Learn about account takeover fraud, how it occurs, and detection and prevention strategies from F5.
Account takeover (ATO) is the most prevalent and expensive attack targeting financial institutions, e-commerce, and other online digital services. Using automated bots and other cybercrime methods, criminals use stolen credentials to gain access and control user accounts for monetary gain or to commit fraud. The impacts of account takeover fraud are real: According to the Javelin 2022 ID Fraud Study, 22% of U.S. adults have been victims of ATO.
Account takeover fraud is the culmination of a series of cybercriminal activities, usually beginning with stolen or compromised credentials, which lead to credential stuffing attacks, which can result in the takeover of a customer’s online accounts. Once in charge, the criminal can drain the account of funds, monetize stored value, and use the account for further fraud.
The most basic form of credential stuffing involves bot-driven brute force attacks, which submit random combinations of characters to login forms until attackers find a match for an account’s credentials.
More advanced credential stuffing attacks begin with valid username and password pairs that have been stolen or compromised during data breaches. Stolen credentials are easily purchased on dark web marketplaces (according to Cyber Security Hub, 22 billion data records were exposed in 2022 alone).
Credentials can also be stolen through an array of cyberattacks and other cybercrime techniques including:
Once cybercriminals have accumulated a stash of valid credentials, they can begin the credential stuffing process, often at massive scale. Because around two-thirds of consumers reuse the same usernames and passwords across multiple websites, these recycled credentials are easily exploited by cybercriminals and their armies of automated bots: A significant fraction of breached credentials will also work to gain access to accounts at other sites. Once attackers take over accounts, they can change credentials to lock out the legitimate account owner, drain the assets, and use the accounts to commit additional acts of fraud
Digital fraud losses from attacks such as ATO are anticipated to surpass $343 billion globally between 2023 and 2027, according to reports in American Banker.
Account takeover also has effects beyond the financial realm. An organization’s brand and reputation may also suffer, leading to lost business and negative publicity regarding perceived weakness in security. Long-term brand damage may result, and it can take years to rebuild a positive reputation.
Organizations can also lose customer trust and loyalty, leading to termination of commercial relationships. Customers are understandably unhappy if a company’s inadequate security measures result in account takeover and costly fraudulent activity.
Organizations may also face compliance and legal consequences for failure to protect consumer data. Legislation and standards such as the General Data Protection Regulation (GDPR) in the EU, the California Consumer Protection Act (CCPA), and the Payment Card Industry Data Security Standard (PCI-DSS) are designed to ensure consumer data privacy and impose large monetary penalties in the event of data breaches. These include ATO attacks that expose private data to bots.
It is important to monitor user accounts and activities to detect signs of ATO.
A proactive approach to preventing ATO involves multiple levels of protections and strategies. These include best practices methodologies, a focus on user education, real-time infrastructure monitoring, and strong authentication protections.
One of the most effective ways to prevent account takeover is through educational programs that train users to identify and resist risk. ATO attacks often begin with phishing, when a bad actor attempts to trick users into revealing their account credentials or clicking on malicious links. Phishing emails and texts can be very convincing, especially when the communication features personal details that criminals can collect from social media. Also make sure that users understand the importance of good password hygiene and enforce use of strong password protocols.
Strong authentication requires users to present two or more verification factors, beyond a username and password, during a login attempt. There are several approaches to strong authentication.
Both consumers and businesses should regularly monitor and audit accounts for suspicious activity. For consumers, this includes regularly logging into financial accounts and other accounts with stored value (including loyalty programs and gift cards) to keep an eye on balances and account activity.
Businesses and organizations can employ a range of technologies to automate the continuous monitoring and auditing of accounts, including account tracking systems that use machine learning and AI-based detection to help prevent fraud by identifying anomalous activities that don’t match the user’s usual behavior.
A WAF protects web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic traveling to the web application, and prevents any unauthorized data from leaving the app. It does this by adhering to a set of policies that help determine what traffic is malicious and what traffic is safe. A WAF acts as an intermediary that protects the web app server from a potentially malicious client.
Although not specifically designed to detect ATO activity, WAF policies can be targeted to help identify and block account takeover attacks. WAFs can also help identify malicious bot activities, which often precede brute force credential stuffing attacks.
Armies of bots allow criminals to scale their attacks, bypass MFA controls, and enable fraud. Automation means that bots can be massively deployed in pursuit of their assigned task, whether that is credential stuffing or phishing attacks. Bot detection solutions provide visibility into malicious activities such as fake account creation, inventory hoarding, scraping, and digital skimming of credential information. Bot detection solutions can also provide alerts for client-side attacks, such as formjacking, digital skimming, Magecart, and other browser-based JavaScript vulnerabilities.
Because of the multitude of stolen and compromised credentials readily available on the dark web, it is increasingly likely that organizations will experience a cyberattack, sooner or later. It is imperative that organizations prepare robust responses and processes in advance to address the impact of a cyberattack on both the institution and its customers.
An incident response plan defines the active steps, available resources, and communication strategies that will be put into place upon identification of a threat event. An incident response plan should define the protocols for responding to the event and identify an incident response team that has been trained to operationalize the plan.
It’s critical that the incident response team directly notify impacted customers and explain what has happened, let them know what steps are being taken to protect them, and urge them to change the compromised password if it is used on other accounts. Staying in contact with affected customers is important for rebuilding trust.
After an attack is detected, it is crucial to assess and contain the incident, and identify the nature and scope of the incident and the systems affected. Once the access point is identified, the organization should eliminate the attacker’s unauthorized access to impacted accounts, and remediate compromised accounts to ensure that they can no longer be used maliciously. As part of the fraud recovery review, analyze how to prevent such an attack from happening again.
It’s important to communicate about security breaches and attacks with transparency, as holding back information can be perceived by regulators, the media, or consumers as concealment, and can significantly compound the financial impact of the attack.
Today, any organization issuing or accepting digital payments is an ATO target, and the threat of attack continues to grow. This places online merchants, financial institutions, and service organizations in a paradox: As they embrace customers’ preference for more convenient online services and apps, they open themselves up to increased risk of fraud and other forms of cybercrime. Once an account is compromised, a fraudster may drain funds, steal goods or services, or access payment information to use on other sites—alienating customers and eroding revenue.
Conventional 2FA and MFA controls are no longer sufficient to stop cybercriminals who launch increasingly sophisticated ATO attacks. To prevent ATO requires an end-to-end approach to security and fraud prevention that assesses intent, streamlines digital experiences, and halts ATO by identifying fraud patterns and risky transactions before they take place.
F5 security and fraud prevention solutions offer the industry’s most comprehensive account takeover protection on a single platform. Using sophisticated technologies such as threat intelligence modeling and machine learning to detect attacker techniques, Distributed Cloud Bot Defense deploys appropriate countermeasures in real time to counter bot-driven fraud and ATO with maximum effectiveness. Distributed Cloud Authentication Intelligence recognizes legitimate users throughout the customer journey, and Distributed Cloud Client-Side Defense provides real-time insight into client-side digital skimming attacks.
Coupled with the rapid removal of post-login fraud via Distributed Cloud Account Protection, the F5 Distributed Cloud security and fraud prevention platform provides an end-to-end approach that assesses intent, streamlines digital experiences, and stops ATO attempts that otherwise lead to fraud, lost revenue, and reduced customer loyalty.
USE CASES
Prevent Account Takeover (ATO) ›