You might’ve heard about a new fraud tactic called ‘account pre-hijacking.’ But what actually is it? And how can you prevent it? Let’s break it down.
Account takeover fraud is ever-growing. In 2018, global losses due to account takeover were $4 billion. By 2021 that figure had tripled to over $12 billion, and the costs are still rising. Why does the threat persist year after year?
Account takeover hackers are always thinking of clever workarounds to your fraud prevention defenses. To get around two-factor authentication, fraudsters moved to contact center phishing, digital wallet takeovers, and BNPL fraud (to name a few).
Now hackers have found a way to get a step ahead: they can take over your customer’s account before it has even been created. The technique is called account pre-hijacking. It hit the headlines after the release of a 2022 study by Avinash Sudhodanan and Andrew Paverd. But the information circulating is quite technical and confusing.
Let’s clear up the confusion and keep things simple. Here’s an easy breakdown of account pre-hijacking techniques and how to protect your business.
Account pre-hijacking occurs when a hacker gets access to a customer’s account, before they’ve even made it. They preempt account creation on popular sites, and find clever ways to harvest your customer’s details.
Almost half of the popular services examined in the study were vulnerable to at least one of these attacks, including Zoom, Instagram, Dropbox and LinkedIn. Could your business be a target?
Let’s break it down into steps…
The hacker makes an account using a genuine email address, on a platform that the customer hasn’t yet signed up for.
A hacker might know that jenny.smith@email.com is a genuine email address. They could find this out by checking the address against a free online verification service, scraping social media accounts or looking through credential dumps on the web. But when testing the address on a popular site, they find out it’s not yet been registered for an account. This is the perfect pre-hijacking target.
Checking these accounts manually would take too long, and fraudsters are impatient. So they’ll often create new accounts in bulk. They’ll target the most popular sites so it seems likely that a genuine customer might want to create an account soon.
The account only becomes valuable when the genuine customer tries to create an account, logs in, and adds information like their payment details. It’s at this point that the hacker uses a variety of methods to harvest the details.
The hacker’s next move? They have five options. Be warned, the names of these tactics aren’t very catchy…
Classic-Federated Merge Attack
On many sites, customers can sign up using either a classic or a federated identity. Classic refers to the standard ‘enter your email, create a password’ route. Federated refers to single sign-on through an identity provider such as Google.
But some merchants automatically merge the two whenever they see the same email address. So the hacker creates a classic account with the victim’s email and a password of their choosing; the victim later signs up through the federated route with the same email; the site quietly merges the two, and now both can log in to the same account with different credentials. It’s a clever loophole.
Unexpired Session Identifier Attack
This attack is quite simple. The hacker creates an account using the victim’s email address and then keeps a session alive by logging in periodically. When the owner tries to create an account, they’ll be told it already exists and have the option of resetting their password. If the site doesn’t terminate existing sessions when a password is reset, both will have access to the account, as the malicious session is still underway.
Trojan Identifier Attack
The hijacker creates the account with the victim’s email and then adds a recovery identifier they control, such as their own phone number or a secondary email address. When the victim claims the account by resetting the password, that extra identifier survives unless the site strips it. So the hacker later triggers account recovery through their own identifier, resets the password again and gets their hands on the genuine customer’s information.
Unexpired Email Change Attack
The hacker creates an account using the victim’s email, then requests to change the account’s email to their own address, which triggers a confirmation link sent to that new address. Instead of clicking on the link, they save it for later. So after the genuine customer claims the account and resets their password, the hacker completes the email change with the still-valid link, which points the account’s login and recovery at their own address, and gets access!
Non-Verifying IDP Attack
This attack involves identity providers that don’t verify that a user actually owns the email address they sign up with. The hacker creates an identity at such a provider using the victim’s email address, then uses it to sign up for your site via single sign-on. When the genuine customer later registers through the classic route with the same email, both have access. If you accept federated logins from a provider that doesn’t verify emails, you’re a hot target.
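To make the Unexpired Session Identifier and Unexpired Email Change attacks concrete, here is a toy account service that plays them out. It is an added example written for this post, not Ravelin’s code or the study’s code; the service, its method names and the addresses in it are all constructed for illustration. Run with `hardened=False` it behaves like a vulnerable site; with `hardened=True` it applies two of the fixes discussed later: a password reset ends every existing session and cancels pending email changes, and email-change links expire after two hours.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed toy account service for illustration only (not any real product).
# It models the "unexpired session" and "unexpired email change" pre-hijacking
# attacks, and the fixes that stop them.

CHANGE_LINK_TTL_SECONDS = 2 * 3600  # hardened: email-change links live two hours


@dataclass
class Account:
    email: str
    password: str
    sessions: set = field(default_factory=set)


class AccountService:
    def __init__(self, hardened: bool, clock=time.time):
        self.hardened = hardened
        self.clock = clock
        self.accounts: dict[str, Account] = {}
        self.session_owner: dict[str, str] = {}     # session id -> email
        self.pending_changes: dict[str, tuple] = {}  # token -> (email, new_email, expires)

    def register(self, email: str, password: str) -> str:
        if email in self.accounts:
            raise ValueError("account already exists")
        self.accounts[email] = Account(email, password)
        return self.login(email, password)

    def login(self, email: str, password: str) -> str:
        if self.accounts[email].password != password:
            raise PermissionError("bad password")
        sid = secrets.token_hex(8)
        self.accounts[email].sessions.add(sid)
        self.session_owner[sid] = email
        return sid

    def session_valid(self, sid: str) -> bool:
        return sid in self.session_owner

    def reset_password(self, email: str, new_password: str) -> None:
        acct = self.accounts[email]
        acct.password = new_password
        if self.hardened:
            # Fix: a reset ends every existing session and cancels any pending
            # identifier change left behind by whoever held the account before.
            for sid in acct.sessions:
                self.session_owner.pop(sid, None)
            acct.sessions.clear()
            self.pending_changes = {t: p for t, p in self.pending_changes.items()
                                    if p[0] != email}

    def request_email_change(self, sid: str, new_email: str) -> str:
        """Returns the token that would be embedded in the confirmation link."""
        email = self.session_owner[sid]
        token = secrets.token_hex(8)
        ttl = CHANGE_LINK_TTL_SECONDS if self.hardened else float("inf")
        self.pending_changes[token] = (email, new_email, self.clock() + ttl)
        return token

    def confirm_email_change(self, token: str) -> bool:
        pending = self.pending_changes.pop(token, None)
        if pending is None or self.clock() > pending[2]:
            return False
        email, new_email, _ = pending
        acct = self.accounts.pop(email)
        acct.email = new_email
        self.accounts[new_email] = acct
        return True


VICTIM = "jenny.smith@email.com"  # constructed address, as in the article


def unexpired_session_attack(hardened: bool) -> bool:
    """True if the attacker's pre-created session survives the victim's password reset."""
    svc = AccountService(hardened)
    attacker_sid = svc.register(VICTIM, "attacker-pw")
    svc.reset_password(VICTIM, "victim-pw")   # victim is told the account exists and resets
    svc.login(VICTIM, "victim-pw")
    return svc.session_valid(attacker_sid)


def unexpired_email_change_attack(hardened: bool) -> bool:
    """True if a saved email-change link still works after the victim claims the account."""
    svc = AccountService(hardened)
    attacker_sid = svc.register(VICTIM, "attacker-pw")
    token = svc.request_email_change(attacker_sid, "attacker@attacker.example")
    svc.reset_password(VICTIM, "victim-pw")   # victim takes the account
    return svc.confirm_email_change(token)    # attacker clicks the saved link


def stale_email_change_link(hardened: bool) -> bool:
    """True if an email-change link is still accepted a day after it was issued."""
    now = [0.0]
    svc = AccountService(hardened, clock=lambda: now[0])
    sid = svc.register(VICTIM, "pw")
    token = svc.request_email_change(sid, "attacker@attacker.example")
    now[0] += 24 * 3600
    return svc.confirm_email_change(token)


if __name__ == "__main__":
    for attack in (unexpired_session_attack, unexpired_email_change_attack,
                   stale_email_change_link):
        print(f"{attack.__name__}: vulnerable={attack(False)} hardened={attack(True)}")
```

Each scenario function returns True when the attack succeeds, so the same three calls show the vulnerable service failing and the hardened one holding. The important design point is in `reset_password`: the reset is the moment the genuine customer claims the account, so that is where every artefact of the previous holder (sessions, pending changes, recovery identifiers) has to be discarded.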
Hackers can do a variety of things once they’ve got your customer’s account. They can order goods or services for use or resale, sell on account details, or use vouchers or accrued credit.
The impact is the same as any other account takeover - it can be extremely damaging. Your business' reputation is on the line, and you’ll likely lose some customers. This means loss of future revenue. And you potentially have the costs of stolen goods, services and your team’s time.
It’s difficult to spot because it’s a long game. A seemingly genuine customer (the hacker) could make an account and go quiet for a few months. Then if they try to log in again after time has passed, it makes sense that they might have forgotten their password. So it’s hard to distinguish between a bad actor and a genuine new customer. You can’t rely on some of the usual fraud signals.
It’s easy enough to prevent if you have the right tools and processes in place:
Monitor your registrations! This includes failed registrations, especially ‘account already exists’ errors. If you notice an influx of account creations, or of changes to email addresses or recovery details on accounts that have never been verified, it could indicate a pre-hijack attack. Keep an eye on new account details - you’ll likely spot a pattern.
Verify email addresses upon account creation, and don’t let an unverified account do anything useful, such as adding recovery details or holding a long-lived session. Easy.
Communicate with customer services. Ask your customer facing team to flag if a customer says an account already exists under their email!
Do not merge accounts silently. Don’t merge the single sign-on route with your standard logins just because the email address matches. Or get approval from both account holders before you do.
Expire sessions and password resets! Invalidate every existing session, and any pending email change or recovery link, whenever a password is reset. And expire password reset texts or emails a couple of hours after you send them. Genuine customers will want to reset their password straight away!
Targeted two-factor authentication. These attacks will be largely stopped by implementing authentication. But you want to use a targeted approach. If you enforce blanket two-factor authentication for all, your conversion could take a hit.
Force sign outs. You just need to force the sign out of any sessions that started before you push authentication to get rid of any lingering pre-hijacking set-ups.
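The monitoring advice above is easy to state and harder to turn into a detection. Here is an added example, written for this post rather than taken from Ravelin’s product, that runs three pre-hijacking signals over a constructed registration log: bulk registrations from one IP, recovery or email changes on accounts that were never verified, and an ‘account already exists’ collision followed by a password reset on a never-verified account (the moment a genuine customer unknowingly claims a pre-hijacked account). The log format, event names and IP addresses are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed registration log for the example. Assumed format:
#   <ISO timestamp> <client ip> <event> <email>
# Events: register, register_failed_exists, verify_email, add_recovery,
#         request_email_change, password_reset
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 register alice@example.com
2024-03-01T10:00:03Z 203.0.113.7 register bob@example.com
2024-03-01T10:00:04Z 203.0.113.7 register jenny.smith@email.com
2024-03-01T10:00:06Z 203.0.113.7 register carol@example.com
2024-03-01T10:00:08Z 203.0.113.7 register dave@example.com
2024-03-01T10:00:20Z 203.0.113.7 add_recovery jenny.smith@email.com
2024-03-01T11:30:00Z 198.51.100.2 register erin@example.com
2024-03-01T11:30:10Z 198.51.100.2 verify_email erin@example.com
2024-03-04T09:15:00Z 192.0.2.44 register_failed_exists jenny.smith@email.com
2024-03-04T09:16:30Z 192.0.2.44 password_reset jenny.smith@email.com
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    kind: str
    email: str


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, kind, email = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, kind, email))
    return sorted(events)


def burst_registrations(events: list[Event], window: timedelta = timedelta(seconds=60),
                        threshold: int = 5) -> set[str]:
    """IPs that created at least `threshold` accounts inside any `window`."""
    by_ip: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e.kind == "register":
            by_ip[e.ip].append(e.ts)
    flagged = set()
    for ip, times in by_ip.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def unverified_accounts(events: list[Event]) -> set[str]:
    registered = {e.email for e in events if e.kind == "register"}
    verified = {e.email for e in events if e.kind == "verify_email"}
    return registered - verified


def recovery_changes_on_unverified(events: list[Event]) -> set[str]:
    """Accounts that added recovery details or requested an email change before ever verifying."""
    unverified = unverified_accounts(events)
    return {e.email for e in events
            if e.kind in ("add_recovery", "request_email_change") and e.email in unverified}


def claimed_unverified_accounts(events: list[Event]) -> set[str]:
    """Emails where 'account already exists' was followed by a reset of a never-verified account."""
    unverified = unverified_accounts(events)
    collided, flagged = set(), set()
    for e in events:
        if e.kind == "register_failed_exists":
            collided.add(e.email)
        elif e.kind == "password_reset" and e.email in collided and e.email in unverified:
            flagged.add(e.email)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bulk registration IPs:", burst_registrations(evs))
    print("recovery changes on unverified accounts:", recovery_changes_on_unverified(evs))
    print("unverified accounts claimed via reset:", claimed_unverified_accounts(evs))
```

The third signal is the one worth wiring to your customer-facing team: a customer who is told their account already exists and immediately resets the password is exactly the person the ‘ask support to flag it’ advice is about, and the reset is the point at which lingering sessions and recovery details from the earlier registration should be cleared.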
How can you stay one move ahead of account takeover hackers? Keep your ear to the ground and share your knowledge with other fraud fighters. And, importantly, make sure you have the right tools and processes in place to protect your business. For more resources and information on how to deal with account takeovers proactively, visit our insights page.
Grace Proctor, Content Writer