Account Takeover Fraud

What is Account Takeover?

Account Takeover (ATO) is a form of identity theft in which a fraudster uses bots to gain unauthorized access to a victim’s bank, e-commerce, or other online accounts. A successful account takeover leads to fraudulent transactions and unauthorized purchases from the victim’s compromised account.

How Does Account Takeover Happen?

Fraudsters most commonly use two methods to take over accounts:

Credential Stuffing

Credential stuffing (OWASP OAT-008) exploits users’ propensity to reuse the same username and password across multiple websites. Attackers use bots to test lists of credentials obtained from data breaches (or purchased on the dark web) against a range of websites, hoping that a victim has reused the same combination on several sites. Unlike credential cracking, credential stuffing involves no brute force or guessing of values; instead, mass login attempts are used to verify which stolen username and password pairs are still valid. Credential stuffing symptoms include consecutive login attempts with different credentials from the same HTTP client.

Credential Cracking

Credential cracking (OWASP OAT-007), also known as ‘brute forcing,’ identifies valid credentials by trying different values for usernames and passwords (often drawn from lists of breached account credentials that were made public). Attackers deploy bots against customer accounts using the brute force approach, dictionary attacks (submitting large numbers of candidate words), and guessing attacks to find valid login credentials. Brute force attack symptoms include a sudden increase in failed login attempts and a high number of account hijacking complaints from customers.
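The two symptoms described above map directly onto detection logic that can run over a web application's authentication log. The following is an added example, not code from the page or from Radware's products: it parses a constructed, simplified log format (timestamp, client IP, OK/FAIL result, username) and flags credential stuffing as one client attempting many distinct usernames, and credential cracking as many failures against one account. The log lines, format and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the page). Assumed format:
#   "<ISO timestamp> <client_ip> login <OK|FAIL> user=<name>"
# 203.0.113.10 walks a credential list (one try per user, one hit on "dave");
# 198.51.100.7 hammers a single account; 192.0.2.55 is a normal user who
# mistypes once and then logs in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 login FAIL user=alice
2024-05-01T10:00:02Z 203.0.113.10 login FAIL user=bob
2024-05-01T10:00:02Z 203.0.113.10 login FAIL user=carol
2024-05-01T10:00:03Z 203.0.113.10 login OK user=dave
2024-05-01T10:00:03Z 203.0.113.10 login FAIL user=erin
2024-05-01T10:00:04Z 203.0.113.10 login FAIL user=frank
2024-05-01T10:00:10Z 198.51.100.7 login FAIL user=alice
2024-05-01T10:00:11Z 198.51.100.7 login FAIL user=alice
2024-05-01T10:00:11Z 198.51.100.7 login FAIL user=alice
2024-05-01T10:00:12Z 198.51.100.7 login FAIL user=alice
2024-05-01T10:00:13Z 198.51.100.7 login FAIL user=alice
2024-05-01T10:00:14Z 198.51.100.7 login FAIL user=alice
2024-05-01T10:00:15Z 198.51.100.7 login FAIL user=alice
2024-05-01T10:00:20Z 192.0.2.55 login FAIL user=grace
2024-05-01T10:00:25Z 192.0.2.55 login OK user=grace
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (OK|FAIL) user=(\S+)$")


def parse_events(log_text):
    """Return a list of (timestamp, client_ip, success, username) tuples.

    Malformed lines are skipped rather than raising, so a single odd line in
    a real log does not abort the whole analysis.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, result, user = m.groups()
        events.append((ts, ip, result == "OK", user))
    return events


def detect_credential_stuffing(events, distinct_user_threshold=5):
    """Flag clients that tried at least `distinct_user_threshold` different
    usernames (the stuffing symptom: different credentials, same client).

    For each flagged client, also report which usernames succeeded: those
    are the accounts whose reused passwords have just been confirmed valid
    and that need a forced credential reset.
    """
    users_by_client = defaultdict(set)
    ok_by_client = defaultdict(list)
    for _, ip, ok, user in events:
        users_by_client[ip].add(user)
        if ok:
            ok_by_client[ip].append(user)
    return {
        ip: {"distinct_users": len(users), "succeeded_for": sorted(ok_by_client[ip])}
        for ip, users in users_by_client.items()
        if len(users) >= distinct_user_threshold
    }


def detect_credential_cracking(events, failure_threshold=5):
    """Flag accounts with at least `failure_threshold` failed logins in the
    window (the brute-force symptom: a spike in failures against an account).
    Failures are counted across all clients so a distributed attempt is
    still visible.
    """
    fails = defaultdict(int)
    for _, _, ok, user in events:
        if not ok:
            fails[user] += 1
    return {user: n for user, n in fails.items() if n >= failure_threshold}


def analyze(log_text):
    events = parse_events(log_text)
    return {
        "credential_stuffing": detect_credential_stuffing(events),
        "credential_cracking": detect_credential_cracking(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The two detectors deliberately key on different things: stuffing is visible per client (breadth across accounts, usually one attempt each), while cracking is visible per account (depth of failures), so a single "failed logins per IP" counter would miss one or the other. The normal user who fails once and then succeeds is not flagged by either.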

Why do Fraudsters Take Over Accounts?

There can be several motives behind account takeovers, but in most cases the reason is monetary gain. The direct cost of account takeover is evident: fraudulent transactions, transfer of funds from a bank account, and purchase of goods through a compromised e-commerce account. Direct costs are not the only thing online businesses must be wary of, however. Account takeover attacks also cause major damage to a brand’s reputation, undermining customer confidence and trust.

Account Takeover Fraud Prevention

Online businesses use many approaches to eliminate bot traffic and prevent account takeover attempts. The list includes long-standing practices such as limiting login attempts, a robust authentication process, IP blacklisting, configuring rules in a WAF, and CAPTCHAs.
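Limiting login attempts is the first item on that list, and how the limit is keyed matters for the two attack types described earlier. The following is an added example, not code from the page or from Radware: a sliding-window limiter on failed logins that tracks failures both per client IP and per account. A per-account limit alone catches cracking (many tries against one account) but not stuffing (one try each against many accounts); a per-IP limit alone catches stuffing from one client but not a low-and-slow cracking run spread over many clients, so the two are combined. The window size, limits and the injectable clock are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limiter on failed logins, keyed by client IP and by account.

    Limits and window are illustrative defaults (assumed, not from the page).
    `clock` is injectable so behaviour can be tested deterministically.
    """

    def __init__(self, window_seconds=300, max_failures_per_ip=20,
                 max_failures_per_account=5, clock=time.monotonic):
        self.window = window_seconds
        self.ip_limit = max_failures_per_ip
        self.acct_limit = max_failures_per_account
        self.clock = clock
        self._ip_fail = defaultdict(deque)    # ip -> timestamps of failures
        self._acct_fail = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, dq, now):
        # Drop failures that fell out of the sliding window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def allow(self, ip, account):
        """True if a login attempt for `account` from `ip` may proceed."""
        now = self.clock()
        self._prune(self._ip_fail[ip], now)
        self._prune(self._acct_fail[account], now)
        return (len(self._ip_fail[ip]) < self.ip_limit
                and len(self._acct_fail[account]) < self.acct_limit)

    def record(self, ip, account, success):
        """Record the outcome of an attempt that was allowed through."""
        now = self.clock()
        if success:
            # The account's own failure history is cleared, but the client's is
            # kept: a client that found one valid pair after many failures is
            # exactly the stuffing case and should stay throttled.
            self._acct_fail[account].clear()
        else:
            self._ip_fail[ip].append(now)
            self._acct_fail[account].append(now)


def simulate():
    """Drive the limiter with a fake clock against constructed scenarios.

    Returns the 1-based attempt index at which each scenario was first
    blocked (None if never blocked) and whether the locked account is
    usable again once the window has passed.
    """
    now = [1000.0]
    lim = LoginRateLimiter(window_seconds=300, max_failures_per_ip=20,
                           max_failures_per_account=5, clock=lambda: now[0])

    def first_blocked(attempts):
        for i, (ip, acct) in enumerate(attempts, start=1):
            if not lim.allow(ip, acct):
                return i
            lim.record(ip, acct, success=False)
            now[0] += 1.0
        return None

    # Credential cracking: one account hit repeatedly from one client.
    cracking = first_blocked([("198.51.100.7", "alice")] * 10)
    # Credential stuffing: one client tries each of many accounts once.
    stuffing = first_blocked([("203.0.113.10", f"user{i}") for i in range(30)])
    # After the window expires, the locked account is reachable again.
    now[0] += 301.0
    recovered = lim.allow("198.51.100.7", "alice")
    return {"cracking_blocked_at": cracking,
            "stuffing_blocked_at": stuffing,
            "recovered_after_window": recovered}


if __name__ == "__main__":
    print(simulate())
```

In the simulation the cracking run is stopped by the per-account limit on its sixth attempt, the stuffing run by the per-IP limit on its twenty-first, and the account is usable again once the window has elapsed, which keeps the control from becoming a permanent denial of service against a legitimate customer whose account was targeted.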

However, in recent years, dedicated bot detection and mitigation solutions have emerged as off-the-shelf tools to eliminate account takeover attempts. These bot management solutions save businesses millions of dollars while protecting them from automated threats. Radware Bot Manager's bot mitigation solution uses a non-intrusive API-based approach to mitigate bad bots such as AuthBot that try to take over accounts.
