Account Takeover: Business infringement 101
What if your online business had uninvited guests trying to take over the host and run the show?
Account Takeover (ATO) is the technical name for that scenario. According to Javelin’s 2020 Identity Fraud Report, ATO attacks are increasing at the rate of 72% year over year. By combining and permuting just a few pieces of leaked confidential information, attackers can take over an account in a short time.
In a nutshell, if you’re a company running your business online or handling a huge wave of customer data behind secured accounts, it’s time to give yourself a wake-up call and understand a threat that can harm your business. Let’s understand what exactly account takeover is, the techniques through which these attacks take place and their impact on online businesses.
What is Account Takeover?
Account Takeover is a fraudulent attack through which an attacker gains unauthorized access to the genuine accounts of people and businesses using stolen or hacked credentials. On gaining such access, these bad actors can transfer funds, steal credit card information, plant malware or spyware, steal corporate data, misuse loyalty coupons and gift cards, and undertake multiple other cybercriminal activities.
ATO attacks are generally undertaken in a sequential manner. The bad actors first breach a company’s data stores to gain access to stacks of consumer data. From such a breach, they prepare a combo list consisting of crucial customer data points like email addresses, usernames, etc.
From the list, the attackers start testing username and password combinations until they find ones that match. Once a working combination is obtained, the attackers take over the account and execute fraudulent transactions, steal confidential data, etc.
Now that we know the WHAT, let’s understand the HOW.
Techniques of Account Takeover/Types of ATO attacks
1. Credential stuffing attacks
A credential stuffing attack involves a fraudster who tests thousands of combinations of email addresses, usernames and passwords on the target website. This is typically done by employing bots that conduct these tests in order to identify a working combination that provides unauthorized access. Because people reuse passwords, on gaining access to one account with hacked credentials the attacker can employ the same credentials on the victim’s accounts at other services and inflict more damage.
2. Password-spraying attacks
A password-spraying attack involves an attacker attempting to gain access to genuine user accounts by testing the most common passwords. According to a study conducted by NordPass, the most common password in the year 2020 was 123456 which takes less than a second to crack.
3. Phishing attacks
This involves sending a deceptive message or email to employees or customers of a company asking for their existing credentials. For example, attackers may create a malicious link and send a message to a group of targets (like the employees of a company) in order to obtain their credentials. Once a person opens the link and enters his/her credentials, the attackers gain access to those credentials, which can then be used for ATO attacks.
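The two automated techniques above, credential stuffing and password spraying, are countered at the login endpoint rather than by users. The following is an added example, not code from the original article: a failed-login throttle keyed on both the account and the source IP, plus a common-password check of the kind the NordPass finding argues for. The user store, the clock, the IP addresses and the short common-password list are all constructed for the demonstration; the account-lockout and per-IP thresholds are illustrative values, not recommendations from the article.

```python
import time
from collections import defaultdict, deque

# Constructed excerpt of a common-password list (the article cites NordPass's
# finding that "123456" topped the 2020 list). A real deployment loads a full list.
COMMON_PASSWORDS = {"123456", "password", "123456789", "12345678", "qwerty", "111111"}


def password_is_acceptable(candidate, min_length=12):
    """Reject passwords on the common-password list: they are exactly the
    guesses a password-spraying attack tries first."""
    return len(candidate) >= min_length and candidate.lower() not in COMMON_PASSWORDS


class LoginThrottle:
    """Sliding-window limit on failed logins, keyed on BOTH account and source IP.
    Password spraying spreads failures across many accounts, so a per-account
    limit alone never trips; credential stuffing from a botnet spreads them
    across many IPs, so a per-IP limit alone never trips either."""

    def __init__(self, window_seconds=300, max_per_account=5, max_per_ip=20,
                 clock=time.monotonic):
        self.window = window_seconds
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.clock = clock                       # injectable for deterministic tests
        self.failures_by_account = defaultdict(deque)
        self.failures_by_ip = defaultdict(deque)

    def _prune(self, timestamps, now):
        # Drop failures that fell out of the sliding window.
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()

    def is_blocked(self, username, ip):
        now = self.clock()
        acct, src = self.failures_by_account[username], self.failures_by_ip[ip]
        self._prune(acct, now)
        self._prune(src, now)
        return len(acct) >= self.max_per_account or len(src) >= self.max_per_ip

    def record_failure(self, username, ip):
        now = self.clock()
        self.failures_by_account[username].append(now)
        self.failures_by_ip[ip].append(now)


def attempt_login(throttle, check_credentials, username, password, ip):
    """Returns 'blocked', 'ok' or 'denied'. The same 'denied' answer is given
    whether or not the username exists, so the endpoint does not confirm which
    usernames are valid."""
    if throttle.is_blocked(username, ip):
        return "blocked"
    if check_credentials(username, password):
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"


def simulate():
    """Constructed scenario: one account store, a fake clock, two attack shapes."""
    store = {"alice": "correct horse battery staple!"}
    check = lambda u, p: store.get(u) == p   # plaintext compare for the demo only
    fake_now = [1000.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    # Password spraying: one source IP, 25 accounts, one common guess each.
    spray = [attempt_login(throttle, check, f"user{i}", "123456", "203.0.113.5")
             for i in range(25)]
    # Credential stuffing: one account, leaked guesses from 7 different sources.
    stuffing = [attempt_login(throttle, check, "alice", f"leaked-pw-{i}", f"198.51.100.{i}")
                for i in range(7)]
    # Genuine owner, correct password, clean IP: locked out until the window passes.
    during = attempt_login(throttle, check, "alice", "correct horse battery staple!", "192.0.2.1")
    fake_now[0] += 301
    after = attempt_login(throttle, check, "alice", "correct horse battery staple!", "192.0.2.1")
    return {"spray": spray, "stuffing": stuffing, "during_lock": during, "after_window": after}


if __name__ == "__main__":
    print(simulate())
```

The `during_lock` result shows the trade-off every lockout carries: while the window is open the real owner is blocked too, which is one reason for the support-ticket symptom the article describes. Keeping the window short and temporary, rather than locking accounts permanently, limits that side effect.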
Now that the problem is known at a general level, you might be wondering what are the potential indicators of an ATO attack. Let’s answer this for you.
Signs you are under an ATO attack
1. Increased traffic
What if your e-commerce website is not running any discount offers or has not introduced new products but you still witness a huge spike in traffic? While we wish your digital marketing team is spot on, this could be an indicator of a potential ATO attack. A credential stuffing attack usually leads to increased traffic, particularly on the login endpoint, even in the absence of any promotional campaign.
2. Login attempts
Attackers employing credential stuffing or password spraying attempt to log in many times, and most of those attempts fail. Login attempts from a single source against many different accounts, or against usernames which aren’t a part of the company’s system at all, are a potential sign of an ATO attack.
3. Increased customer complaints activity
If you witness a rise in customer complaints around account accessibility or suspicious account activity, this could indicate an ATO attack. Fraudsters, after gaining unauthorized access to an account, may change the password, resulting in the customer being locked out of their own account. This may prompt them to raise a support ticket.
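The first two signs above can be checked against the authentication log rather than noticed by feel. The following is an added example, not code from the original article, that reads constructed authentication log lines and flags the patterns the article names: one source failing against many accounts, attempts against usernames that do not exist, and login traffic well above a baseline. The log format, the user directory, the IP addresses and the thresholds are all constructed for the demonstration and must be tuned to real traffic before use.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the original article), one
# attempt per line: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2020-07-01T10:00:01 203.0.113.5 alice FAIL
2020-07-01T10:00:02 203.0.113.5 bob FAIL
2020-07-01T10:00:02 203.0.113.5 carol FAIL
2020-07-01T10:00:03 203.0.113.5 dave FAIL
2020-07-01T10:00:03 203.0.113.5 erin FAIL
2020-07-01T10:00:04 203.0.113.5 frank OK
2020-07-01T10:00:05 203.0.113.5 zz_nobody FAIL
2020-07-01T10:00:05 203.0.113.5 qwerty9 FAIL
2020-07-01T10:00:06 203.0.113.5 mallory FAIL
2020-07-01T10:00:07 203.0.113.5 grace FAIL
2020-07-01T10:00:08 203.0.113.5 heidi FAIL
2020-07-01T10:00:09 203.0.113.5 ivan FAIL
2020-07-01T10:01:00 198.51.100.7 alice FAIL
2020-07-01T10:01:30 198.51.100.7 alice OK
2020-07-01T10:02:00 192.0.2.9 bob OK
"""

# Constructed user directory; usernames outside it are "unknown" (sign 2).
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin", "frank",
               "grace", "heidi", "ivan", "mallory"}


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "OK"})
    return events


def summarize_by_source(events, known_users):
    """Per source IP: attempts, failures, distinct and unknown usernames."""
    summary = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                   "users": set(), "unknown": set()})
    for e in events:
        s = summary[e["ip"]]
        s["attempts"] += 1
        if not e["ok"]:
            s["failures"] += 1
        s["users"].add(e["user"])
        if e["user"] not in known_users:
            s["unknown"].add(e["user"])
    return summary


def flag_many_failures_many_users(summary, min_failures=5, min_users=5):
    """Sign 2: one source failing against many different accounts. Credential
    stuffing and password spraying both look like this in the log."""
    return sorted(ip for ip, s in summary.items()
                  if s["failures"] >= min_failures and len(s["users"]) >= min_users)


def flag_unknown_usernames(summary, min_unknown=2):
    """Sign 2: attempts against usernames that do not exist in the system,
    a sign that the attacker is working from a combo list built elsewhere."""
    return sorted(ip for ip, s in summary.items() if len(s["unknown"]) >= min_unknown)


def traffic_spikes(events, baseline_per_minute, ratio=3.0):
    """Sign 1: login attempts per minute far above a baseline (constructed here)
    when no campaign explains them. Returns (window start, count) pairs."""
    per_minute = defaultdict(int)
    for e in events:
        per_minute[e["ts"].replace(second=0, microsecond=0)] += 1
    return [(start.isoformat(), n) for start, n in sorted(per_minute.items())
            if n > ratio * baseline_per_minute]


def report(text=SAMPLE_LOG, known_users=KNOWN_USERS, baseline_per_minute=3):
    """Run all three checks over a log and return the flagged sources/windows."""
    events = parse_log(text)
    summary = summarize_by_source(events, known_users)
    return {
        "stuffing_or_spraying": flag_many_failures_many_users(summary),
        "unknown_username_probing": flag_unknown_usernames(summary),
        "traffic_spikes": traffic_spikes(events, baseline_per_minute),
    }


if __name__ == "__main__":
    print(report())
```

In the sample, the single genuine user who mistyped a password once (198.51.100.7) is not flagged, while the source that ran through twelve accounts in ten seconds trips all three checks. Distributed attacks that spread attempts across many IPs will not show up per IP; the same counters aggregated per account, or site-wide per minute, cover that case.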
Impact of ATO attacks
Imagine being heavily fined by regulators for non-compliance with consumer protection laws.
An ATO attack damages the brand reputation of online retailers, especially when legal action is initiated due to such fraud. One of the major concerns of businesses is the legal fines that follow as a result of such fraudulent activities.
An ATO attacker has the potential to expose personal/confidential information, change passwords and lock out genuine users, purchase goods and damage loyalty points, create new accounts, and even stream digital content illegally.
These activities can ruin the retailer’s business in the following way:
1. Invite legal trouble
As previously mentioned, consumer protection has been given utmost importance today with laws like CPRA and GDPR in place. Any violation of consumer privacy governed under these laws can invite legal trouble for a company. Since account takeover holds the potential to breach data, a small complaint by a consumer can destroy a retailer’s business.
2. Low retention
A 2020 survey concluded that 25% of the respondents would never return to a website if it turned away their legitimate transaction. Extreme disturbances in the consumer’s online account in the form of multiple invalid login attempts, breach of financial transactions and fraudulent purchase of goods, services, and gift cards may constantly reduce their retention rate.
3. Damaged brand value
Fraudulent activities increase customer friction. A single negative experience may shake the trust and loyalty of the customer in a retailer. Due to a lack of trust, accompanied by negative word of mouth about the business, an ATO fraud slowly kills your brand value in the market.
ATO attacks on the rise
In July 2020, an American e-commerce company reported a credential stuffing attack on its platform. It led to a breach of customer data which later appeared for sale on the dark web.
A few months down the line, another warehouse retailer sent an automated password reset notification to its customers. This notification warned the customers that their accounts may have been hacked as a result of a potential credential stuffing attack or some form of phishing attack.
ATO attacks through bots are highly profitable as they can be programmed to mimic user behavior and steal valuable data by running malware on actual user devices. The industries most commonly targeted include e-commerce, financial services, travel, and hospitality.