, however, and the only option is to detect, minimize, and mitigate problems that are otherwise inevitable. Therefore, the most important and effective strategies for how to prevent account takeover apply to the point of access and include:
- Limited Logins – Set a cap on the number of failed logins allowed before access to an account is locked. This prevents bots from making repeated attempts.
- Device Tracking – Track where login attempts are coming from and on what devices, then set parameters to permit access from known locations and devices and deny access to everywhere and everything else.
- IP Blocking – Block access to IP addresses known to be associated with bots.
- Sandboxing – Send suspicious access requests to a sandbox so they can be reviewed further and, if malicious, negative impacts are segregated from the rest of the IT environment.
- Web Application Firewall (WAF) – Some WAFs have the ability to identify account takeover attempts on the fly, especially brute force attempts, and build account takeover protection into the security stack.
- Account Takeover Software – A few vendors offer an account takeover solution in the form of software that can monitor for suspicious activity, notify account holders, and automate aspects of account takeover prevention and remediation.
Does Yubico Enable Account Takeover Prevention?
Multi-factor authentication – i.e. requiring two or more different forms of authentication to gain access – is considered the gold standard of account takeover prevention and the foundation of phishing-resistance. However, it’s certainly not a panacea, and there’s increasing evidence to suggest it’s not working as well as it used to. That’s because hackers have learned how to steal the first authentication factor (login credentials) and also compromise the second authentication factor in some cases (for example, SIM swapping if an SMS code is being used). When that second factor is sent to someone’s cell phone or their email, hackers have ways to steal or intercept that data and continue their account takeover unabated. Studies have shown that multi-factor authentication that relies on codes, PINs, or passwords (i.e. something known) for either or both factors is still ultimately vulnerable to account takeover.
That’s why Yubico takes a different approach entirely. Hackers may be able to steal, guess, or buy digital information, but it’s much harder to also gain possession of a physical item that only the account holder has. That’s where our signature product, the YubiKey, comes in.
It grants someone access to accounts, apps, data, or anything else requiring restricted entry based on whether the YubiKey is presented during authentication. Only the authorized party would have the associated YubiKey, so only a device with that particular YubiKey will be authenticated, and no other. It can serve as part of a broader multi-factor authentication strategy – like the ones being implemented and optimized throughout the public and private sectors – without the cost, complication, or technical requirements of other alternatives. And not only does it shut down account takeover, it opens the door to passwordless access as well. The YubiKey achieves the rare feat of making access easier and more secure at the same time.
Find out more about how Yubico provides Account Takeover prevention here.