March 24, 2025

Account Takeover: What Is It and How to Prevent It

Kristin Hudson

Online accounts have become the gateway to nearly every aspect of our personal and financial lives. From shopping to banking, social media, and email, these accounts hold valuable data that cybercriminals are eager to exploit.

In this guide, we explore how account takeover (ATO) happens, how it affects consumers and businesses, and what you can do to help protect yourself from it.

What is Account Takeover?

Account takeover, also known as ATO, is a form of identity theft in which a malicious third party gains access to or “takes over” an online account. Account takeover is one of the fastest-growing threats in cybersecurity today, resulting in nearly $13 billion in losses last year.

One of the primary reasons behind this massive rise in account takeover is the relative ease with which it can be done. With the most recent data showing more than 24 billion login credentials available on the dark web, millions of online accounts remain at risk of unauthorized access.

How Account Takeover Affects Consumers

Auto-fill features in apps and web browsers have helped make online payments a breeze. One click alone is often enough to log in or make a purchase. However, once your accounts are compromised, cybercriminals can use them to perform a variety of malicious activities, including:

Unauthorized Purchases

The most common type of fraud associated with account takeover is payment fraud. Once an account has been breached, it’s relatively easy for criminals to make purchases and simply update delivery details to redirect items to them.

Research by Ravelin has indicated that 71% of account takeover attacks resulted in the attacker placing an average of three to four orders with a success rate of 50%. And in 46% of these cases, the criminal changed the delivery address to redirect the order to them. These items are then typically sold for profit. In many cases, however, the attacker simply uses compromised accounts to order amenities, as there are generally fewer security checks associated with these services.

Use Loyalty Points or Account Credits

Even if the compromised account doesn’t have payment details associated with it, criminals can still use saved loyalty points or account credits. Air miles are a common target for this kind of fraud, as they can be used to buy transportation in other countries.

Selling Online Accounts

Selling compromised accounts is also a lucrative business. According to the Privacy Affairs Dark Web Price Index, certain accounts can be sold online, including:

  • Uber accounts for around $12 per account.
  • Facebook accounts for around $25 per account.
  • Netflix accounts for around $20 per account.
  • Credit card details with a balance of up to $5,000 for around $110 per account.

While these individual prices may seem relatively low, it’s important to remember that data breaches usually compromise millions of accounts at a time which are then sold in bulk.

Selling Stolen Data

Given that 78% of people use the same password for multiple accounts, compromising one account can give a criminal access to a vast range of personal data. Stolen data can then be bought and sold on the dark web.

How Account Takeover Affects Organizations

A compromised business account, especially at a management or executive level, opens up a range of fraud opportunities for criminals.

Once they have access to an account with sufficient authority, cybercriminals can use that trusted email address to scam other companies into making fraudulent payments or simply distribute malware en masse.

Not only does this kind of fraud have a monetary cost, but it also damages the reputation of the targeted company.

What’s Fueling Account Takeover Fraud

Several interconnected factors are driving the current surge in account takeover fraud, including:

Data Breaches: According to the Identity Theft Resource Center (ITRC), there have been more than 1 billion data breach victims in the first half of this year alone, an almost 500% increase since the first half of last year. These data breaches supply criminals with a vast collection of data that can be used for account takeover.

The Dark Web: The dark web is where hacked accounts and stolen personal data are bought and sold. This includes bulk collections of details stolen in data breaches.

Social Engineering: Cybercriminals are increasingly using sophisticated social engineering tools to trick people into revealing their login credentials. Research by the ITRC has shown the vast majority of data breaches this year involved cyberattacks like phishing scams and other social engineering tactics.

Credential Stuffing: Credential stuffing is an attack in which criminals take username/password pairs exposed in one breach and replay them against other sites, betting that people reuse the same credentials. Attackers use bots that automate the login attempts, testing thousands of logins per minute.

Password Security: Despite an increased focus on password security, many people still use easily crackable passwords and reuse the same passwords for multiple accounts. This creates ideal conditions for hackers to compromise numerous accounts in a short space of time.

Autofill and Automatic Checkout (ACO): Saving payment details in your browser or apps has made online payments easier. However, if a hacker manages to get hold of your login credentials, they can also make unauthorized purchases with the saved payment details.
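The credential-stuffing passage above describes the attacker's side: many leaked username/password pairs replayed by a bot. On the defender's side, the same behaviour leaves a recognizable fingerprint in authentication logs, which is what a site operator looks for to detect and respond to it. The following is an added example, not code from the original article or from IdentityIQ, that runs a simple stuffing heuristic over a handful of constructed log lines (the IP addresses, usernames and timestamps are made up): one source address trying many different usernames within a short window with mostly failures is flagged, and the few accounts it did get into are reported so they can be locked and reset, while a real user fumbling their own password is left alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login-audit log lines (not real data).
# Format per line: <ISO timestamp> <source IP> <username> <OK|FAIL>
# 203.0.113.7 behaves like a stuffing bot: eight usernames in five seconds.
# 198.51.100.5 behaves like a person mistyping their own password twice.
SAMPLE_LOG = """\
2025-03-24T10:00:01 203.0.113.7 alice FAIL
2025-03-24T10:00:02 203.0.113.7 bob FAIL
2025-03-24T10:00:02 203.0.113.7 carol FAIL
2025-03-24T10:00:03 203.0.113.7 dave OK
2025-03-24T10:00:03 203.0.113.7 erin FAIL
2025-03-24T10:00:04 203.0.113.7 frank FAIL
2025-03-24T10:00:04 203.0.113.7 grace FAIL
2025-03-24T10:00:05 203.0.113.7 heidi FAIL
2025-03-24T10:00:30 198.51.100.5 alice FAIL
2025-03-24T10:00:45 198.51.100.5 alice FAIL
2025-03-24T10:01:02 198.51.100.5 alice OK
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=1),
                               min_users=5, min_fail_ratio=0.6):
    """Flag source IPs whose login pattern looks like credential stuffing.

    Heuristic (an assumption of this example, not a standard): within any
    `window`, a single IP attempting at least `min_users` distinct usernames
    with a failure ratio of at least `min_fail_ratio` is treated as a bot
    replaying leaked credential pairs. A genuine user retrying one account
    never trips the distinct-username threshold.
    Returns {ip: {"attempts", "distinct_users", "fail_ratio", "succeeded"}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            fails = sum(1 for _, _, ok in window_evs if not ok)
            ratio = fails / len(window_evs)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                stats = {
                    "attempts": len(window_evs),
                    "distinct_users": len(users),
                    "fail_ratio": ratio,
                    # Accounts the bot actually got into: these need a forced
                    # password reset and session revocation, not just a block.
                    "succeeded": sorted(u for _, u, ok in window_evs if ok),
                }
                prev = flagged.get(ip)
                if prev is None or stats["attempts"] > prev["attempts"]:
                    flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['attempts']} attempts across "
              f"{stats['distinct_users']} usernames, "
              f"{stats['fail_ratio']:.0%} failed, compromised: {stats['succeeded']}")
```

The thresholds are deliberately loose so the pattern is visible on a tiny sample; in production they would be tuned against normal traffic, and the distinct-username count is the key signal because it is the one thing a bot replaying a breach list cannot avoid and a legitimate user almost never produces. The `succeeded` list is the part an incident responder cares about most, since those accounts are already taken over regardless of whether the bot is subsequently blocked.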

Watch the KSDK 5 NBC interview below featuring IdentityIQ Chief Innovation Officer Michael Scheumack for more details:

Account Takeover Prevention

While account takeover is a growing problem, there are simple steps you can take to help protect your account:

Change Your Password Habits

The first step toward protecting yourself from account takeover is to improve how you manage your passwords. Password security is critical to protecting your online accounts, yet almost 1 in 4 Americans report not doing anything to protect their passwords.

Extra layers of security are an integral part of password security. In a recent interview with KSDK, IDIQ Chief Marketing Officer Michael Scheumack recommends implementing biometrics, such as a facial or fingerprint scan, for added protection of your online accounts. Nearly 90% of IT security professionals worldwide agree passwords aren’t enough on their own, suggesting multi-factor authentication systems as an effective protection against account takeover attacks.

Here are some tips to help strengthen your password habits:

  • Update your password every 72 days on all of your accounts.
  • Never use the same password for multiple accounts.
  • Passwords should be at least 13 characters long and composed of uppercase and lowercase letters, numbers and special symbols.
  • Enable two-factor authentication on all your accounts to significantly impede someone attempting unauthorized access.
  • If managing many complicated passwords sounds overwhelming, try using a password manager that automatically creates and updates unique passwords for you.

Always Keep Your Browser Updated

Cybercriminals are always looking for new ways to exploit web browsers’ vulnerabilities, and developers are always patching over them. Failing to update your browser leaves these vulnerabilities in place and puts your account security at risk.

Install Anti-Malware Software

Malware is a crucial tool used to carry out account takeover attacks. Spyware can be loaded onto your machine to log all your keystrokes. Trojan horses can give criminals backdoor access to your system. Your computer might even be part of a botnet used to attack other accounts through credential stuffing.

Installing a trusted and mature anti-malware solution on your computer and keeping it regularly updated can help you contain and eliminate malware infections before you’re put at risk.

Bottom Line

While the growing threat of account takeover fraud attacks should be a significant concern to businesses and consumers alike, there are simple ways to help protect yourself.

By changing how you approach passwords, keeping your browser updated, installing the right antivirus, and proactively monitoring your identity, credit, and bank accounts for unusual activity, you can massively reduce your vulnerability to this increasingly prevalent form of cybercrime.

Take the next step in protecting yourself with IdentityIQ. Our comprehensive identity theft protection plans include 24/7 credit monitoring, real-time alerts to possible suspicious activity, and tools to help you safeguard your online accounts and sensitive information. Don’t wait for fraud to happen — get started with IdentityIQ to secure your peace of mind today.