What Are Account Takeover, Credential Stuffing and Fake Account Creation?
Account takeover (ATO) is an attack in which cybercriminals take unauthorized ownership of online accounts using stolen usernames and passwords. Attackers typically buy a list of credentials on the dark web - often obtained from data breaches, social engineering and phishing attacks - and launch an army of bots across popular retail, travel, social media, bank account and e-commerce sites to test username and password combinations in login attempts. In the end, they get a list of validated credentials they can profit from by abusing the account or by selling the validated credentials to others. Account takeover attacks result in a form of identity theft.
Users don’t change passwords often, and they reuse login credentials across multiple sites. Bad bots make it easy to execute brute force and credential stuffing attacks by quickly rolling through countless username and password combinations to execute account takeover. Attackers can break into authentication login pages on websites, mobile sites and native mobile application APIs. Once attackers gain access, they conduct account takeover fraud and abuse, for example draining the loyalty points of the users.
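One mitigation that targets the credential-reuse problem described above is to refuse, at registration and password change, any password already present in breach data. The check below is an added example, not code from the page or from any vendor; it assumes the k-anonymity "range" protocol used by breached-password services (the client sends only the first five hex characters of the password's SHA-1 and matches the returned suffixes locally), and it stands in a constructed local corpus with made-up counts for the remote service so that it runs offline.

```python
import hashlib


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest form breached-password range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_counts):
    """Index a corpus the way a range endpoint serves it: 5-char prefix -> [(suffix, count)]."""
    index = {}
    for pw, count in breached_counts.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


# Constructed corpus: these passwords are well-known weak choices, but the
# counts are invented for the example and are not real breach statistics.
CONSTRUCTED_BREACHED = {
    "password": 120000,
    "123456": 250000,
    "letmein": 9000,
    "qwerty": 70000,
}
RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_query(prefix):
    """Stand-in for the remote range endpoint (assumption: a local dict replaces
    the HTTPS call). Only the 5-char prefix leaves the client; the full hash
    of the candidate password is never sent."""
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password):
    """How many times the password appears in breach data (0 if unseen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def evaluate_new_password(password, min_length=12):
    """Policy decision for a registration or password-change form.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return (False, "shorter than minimum length")
    count = breach_count(password)
    if count:
        return (False, f"appears in breach data {count} times")
    return (True, "accepted")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, evaluate_new_password(candidate, min_length=4))
```

Because the server never learns which password the client is screening, this check can be wired into a signup flow without creating a new store of plaintext or full-hash material; rejected passwords are exactly the ones a credential stuffing list is most likely to contain.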
Another type of account takeover attack, known as fake account creation, happens when fraudsters use bots to create new accounts that are not linked to real users. Login pages are the primary targets for fake account creation attacks. Fake accounts are leveraged to conduct account takeover fraud attacks or fraudulent transactions. With advanced methods, such as malware installed as malicious browser extensions, fraudsters generate new accounts at scale for subsequent misuse in card fraud and gift card cracking attacks, warranty claims, bad reviews and denial of inventory.
How Account Takeover (ATO) Attacks Work
- Stolen credentials from data breaches are sold on the dark web
- Attackers buy a list of stolen credentials from the dark web
- Attackers leverage bots to perform credential stuffing on websites
- Validated credentials are ready for Account Takeover
- Fraudulent transactions are made on compromised accounts
Account Takeover (ATO) Attacks Are on the Rise
For cybercriminals, account takeover is easy to do and very profitable. Bots continuously evolve to evade detection mechanisms, so account takeover attacks get through and website owners are none the wiser. Bots can mimic user behavior and hide inside a validated user session by running as malware on actual user devices. Even if the attacks take over a very small percentage of your user accounts, the damage can be enormous depending on the value of the user account. For example, theft of stored credit card numbers or loyalty points could easily exceed millions of dollars. The end users are also negatively impacted with identity theft. The industries most commonly targeted include e-commerce, financial institutions and travel and hospitality.
How Are Companies Fighting Account Takeover (ATO)?
The speed and evolution of today’s account takeover attacks present significant challenges for businesses. Unfortunately, some of the most commonly used techniques aren’t enough to stop ATO attacks.
Web Application Firewalls
While web application firewalls (WAFs) help secure web servers, they are not as effective in detecting account takeover attacks or triggering alerts. WAFs are largely bypassed and ignored by the latest, sophisticated bot attacks, but their prevalence has contributed to a false sense of security among website owners. Neither WAFs nor regular website logging have the sensitivity to be able to see patterns in the traffic and detect modern account takeover attacks, so they go largely undetected.
Homegrown Bot Management
Homegrown solutions use signatures and pre-configured rules and policies, such as volumetric-based and geo-based detection, to stop bots. But the efficacy of signature-based detection has declined rapidly over time. If you block traffic because of an unknown spike, you might also block real users. Signature-based systems also have a hard time dealing with hyper-distributed bot attacks.
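The two weaknesses named in this section and the previous one (logging that cannot see patterns, and volumetric rules that block a legitimate spike) can be made concrete with a small detector over login logs. The code below is an added example, not code from the page or from any vendor; the log line format, the RFC 5737 documentation addresses and the traffic mix are all constructed for the example. Rather than counting requests, it scores each source by how many distinct usernames it cycles through and how often it fails, and separately compares the site-wide failure ratio against a historical baseline to catch hyper-distributed attacks in which no single address exceeds a per-source threshold.

```python
import re
from collections import defaultdict

# Constructed log format, one login attempt per line (not any real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def source_stats(events):
    """Per source IP: attempts, failures and the set of distinct usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["fails"] += e["result"] == "FAIL"
        s["users"].add(e["user"])
    return stats


def flag_stuffing_sources(events, min_attempts=10, min_users=8, min_fail_ratio=0.8):
    """Sources that cycle through many usernames and mostly fail.
    Raw volume is not a criterion, so a legitimate spike of real users is not flagged."""
    flagged = {}
    for ip, s in source_stats(events).items():
        if s["attempts"] < min_attempts:
            continue
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
            }
    return flagged


def site_wide_fail_ratio(events):
    """Fraction of all attempts in the window that failed."""
    if not events:
        return 0.0
    return sum(e["result"] == "FAIL" for e in events) / len(events)


def distributed_attack_suspected(events, baseline_fail_ratio, min_attempts=50, multiplier=3.0):
    """Hyper-distributed stuffing keeps every IP under per-source thresholds, but the
    aggregate failure ratio still rises well above the historical baseline."""
    if len(events) < min_attempts:
        return False
    return site_wide_fail_ratio(events) >= multiplier * baseline_fail_ratio


def constructed_events(include_single_source=True, include_distributed=True):
    """Constructed sample window mixing one noisy source, a legitimate spike and a
    distributed attack (toggle the attack components to see what is and is not flagged)."""
    lines = []
    if include_single_source:
        # one address testing 20 different usernames, 19 of them failing
        for i in range(20):
            res = "OK" if i == 7 else "FAIL"
            lines.append(f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.5 user=user{i} result={res}")
    # legitimate spike: 50 real users from 50 addresses, 5 of them mistyping
    for i in range(50):
        res = "FAIL" if i % 10 == 0 else "OK"
        lines.append(f"2024-05-01T10:01:{i % 60:02d}Z ip=198.51.100.{i + 1} user=member{i} result={res}")
    if include_distributed:
        # distributed attack: 40 addresses, two usernames each, every attempt failing
        for i in range(40):
            for j in range(2):
                sec = (2 * i + j) % 60
                lines.append(f"2024-05-01T10:02:{sec:02d}Z ip=192.0.2.{i + 1} user=victim{2 * i + j} result=FAIL")
    return [e for e in (parse_line(l) for l in lines) if e]


if __name__ == "__main__":
    window = constructed_events()
    print("per-source flags:", flag_stuffing_sources(window))
    print("site-wide fail ratio:", round(site_wide_fail_ratio(window), 3))
    print("distributed attack suspected:", distributed_attack_suspected(window, baseline_fail_ratio=0.1))
```

With the full window, only 203.0.113.5 is flagged per source; the 50-user spike passes because its failure ratio matches the baseline, and the 40-address attack is invisible per source but pushes the aggregate failure ratio far above it. The baseline value is assumed to come from the site's own history; the thresholds are starting points to tune against real traffic, not fixed constants.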
CAPTCHAs
CAPTCHAs, a type of security measure known as challenge-response authentication, are tests used in computing to determine whether or not the user is human. Over time, the original CAPTCHAs have become easy to solve for bots equipped with image processing software. Some bots have a 90% success rate for solving CAPTCHAs. To counter the growing capabilities of bots, CAPTCHA authentication services have gradually increased the difficulty of the challenges, ultimately escalating to visual processing challenges that are actually hard for humans to solve. At the same time, more challenging CAPTCHAs also go against a core user experience principle: make the user’s experience smoother, faster and better, not more disjointed, slower and worse.