Online Account Takeover Fraud Spiking: Are Unique And Strong Passwords The Answer?

January 6, 2022

Account takeover (ATO) fraud occurs when identity thieves use stolen credentials to take control of a legitimate user account.

ATO fraud is increasing across all industries, with a majority of the attacks detected on the Arkose Global Network occurring at the login point. Credential stuffing attacks, which involve using bots to constantly try different username and password combinations until a match is found, more than doubled in Q4 2020 compared to Q3 2020.

In a poll of 100 IT executives commissioned by Arkose Labs, most respondents said ATO attacks cost between $50 and over $200 per incident, which can add up to a huge expense if an organization experiences thousands of these attacks.

Many cybercriminals start out committing ATO fraud because there are numerous free or low-cost tools available to help them execute attacks at scale, as well as public, online tutorials on how to use these tools. Years of large-scale data breaches have made it easy for identity thieves to get username and password combinations.

Cybercriminals also like ATO fraud because it enables them to carry out many types of downstream attacks. Through ATO fraud, identity thieves can drain funds from bank accounts; apply for loans or credit cards; make fraudulent payments; carry out phishing scams; redirect shipments; launder money; steal rewards points; resell subscription information; and carry out drug- and human-trafficking, among other crimes.

Financial services and fin-tech accounts are the most vulnerable to cybercriminals because they can steal money from them and gather sensitive information. However, hackers will also target gaming, travel, social media, and streaming services accounts. 

A successful ATO attack involves these three steps: 1. Credential harvesting (using phishing, malware, or social engineering attacks or exploiting database security vulnerabilities); 2. Account validation (often using botnets); and 3. Account takeover (when a fraudster buys a list of compromised accounts).

Ways to detect and stop ATO attacks include assigning risk scores and creating rules to verify digital identities, multi-factor authentication, CAPTCHAs, and reviewing every user manually. The Arkose Labs Fraud and Abuse Prevention Platform uses data-driven, real-time fraud intelligence with secondary screening of risky traffic. "Account Takeover Fraud: What It Is And How To Stop it" arkoselabs.com (Jun. 29, 2021).

Commentary

Cybercriminals employ several types of hacking methods to get the login credentials they need to carry out ATO fraud.

Buying credentials stolen in a data breach from the internet may be all they need to attack poorly-protected types of accounts. However, to gain access to financial and other valuable accounts, cybercriminals may employ additional measures including SIM swapping and phishing campaigns.

Protect yourself from ATO fraud by using unique, strong passwords for every online account and immediately changing your username and password if you are notified that it may have been compromised. These measures reduce the risk that information stolen in a data breach could be used to access one or more of your accounts.

Also, watch out for phishing emails, such as those that look like they are from your bank and ask you to click on a link to confirm your login credentials. Never share login credentials in response to an unsolicited email or telephone request. Always make sure that a website is encrypted, and the domain name matches the legitimate website before entering your username and password.

Finally, your opinion is important to us. Please complete the opinion survey:

News

New Fax Number for Best Practice Help Line

The fax line for Best Practice Help Line consultation requests is now 918-712-5965.

Bots Make All Employers, Even Small Employers, Vulnerable To Cyber Attacks

A new global study of internet websites reveals an increasing amount of bot traffic, much of which is malicious. We examine why that creates a risk for all employers.

War In Ukraine And The Rise Of Destructive Malware

Organizations must implement best practices to protect their network from malicious code designed to destroy data. We look at prevention strategy sources.

White Hat Hacker And Other Security Tips To Protect Your And Your Employees' Data

Although no system is impenetrable, you can mitigate your losses with help from a former cybercriminal. Learn why.