Account takeover is a form of identity theft where a fraudster illegally gains access to a victim’s bank or online e-commerce account using bots. A successful account takeover attack leads to fraudulent transactions and unauthorized purchases from the victim’s compromised account.
Fraudsters employ account takeover practices to commit identity theft. Credential stuffing (OWASP OAT-008) and credential cracking (OWASP OAT-007) are the two most common techniques hackers use to gain illegal access to users’ accounts.
Imposters use the brute force approach, dictionary (word list), and guessing attacks to identify valid login credentials. Hackers deploy bots to hack into customers’ accounts. Brute force attack symptoms include a sudden increase in failed login attempts and high numbers of account hijacking complaints from customers.
Hackers test lists of credentials stolen from elsewhere (or purchased from the dark web) against a range of websites using bots, in the hope that a victim has used the same combination of credentials on multiple sites. Fraudsters exploit the user’s propensity to reuse passwords across various sites. Unlike credential cracking, credential stuffing doesn’t involve brute force or guessing of any values; instead, mass login attempts are used to verify the stolen username and password pairs. Credential stuffing symptoms include consecutive login attempts with different credentials from the same HTTP client.
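Detection logic for the two symptoms just described, as an added example that is not part of the original article: it runs over constructed login log lines (timestamp, client IP, username, result), flags a client as credential stuffing when it cycles through many distinct usernames, and as credential cracking when it repeatedly fails against a single username. The log format, the use of the client IP to stand in for the HTTP client, and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample login log: "<timestamp> <client_ip> <username> <result>".
# 203.0.113.5 tries five different usernames (stuffing pattern);
# 198.51.100.7 fails five times against one account (cracking pattern).
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 alice FAIL
2024-01-01T10:00:02 203.0.113.5 bob FAIL
2024-01-01T10:00:03 203.0.113.5 carol FAIL
2024-01-01T10:00:04 203.0.113.5 dave FAIL
2024-01-01T10:00:05 203.0.113.5 erin SUCCESS
2024-01-01T10:00:06 198.51.100.7 alice FAIL
2024-01-01T10:00:07 198.51.100.7 alice FAIL
2024-01-01T10:00:08 198.51.100.7 alice FAIL
2024-01-01T10:00:09 198.51.100.7 alice FAIL
2024-01-01T10:00:10 198.51.100.7 alice FAIL
2024-01-01T10:00:11 192.0.2.9 frank SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result))
    return events


def classify_clients(events, distinct_user_threshold=4, fail_threshold=5):
    """Return {client_ip: label} for clients matching a symptom.

    Thresholds are illustrative assumptions; tune them to real traffic."""
    users_by_ip = defaultdict(set)          # distinct usernames per client
    fails_by_ip_user = defaultdict(int)     # failed attempts per (client, user)
    for _, ip, user, result in events:
        users_by_ip[ip].add(user)
        if result == "FAIL":
            fails_by_ip_user[(ip, user)] += 1

    findings = {}
    # Stuffing: one client verifying many stolen username/password pairs.
    for ip, users in users_by_ip.items():
        if len(users) >= distinct_user_threshold:
            findings[ip] = "credential_stuffing"
    # Cracking: one client hammering a single account with guesses.
    for (ip, user), n in fails_by_ip_user.items():
        if n >= fail_threshold and ip not in findings:
            findings[ip] = "credential_cracking"
    return findings
```

Real deployments would add a time window so that thresholds apply per interval rather than over the whole log.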
There can be several intentions behind account takeovers. However, in most cases, the reason is related to monetary gain. The direct cost of account takeover is evident: it includes fraudulent transactions, transfer of funds from a bank account, and illegally obtaining goods via a compromised e-commerce account. However, direct costs are not the only thing you as the owner of an online business must be wary of. Account takeover attacks, unfortunately, also cause reputation damage. Regardless of how an account takeover attack was perpetrated, a duped customer would hesitate to trust your business again. Account takeover attacks undermine customer confidence in your business.
Many approaches are used by online businesses to eliminate bot traffic and avert account takeover attempts. The list includes time-worn practices such as limiting login attempts, a robust authentication process, IP blacklisting, configuring rules in WAF, and CAPTCHAs. However, in recent years, dedicated bot detection and mitigation solutions have emerged as off-the-shelf tools to eliminate account takeover attempts. These bot management solutions save businesses millions of dollars while protecting them from automated threats. ShieldSquare’s bot mitigation solution uses a non-intrusive API-based approach to mitigate bad bots that try to take over accounts.