What is an account takeover (ATO) attack?

Account takeover attacks are where fraudsters use stolen credentials to break-in to a genuine user account and take control. Manipulated digital identities, automated bots and scripts, and advanced evasion techniques make it difficult to spot account takeover attacks early in their tracks.

A successful account takeover attack allows fraudsters to remotely control a genuine user account. This enables them to siphon off funds, redeem reward points, and even access the saved passwords and payment details. However, the motivation for account takeover goes beyond financial gain. Fraudsters use compromised accounts for a number of crimes that can have far-reaching social consequences.

One in five logins is an account takeover attempt

Since account takeover enables fraudsters to manipulate the hacked account in various ways, account takeover attacks are on a steady rise. Our Q1 Fraud and Abuse Report reveals that one in every five login attempts on its platform was an account takeover attempt at the beginning of 2020.

The spate in account takeover attacks can be attributed to frequent incidents of data breach, which provide fraudsters with massive tranches of fresh consumer credentials. They use all of this data to corrupt digital identities at scale. Fraudsters impersonate genuine users and mimic their online behavior to fool fraud prevention teams. They also tap into the parallel ecosystem of cybercrime to access the tools and techniques that can help them evade detection.


Recommended Whitepaper: The Ultimate Guide to Account Takeover Fraud


How fraudsters orchestrate account takeovers at scale

The ultimate aim for fraudsters is to maximize profits from account takeover. Therefore, they tailor their attacks and mobilize their resources accordingly. To this end, apart from deploying automated bots and scripts, fraudsters hire cheap human labor; and use a combination of these resources to launch complex account takeover attacks.

Some of the common ways fraudsters employ to orchestrate account takeover attacks at scale are as below:

  • Bots: Bot-driven attacks allow fraudsters to maximize returns on investment by launching large-scale account takeover attacks.
  • Credential stuffing: Bots are used to try multiple combinations of usernames and passwords to find the correct matches. This provides fraudsters with the tools to launch large-scale automated account takeover attacks.
  • Sweatshops: Low-cost human laborers are hired to mimic good customers in order to circumvent fraud-prevention mechanisms designed to eliminate automated attacks. 
  • Account enumeration and account validation: Exploit the authentication processes with a view to check if the account identifier is valid or not.
  • Social engineering: The most common form of social engineering is phishing, where fraudsters harvest verified customer information by manipulating individuals into sharing personal details or redirecting them to fake websites.

Why account takeovers are challenging to detect

Automated bots and scripts allow fraudsters to scale credential stuffing attempts, whereas human sweatshops allow bypassing bot-mitigation solutions. Fraudsters use human sweatshops, especially where fraud prevention mechanisms require more nuanced human interaction. They pay these low-cost human laborers according to the defined number of login attempts in a stipulated duration. Even though all the attempts don’t succeed, those that do allow fraudsters to achieve scale, which justifies the investment in the attack.

An account takeover is particularly challenging to detect. This is primarily due to two reasons:

  1. Today consumer access to digital services is platform-agnostic, from desktops and mobile phones to gaming consoles and software APIs.
  2. Fraudsters lie dormant to play a longer game. Unlike CNP fraud, where it is possible to block the card as soon as fraud is spotted, account takeover has a longer lifespan. This allows fraudsters to hide their true intent and orchestrate multi-level attacks.

Recommended eBook: A New Way to Stop Account Takeovers in Banking


What businesses can do to fight account takeover attempts

Businesses that continue to use legacy and point solutions to thwart account takeover attempts are engaged in a constant cat and mouse game with fraudsters. This is because these solutions fail to adapt to the changing complexity of the attack types, which makes them ineffective in the fight against fraud.

Data-driven solutions, too, cannot provide robust protection, as they look for clear signals of ‘trust’ or ‘mistrust’ from incoming traffic. This clarity in signals is not always possible, as corrupted digital identities are increasingly causing signals to fall in a ‘gray’ area, which these solutions cannot comprehend. Further, they introduce unnecessary friction that disrupts the user experience.

The answer, therefore, is to adopt a long-term approach that strikes fraud at its roots—the economic incentive—without degrading the user experience. Arkose Labs makes account takeover attempts so expensive that fraudsters are forced to give up–all the while keeping user experience intact.

How to prevent account takeovers with Arkose Labs

Arkose Labs uses a bilateral approach of risk assessment and enforcement challenges to detect and block account takeover attempts. The solution triages all incoming traffic and assigns risk scores to each user. It affords all the users an opportunity to prove their authenticity by solving context-based 3D challenges.

Good users solve the challenges easily and sail through. However, bots cannot solve them, as these challenges are resilient to automatic solvers. Malicious humans, who try to clear the challenges at scale face incrementally complex challenges. This slows them down and progressively diminishes the returns, as they must spend extra time, effort, and resources to solve the challenges at scale.

Arkose Labs’ integrated, long-term approach helps businesses keep the user experience at the forefront while ensuring effective protection against account takeover attacks using targeted friction. To see how we can help you protect your company against advanced account takeover attacks, book a demo today.