What Is Account Takeover (ATO)?
Account Takeover (ATO) Definition
When a hacker executes an account takeover (ATO), their goal is to take control of your account and use it to steal information or for their own personal profit. The end objective is typically to benefit the hacker or their organization.
However, account takeover fraud can also be used to execute a vandalism scheme designed to hurt the reputation or the operational capacity of a company. Fortunately, there are several things you can do as part of an account takeover protection plan. All organizations, regardless of size, should have tools and protocols in place for account takeover prevention.
But first, let's discuss the reasons why a fraudster would choose to launch an account takeover attack.
Why Do Fraudsters Take Over Accounts?
When a fraudster is able to gain access to someone’s account, they can effectively pretend to be that person. This means that anything the person does online using that account can be done by the hacker. The way a hacker uses your account can vary between exploiting it for financial benefit or using it as part of a longer-term campaign or strategic hack.
For example, if a hacker has access to your account, they can ask people for personal information, including login credentials, phone numbers, addresses, and even more. In some cases, if the hacker is able to contact close friends or relatives while pretending to be you, they can ask for information like social security numbers, retirement account information, and other financial account details.
Targets of Account Takeover (ATO) Attacks
Even though nearly anybody and nearly any organization can be the target of an account takeover attack, some types of accounts are more likely to come within a hacker's crosshairs. The following account types are among those most commonly targeted by attackers.
- Financial. When accessing financial accounts, an attacker can steal money or use the account to make purchases. This can be easily done with a bank or credit card account. Another option they have is to manipulate investment portfolios.
- Travel. A hacker can try to steal your frequent flyer miles.
- Retail. Hackers may try to take over online retail accounts so they can purchase products while pretending to be you and either send them to themselves or to someone else who can then sell them for profit.
- Government benefits. If a fraudster is able to take over an account that provides government benefits, such as Medicare, they can route the benefits to themselves or sell the account information to another hacker online.
- Retail loyalty rewards. Hackers can use your loyalty points rewards either for their own benefit or as an asset they can sell to other fraudsters online.
- Cellphone contracts. Some hackers will use your cell phone account credentials to make phone calls, send text messages, or use your data to avoid paying for it themselves.
How Does Account Takeover Happen?
A successful account takeover attack is typically executed in a few steps:
- Step 1: Compromise the user's credentials. People often use the same passwords for different accounts, as well as the same username, particularly if it is an email address. Hackers can use this to their advantage. Often, a hacking group will steal hundreds or thousands of passwords, and then another hacker can purchase that list and try those passwords to get into user accounts. In other situations, the attacker may get user credentials using a phishing attack.
- Step 2: Test whether the accounts work. Once an attacker has account credentials, the next step is to test them out to see if they work. This can be done using manual entry, where the attacker tries one username after the next, typing them in one by one. However, using a bot that automatically tests account credentials has become common. This allows a hacker to try many sets of credentials on a variety of accounts simultaneously.
- Step 3: Use or sell the credentials. As soon as a hacker knows that the credentials they have are legitimate, they will either use them for their own benefit or sell them to another hacker. Criminals on the black market are always ready to pay a decent price for a set of credentials, and the amount a hacker can make varies depending on the type of account.
- Step 4: Access higher-value accounts. Sometimes, once a hacker has verified the validity of the credentials, they use them to access a different account, one that has more value. An email account takeover, for example, can enable a hacker to request login credentials or change usernames and passwords as they wish.
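As an added example (not part of the original page), the detection logic a defender might run over authentication logs to spot the automated credential testing described in Step 2: one source IP failing logins against many distinct usernames in a short window, which looks nothing like a single user mistyping their own password. The log format and the sample lines are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not from any real system).
# Format assumed here: ISO timestamp, client IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=erin result=SUCCESS
2024-05-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2024-05-01T10:05:00Z ip=198.51.100.7 user=alice result=FAIL
2024-05-01T10:05:30Z ip=198.51.100.7 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse(log_text):
    """Turn raw lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_stuffing(events, window=timedelta(minutes=1), min_users=5):
    """Flag source IPs that fail logins against many *distinct* usernames within `window`.
    The spread across accounts is the signature of bot-driven credential testing, not of
    a legitimate user. Returns {ip: {"users": distinct_failed_users, "hits": [validated]}}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed_users = {u for _, u, r in in_window if r == "FAIL"}
            if len(failed_users) >= min_users:
                # Successes inside the same burst are the accounts the attacker just validated.
                hits = sorted({u for _, u, r in in_window if r == "SUCCESS"})
                alerts[ip] = {"users": len(failed_users), "hits": hits}
                break
    return alerts
```

The "hits" list is the actionable part: those are the accounts whose passwords were confirmed valid and should be reset and reviewed first.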
Account Takeover Techniques
Some of the most popular account takeover techniques include credential stuffing, phishing, malware, and mobile banking Trojans.
Credential stuffing is an automated, brute-force-style attack in which the hacker tries large lists of username and password pairs, typically obtained from earlier breaches, until one of them grants access to an account.
ATO attacks often begin with phishing, which is when a hacker tricks a user into revealing their account credentials. A variant of phishing is spear phishing, which involves a hacker focusing on a single individual as opposed to launching a general campaign against a group of people. A spear phishing email can be very convincing, particularly because the hacker may use personal details that they gleaned from social media or other accounts.
Several types of malware can be used to expose the credentials of a victim. For instance, keyloggers can keep track of what you type in as you enter your username and password. Also, there are Trojans that are designed to steal your personal data. After you download what appears to be an innocent file, a Trojan within it gets installed on your computer and then proceeds to steal your login information.
Mobile Banking Trojans
A mobile banking Trojan overlays a fake login screen on top of the legitimate banking app. When the user enters their account login information, the fake screen captures what they type. Further, the malware is able to alter the data exchanged during the transaction, allowing it to redirect funds to a fake account.
Man-in-the-Middle (MITM) Attacks
In a man-in-the-middle attack, a hacker positions themselves between a user and the service the user is sending information to. The hacker then intercepts whatever the user enters, collecting it for later use. MITM attacks are often executed on public networks with lax or insufficient security measures, which makes it easier for the hacker to join the same network that their victims are using.
Account Takeover (ATO) Prevention and Protection
- Education. One of the most effective ways to prevent account takeover and protect employees is to use an educational program that teaches them about account takeover techniques as well as how to protect themselves. This is particularly helpful because, in many cases, an account takeover attack relies on the hacker using credentials that have been exposed in a data breach. If employees understand the importance of changing their passwords, particularly after they have shown up in a data breach report, they can prevent many account takeover attacks from happening.
- Two-factor authentication (2FA). Whether attackers use hacking, phishing, or botnets, 2FA can often stop them before they even get started. It requires whoever logs in to an account to provide a second factor in addition to the password: something they know, something they physically have with them, or something they are, such as a fingerprint scan.
- Sandboxing. Sandboxing can be an effective way to stop several different kinds of malware because it traps the threat in a safe environment, preventing it from spreading. If a hacker is trying to use a worm, which spreads to several computers, sandboxing can prevent it from traveling laterally through your network.
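As an added example, not from the page or from Fortinet: the Education bullet above and Step 1 both turn on credentials that have already appeared in a breach, so a defender will want to check new or existing passwords against a breach corpus without ever transmitting the password. The k-anonymity range lookup below does that by sending only the first five characters of the password's SHA-1 hash; the breached-password list and the in-memory range index are constructed stand-ins for a real breach-check feed.

```python
import hashlib

# Constructed "breached password" corpus standing in for a breach-report feed.
# Assumption: the feed exposes SHA-1 hashes grouped by their first five hex characters,
# the k-anonymity range scheme public breach-check services use.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2024!"]

def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form range feeds are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Index hashes by 5-char prefix -> set of 35-char suffixes, as a range endpoint would."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index

def lookup_range(index, prefix):
    """Stand-in for the network call: everything the service knows under this prefix."""
    return index.get(prefix.upper(), set())

def is_breached(password, index):
    """True if the password is in the corpus. Only the 5-char prefix leaves the client;
    the suffix comparison happens locally, so neither the password nor its full hash
    is disclosed to the lookup service."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in lookup_range(index, prefix)

def password_policy_check(password, index, min_length=12):
    """Combine the breach check with a length floor; returns a list of reasons to reject."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if is_breached(password, index):
        reasons.append("found in breach corpus")
    return reasons
```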
Why Real-time Fraud Detection and Prevention Is Important
A fraud detection system can provide a financial institution with visibility into the activity of users before they log in, while they are logged in, and after the transaction has been completed. In this way, a fraud detection team can pinpoint suspicious activity in real time. Fraud detection tools are also useful when investigating the cause of an attack after it has already happened.
How Fortinet Can Help
FortiAuthenticator provides users and system administrators with a collection of tools that can prevent many different kinds of account takeover attacks. With FortiAuthenticator, you get:
- A centralized system for authenticating and authorizing the use of accounts and services
- Multi-factor authentication (MFA) tools and management options
- The ability to provide guests and users that use their own devices as part of a bring-your-own-device (BYOD) policy with the appropriate levels of access and privileges
- A streamlined licensing and deployment system that makes it easier to use FortiAuthenticator on virtual machines and in the cloud
What is an account takeover?
When a hacker tries to execute an account takeover (ATO), their goal is to take control of your account and use it to steal information or for their own personal profit. The objective is typically to benefit the hacker or their organization.
How do account takeover attacks happen?
Account takeover attacks happen according to the following steps:
- Compromise the user’s credentials.
- Once an attacker has account credentials, the next step is to test them out to see if they work.
- As soon as a hacker knows that the credentials they have are legitimate, they will either use them for their own benefit or sell them to another hacker.
- Sometimes, once a hacker has verified the validity of the credentials, they use them to access a different account, one that has more value.
How common is account takeover?
Account takeover is very common because it is the primary goal of many hackers, particularly because an account that has been taken over can bring significant financial gain.