Best Practices for Mitigating the Risk of Account Takeover (ATO)

Imagine if your employee email and online accounts were hacked. Cybercriminals could access sensitive company information, hijack senior management's email accounts, and carry out fraudulent activities, including financial fraud. This cyberattack is known as Account Takeover or ATO.

Year-on-year ATO attacks have increased by an average of 354% and have cost US businesses $25.6 billion. Some industries, like food & beverage, have experienced increases of 485%, with fintech firms suffering a staggering 808% YoY increase in ATO attacks. Online merchants are also witnessing the rise of ATO fraud. Automation, new cybercrime techniques, AI-powered phishing, and the proliferation of cloud-based apps and identity accounts (identity sprawl) fuel ATO.

What is Account Takeover (ATO)?

If a cybercriminal can gain access to a user account, they can then take that account over and use it to perform fraudulent actions. This illicit account hijacking is known as Account Takeover (ATO).

Once a cybercriminal has control of an account, they can use that account to access sensitive information, including financial details, impersonate the legitimate account holder (e.g., a CEO), perform fraudulent transactions and make purchases, and lock the user out of their account.

Account Takeover attacks affect both businesses and their customers.

How Common are ATO Attacks?

Account Takeover attacks offer cybercriminals power over data, transactions, and finances. As a result, they are surging, with 83% of businesses experiencing an ATO attack. Recent research shows that Account Takeovers are also not a one-off occurrence for a company. Over one-third (37.4%) of businesses experience up to five ATO attacks in a year, with over 14% being hit up to 25 times a year.

Companies worldwide are at risk. An ATO attack could disrupt organizations of all sizes. Some industries most affected include online retailers/merchants, financial services, healthcare, education, gaming, and utilities.

[Chart: "Which option best describes the number of times your organization has been impacted by an account takeover attack (across all applications) in the past year?"]

Why Is ATO So Dangerous for an SMB?

When an account is taken over, the following scenarios can happen:

Fraud and Financial Loss: Account Takeover Fraud

Account takeover fraud focuses on accounts associated with financial transactions, such as an online bank account or payroll. The aim is to steal money, make purchases, or gain information that can be used to steal money.

Sensitive Data Theft

Accounts that hold sensitive information, like names, addresses, phone numbers, medical history, and purchase history, attract ATO attackers. A cybercriminal can access this sensitive data by taking over an account. They can then sell that data to other cybercriminals or use the data to blackmail or socially engineer the legitimate account holder.

Reputational Damage and Loss of Customers' Trust

Cybercriminals often target customer accounts by looking for vulnerabilities in a company's account management system. Customer accounts that suffer ATO attacks are subject to ATO fraud, data theft, and loyalty point theft. Customers affected by ATO lose trust in the targeted company, damaging the brand's reputation.

Operational Disruption and Downtime

The disruption caused by Account Takeovers takes time to sort out. During this downtime and disruption, productivity is negatively impacted and damaged systems and stolen data cost money to fix.

Identity Theft

Once an account has been hijacked, the cybercriminal behind the attack can access personal data. These data are used to carry out fraud and theft in the name of the legitimate account holder. Identity theft can affect both the business and its customers.

The Price of Account Takeover for an SMB

All of the negative effects of having an account hijacked by cybercriminals impact an SMB's bottom line:

Financial Fraud

Recent research shows that small companies take an average of 14 months to recognize fraud, and over half (54%) never recover their losses. The median cost of financial fraud to an SMB is $16,000.

Identity Theft

Business identity theft is increasingly a concern for SMBs. Once a business account is taken over, a cybercriminal can use the company's credentials, such as tax identification number, business license, and credit details, to obtain goods, services, or credit. Often, the hacker will also sell these data on the Dark Web to other fraudsters. Research from analyst firm Javelin Strategy & Research found that identity fraud cost US businesses $23 billion.

Business Email Compromise (BEC) Scams

BEC scammers compromise or spoof the email account of a CEO or other C-level executive. They then use that account to trick employees in accounts payable to transfer money to a hacker's bank account. BEC scams target both small and large businesses. Global business losses to BEC fraud have hit $55.5 billion.

Customer Impact

Most consumers (73%) hold brands accountable for preventing ATO fraud on their platforms. Once consumer trust is lost, it is hard to win back. Furthermore, 80% of customers would stop using an online retailer if they'd been a victim of ATO at the site.

Regulatory Fines From Non-Compliance

An ATO attack can lead to non-compliance with various regulations, including GDPR, PCI-DSS, and DORA. Fines can be onerous. DORA, for example, has fines of 2% of total annual turnover or up to 1% of the company's average daily turnover worldwide.

How To Protect Your SMB from Account Takeover Attacks

The costly nature of ATO attacks means that an SMB must take action to protect itself and its customers from this harmful crime. The following measures and tools should be used as layers of protection to prevent an account from being hijacked and used to commit fraud, identity theft, and sensitive data theft.

Security Awareness Training

Regular training on how cybercriminals operate and the tactics used to manipulate people helps employees to recognize a human-centered cyber threat. The training should include topics such as password hygiene and identifying phishing emails and vishing attacks. If possible, some form of security awareness should be made available to customers, such as blog posts on common scams, how to identify phishing emails, the use of strong passwords and MFA, etc.

Robust Identity Management and Zero Trust

Access control to accounts is at the heart of ATO prevention. A robust identity management approach must include the following:

  • Strong, multi-factor authentication (MFA) adds a layer of security to control account access.
  • Risk-based authentication is triggered if unusual account access activity is recognized, such as logging in from an unusual location. The system will either prevent access or request additional verification.
  • Internal access for employees must be based on the principle of least privilege (PoLP). This principle assigns access rights based on a need-to-know basis. Privileged Access Management (PAM) tools can help enforce PoLP.
  • Zero Trust security uses continuous verification of users when they access an account.

UEBA (User and Entity Behavior Analytics)

UEBA tools monitor network activity using machine learning and behavioral analytics. If the UEBA notices any unusual or anomalous activity, it will alert an administrator.
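As an added illustration (not code from the original article) of the risk-based authentication described under identity management and of the anomaly alerting that UEBA tools perform, the following Python scores each login against a user's known history and returns allow, step-up MFA, or block, raising everything that is not plainly allowed for an administrator. The profile fields, check weights, thresholds and sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class UserProfile:
    """Baseline built from a user's past legitimate logins (assumed shape, not from the article)."""
    known_countries: set
    known_devices: set
    usual_hours: range          # local hours during which this user normally signs in

# Each check: (reason, weight, predicate). Weights and thresholds are illustrative assumptions.
CHECKS = [
    ("new country", 40, lambda p, e: e["country"] not in p.known_countries),
    ("unrecognised device", 30, lambda p, e: e["device"] not in p.known_devices),
    ("outside usual hours", 15, lambda p, e: e["hour"] not in p.usual_hours),
    ("preceded by failed attempts", 25, lambda p, e: e["recent_failures"] >= 3),
]

def score_login(profile: UserProfile, event: dict):
    """Return (risk score, list of reasons) for one login event."""
    hits = [(reason, weight) for reason, weight, pred in CHECKS if pred(profile, event)]
    return sum(w for _, w in hits), [r for r, _ in hits]

def decide(score: int) -> str:
    """Risk-based policy: low risk passes, medium risk gets extra verification, high risk is refused."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step-up-mfa"
    return "allow"

def triage(profile: UserProfile, events: list) -> list:
    """UEBA-style pass over a batch of events: anything not plainly allowed becomes an admin alert."""
    alerts = []
    for ev in events:
        score, reasons = score_login(profile, ev)
        decision = decide(score)
        if decision != "allow":
            alerts.append({"user": ev["user"], "decision": decision, "score": score, "reasons": reasons})
    return alerts

# Constructed sample: alice normally logs in from GB on one laptop during office hours.
ALICE = UserProfile(known_countries={"GB"}, known_devices={"fp-laptop-01"}, usual_hours=range(7, 20))
SAMPLE_EVENTS = [
    {"user": "alice", "country": "GB", "device": "fp-laptop-01", "hour": 9, "recent_failures": 0},
    {"user": "alice", "country": "US", "device": "fp-laptop-01", "hour": 10, "recent_failures": 0},
    {"user": "alice", "country": "BR", "device": "fp-unknown-77", "hour": 3, "recent_failures": 5},
]
```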

Limit Attack Vectors

Cybercriminals exploit entry points into a system, like the login page. ATO attacks can be mitigated by measures such as:

  • Rate limits on login attempts, which help to prevent brute force attacks.
  • CAPTCHA to stop automated credential stuffing and bots.
  • Blocklisting suspicious logins from specific VPNs and public Wi-Fi networks.
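An added example (not the article's own code) of the login-page controls just listed: a sliding-window limiter on failed attempts per account and per source address, which also escalates to a CAPTCHA and then a block when one address probes many different accounts, the pattern credential stuffing produces. Window length and thresholds are assumptions.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Sliding-window limits on failed logins per account and per source IP, plus a
    credential-stuffing heuristic: one IP failing against many distinct accounts."""

    def __init__(self, window_s=300, per_account=5, per_ip=20, distinct_accounts_per_ip=10):
        self.window_s = window_s                                # assumed 5-minute window
        self.per_account = per_account                          # failures before an account is locked
        self.per_ip = per_ip                                    # failures before an IP is blocked
        self.distinct_accounts_per_ip = distinct_accounts_per_ip
        self.by_account = defaultdict(deque)   # account -> timestamps of failed attempts
        self.by_ip = defaultdict(deque)        # ip -> (timestamp, account) of failed attempts

    def _prune(self, dq, now, key=lambda x: x):
        """Drop entries older than the window so limits decay on their own."""
        while dq and now - key(dq[0]) > self.window_s:
            dq.popleft()

    def check(self, account, ip, now):
        """Call before authenticating: returns 'allow', 'captcha' or 'block'."""
        self._prune(self.by_account[account], now)
        self._prune(self.by_ip[ip], now, key=lambda x: x[0])
        fails = self.by_account[account]
        ip_hits = self.by_ip[ip]
        distinct = {acct for _, acct in ip_hits}
        if len(fails) >= self.per_account:
            return "block"            # brute force against one account
        if len(ip_hits) >= self.per_ip or len(distinct) >= self.distinct_accounts_per_ip:
            return "block"            # one source spraying many accounts: stuffing signature
        if len(fails) >= 2 or len(distinct) >= 3:
            return "captcha"          # early warning: challenge automation before locking anyone out
        return "allow"

    def record_failure(self, account, ip, now):
        """Call after a failed password check."""
        self.by_account[account].append(now)
        self.by_ip[ip].append((now, account))
```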

Advanced Email Security

AI-powered email filters help prevent phishing emails from landing in employee inboxes. Natural Language Processing (NLP) ensures that even sophisticated spear phishing attacks are identified and stopped.

Device Security

Robust device security helps to prevent SIM Swap attempts that bypass authentication mechanisms. Mechanisms used to secure devices include:

  • Device fingerprinting is used to identify non-sanctioned devices that are being used to log into accounts.
  • Monitoring devices to identify anomalies that may indicate fraudulent activity.
  • Combining device data and user behavior to identify risk.

For small to medium-sized businesses, a managed service provider (MSP) is often the best and most cost-effective option for providing the solutions and measures needed to prevent ATO.

How Does an Account Takeover Happen?

Cybercriminals use various techniques and tactics to gain unauthorized access to company and customer accounts. The following are the most common methods used in ATO attacks:

Credential-Based

If a cybercriminal can get hold of login credentials, then they will have the keys to the account. The typical way a hacker gains access to account credentials is credential stuffing: previously stolen login credentials, typically available on dark web marketplaces, are used in an automated campaign in which cybercriminals try the stolen credentials against multiple accounts.

Other popular methods of stealing credentials include email and SMS text phishing, social engineering, and SIM Swapping, where cybercriminals gain control of your phone number.

Malware-Initiated

Many types of malware are designed to steal login credentials for account takeover purposes. Infostealers, banking trojans, and keyloggers help cybercriminals gain unauthorized account access. The malware may gather keystrokes, take screenshots, or exfiltrate browser-based passwords.

Token/Session Hijacking

If online systems and websites are poorly secured or unencrypted, they can be exploited by attackers. During these attacks, hackers manipulate browser-based authentication cookies to gain unauthorized access to web applications. This is known as cookie poisoning. Even if the cookie has low-level access privileges, hackers can manipulate the cookies to escalate privileges and hijack sessions without login credentials, eventually gaining unauthorized access to highly privileged business accounts.

Another method used to gain unauthorized access to accounts is a Man-in-the-Middle (MitM) attack. MitM attacks happen because of insecure, unencrypted sessions, whereby hackers exploit people using unsecured Wi-Fi and insecure websites to steal login credentials as they are submitted. Under these circumstances, if you enter login credentials and click submit, they will be unencrypted and accessible to hackers.
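The cookie poisoning described above works only when the server trusts whatever the cookie says. As an added example (not from the original article), the following Python binds a session's claims to an HMAC tag so that a cookie whose role has been rewritten, or that has expired, is rejected; the secret, claim names and TTL are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would load this from a secrets manager (assumption).
SECRET = b"constructed-demo-key-rotate-me"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_session(user: str, role: str, ttl_s: int, now=None) -> str:
    """Build a cookie value '<claims>.<tag>' where the tag is HMAC-SHA256 over the claims."""
    now = time.time() if now is None else now
    claims = {"sub": user, "role": role, "exp": int(now + ttl_s)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def verify_session(cookie: str, now=None):
    """Return the claims only if the tag matches and the session has not expired; otherwise None."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return None                               # malformed cookie
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):    # constant-time compare; any edited claim fails here
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None                               # expired sessions are not honoured
    return claims

def rewrite_role_without_resigning(cookie: str, new_role: str) -> str:
    """Test helper that simulates a poisoned cookie: claims edited, original tag kept."""
    body, tag = cookie.split(".", 1)
    claims = json.loads(_unb64(body))
    claims["role"] = new_role
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{tag}"
```

Setting the cookie with the Secure and HttpOnly attributes and serving the site only over TLS addresses the unencrypted-session case described for MitM attacks, which integrity protection alone does not.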

AI and ATO

AI-powered account takeover is making account takeover fraud more difficult to detect. Cyberattackers are using Generative AI to create highly believable and personalized phishing emails and associated spoof login pages. Fraudsters are now also using deepfake technology to carry out social engineering scams.

Real-World Examples of ATO Attacks

Marriott Data Breach

The Marriott hotel chain suffered a large-scale account takeover attack. Unauthorized access compromised the chain's reservation system. Password-stealing malware was located on the company's Starwood server. The ATO attack affected more than 334 million customers. The hotel chain paid a $52 million settlement and a $28.3 million GDPR fine.

E-Commerce Account Takeover in Australia

An Australian e-commerce platform suffered ATO when stolen credentials were used to access multiple user accounts. The attackers used the accounts to make fraudulent purchases. The company incurred estimated losses of AU$500,000 (USD 319,000).

Twitter

Over 130 Twitter accounts with millions of followers were compromised in an ATO scam that relied on the social engineering of Twitter employees. Compromised accounts included those belonging to Barack Obama, Joe Biden, and Elon Musk, as well as companies like Uber and Apple. The hackers used the accounts to pose as celebrities, sending tweets asking people to send bitcoins to a crypto wallet. The ruse was that the person sending the Bitcoin would receive double the amount. The scammers tricked thousands into sending over $100,000 in cryptocurrency.