Blog / Account Takeover
Account takeover is a growing form of fraud, but how does it actually work? Ravelin Protect expert Katrina explains how fraudsters manage to successfully do an account takeover. Unfortunately, it’s a lot easier than you might think!
There are a few different ways fraudsters can gain access to a genuine account, and how they choose to do it will largely depend on the potential reward. Malware and phishing are the most targeted and sophisticated methods. Both require a lot of effort, and therefore are more likely to be used against banks or services with a more significant payout.
Online merchants are more likely to see low-cost and low-effort attacks using credential stuffing - which is far easier to do at a larger scale for a smaller payout across multiple victim accounts. To understand why this can be so easy for fraudsters, it’s important to understand trends around password reuse and data breaches.
Nowadays, the average person has over 100 accounts that require passwords. The problem with so many accounts is that we have to remember the passwords for all of them. This means a lot of people just reuse one or two passwords, sometimes making simple variations but often just relying on exactly the same password to keep their accounts safe.
In fact, two in three of us reuse the same password across multiple services. Password reuse becomes problematic when combined with data breaches. Unfortunately, data breaches are alarmingly common and often include things like usernames, passwords and sometimes even secret answer information - you can scan through the haveibeenpwned Twitter feed to get an idea of how common breaches are (there were 8 reported in September alone). There are also many breaches we are not aware of yet or that just never make it into the news.
Data breaches involving credentials can then be used to target other online services because there is a good chance that if someone does have an account elsewhere, they’ve used the same password. This is most commonly done using credential stuffing.
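One defensive counterpart to the password-reuse problem described above is to check a candidate password against a breached-password corpus at registration or password change. The following is an added example, not Ravelin's code: it implements the k-anonymity lookup used by the Have I Been Pwned Pwned Passwords range API (only the first five hex characters of the SHA-1 hash leave the client, and the service returns every known breached suffix with that prefix). The HTTP call is replaced by a constructed, offline stand-in (`offline_fetch_range`, `CONSTRUCTED_RANGES`); the counts and filler suffixes in it are made up, while the first suffix is the real SHA-1 tail of the string `password`.

```python
import hashlib
from typing import Callable

# Constructed offline stand-in for the Pwned Passwords range API
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# The real service answers with one "<35-char SUFFIX>:<COUNT>" line per breached
# hash sharing that prefix. Counts and the two filler suffixes below are made up;
# the first suffix is the genuine SHA-1 tail of "password".
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:3\r\n"
        "FFFF9876543210FEDCBA9876543210FEDCB:12\r\n"
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Return the constructed range body for a prefix, or an empty body if none."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a suffix -> breach-count mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appeared in known breaches (0 = not seen).

    Only the 5-character prefix is sent to fetch_range; the suffix comparison
    happens locally, so the lookup service never learns the full hash.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_acceptable(password: str,
                  fetch_range: Callable[[str], str] = offline_fetch_range,
                  threshold: int = 1) -> bool:
    """Reject any password seen in at least `threshold` breaches."""
    return breach_count(password, fetch_range) < threshold


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate), "breach hits")
```

To use this against the live service, replace `offline_fetch_range` with a function that performs the GET request for the prefix and returns the response body; the parsing and comparison logic stays the same. Rejecting breached passwords at the point of creation removes exactly the credentials a combo list is built from.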
Credential stuffing uses stolen username and password combinations to automate login requests in order to gain access to user accounts. A fraudster can use a compiled list of credentials (often called a ‘combo list’) with an automated tool like Sentry MBA, Storm or Blackbullet to target logins on other online services. More sophisticated fraudsters may have their own script instead of relying on automated tooling but the overarching method is more or less the same.
The automated tool basically just takes username and password combinations and runs them against a login. This is a bit like having thousands of keys in a bag and trying all of them on the front door of a house (except with credential stuffing you are much more likely to have the right ‘key’ because of password reuse).
Generally, the automated tools or scripts will then return a list of successful credential combinations to the fraudster. This means they can get a list of accounts they can access with minimal effort - all they need is a combo list of credentials and some basic configuration (e.g. what URL should be targeted, what proxies to use etc.). Some scripts will also check if there is a card or any credit on the account so attackers know more about the potential value of the account.
Once the fraudster is inside, they have access to the genuine customer’s positive history and the trust they have built up with the seller, which makes it more difficult to detect fraudulent behavior. Therefore, the best point to detect account takeover is at login - so fraudsters take steps to make their logins look as genuine as possible.
Fraudsters can use proxies or botnets to make it look like the login attempts are coming from a variety of sources instead of a single attacker. They can choose popular login times to mimic normal traffic - such as targeting mealtimes to login to a food delivery service. Automated tools are available to allow fraudsters to get around things like CAPTCHA challenges.
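Because the best detection point is the login itself, and because proxies defeat per-IP rate limits, a defender needs signals that survive source rotation. The block below is an added example, not Ravelin's product logic, of how such login-time detection can be expressed over a batch of login events. The log format, the client fingerprint field, the thresholds and all addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed assumptions. It combines three signals: one source cycling through many distinct usernames, one client fingerprint spread across many sources with a high failure count (the proxy or botnet pattern), and a successful login that rides on either flagged indicator, which is the account to step up or review.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed login telemetry: ISO-8601 timestamp, username, source IP,
# client fingerprint, outcome. alice mistypes once then succeeds (normal);
# fp-tool-7 rotates through four proxy IPs trying one or two usernames each.
CONSTRUCTED_LOG = """\
2023-09-14T18:00:01Z alice   203.0.113.10  fp-browser-1 FAIL
2023-09-14T18:00:09Z alice   203.0.113.10  fp-browser-1 OK
2023-09-14T18:00:12Z bob     203.0.113.11  fp-browser-2 OK
2023-09-14T18:00:15Z carol   198.51.100.20 fp-tool-7    FAIL
2023-09-14T18:00:15Z dave    198.51.100.20 fp-tool-7    FAIL
2023-09-14T18:00:16Z erin    198.51.100.20 fp-tool-7    FAIL
2023-09-14T18:00:16Z frank   198.51.100.21 fp-tool-7    FAIL
2023-09-14T18:00:17Z grace   198.51.100.21 fp-tool-7    OK
2023-09-14T18:00:17Z heidi   198.51.100.22 fp-tool-7    FAIL
2023-09-14T18:00:18Z ivan    198.51.100.22 fp-tool-7    FAIL
2023-09-14T18:00:18Z judy    198.51.100.23 fp-tool-7    FAIL
2023-09-14T18:00:19Z mallory 198.51.100.23 fp-tool-7    OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    ip: str
    fingerprint: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse whitespace-separated login lines into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, fp, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                 user, ip, fp, outcome == "OK"))
    return events


def detect_credential_stuffing(events: list[LoginEvent], *, window_seconds: int = 600,
                               min_users_per_ip: int = 3, min_ips_per_fp: int = 3,
                               min_fails_per_fp: int = 5) -> dict[str, list[str]]:
    """Flag stuffing sources, rotating-proxy fingerprints and at-risk accounts.

    Thresholds are constructed for the sample; tune them per service volume.
    """
    if not events:
        return {"stuffing_ips": [], "suspicious_fingerprints": [], "at_risk_accounts": []}
    # Only consider the most recent window; production systems keep sliding counters.
    cutoff = max(e.ts for e in events) - timedelta(seconds=window_seconds)
    recent = [e for e in events if e.ts >= cutoff]

    users_by_ip: dict[str, set[str]] = defaultdict(set)
    ips_by_fp: dict[str, set[str]] = defaultdict(set)
    fails_by_fp: dict[str, int] = defaultdict(int)
    for e in recent:
        users_by_ip[e.ip].add(e.user)
        ips_by_fp[e.fingerprint].add(e.ip)
        if not e.ok:
            fails_by_fp[e.fingerprint] += 1

    # Signal 1: one source trying many distinct usernames (the bag-of-keys pattern).
    stuffing_ips = {ip for ip, users in users_by_ip.items() if len(users) >= min_users_per_ip}
    # Signal 2: one client fingerprint across many sources with many failures;
    # the IPs rotate but the tool's fingerprint does not.
    suspicious_fps = {fp for fp, ips in ips_by_fp.items()
                      if len(ips) >= min_ips_per_fp and fails_by_fp[fp] >= min_fails_per_fp}
    # Signal 3: a success from a flagged source or fingerprint is the takeover candidate.
    at_risk = {e.user for e in recent
               if e.ok and (e.ip in stuffing_ips or e.fingerprint in suspicious_fps)}
    return {"stuffing_ips": sorted(stuffing_ips),
            "suspicious_fingerprints": sorted(suspicious_fps),
            "at_risk_accounts": sorted(at_risk)}


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_log(CONSTRUCTED_LOG)))
```

On the constructed sample, per-IP counting alone catches only the first proxy; the fingerprint signal is what ties the four rotating addresses together and surfaces the two successful logins that should be challenged rather than trusted on the account's good history.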
All this means that unfortunately, committing account takeover using scripts or automated tools for credential stuffing is easy for would-be fraudsters - there are countless YouTube videos explaining how to do it as well as active cracking forums that offer advice, tooling and combo files of credentials.
This is why it is so important to have a specific account takeover solution to protect your customer accounts from this threat. Such a solution monitors behavior patterns, especially at login, in addition to the standard fraud detection used for typical card-not-present fraud.
To learn more about how account takeover works, check out the insights page here.
Katrina Scott, Product Manager