Account Takeover (ATO): What is Account Takeover Fraud and How to Prevent ATO?

What is Account Takeover (ATO)?

Identify theft is the theft of certain elements of a victim’s personally identifiable identification (PII). More specifically, this means that a perpetrator is stealing confidential information from a person, such as their driver’s license number or their Social Security number, in order to pretend to be that person or to sell the information to other criminals.

Account takeover (ATO) is an online version of identity theft. In ATO, a perpetrator illegitimately gains access to a person’s online e-commerce or financial accounts commonly through the use of bots. ATOs that succeed often result in multiple fraudulent e-commerce transactions and unapproved shopping orders carried out from the breached accounts of the victim(s). The fraudsters can alter the victim’s mailing address on one or more accounts, and create excessive bills before the victim even notices that an ATO has occurred.

Account Takeover Methods

Those who use ATO exploit vulnerabilities found within online accounts, and are able to gain access to more of the victim's information and funds through breaching the account. These perpetrators use a variety of methods for accessing and performing unauthorized actions on online accounts. The two most frequently used methods are attacks known as credential stuffing and credential cracking.

Credential Cracking

The goal of an ATO perpetrator in credential cracking is to discover and utilize the victim’s legitimate login credentials. There are a few versions of credential cracking: the dictionary (word list) method, guessing attacks, and the brute force method. The thief will attempt to hack into victims’ accounts using bots. Some telltale signs of credential cracking attempts on a given site are an inexplicable uptick in invalid login attempts and a spike in customer complaints about their accounts being taken over.

Credential Stuffing

Credential stuffing is the second part of a 3-part series. The three parts can be broken up into The Breach, Credential Stuffing, and The Financial Transaction.

  • The Breach: ATO hackers take advantage of vulnerabilities that can be found in popular websites or on high-traffic forums, accessing the user databases of those sites. Breaches can impact large numbers of users if they become widespread enough, affecting potentially hundreds to even more than one billion people in the case of social media breaches. The hackers gain the victims’ usernames/email addresses and passwords, as well as other confidential information such as account security questions and answers, users’ genders, dates of birth, PINs, order histories, or personal financial transactions and official bank statements.
  • Credential Stuffing: After the ATO thieves have acquired a given username and password, they will use those credentials on several different websites. This technique, known as credential stuffing, stems from the fact that reuse their account names and passwords to make their login process more convenient for them. Credential stuffing can be quite effective, make the hackers a lot of money in a short amount of time, and is relatively simple to carry out. The perpetrators can search for and download rudimentary tools to carry out credential stuffing attacks, and can even ramp up their attack frequency and range with automated bots.
  • The Financial Transaction: In many cases, the ATO itself is one part of a larger and long-term plan by the hackers to sell the stolen information to other types of criminals. Once sold, the stolen information is used and checked by underground criminal networks, in a process that can last for years. The sale of customers’ information after data breaches can cost companies millions of dollars in terms of recovery procedures, legal issues, and brand damage-control.

Account Takeover Prevention

There are many ways that online account users, e-commerce companies and websites can reduce or prevent ATO attempts.

Users can prevent ATO attacks by taking these precautions:

Online companies and websites can prevent ATOs by using technical authentication processes, only allowing a set number of permitted login attempts, IP permanent blocking, CAPTCHAs, and adjusting rules for a site’s Web Application Firewall (WAF). Over the years, tools that specialize in both recognition and mitigation processes have been developed. These tools have been effective at putting a stop to ATO attempts, saving many businesses large sums of money while simultaneously keeping them safe from unwanted, automated attacks and breaches.

Proven results against account takeover fraud.

Our account takeover fraud prevention solutions and products work hard and effectively to secure and protect your business from account takeover fraud.

Major US Telecom Provider Improves Customers' Login Experience with iovation ClearKey

Read The Case Study

I call it a golden age of fraud. As far as account takeover is concerned, I don't think we've been in this good of a position for a year and a half. ~Toby Ceselski Business Data Analyst III

Ready for the next step?

In just minutes, we’ll show you how to improve your customer authentication experience, stop fraud and save money.


Ready for the next step?

In just minutes, we’ll show you how to improve your customer authentication experience, stop fraud and save money.