    What is Account Takeover?

    Account takeover (often abbreviated ATO) describes the scenario where a cybercriminal or organization uses stolen or compromised credentials to gain fraudulent access to an account, and then exploits the privileges granted to or associated with that account. All manner of account types may be viable targets, including but not limited to email, banking, online shopping and even corporate or employee accounts. A classic example of an ATO would be a hacker who gains access to someone’s online bank account and then initiates a wire transfer to steal the funds therein.

    Account Takeover Definition

    Account takeover is a widespread form of cyber attack in which an individual hacker or group uses credentials they have either purchased on the black market, learnt through social engineering, or discovered after repeated guessing attempts (also known as brute force) to gain unauthorized access to someone’s personal online accounts. These accounts can include anything that is generally secured by login credentials, such as email, online banking portals, social media profiles, travel websites, loan providers, and countless more. Furthermore, online accounts more often than not hold sensitive information, such as credit card numbers or medical information, as well as special privileges assigned to them, like the ability to make purchases or transfer funds. The goal of an account takeover, no matter how it is perpetrated, is for the attacker to pose as the authentic account holder and use that deception or pretense to commit theft, fraud, or other acts of misconduct without raising red flags in the process. Account takeover attacks have been on the rise in recent years, and they continue to be one of the most potent and problematic types of cyber crime, making it vital for every individual and organization to take account takeover prevention seriously.

    Account Takeover FAQs

    What Is Account Takeover?

    People are familiar with the concept of identity theft by now, but many still wonder, “what does account takeover mean?” The simplest way to explain it is to examine the wording of the term itself. Account takeover is when a hacker – whether an individual or a cyber gang – literally “takes over” an online “account” and uses it for whatever nefarious purpose they desire. Upon gaining access to the account, hackers then have broad latitude to change, steal, authorize or manipulate information, or to take any action associated with the account. In many instances, their goal is to quickly steal the largest amount of money possible, but account takeover attacks are not always immediately or entirely motivated by financial gain. The purpose of account takeover fraud can also be to gather information, conduct surveillance, gain entry, or bypass security controls in order to launch deferred but bigger and more sophisticated cyber attacks. In that way, account takeover attacks can be damaging in their own right, but they can also be a precursor to, or a tool for, attacks that are even more devastating. That fact, combined with escalating instances of account takeover fraud, makes securing account access extremely important for managing cyber risk.

    How Does Account Takeover Work?

    The first step in an account takeover attack is for the hacker to obtain the login credentials of the account they intend to take over. There are many ways to do this, including using huge lists of credentials that can be purchased on the dark web or through the black market, launching bots or scripts that endlessly test username/password combinations until a valid combination is discovered (also referred to as a brute force attack), or employing phishing attacks that use various forms of social engineering and manipulation to trick victims into revealing their account credentials, including the password. It generally does not require a great amount of time, money, or technical expertise for account takeover attacks to work.

    The second step is to use the stolen credentials to access and exploit the account. For accounts that rely only on single-factor authentication, meaning a single form of proof to authenticate users, it is generally sufficient to present the correct username and password in order to be presumed the authorized user. Therefore, anyone who is able to present those credentials to the service provider will have full control over the account itself, whether that be the legitimate account holder or otherwise. Password-based service providers that utilize single-factor authentication have no effective way to distinguish between legitimate and stolen credentials – provided that the credentials are correct – and whoever possesses them is afforded access. Account takeover fraud leverages this weakness to “pose” as the legitimate user, so that whatever actions are taken once authenticated do not raise red flags or encounter additional resistance, making account takeover detection extremely difficult until after the damage has already been done.

    What is Account Takeover Fraud?

    Account takeover fraud is the term used to describe the activities (often illegal) that hackers engage in after successfully gaining entry to an account. Account takeover fraud can take many forms:

    • Theft – By far the most common reason hackers use account takeover is to steal money. Being inside an account, cloaked under the guise of the authorized account holder, makes it extremely easy to steal large sums of money or other things of monetary value (e.g. make expensive purchases).
    • Reconnaissance – Account takeovers are a way to surveil and steal the sensitive information inside of accounts, from addresses and phone numbers to credit card and account information. Hackers often use this initial reconnaissance to move laterally through a network in order to access other accounts or enable larger attacks in the future. 
    • Phishing – After completing an account takeover on someone’s email inbox or Facebook profile, for example, a hacker is able to send messages that appear to be coming from the authentic account holder. Phishing attempts that originate from legitimate accounts and known parties are far more likely to succeed at getting unsuspecting recipients to provide information, and they escalate the scope of the original account takeover to include even more potential takeover targets.
    • Credential Gathering – Sometimes the purpose of an account takeover is to simply identify the correct login credentials before selling those credentials to someone else, who will presumably use those credentials to launch more aggressive account takeovers of their own. 

    Account Takeover vs Identity Theft

    The terms identity theft and account takeover are often used interchangeably. And while they are closely related, they are not exactly alike. Think of account takeover as a type of identity theft. The term identity theft can apply to many scenarios where one person claims the identity of another, digital or otherwise. Account takeover scenarios are instances of identity theft involving stolen login credentials, fraudulent access to online accounts, and unauthorized activities conducted through digital channels. Breaking into accounts is one of the most common ways to impersonate an identity – but it’s not the only way, so it is therefore important to draw the distinction between identity theft and account takeover. For legal purposes, most account takeover attacks are prosecuted under identity theft statutes.

    Account Takeover Examples

    The account takeover examples below illustrate some of the most common ways that hackers are able to steal login credentials, paired with various outcomes they could instigate once inside accounts:

    • A bot uses a database of usernames purchased off the dark web or collected through social engineering, plus a dictionary of common passwords, to break into people’s online stock brokerage accounts. If any of the combinations succeed, hackers will then have the ability to change the linked bank account information and transfer funds, or sell stocks as a precursor to transferring funds, and ultimately pocket the returns.
    • A phishing email disguised to look like it came from an e-commerce website tricks someone into providing their login credentials. Pretending to be that person lets hackers charge items to the saved credit card and change the saved address where the items will be shipped to. 
    • A weak password helps an attacker or bot guess the login credentials to an account associated with government services like Medicare. The resulting account takeover leads to benefits being interrupted for the person who needs them.

    How Does Account Takeover Happen?

    Account takeover prevention isn’t possible without first understanding how account takeover happens. The examples outlined above (and the countless others not included) all share two fundamental features that explain why these attacks most likely happen and inform what account takeover solutions should look like.

    First, most account takeover scenarios occur because people – in both their personal and professional lives – rely on weak authentication schemes, such as the simplest usernames and passwords they can think of. Within most organizations, usernames often follow a predictable naming convention, and to avoid complications, people everywhere pick short, simple passwords that are easy to remember but, for the same reason, also easy to guess. Using the same credentials across multiple accounts is also common, so one successful account takeover can lead to a string of many others. And even if people used stronger, less predictable credentials, hackers could still obtain them from someone willing to figure them out, or even brute force them themselves (since on both counts it ultimately takes only time and persistence). In today’s security climate, usernames and passwords overall provide little protection when it comes to access control or account takeover prevention. The question, therefore, is less about how to prevent account takeover by making passwords more secure and more about how to remove passwords from the equation entirely, in favor of stronger mechanisms that are less susceptible to account takeover.

    This leads to the second issue causing account takeover to happen, which is the still common practice of using single-factor authentication. Unfortunately, the majority of online service providers still ask for nothing more than a username and password for authentication and access, which, for the reasons explored above, makes access easy to steal and account takeover hard to detect until it’s too late. Hackers know this and search for accounts where all they need to get in is the right credentials. Conversely, they will actively avoid accounts that require multi-factor authentication – such as credentials plus a smart card or biometric verification – because they are much harder to hit with account takeover fraud.

    How to Detect Account Takeover

    Account takeover fraud detection is notoriously difficult, which is one of the reasons that hackers gravitate towards this type of attack. The goal of any effort at account takeover detection will be to see the fraudulent access as soon as it occurs. Barring that, account takeover solutions should strive to prevent fraudulent activity while it’s in progress, particularly as it involves more sensitive access. As a last resort, victims of account takeover must be able to detect a problem after it has happened so they can take steps to remediate it. Here are some signs of account takeover to look for:

    • Unusual and questionable transactions. At businesses where such transactions might occur in the natural course of things, an uptick in incidents could be a sign of account takeover fraud.
    • Notifications about failed login attempts or recent password changes suggest someone has tried and failed or tried and succeeded to get into the account. 
    • Changes to account details like the bank account information on file or the saved shipping address are clear indicators that someone has been tampering with the account. 
    • A sudden drop in the number of reward points or loyalty perks available could be because someone else has claimed them. 
    • Any transaction, whether a purchase, sale, sent message or transfer of funds, that the account holder did not authorize requires further investigation as possible account takeover fraud.

    How to Prevent Account Takeover?

    Account takeover prevention and account takeover protection go hand in hand because the point of access is the battleground. Keep hackers out and their attacks will be futile. Allow them inside, however, and the only option is to detect, minimize, and mitigate problems that are otherwise inevitable. Therefore, the most important and effective strategies for how to prevent account takeover apply to the point of access and include:

    • Limited Logins – Set a cap on the number of failed logins allowed before access to an account is locked. This prevents bots from making repeated attempts.
    • Device Tracking – Track where login attempts are coming from and on what devices, then set parameters to permit access from known locations and devices and deny access to everywhere and everything else. 
    • IP Blocking – Block access to IP addresses known to be associated with bots. 
    • Sandboxing – Send suspicious access requests to a sandbox so they can be reviewed further and, if malicious, negative impacts are segregated from the rest of the IT environment. 
    • Web Application Firewall (WAF) – Some WAFs have the ability to identify account takeover attempts on the fly, especially brute force attempts, and build account takeover protection into the security stack. 
    • Account Takeover Software – A few vendors offer an account takeover solution in the form of software that can monitor for suspicious activity, notify account holders, and automate aspects of account takeover prevention and remediation.
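    The following is an added example, not Yubico’s code or a product, showing how the detection signs listed under “How to Detect Account Takeover” and the point-of-access controls listed above (limited logins, device tracking, IP blocking) can be applied to an authentication event stream. The log lines, device allow-list, block-list, thresholds and event names are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real data), one event per line:
# "<ISO time> <user> <event> <device> <ip>"
SAMPLE_LOG = """\
2023-05-01T10:00:00 alice login_failed dev-A 203.0.113.5
2023-05-01T10:00:04 alice login_failed dev-A 203.0.113.5
2023-05-01T10:00:09 alice login_failed dev-A 203.0.113.5
2023-05-01T10:00:13 alice login_success dev-A 203.0.113.5
2023-05-01T10:00:40 alice change_shipping_address dev-A 203.0.113.5
2023-05-01T11:00:00 bob login_success phone-1 198.51.100.7
2023-05-01T11:05:00 carol login_failed laptop-9 192.0.2.99
2023-05-01T12:00:00 dan login_failed dev-X 198.51.100.8
2023-05-01T12:00:02 dan login_failed dev-X 198.51.100.8
2023-05-01T12:00:04 dan login_failed dev-X 198.51.100.8
2023-05-01T12:00:06 dan login_failed dev-X 198.51.100.8
2023-05-01T12:00:08 dan login_failed dev-X 198.51.100.8
2023-05-01T12:00:10 dan login_success dev-X 198.51.100.8
"""

# Hypothetical device allow-list and IP block-list (device tracking, IP blocking).
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"phone-1"}, "carol": {"laptop-9"}}
BLOCKED_IPS = {"192.0.2.99"}
# Account-detail changes the glossary lists as takeover indicators.
SENSITIVE_EVENTS = {"change_password", "change_shipping_address", "change_bank_account"}


class AtoMonitor:
    """Applies a failed-login cap, device tracking and IP blocking at the point
    of access, and flags account changes made from an unfamiliar device."""

    def __init__(self, max_failed=5, window=timedelta(minutes=10),
                 known_devices=KNOWN_DEVICES, blocked_ips=BLOCKED_IPS):
        self.max_failed = max_failed
        self.window = window
        self.known_devices = known_devices
        self.blocked_ips = blocked_ips
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked = set()                 # users whose login has hit the cap
        self.unfamiliar = set()             # users whose session began on an unknown device

    def process(self, line):
        """Return the list of alerts or denials raised by one log line."""
        ts_text, user, event, device, ip = line.split()
        ts = datetime.fromisoformat(ts_text)
        if ip in self.blocked_ips:  # IP blocking: deny before anything else
            return [f"{user}: denied, {ip} is on the block list"]
        if event == "login_failed":
            if user in self.locked:
                return [f"{user}: denied, account locked after {self.max_failed} failures"]
            recent = self.failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= self.max_failed:  # limited logins: lock the account
                self.locked.add(user)
                return [f"{user}: locked, {len(recent)} failures within {self.window}"]
            return []
        if event == "login_success":
            if user in self.locked:
                return [f"{user}: denied, account locked after {self.max_failed} failures"]
            self.failures[user].clear()
            if device not in self.known_devices.get(user, set()):  # device tracking
                self.unfamiliar.add(user)
                return [f"{user}: login from unknown device {device} at {ip}"]
            return []
        if event in SENSITIVE_EVENTS and user in self.unfamiliar:
            return [f"{user}: {event} shortly after unfamiliar login, possible ATO"]
        return []


def scan(log=SAMPLE_LOG, **settings):
    """Run the monitor over a whole log and collect every alert in order."""
    monitor = AtoMonitor(**settings)
    alerts = []
    for line in log.strip().splitlines():
        alerts.extend(monitor.process(line))
    return alerts
```

    Calling scan() on the sample log reports alice’s unfamiliar-device login followed by an address change, carol’s blocked address, and dan’s lockout after five failures; a fixed lockout can also be abused to lock out legitimate users, so production deployments usually make it time-limited and pair it with a second factor rather than relying on it alone.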

    Does Yubico Enable Account Takeover Prevention?

    Multi-factor authentication – i.e. requiring two or more different forms of authentication to gain access – is considered the gold standard of account takeover prevention and the foundation of phishing-resistance. However, it’s certainly not a panacea, and there’s increasing evidence to suggest it’s not working as well as it used to. That’s because hackers have learned how to steal the first authentication factor (login credentials) and also compromise the second authentication factor in some cases (for example, SIM swapping if an SMS code is being used). When that second factor is sent to someone’s cell phone or their email, hackers have ways to steal or intercept that data and continue their account takeover unabated. Studies have shown that multi-factor authentication that relies on codes, PINs, or passwords (i.e. something known) for either or both factors is still ultimately vulnerable to account takeover. 

    That’s why Yubico takes a different approach entirely. Hackers may be able to steal, guess, or buy digital information, but it’s much harder to also gain possession of a physical item that only the account holder has. That’s where our signature product, the YubiKey, comes in. 

    It grants someone access to accounts, apps, data, or anything else requiring restricted entry based on whether the YubiKey is presented during authentication. Only the authorized party would have the associated YubiKey, so only a device with that particular YubiKey will be authenticated, and no other. It can serve as part of a broader multi-factor authentication strategy – like the ones being implemented and optimized throughout the public and private sectors – without the cost, complication, or technical requirements of other alternatives. And not only does it shut down account takeover, it opens the door to passwordless access as well. The YubiKey achieves the rare feat of making access easier and more secure at the same time. 

    Find out more about how Yubico provides Account Takeover prevention here.

