How to Prevent Account Takeover (ATO)
Lani Leuthvilay, HYPR
5 Min. Read | February 28, 2022
Account takeover (ATO) is when a malicious third party gains control of a user account, and with it the user's access and privileges. An attacker usually simply goes through the “front door” by using stolen or otherwise compromised credentials. By logging in with the correct details, they appear as a legitimate user and can bypass security detection tools. Some of the most damaging recent cyberattacks started with account takeover, including the massive SolarWinds supply chain breach and the Colonial Pipeline attack that created fuel shortages across the U.S. East Coast.
Account Takeover Attacks on the Rise
Account takeover risk goes far beyond headline-making attacks. In 2020, account takeover attacks grew 282%, affecting organizations of all sizes. An explosion in automated bot-powered attacks is driving much of the rise in ATO fraud, with bots being commandeered to perform millions of login attempts per day. Bot protection vendor PerimeterX found that 75-85% of all login requests are account takeover attempts. These numbers should make organizations very concerned about how to prevent account takeover.
Once they gain access to an account, attackers can launch a number of different attacks, such as:
- ATO fraud: Several ATO fraud attacks revolve around compromising a business email account and impersonating that person to convince people to send money to a fraudulent account. One example is supply chain or invoice redirect fraud, where a company receives an email that appears to come from a supplier requesting a legitimate payment, but the bank account details have been altered.
- Internal phishing: Most employee training around attack detection focuses on external or unknown emails, which is why phishing sent from a compromised internal account can be so successful. An email from a superior or a reply on an existing email thread can dupe an employee into giving away account details.
- Installing ransomware or other malware: From the compromised account, skilled hackers can probe for vulnerabilities and move laterally through a network, inserting backdoors, keyloggers and even ransomware.
- Data theft: By taking over the account of a privileged user, or escalating privileges once inside, an attacker can access and exfiltrate whatever they want, including extremely valuable assets such as IP and customer data.
- Financial theft: Depending on where the account is, a successful account takeover attack may give the attacker access to banking or other financial accounts (such as cryptocurrency wallets), from where they can directly steal money or assets.
Account takeover, and subsequent attacks, can have huge consequences in terms of direct financial cost. The FBI estimates that ATO fraud alone resulted in $26 billion in domestic and international losses between June 2016 and July 2019. Understanding how to prevent account takeover can minimize your organization's risk and prevent considerable future losses.
How Does Account Takeover Happen?
Compared to the difficulty of getting through firewalls or hiding from intrusion detection systems, it’s relatively easy to gain access to login details, especially when those details consist of a password or other phishable credential. Cybercriminals leverage a number of methods to take over accounts, including:
- Phishing (and variants): The typical phishing attack is an email from a seemingly legitimate source directing a user to log into a phony website. This delivers the user’s account name and password directly to the attackers. Variants of this include spear phishing (a focused attack on high-value users) and smishing (phishing over SMS).
- Brute force: Despite years of warnings about the need for stronger passwords to prevent account takeover, many users still use easy-to-crack passwords. In dictionary attacks and other brute force methods, attackers use bots to submit candidate passwords, from word lists or generated character combinations, until one works.
- Social engineering: Attackers befriend or track users on social media or dating apps to get information such as their mother’s maiden name, their favorite color or the name of their first pet to help guess their password and correctly answer any security questions.
- SIM swapping: Using personal information about the victim, attackers have the user’s phone number transferred to a SIM card they control. Afterward, they receive all push notifications or SMS one-time passwords (OTPs) meant for the user.
- Man-in-the-middle (MitM) attacks: Hackers can intercept communications on insecure networks such as public WiFi by diverting traffic through their own network, gaining visibility into that traffic and stealing login details and other sensitive data.
- Credential stuffing: Stolen login pairings from previous breaches are often sold online. Since many people use the same or similar passwords on every account, attackers can try all available known passwords against the victim’s other accounts.
- Malware: Malicious apps, especially on smartphones, can execute keylogging functions that record all data entered at login time. This data is then sent to a server the attacker controls.
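To make the brute force and credential stuffing patterns above concrete from the defender's side, here is an added example (not code from the HYPR article) that runs simple detection logic over a constructed authentication log: it flags one source address spraying many different usernames with a low success rate, and one account absorbing repeated failures. The log format, addresses, usernames and thresholds are all made up for the demonstration.

```javascript
// Added example: detect credential-stuffing and brute-force patterns in an auth log.
// The log below is constructed for this demo; format is: ISO timestamp, client IP, username, result.
const SAMPLE_LOG = `
2022-02-28T09:00:01Z 203.0.113.7 alice FAIL
2022-02-28T09:00:02Z 203.0.113.7 bob FAIL
2022-02-28T09:00:02Z 203.0.113.7 carol FAIL
2022-02-28T09:00:03Z 203.0.113.7 dave SUCCESS
2022-02-28T09:00:03Z 203.0.113.7 erin FAIL
2022-02-28T09:00:04Z 203.0.113.7 frank FAIL
2022-02-28T09:00:04Z 203.0.113.7 grace FAIL
2022-02-28T09:00:05Z 203.0.113.7 heidi FAIL
2022-02-28T09:01:10Z 198.51.100.9 victor FAIL
2022-02-28T09:01:11Z 198.51.100.9 victor FAIL
2022-02-28T09:01:12Z 198.51.100.9 victor FAIL
2022-02-28T09:01:13Z 198.51.100.9 victor FAIL
2022-02-28T09:01:14Z 198.51.100.9 victor FAIL
2022-02-28T09:01:15Z 198.51.100.9 victor FAIL
2022-02-28T09:05:00Z 192.0.2.44 alice SUCCESS
2022-02-28T09:06:00Z 192.0.2.45 bob FAIL
2022-02-28T09:06:30Z 192.0.2.45 bob SUCCESS
`;

// Parse each line into an event object with a numeric timestamp.
function parseLog(text) {
  return text.trim().split('\n').map(line => {
    const [ts, ip, user, result] = line.trim().split(/\s+/);
    return { ts: Date.parse(ts), ip, user, ok: result === 'SUCCESS' };
  }).sort((a, b) => a.ts - b.ts);
}

// Thresholds are illustrative assumptions; tune them to real login volume.
const WINDOW_MS = 5 * 60 * 1000;   // look at activity within a 5-minute span
const STUFFING_MIN_USERS = 5;      // distinct accounts tried from one source IP
const STUFFING_MAX_SUCCESS = 0.2;  // success ratio at or below this is suspicious
const BRUTE_MIN_FAILS = 5;         // failures against a single account

function groupBy(events, keyFn) {
  const groups = new Map();
  for (const e of events) {
    const k = keyFn(e);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(e);
  }
  return groups;
}

// Returns a list of findings; each finding says what to act on (block the source,
// lock or step-up the account, force a reset for accounts the spray actually opened).
function detect(events) {
  const findings = [];
  // Credential stuffing: one source tries many different usernames and mostly fails.
  for (const [ip, evs] of groupBy(events, e => e.ip)) {
    const span = evs[evs.length - 1].ts - evs[0].ts;
    const users = new Set(evs.map(e => e.user));
    const successRatio = evs.filter(e => e.ok).length / evs.length;
    if (span <= WINDOW_MS && users.size >= STUFFING_MIN_USERS && successRatio <= STUFFING_MAX_SUCCESS) {
      findings.push({ type: 'credential_stuffing', key: ip, attempts: evs.length,
        distinctUsers: users.size, compromised: evs.filter(e => e.ok).map(e => e.user) });
    }
  }
  // Brute force: one account receives a burst of failures, from one or several sources.
  for (const [user, evs] of groupBy(events, e => e.user)) {
    const fails = evs.filter(e => !e.ok);
    if (fails.length >= BRUTE_MIN_FAILS && fails[fails.length - 1].ts - fails[0].ts <= WINDOW_MS) {
      findings.push({ type: 'brute_force', key: user, failures: fails.length,
        sources: [...new Set(fails.map(e => e.ip))] });
    }
  }
  return findings;
}

console.log(JSON.stringify(detect(parseLog(SAMPLE_LOG)), null, 2));
```

On the sample log this reports the spray from 203.0.113.7 (eight usernames, one success, so the `dave` account should be treated as compromised and reset) and the six rapid failures against `victor`. The normal logins from 192.0.2.44 and 192.0.2.45, including a single mistyped password, fall below both thresholds.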
How to Prevent Account Takeover Fraud
The critical vulnerability at the heart of most account takeover attacks is password-based security. Circumventing it has become a modern criminal art form, with guides, tools and credential datasets readily available online at relatively low prices.
Organizations trying to work out how to prevent account takeover may introduce multi-factor authentication (MFA) in an attempt to improve security. However, traditional MFA still relies on shared secrets such as passwords and one-time passcodes (OTPs), and on other factors that can be compromised, such as SMS messages and push notifications.
The best way to prevent account takeover is to completely remove passwords and any kind of phishable credential from the authentication process. There are multiple ways to authenticate users without using passwords, some more secure than others. FIDO-based methods are considered the gold standard for passwordless authentication by CISA and the OMB. Rather than relying on any shared secret, a fully FIDO-certified solution employs public key cryptography protocols for the authentication process through the use of modern authenticators such as Face ID, YubiKeys, and Windows Hello. Identity verification is performed locally on the device, and credentials are never centrally stored or transmitted. This yields authentication that is not exposed to the vast majority of ATO attack methods.
HYPR is the only solution fully FIDO Certified from end to end. It leverages the biometric mechanisms and secure hardware elements on the user’s smartphone to enable seamless secure login from the desktop to the cloud. With HYPR, both your remote and in-office teams can get on with their work without the constant threat of account takeover attacks.
By deploying HYPR, Aetna CVS Health achieved 98.4% ATO fraud reduction, which resulted in a decrease in their investigation and incident response costs by $2.4 million. To learn how HYPR can help protect your organization from account takeover risks, read about our solution here or talk to our team.