Solutions overview
Harness the power of your data to reduce fraud and increase payment acceptance
Tailor-made fraud protection
Detect and stop fraud faster with clear insights
Adaptive solutions for emerging threats
Defend against ATO, promo abuse and seller fraud
Optimize conversion with agnostic authentication
Manage PSD2 and take control of authentication
Online payment fraud
Understand chargebacks, fees & detection
Machine learning for fraud detection
Models, risk scores & thresholds
Link analysis & graph networks
Draw deeper insights from data
Account takeover fraud
Prevention strategies & reputational risk
Policy abuse
Uncover & stop hidden costs
PSD2 & SCA
3D Secure, TRA & exemptions
Global payment regulation map 2022
Track PSD2 & more with a full report
Resource Zone
Deep dives on fraud & payments topics
Blog
The latest fraud & payments updates
API & developer docs
APIs, glossary, guides, libraries and SDKs
About Ravelin
Discover the story about Ravelin
Careers
Join our dynamic team
Customers
Read more about our happy customers
Partners
Join our partner programme
Uncover & stop hidden abuse
Resource zone
Read more about our happy custmomers
Blog / Account Takeover
Account takeover is a growing form of fraud, but how does it actually work? Ravelin Protect expert Katrina explains how fraudsters manage to successfully do an account takeover. Unfortunately, it’s a lot easier than you might think!
There are a few different ways fraudsters can gain access to a genuine account, and how they choose to do it will largely depend on the potential reward. Malware or phishing is the most targeted and sophisticated method. These both require a lot of effort, and therefore are more likely to be used against banks or services with a more significant payout.
Online merchants are more likely to see low-cost and low-effort attacks using credential stuffing - which is far easier to do at a larger scale for a smaller payout across multiple victim accounts. To understand why this can be so easy for fraudsters, it’s important to understand trends around password reuse and data breaches.
Nowadays, the average person has over 100 accounts that require passwords. The problem with so many accounts is that we have to remember the passwords for all of them. This means a lot of people just reuse one or two passwords, sometimes making simple variations but often just relying on exactly the same password to keep their accounts safe.
In fact, two in three of us reuse the same password across multiple services. Password reuse becomes problematic when combined with data breaches. Unfortunately, data breaches are alarmingly common and often include things like usernames, passwords and sometimes even secret answer information - you can scan through the haveibeenpwned Twitter feed to get an idea of how common breaches are (there were 8 reported in September alone). There are also many breaches we are not aware of yet or that just never make it into the news.
Data breaches involving credentials can then be used to target other online services because there is a good chance that if someone does have an account elsewhere, they’ve used the same password. This is most commonly done using credential stuffing.
Credential stuffing uses stolen username and password combinations to automate login requests in order to gain access to user accounts. A fraudster can use a compiled list of credentials (often called a ‘combo list’) with an automated tool like Sentry MBA, Storm or Blackbullet to target logins on other online services. More sophisticated fraudsters may have their own script instead of relying on automated tooling but the overarching method is more or less the same.
The automated tool basically just takes username and password combinations and runs them against a login. This is a bit like having thousands of keys in a bag and trying all of them on the front door of a house (except with credential stuffing you are much more likely to have the right ‘key’ because of password reuse).
Generally, the automated tools or script will then return a list of successful credential combinations to the fraudster. This means they can get a list of accounts they can access with minimal effort - all they need is a combo list of credentials and some basic configuration (e.g. what URL should be targeted, what proxies to use etc.). Some scripts will also check if there is a card or any credit on the account so attackers know more about the potential value of the account.
Once the fraudster is inside, they have access to the genuine customer’s positive history and trust they have built up with the seller, which makes it more difficult to detect fraudy behavior. Therefore, the best point to detect account takeover is at login - so fraudsters take steps to make their logins look as genuine as possible.
Fraudsters can use proxies or botnets to make it look like the login attempts are coming from a variety of sources instead of a single attacker. They can choose popular login times to mimic normal traffic - such as targeting mealtimes to login to a food delivery service. Automated tools are available to allow fraudsters to get around things like CAPTCHA challenges.
All this means that unfortunately, committing account takeover using scripts or automated tools for credential stuffing is easy for would-be fraudsters - there are countless youtube videos explaining how to do it as well as active cracking forums that offer advice, tooling and combo files of credentials.
This makes it so important to have a specific account takeover solution to protect your customer accounts from this threat. This monitors different behavior patterns especially at login to the standard fraud detection for typical card-not-present fraud.
To learn more about how account takeover works, check out the insights page here.
Katrina Scott Product Manager
4 min read
More from Katrina Scott
Share this article:
Blog / News
Buy now, pay later is exploding - what risks could this bring your business? We speak with Nelda Biltauere, Fraud Researcher at Ravelin, about BNPL challenges, costs & strategy.
Grace Proctor, Content Writer
From blocker to revenue enabler, businesses are seeing their fraud teams with new eyes. What has brought about this change? And how can you build on it?
Lola Omo-Ikerodah, Content Writer
Disputes and chargebacks are often viewed as a “necessary evil” in ecommerce. But the pandemic has made them a serious threat to business and revenue. How are you fighting back?