You might’ve heard about a new fraud tactic called ‘account pre-hijacking.’ But what actually is it? And how can you prevent it? Let’s break it down.
Account takeover fraud is ever-growing. In 2018, global losses due to account takeover were $4 billion. In 2021, this number grew by more than 200% to over $12 billion. And the costs are only going up. How does the threat persist year after year?
Account takeover hackers are always thinking of clever workarounds to your fraud prevention defenses. To get around two-factor authentication, fraudsters moved to contact center phishing, digital wallet takeovers, and BNPL account fraud (to name a few).
Now hackers have found a new way to get a step ahead: they can take over your customer’s account before it’s even been created. This new technique is called account pre-hijacking. It recently hit headlines after the release of a groundbreaking 2022 study. But the information circulating is quite technical and confusing.
Let’s clear up the confusion and keep things simple. Here’s an easy breakdown of account pre-hijacking techniques and how to protect your business.
Account pre-hijacking occurs when a hacker gets access to a customer’s account, before they’ve even made it. They preempt account creation on popular sites, and find clever ways to harvest your customer’s details.
Almost 50% of the world's most-visited sites are vulnerable to this new type of attack. This includes Zoom, Instagram, Dropbox and LinkedIn. Could your business be a target?
Let’s break it down into steps…
The hacker makes an account using a genuine email address, on a platform that the customer hasn’t yet signed up for.
A hacker might know that firstname.lastname@example.org is a genuine email address. They could find this out by checking the address against a free online verification service, scraping social media accounts or looking through credential dumps on the web. But when testing the address on a popular site, they find out it’s not yet been registered for an account. This is the perfect pre-hijacking target.
Checking these accounts manually would take too long, and fraudsters are impatient. So they’ll often create new accounts in bulk. They’ll target the most popular sites so it seems likely that a genuine customer might want to create an account soon.
The account only becomes valuable when the genuine customer tries to create an account, logs in, and adds information like their payment details. It’s at this point that the hacker uses a variety of methods to harvest the details.
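Because the pre-registration step happens in bulk, the registration log is where it shows first. The following is an added example, not code from this article or from Ravelin: it runs a small detector over a constructed stream of registration events and flags the two signals the article's prevention list points at, a burst of account creations from one source and later "account already exists" failures (or recovery-detail changes) on those same addresses. The log format, the IP-based grouping, the `BURST_THRESHOLD` and `BURST_WINDOW` values and every address in the sample are assumptions made for the example.

```python
# Added example (not Ravelin's code): flag burst sign-ups and later activity on them.
# The event format and thresholds below are assumptions for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta

BURST_THRESHOLD = 3              # assumption: 3+ sign-ups from one source ...
BURST_WINDOW = timedelta(minutes=5)   # ... inside five minutes is worth a look

# Constructed sample log (not real data): timestamp, event, email, source IP.
SAMPLE_LOG = """\
2022-06-01T09:00:01 REGISTER_OK alice@example.org 203.0.113.7
2022-06-01T09:00:04 REGISTER_OK bob@example.org 203.0.113.7
2022-06-01T09:00:09 REGISTER_OK carol@example.org 203.0.113.7
2022-06-01T09:00:15 REGISTER_OK dave@example.org 203.0.113.7
2022-06-01T10:12:40 REGISTER_OK erin@example.org 198.51.100.20
2022-06-01T10:30:02 RECOVERY_CHANGE bob@example.org 203.0.113.7
2022-07-15T18:22:10 REGISTER_FAIL_EXISTS bob@example.org 192.0.2.55
2022-07-16T08:05:33 REGISTER_FAIL_EXISTS frank@example.org 192.0.2.99
"""


def parse_events(text):
    """Turn the whitespace-separated log into a list of event dicts, in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, email, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "email": email.lower(), "ip": ip})
    return events


def find_registration_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {ip: sorted emails} for sources that created >= threshold accounts in one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "REGISTER_OK":
            by_ip[e["ip"]].append(e)
    bursts = {}
    for ip, regs in by_ip.items():
        regs.sort(key=lambda e: e["ts"])
        flagged, start = set(), 0
        for end, cur in enumerate(regs):          # sliding window over this source's sign-ups
            while cur["ts"] - regs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.update(r["email"] for r in regs[start:end + 1])
        if flagged:
            bursts[ip] = sorted(flagged)
    return bursts


def pre_hijack_alerts(events):
    """Cross-reference later events against the burst-registered addresses."""
    bursts = find_registration_bursts(events)
    suspect = {email: ip for ip, emails in bursts.items() for email in emails}
    alerts = []
    for e in events:
        if e["email"] not in suspect:
            continue
        if e["event"] == "REGISTER_FAIL_EXISTS" and e["ip"] != suspect[e["email"]]:
            # Someone else now wants this address: the classic pre-hijack moment.
            alerts.append((e["email"], "sign-up refused: address pre-registered in a burst from "
                           + suspect[e["email"]]))
        elif e["event"] in ("RECOVERY_CHANGE", "EMAIL_CHANGE_REQUESTED"):
            alerts.append((e["email"], f"{e['event']} on burst-registered account"))
    return alerts


if __name__ == "__main__":
    for email, reason in pre_hijack_alerts(parse_events(SAMPLE_LOG)):
        print(f"{email}: {reason}")
```

On the sample the burst from 203.0.113.7 is flagged, and both later events on bob@example.org raise alerts, while frank@example.org (never part of a burst) stays quiet. In production the grouping key would usually be a device or network fingerprint rather than a bare IP, and the "address already exists" failures are worth logging even when the user is told nothing more than to reset their password.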
The hacker’s next move? They have five options. Be warned, the names of these tactics aren’t very catchy…
Classic-Federated Merge Attack
On many sites, customers can sign up using either classic or federated identities. Classic refers to the standard ‘enter your email, create a password’ route. Federated refers to using websites or apps, like Gmail or Yahoo, for single sign-on.
But some merchants merge these identities. So a hacker using a Gmail address and a genuine customer using the federated route could both have access to one account. And both could use different login information. It’s a clever loophole.
Unexpired Session Identifier Attack
This attack is quite simple. The hacker creates an account using the victim’s email address and then maintains a long-running active session. In other words, they stay logged in. Then when the owner creates an account, they’ll be told it already exists and have the option of resetting their password. If they do, both will have access to the account, as the malicious session is still underway.
Trojan Identifier Attack
The hijacker sets up an account recovery option using different details, like their own email address or phone number. So when the victim creates an account and resets their password, the hacker will also get a notification to reset the password. So the hacker resets it, recovers the account and gets their hands on the genuine customer’s information.
Unexpired Email Change Attack
The hacker creates an account using the victim’s email. But they’ll then request to change the account's email to their own address to get sent a verification email. Instead of clicking on the link, they’ll save the verification email for later. So after the genuine customer creates an account and resets their password, the hacker will finish the verification process and get access!
Non-Verifying IDP Attack
This attack only involves apps and sites that don’t verify email addresses. If a hacker discovers that you don’t verify emails, you’ll be a hot target. All the hacker has to do is create an account, and then when the genuine customer tries to register, both have access.
Hackers can do a variety of things once they’ve got your customer’s account. They can order goods or services for use or resale, sell on account details, or use vouchers or accrued credit.
The impact is the same as any other account takeover - it can be extremely damaging. Your business' reputation is on the line, and you’ll likely lose some customers. This means loss of future revenue. And you potentially have the costs of stolen goods, services and your team’s time.
It’s difficult to spot because it’s a long game. A seemingly genuine customer (the hacker) could make an account and go quiet for a few months. Then if they try to log in again after time has passed, it makes sense that they might have forgotten their password. So it’s hard to distinguish between a bad actor and a genuine new customer. You can’t rely on some of the usual fraud signals.
It’s easy enough to prevent if you have the right tools and processes in place:
Monitor your registrations! This includes failed registrations. If you notice an influx of account creations or changes to email addresses or recovery details, it could indicate a pre-hijack attack. Keep an eye on new account details - you’ll likely spot a pattern.
Verify email addresses upon account creation. Easy.
Communicate with customer services. Ask your customer facing team to flag if a customer says an account already exists under their email!
Do not merge any accounts. Don’t merge the single sign-on route with your standard logins. Or get approval from both account holders before you do.
Expire sessions and password resets! End sessions on accounts that share details. And expire password reset texts or emails a couple of hours after you send them. Genuine customers will want to reset their password straight away!
Targeted two-factor authentication. These attacks will be largely stopped by implementing authentication. But you want to use a targeted approach. If you enforce blanket two-factor authentication for all, your conversion could take a hit.
Force sign outs. You just need to force the sign out of any sessions that started before you push authentication to get rid of any lingering pre-hijacking set-ups.
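To make the list above concrete, here is an added example that is not code from this article or from Ravelin: a minimal in-memory account store that applies the prevention measures as rules. Sign-ups are unusable until the address is verified, a federated sign-in is never silently merged into a verified classic account, reset links and pending email changes expire after the two hours the article suggests, and a password reset ends every open session and drops unconfirmed recovery contacts. Names, token handling and the expiry constant are assumptions; time is passed in as plain seconds and passwords are compared in clear only to keep the example short (a real store hashes them).

```python
# Added example (not Ravelin's code): an in-memory account store applying the
# article's prevention list. Time is plain seconds; passwords are unhashed here only for brevity.
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL = 2 * 3600  # assumption: reset and change links expire after two hours


@dataclass
class Account:
    email: str
    password: Optional[str] = None         # None: federated-only account
    verified: bool = False                 # True once the mailbox owner has proved control
    sessions: set = field(default_factory=set)
    pending_email_change: Optional[dict] = None
    recovery_contacts: list = field(default_factory=list)


class AccountStore:
    def __init__(self):
        self.accounts = {}       # email -> Account
        self.verify_tokens = {}  # token -> email
        self.reset_tokens = {}   # token -> (email, expiry)

    def _open_session(self, acct):
        sid = secrets.token_urlsafe(16)
        acct.sessions.add(sid)
        return sid

    def register(self, email, password):
        email = email.lower()
        if email in self.accounts:
            return {"ok": False, "reason": "exists"}  # also worth a line in the registration log
        self.accounts[email] = Account(email=email, password=password)
        token = secrets.token_urlsafe(16)
        self.verify_tokens[token] = email          # delivered to the mailbox itself, nowhere else
        return {"ok": True, "verify_token": token}

    def verify_email(self, token):
        email = self.verify_tokens.pop(token, None)
        if email is None:
            return False
        self.accounts[email].verified = True
        return True

    def login(self, email, password):
        acct = self.accounts.get(email.lower())
        if acct is None or not acct.verified or acct.password != password:
            return None  # an unverified registration is unusable, however long it has sat there
        return self._open_session(acct)

    def federated_login(self, email):
        """`email` is the address the identity provider asserted after its own check."""
        email = email.lower()
        acct = self.accounts.get(email)
        if acct is None or not acct.verified:
            # No account, or only an unverified classic one: the mailbox owner gets a clean account.
            acct = self.accounts[email] = Account(email=email, verified=True)
        elif acct.password is not None:
            return {"ok": False, "reason": "link_required"}  # no silent merge: sign in classically first
        return {"ok": True, "session": self._open_session(acct)}

    def request_password_reset(self, email, now):
        acct = self.accounts.get(email.lower())
        if acct is None:
            return None
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = (acct.email, now + TOKEN_TTL)
        return token  # sent to the primary address only, never to recovery contacts

    def reset_password(self, token, new_password, now):
        entry = self.reset_tokens.pop(token, None)
        if entry is None or now > entry[1]:
            return False
        acct = self.accounts[entry[0]]
        acct.password = new_password
        acct.verified = True               # the link proved control of the mailbox
        acct.sessions.clear()              # ends any session opened before the reset
        acct.pending_email_change = None   # a saved, unconfirmed change link is now dead
        acct.recovery_contacts.clear()     # contacts added before the reset must be re-added
        return True

    def request_email_change(self, email, new_email, now):
        acct = self.accounts[email.lower()]
        token = secrets.token_urlsafe(16)
        acct.pending_email_change = {"new": new_email.lower(), "token": token,
                                     "expires": now + TOKEN_TTL}
        return token

    def confirm_email_change(self, email, token, now):
        acct = self.accounts.get(email.lower())
        pend = acct.pending_email_change if acct else None
        if not pend or pend["token"] != token or now > pend["expires"]:
            return False
        self.accounts[pend["new"]] = self.accounts.pop(acct.email)
        acct.email, acct.pending_email_change = pend["new"], None
        return True
```

The design choice worth noting is that every path which proves control of the mailbox (verification link, reset link, identity provider assertion) resets the account to a clean state, so nothing set up before that proof, whether a session, a saved change link or a recovery contact, survives it. The forced sign-out the article recommends when rolling out authentication is the same `sessions.clear()` applied once across all accounts.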
How can you stay one move ahead of account takeover hackers? Keep your ear to the ground and share your knowledge with other fraud fighters. And, importantly, make sure you have the right tools and processes in place to protect your business. For more resources and information on how to deal with account takeovers proactively, visit our insights page.
Grace Proctor, Content Writer