Account takeovers (ATOs) are a growing problem for online businesses of all types. Although not a new security threat, account takeovers have become a much bigger problem in recent years as fraud attacks have become more automated and more sophisticated. A Javelin Strategy and Research study estimates there was a 90% increase in ATO attacks between 2020 and 2021, and 2022 was even worse. Over 24 million Americans were victims of account takeover fraud last year.
What Are Account Takeovers?
Account takeovers occur when cybercriminals take control of legitimate customer accounts using stolen usernames and passwords. The dark web gives cybercriminals ready access to customer credentials harvested from data breaches and phishing attacks. Using these credentials, attackers deploy bots that automatically test username and password combinations and attempt to log in to online accounts.
The Impact of ATOs
Every industry is vulnerable to account takeover attacks. Cybercriminals attack financial institutions to drain bank accounts and steal cryptocurrency. They steal from online gambling accounts. In the world of ecommerce, they take over existing accounts and use them to purchase expensive goods, changing the shipping address to their own.
Financial loss is a huge aspect of the harm caused by account takeovers, but negative customer experiences and damage to brand reputation may be the most long-lasting and hard-to-correct damages. Here are some examples:
- Financial loss: In November 2022, bettors on the DraftKings online gambling site lost a combined $300,000 stolen from accounts that were full of cash in anticipation of betting on the FIFA Men’s World Cup and the NFL playoffs. The cybercriminals compromised the accounts by using lists of username-and-password combinations gleaned from previous data breaches. In this case, to maintain customer satisfaction and loyalty, DraftKings agreed to reimburse its customers for their losses.
- Negative customer experiences and brand damage: Customers victimized by account takeover fraud not only suffer financial loss, but they also must deal with the inconvenience and stress of having their accounts compromised. In December 2022, a Wells Fargo customer suffered an account takeover of his consumer checking account that cost him $45,000. The perpetrators hacked into the victim's cell phone account and obtained his bank login details from the device's backup data. They then modified the bank login information, granting themselves permission to conduct wire transfers. Next, they transferred $45,000 to a New York-based bank, and it was never recovered. Wells Fargo argued that because the victim’s legitimate bank login credentials were acquired by the hackers, they were not obligated to reimburse him. Most customers that have this kind of negative experience will vote with their feet – they will move on to competitive companies.
How to Fight Account Takeovers
Verosint helps online businesses detect and prevent account takeovers in two important ways:
First, Verosint evaluates each account login in real time and detects risk signals that point to account takeover attempts. These signals come from behavioral analytics, account profiling and other detection methods, and include suspicious changes in browser, ISP, country or VPN use; multiple customers using the same IP address or device; the use of bots to automate credential stuffing; and more.
Second, Verosint provides configurable rules to respond to account takeover attacks. Working with partners like Ping Identity and Auth0, Verosint allows customers to challenge attackers with multi-factor authentication. Or, where needed, it can block the login completely.
Importantly, the Verosint approach minimizes unnecessary friction for online customers. With Verosint, companies can challenge or block account takeover attempts while minimizing friction for legitimate customers, who do not like security challenges slowing them down and disrupting their flow.
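As an added illustration of the two-step approach described above (score risk signals on each login, then apply a configurable response), here is a small Python risk engine. It is example code written for this page, not Verosint's product code; the signal weights, thresholds, IP window and the sample login events are all constructed assumptions. It shows how per-account baselines (known countries and devices) and per-IP behaviour (many distinct accounts and a high failure share from one address, the shape of a credential-stuffing bot) combine into a score that maps to allow, challenge with MFA, or block, so that a legitimate user on a known device sees no friction.

```python
"""Risk-based login evaluation (constructed example).

Each login is scored against the account's history and the recent
behaviour of its source IP; the score is mapped to allow / challenge / block.
Weights, thresholds and sample events are assumptions for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    ts: int          # seconds since epoch (constructed)
    user: str
    ip: str
    country: str
    device: str      # browser/device fingerprint id
    success: bool    # outcome of the password check (used for the IP failure share)
    vpn: bool = False


@dataclass
class AccountProfile:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)


# Assumed signal weights and decision thresholds
WEIGHTS = {"new_country": 30, "new_device": 20, "vpn": 15,
           "shared_ip": 30, "ip_failure_rate": 25}
CHALLENGE_AT, BLOCK_AT = 30, 60
IP_WINDOW = 300          # seconds of per-IP history considered
SHARED_IP_USERS = 4      # distinct accounts from one IP inside the window
IP_FAIL_RATIO = 0.5      # failure share from one IP (needs >= 4 attempts)


class RiskEngine:
    def __init__(self):
        self.profiles = defaultdict(AccountProfile)
        self.ip_events = defaultdict(deque)   # ip -> deque of (ts, user, success)

    def _ip_stats(self, ip, now):
        """Distinct users, attempts and failures seen from `ip` within IP_WINDOW."""
        q = self.ip_events[ip]
        while q and now - q[0][0] > IP_WINDOW:
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, ok in q if not ok)
        return len(users), len(q), fails

    def evaluate(self, ev):
        """Return (action, score, fired_signals) for one login attempt."""
        self.ip_events[ev.ip].append((ev.ts, ev.user, ev.success))
        n_users, attempts, fails = self._ip_stats(ev.ip, ev.ts)
        prof = self.profiles[ev.user]
        signals = []
        # Account-level signals: deviation from the known baseline
        if prof.countries and ev.country not in prof.countries:
            signals.append("new_country")
        if prof.devices and ev.device not in prof.devices:
            signals.append("new_device")
        if ev.vpn:
            signals.append("vpn")
        # IP-level signals: one source hitting many accounts, mostly failing
        if n_users >= SHARED_IP_USERS:
            signals.append("shared_ip")
        if attempts >= 4 and fails / attempts >= IP_FAIL_RATIO:
            signals.append("ip_failure_rate")
        score = sum(WEIGHTS[s] for s in signals)
        if score >= BLOCK_AT:
            action = "block"
        elif score >= CHALLENGE_AT:
            action = "challenge"   # step up to MFA instead of refusing outright
        else:
            action = "allow"
        # Only a successful, unchallenged login extends the trusted baseline
        if ev.success and action == "allow":
            prof.countries.add(ev.country)
            prof.devices.add(ev.device)
        return action, score, signals


# Constructed sample traffic: a normal user, then the same user from an
# unfamiliar place, then a credential-stuffing burst against several accounts.
SAMPLE_EVENTS = [
    LoginEvent(1000, "alice", "198.51.100.7", "US", "dev-a1", True),
    LoginEvent(2000, "alice", "198.51.100.7", "US", "dev-a1", True),
    LoginEvent(3000, "alice", "203.0.113.9", "RO", "dev-x9", True, vpn=True),
    LoginEvent(4000, "bob",   "192.0.2.50", "US", "dev-b1", False),
    LoginEvent(4001, "carol", "192.0.2.50", "US", "dev-b1", False),
    LoginEvent(4002, "dave",  "192.0.2.50", "US", "dev-b1", False),
    LoginEvent(4003, "erin",  "192.0.2.50", "US", "dev-b1", False),
    LoginEvent(4004, "frank", "192.0.2.50", "US", "dev-b1", True),
]


def run(events):
    """Evaluate events in order; returns [(user, action, score, signals), ...]."""
    engine = RiskEngine()
    return [(ev.user, *engine.evaluate(ev)) for ev in events]


if __name__ == "__main__":
    for user, action, score, signals in run(SAMPLE_EVENTS):
        print(f"{user:6} {action:9} {score:3} {signals}")
```

Running it shows alice's two baseline logins allowed with a score of 0, her third login (new country, new device, VPN) blocked at 65, and the burst from 192.0.2.50 escalating to a challenge once four distinct accounts and a high failure share are seen from one address, so frank, whose password was correct, is asked for MFA rather than let straight in. In a real deployment the baseline would also need a way to enrol a new device without an attacker doing so, and the thresholds would be tuned against observed false-positive rates.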
See how Verosint works and request a demo today.