What is account takeover?
Account takeover, also known as account compromise, happens when a fraudster gets access to a genuine customer’s account. Any online account could be taken over by fraudsters, including ecommerce accounts, subscriptions, banks, credit cards, emails and so on. In this guide, we’ll focus on account takeover for online merchants.
What a typical account takeover looks like
What does the fraudster do with the account?
Once a fraudster has compromised an account, what can they do with it? There are a range of options available:
- Make fraudulent orders using saved or stolen card details
- Use loyalty points or account credits
- Sell the confirmed account
- Extract the customer data to sell
To learn more about how fraudsters monetize compromised accounts, we analysed data from ATO attacks against food delivery businesses.
Here’s what we found:
71% of ATO attacks resulted in the attacker placing an order
We found that for food delivery ATO attacks, the primary method for monetizing the account was to place an order. This is likely to be heavily influenced by the type of business we are analysing; food delivery is likely to appeal to a certain type of attacker, like the Hungry Fraudster.
We found that when an attacker does place an order, they make 3 to 4 orders on average, with around a 50% success rate. Of the 29% of attacks which didn’t result in an order, some may have been stopped, for example because the customer spotted a change on their account and contacted the merchant. It’s also possible that the attacker monetized the account in another way, such as resale or extraction of customer data to be sold online.
46% of attacks included orders placed to a city/region different from the customer’s previous order
For food delivery businesses, speed of delivery is super important and it’s not unusual for customers to order deliveries to different addresses. Although changing delivery addresses can be an indication of ATO, it’s also common for genuine customers to order food to a new delivery address. This shows how challenging it can be to differentiate ATO activity from normal customer behavior, and why analyzing a combination of indicating factors is key.
10% of attackers changed the email address, while 48% changed the phone number
Our analysis showed that attackers were more likely to change the phone number on the compromised account than the email address. This may be because food delivery services often send an SMS text message to the customer to alert them that an order has been received or is on the way. The fraudster changing the phone number would stop the genuine customer getting this alert and contacting the merchant to cancel the order.
It’s also common for delivery drivers to use the account phone number to get in touch with the customer when they are attempting delivery. Fraudsters don’t always use their true address, to avoid it being blacklisted by a merchant - therefore they may contact the driver to arrange the drop off somewhere else.
Additionally, this could also be due to the widespread use of SMS one-time passwords for authentication. If the use of a new address or unusual activity triggers an authentication request, the fraudster would be able to falsely authenticate with their own phone number without alerting the customer or the merchant.
In around 15% of attacks the phone number on the account was changed twice or more - suggesting that fraudsters may use temporary phone numbers.
How big is the risk to merchants?
Financial cost, business reputation and customer loyalty implications
Account takeover is a significant threat to online businesses. So far, it’s not as common and the cost is not as high as for chargeback fraud (yet). But there are other costs involved with account takeover: an incident can shred business reputation when victims complain publicly, and if managed badly it can put a huge dent in customer loyalty and retention.
Increasingly common style of attack
One reason why this type of fraud is increasing is because merchants have gotten much better at detecting typical card-not-present fraud, and fraud solutions have come a long way.
In 2017, account takeover increased by 45% and in 2018 US costs tripled to $5.1 billion
Easy to implement and very hard to detect
Account takeover is particularly risky because it’s simple and low-effort to implement - we’ll explain how fraudsters do this attack below.
Coupled with this, it can be very difficult to detect, as the attacker has access to a genuine customer’s history which looks normal. Online businesses tend to encourage and trust repeat customers, which means a takeover can easily go undetected.
Data breaches and passwords create perfect conditions for account takeover
To understand why this can be so easy for fraudsters, it’s important to understand trends around data breaches and password reuse.
We live in a world of seemingly endless data breaches, impacting some of the most widely used services. Breaches can include data like usernames, passwords and sometimes even secret answer information. The haveibeenpwned Twitter feed reveals how common breaches are, and these are just the ones we know about; many breaches are never reported.
Nowadays, the average person has over 100 accounts that require passwords, which adds up to a lot of passwords to remember. Often, people reuse one or two passwords to keep their accounts safe. In fact, two-thirds of us reuse the same password across multiple services. Coupled with the fact that some people are still using passwords like ‘123456’, it’s a serious problem.
Data breaches involving login details can then be used to target other online services because there is a good chance that if someone does have an account elsewhere, they’ve used the same password.
How does a fraudster get stolen credentials?
There are a few different ways fraudsters can get into an account, with different levels of effort and time required. Malware or phishing are the most targeted and sophisticated methods. These both require a lot of effort, so they are more common in takeovers of bank accounts or corporate accounts with a much higher potential payoff.
Fraudsters can buy credentials in bulk on the dark web for relatively low cost. Once they have a set of logins to try against ecommerce businesses, they are more likely to use credential stuffing to find out if any of these logins work. So how does it work?
Credential stuffing is suitable for use against online merchants because it’s a low-cost and low-effort attack style and far easier to do at a larger scale for a smaller payout across multiple victim accounts. In this process, the fraudster uses an automated tool or script to perform login requests using the stolen credentials to gain access to user accounts. This can be done extremely quickly - with hundreds or thousands of logins a minute.
The tool basically takes username and password combinations and runs them against a login page. This is a bit like having thousands of keys in a bag and trying all of them on the front door of a house. With credential stuffing, you are much more likely to have the right ‘key’ because of password reuse.
Who is impacted by account takeover?
Consequences for customers
Often the customer is the first person to realise an account takeover has happened. They may notice charges on their card or get a notification from the merchant for an order they didn’t make.
The customer may have to call around to the merchant and their bank to connect the dots and prove that their account has been compromised. An attack costs victims an average of $290 and 15 hours to resolve - this often adds up to a very unhappy, stressed customer.
Consequences for merchants
Chargebacks and other fees
A business might only realise their customers have been victims of an account takeover when they suddenly start to see increased chargebacks and increased customer transaction disputes. As with typical payment fraud, chargebacks and the associated fees can be expensive and also carry the risk of ending up on a chargeback management program.
There are also added concerns around General Data Protection Regulation (GDPR) fines as a result of a breach.
Customer loyalty and retention
With account takeover, customers often blame the merchant for having poor security, even when the original data breach happened elsewhere. This can result in loss of customer trust, low retention of customers and decrease in the lifetime value of the customer. Most importantly, businesses can face real brand damage when customers complain publicly.
Strain on operations teams
For many businesses, account takeover is a relatively new problem, and so they have limited or no resources for managing this. This means the business response can be slow or more complex, and allow more time for the attack to have a worse impact. Many businesses would prefer to resolve the issue with the customer directly and offer a refund, rather than incur a chargeback. This means there’s also added stress on operations teams who have to respond to customer queries - the nature of an account takeover means this can be overwhelming.
Customer responses to account takeover
Understandably, customers don’t like their accounts being hacked. What makes it even worse, is when businesses don’t respond quickly or fail to manage the problem effectively in their customers’ eyes.
Brad Bourque’s PlayStation account was hacked while he was sleeping; his account details were changed and a new device was added. When he finally got through to Sony to get a refund for the charges on his account, they told him he had to pay the charges or his account would be frozen. It was only after he published his story that he managed to get the money back. There are also multiple customers reporting account takeovers on Twitter.
A stream of customers of US fast-food giant Chipotle reported their accounts being hacked, taking to Twitter and Reddit to complain. Many customers were unable to get a refund and were angry with Chipotle for allowing orders in states a significant distance from them and not verifying the person picking up the order.
What makes it so hard to detect?
Genuine customers have a good spending history
Once the fraudster is inside, they can hide behind the genuine customer’s positive history and the trust they have built up with the seller, which makes it more difficult to detect fraudulent behavior. Therefore, the best point to detect account takeover is at login - so fraudsters take steps to make their logins look as genuine as possible.
Fraudsters mimic normal login behavior
Fraudsters use proxies or botnets to make it look like the login attempts are coming from a variety of sources instead of a single attacker. They can choose popular login times to mimic normal traffic - such as targeting mealtimes to login to a food delivery service. Automated tools are available to allow fraudsters to get around things like CAPTCHA challenges.
Fraudsters are always sharing knowledge
There are countless YouTube videos available explaining how to do an account takeover. There are also active cracking forums where fraudsters offer advice, tooling and combo files of credentials and share tips on how to make credential stuffing more profitable.
Business responses to the threat
Despite the alarming rise in account takeover, many companies aren't putting in the protocols, time, or technology necessary to manage the problem. What’s behind this?
No clear owner for the account takeover problem
One reason for this is because for many businesses, account takeover is a relatively new fraud problem. It doesn’t have one clear owner - it affects many different teams. An account takeover looks very different from typical card-not-present fraud. A single attack affects hundreds of different genuine customer accounts at the same time. By the time the Payments team notices a chargeback relating to an account takeover, often the damage has already been done across multiple other accounts.
Different priorities around logging in and ease of use
This means it’s important for not only the Fraud and Payments teams, but also Security/Risk, Product and Marketing departments to tackle the issue. Defining the right way to deal with account takeover is complicated by the goals and priorities of each; for example, the Marketing department may prioritize ease of ordering over repeating authentication checks when a customer logs in using a new device.
Because of these factors, we often hear from merchants who say it’s a challenge to get business leaders to recognize the risk of account takeover and allocate budget to the problem. But many businesses struggle to react quickly if they don’t have specific protection in place for this style of attack - so how can you raise the issue within your business?
How to raise awareness of account takeover
Make sure everyone understands the real costs of account takeover
It’s great that protection against typical online card fraud has advanced, but now the fraudsters are switching to new sophisticated tactics. Use statistics to highlight how much the risk is increasing - attacks tripled between 2016-2017 and mobile account takeover attacks increased again in 2018.
But the cost of account takeover is not limited to chargebacks - they are just the tip of the iceberg. Under GDPR and other privacy laws, fines relating to customer data can be in the millions.
Investigate the real impact of account takeover on your business
Talking about general statistics will only go so far - to get buy-in you need to relate to your own business. Look into instances of account takeover in your business. Find specific cases of customer complaints about their accounts being impacted on social media, investigate how this affected a real customer, listen to calls or read email complaints. Look into how long it took to resolve the issue across different teams and how the time impacted your response.
Don’t underestimate the cost of reputational damage
When multiple customers are the victim of an account takeover, customers often believe the merchant is insecure, regardless of whether they were the source of the data breach or not. News of a hack spreads fast on social media, and this reputational damage can cause you to lose new/repeat business and lead to customers closing their accounts entirely.
In today’s world, customers are increasingly focused on their privacy and security. It’s no surprise that 90% of companies say business security is a competitive differentiator and can help win new customers.
Form a united taskforce and relate the problem to each team’s priorities
As well as including different departments in the conversation, you also need to speak in their language. Speak about the aspects of account takeover that matter to them. Find out how to relate the problem to each department in this article on how to get buy-in for an account takeover solution.
Six ways to spot an account takeover attack
So, the same thing that makes account takeover so successful is also what makes it so hard to detect. A fraudster poses as a real customer with a healthy purchasing history and no indicators of fraud - making it more difficult for systems to spot abnormal behavior and prevent the attack.
So how can you stay on top of the growing threat? Here are six things to look out for to protect your customer accounts and prevent losses.
1- Multiple accounts suddenly changing details to the same thing
Some fraudsters want to claim an account, so that no one else can attempt to take it over after them. To do this, they change details on the genuine customer profile. They don’t have to change all details - often only one field needs to change.
In one case, we noticed a mass change of contact telephone number across a huge number of customer accounts. When we investigated we found all the customers had changed this to exactly the same phone number - likely owned by a fraudster.
2- New account details, new device and new delivery address
When there are no links or common details between customers, how can you spot the attack? Even the most sophisticated fraudsters still follow the same behavior patterns. We’ve found a combination of events that show an account has been hacked:
- The customer has updated a customer detail (telephone, email, name).
- The customer has had a login from a new device within a 24-hour period of that change.
- After both 1 and 2, the customer has placed an order with a new delivery location.
3- Accounts with multiple IP address countries
A high number of distinct IP address countries is a good indicator of account takeover. When a fraudster is doing mass logins in order to check if they can access accounts, they don’t know the location of each customer, so they can’t make sure they are using the right IP address country every time.
Plus, there are often multiple fraudsters trying to access the same accounts, usually soon after a breached account list becomes available online. Even the most well-travelled customers couldn’t manage to span the globe this quickly!
4- Lots of customer detail changes happening at once
We often see a fraudster accessing an account in a takeover, and then doing nothing right away. In this case, we flag the login and the merchant takes precautionary actions to prevent account takeover, such as by sending the customer an alert.
This can trigger the fraudster to panic and try to secure the accounts they have taken over by quickly changing the email and passwords on all their victim accounts. We’ve recorded massive spikes in email changes immediately after precautionary action has been taken.
5- Ratio of known/unknown device models
Fraudsters often use software to try and hide what device they’re using - called device spoofing. This means that their devices come up with ‘unknown’ as the model. Victim accounts are usually connected to more ‘unknown’ devices than genuine devices with a known model.
6- Multiple accounts linked to the same device
Often, fraudsters don’t mask their device between logging into new accounts. This means all the affected accounts are linked to one device - the fraudster’s. However, it’s important to remember that devices may also be shared by family, friends or work teams so you should also look for other factors to confirm an attack.
If you notice two or more of these signs in your customer data, it could be the sign of an account takeover which you should investigate as soon as possible.
It’s a good idea to make sure you are collecting the data around all of these signs - in particular historical changes to the account, e.g. changes of contact details, payment methods and passwords. The data should be stored in a way that lets you cross-reference it - we’ll explain why below.
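As an added example (not code from the original guide), the following scores each account against four of the six signs above: the same new detail across many accounts (sign 1), a detail change followed within 24 hours by a login from a never-seen device and then an order to a new city (sign 2), too many IP address countries (sign 3), and one device shared across many accounts (sign 6). The event stream, account names, devices and thresholds are constructed for illustration.

```python
"""Score accounts for the account-takeover signs described above (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event stream (not real customer data); kinds: login, detail_change, order.
EVENTS = [
    # A1: genuine history, then a phone change, a login from a new device, an order to a new city
    {"acct": "A1", "kind": "login", "t": "2019-03-01T12:00", "device": "iphone-a1", "country": "GB"},
    {"acct": "A1", "kind": "order", "t": "2019-03-01T12:10", "city": "London"},
    {"acct": "A1", "kind": "detail_change", "t": "2019-03-08T02:00", "field": "phone", "value": "+447000000099"},
    {"acct": "A1", "kind": "login", "t": "2019-03-08T02:05", "device": "unknown-7", "country": "BR"},
    {"acct": "A1", "kind": "login", "t": "2019-03-08T02:30", "device": "unknown-7", "country": "RO"},
    {"acct": "A1", "kind": "order", "t": "2019-03-08T02:40", "city": "Leeds"},
    # A2, A3: the same new phone number and the same device as A1
    {"acct": "A2", "kind": "detail_change", "t": "2019-03-08T02:01", "field": "phone", "value": "+447000000099"},
    {"acct": "A2", "kind": "login", "t": "2019-03-08T02:06", "device": "unknown-7", "country": "BR"},
    {"acct": "A3", "kind": "detail_change", "t": "2019-03-08T02:02", "field": "phone", "value": "+447000000099"},
    {"acct": "A3", "kind": "login", "t": "2019-03-08T02:07", "device": "unknown-7", "country": "US"},
    # A4: genuine customer who moved house: email change and a new city, but the usual device
    {"acct": "A4", "kind": "login", "t": "2019-03-01T18:00", "device": "pixel-a4", "country": "GB"},
    {"acct": "A4", "kind": "order", "t": "2019-03-01T18:05", "city": "Bristol"},
    {"acct": "A4", "kind": "detail_change", "t": "2019-03-09T18:00", "field": "email", "value": "new@example.com"},
    {"acct": "A4", "kind": "login", "t": "2019-03-09T18:02", "device": "pixel-a4", "country": "GB"},
    {"acct": "A4", "kind": "order", "t": "2019-03-09T18:10", "city": "Bath"},
]

_t = lambda e: datetime.fromisoformat(e["t"])  # event timestamp as a datetime

def shared_values(events, kind, key, min_accounts):
    """Signs 1 and 6: one new detail value, or one device, seen across many accounts."""
    groups = defaultdict(set)
    for e in events:
        if e["kind"] == kind:
            groups[e[key]].add(e["acct"])
    return {v: accts for v, accts in groups.items() if len(accts) >= min_accounts}

def change_then_new_device_then_new_address(history, window=timedelta(hours=24)):
    """Sign 2 on one account's time-sorted history: change, never-seen device in window, new city."""
    devices, cities, changed_at, new_device_at = set(), set(), None, None
    for e in history:
        if e["kind"] == "detail_change":
            changed_at = _t(e)
        elif e["kind"] == "login":
            if changed_at and e["device"] not in devices and _t(e) - changed_at <= window:
                new_device_at = _t(e)
            devices.add(e["device"])
        elif e["kind"] == "order":
            if new_device_at and e["city"] not in cities:
                return True
            cities.add(e["city"])
    return False

def score_accounts(events, max_countries=2, min_shared=3):
    """Return {account: sorted list of signs}; two or more signs warrant investigation."""
    signs = defaultdict(set)
    for kind, key, label in (("detail_change", "value", "same_new_detail_across_accounts"),
                             ("login", "device", "device_shared_across_accounts")):
        for accts in shared_values(events, kind, key, min_shared).values():
            for a in accts:
                signs[a].add(label)
    histories = defaultdict(list)
    for e in sorted(events, key=_t):
        histories[e["acct"]].append(e)
    for acct, history in histories.items():
        if change_then_new_device_then_new_address(history):
            signs[acct].add("change_new_device_new_address")
        if len({e["country"] for e in history if e["kind"] == "login"}) > max_countries:
            signs[acct].add("many_ip_countries")
    return {a: sorted(s) for a, s in signs.items()}
```

With the constructed stream, A1 shows all four signs, A2 and A3 show two (shared phone number and shared device), and the genuine mover A4 shows none because the login after the email change came from a device already on the account.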
How to prevent and limit the impact of an attack
As we know, account takeover looks different to typical online payment fraud. Login rates, devices and customer credentials are important things to watch. Here are some of the ways you can prevent or contain an attack.
Set rate limits on login
Setting rate limits on logins around device, username and IP address can specifically target account takeover. You can set thresholds for this depending on your specific operational requirements and how your customers usually behave. You can also incorporate limits on other account takeover signals such as the use of proxies.
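As an added example (not the guide's own code), here is a sliding-window limiter that keys login attempts by username, IP address and device, with a stricter threshold when the address is a known proxy. The thresholds, addresses and the simulated traffic are constructed; tune the limits to your own traffic.

```python
"""Sliding-window login rate limits per username, IP address and device (added example)."""
from collections import defaultdict, deque

# Per-dimension thresholds: (max attempts, window in seconds). Constructed values.
LIMITS = {
    "username": (5, 300),   # many attempts on one account in five minutes
    "ip": (50, 60),         # one address trying many accounts a minute is stuffing-shaped
    "device": (20, 60),     # one device fingerprint cycling through accounts
    "proxy_ip": (10, 60),   # stricter when the address is a known proxy or VPN exit
}

class LoginRateLimiter:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.attempts = defaultdict(deque)  # (dimension, value) -> timestamps of recent attempts

    def _hit(self, dim, value, now):
        """Record one attempt and report whether the count in the window now exceeds the limit."""
        max_n, window = self.limits[dim]
        q = self.attempts[(dim, value)]
        while q and now - q[0] >= window:   # drop attempts that fell out of the window
            q.popleft()
        q.append(now)
        return len(q) > max_n

    def check(self, now, username, ip, device, is_proxy=False):
        """Return the dimensions whose limit this attempt breaks; an empty list means allow."""
        checks = [("username", username), ("ip", ip), ("device", device)]
        if is_proxy:
            checks.append(("proxy_ip", ip))
        return [dim for dim, value in checks if self._hit(dim, value, now)]

def simulate():
    """Constructed traffic: one customer mistyping a password, then a stuffing burst from one IP."""
    rl = LoginRateLimiter()
    genuine = [rl.check(t, "alice@example.com", "203.0.113.5", "iphone-alice") for t in (0, 4, 9)]
    burst = [rl.check(100 + i, f"victim{i}@example.com", "198.51.100.7", f"spoofed-{i}")
             for i in range(60)]
    first_blocked = next(i for i, hit in enumerate(burst) if hit)
    return {"genuine_blocked": any(genuine),
            "first_blocked_attempt": first_blocked,
            "dimensions": burst[first_blocked]}
```

In the simulation the genuine retries pass, while the burst is stopped by the IP limit on its 51st attempt even though every username and device fingerprint is different.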
Cross reference login data with existing data
In your customer analytics, make sure you’re taking into account the specific login data for device, browser, IP address etc. Cross reference this with normal customer identity and behavior data and other information such as orders, payment methods, transactions and locations. This will make it easier to spot anomalies across your customer base.
Check for breached credentials
Using a breached credentials database, you can quickly check if a new user has signed up with known breached credentials or if an existing user’s details have been breached. This means you can prevent new users signing up with dodgy details, or proactively alert users when they have been compromised and recommend they reset their password.
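As an added example (not from the guide), this checks a candidate password against a breached-password corpus using a k-anonymity range lookup: only the first five hex characters of the SHA-1 are sent to the service, which answers with every matching suffix and count, and the match is made locally. The corpus, its counts and the local stand-in for the range endpoint are constructed; a production check would query a real breached-credentials service.

```python
"""Breached-password check with k-anonymity prefixes (added example)."""
import hashlib

# Constructed stand-in for a breached corpus: passwords known to appear in public dumps,
# with made-up occurrence counts.
BREACHED_COUNTS = {"123456": 23_000_000, "password": 3_700_000, "qwerty": 3_900_000, "letmein": 400_000}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(counts):
    """Index the corpus by the first five hex characters of the SHA-1 (the lookup prefix),
    each bucket holding lines of 'SUFFIX:COUNT'."""
    index = {}
    for pw, n in counts.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{n}")
    return index

def range_lookup(index, prefix):
    """Simulated range endpoint: the client sends only the 5-char prefix, so the service
    never learns which full hash is being checked."""
    return "\r\n".join(index.get(prefix, []))

def breach_count(password, index):
    """Return how many times the password appears in the corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(index, prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:          # matched locally against the returned suffixes
            return int(count)
    return 0

def password_policy(password, index, min_length=12):
    """Decision at signup or password change: refuse breached or short passwords."""
    n = breach_count(password, index)
    if n:
        return f"reject: seen in {n:,} breached records, choose a different password"
    if len(password) < min_length:
        return f"reject: at least {min_length} characters"
    return "accept"
```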
Verify a user’s identity when they make a change
During account takeover, the fraudster often makes a change to the account, e.g. adding or changing payment methods, contact details or passwords. Of course, genuine users can do this too, so whenever this happens, send a challenge to authenticate that it’s really the user wherever possible. You can do this by enabling two-factor authentication for your users.
Send users notifications of account changes
When a user does make a change, even if you have challenged the user to verify it’s them, you should still send them a notification of the change they made. This will ensure that even if the fraudster was able to sidestep the authentication, you can still alert the user about what’s happened. Here are some examples of how this looks...
Managing the aftermath of an account takeover breach
Create an account recovery process
If you alert a customer that a change has been made on their account and they confirm it wasn’t them, you need to have a process in place to keep their account safe. Draw up the possibilities of how you can recover the account for your genuine customer - for example:
- Place a temporary freeze on the account to prevent the fraudster from making purchases
- If the fraudster has changed their password, force a password reset with a new, temporary and unique password
Make sure you have consistent messaging
Customers can rightly feel angry, confused and invaded when their personal details are at stake. There’s a chance that they could blame you as the merchant even when it’s not your fault. This means it’s important to be consistent in your messaging around the issue and make sure you use terms which don’t make the customer feel they will have lost access to their account and their personal data. Some examples could be ‘freezing’ or ‘securing’ an account, instead of ‘blocking’.
Why machine learning is effective against account takeover
We know account takeover is incredibly hard to detect quickly because the fraudster can hide behind a user’s normal history and good trust built up with the merchant. Machine learning is adept at spotting lots of tiny signals and combining these to point to a bigger picture.
Machine learning is also incredibly quick to spot these anomalies when compared to rules-based systems, meaning you can respond to an attack as it happens, rather than when it’s too late.