The Rising Fraud Tsunami: Account Takeover

October 3, 2019

Businesses are struggling to fight account takeover (ATO) attacks; loss of money, reputation and customer loyalty, and the potential risk of litigation, all loom large. There are more ATO-related threats than ever, many of which serve as segues to card-not-present (CNP) and loyalty fraud. According to an identity fraud study from Javelin, account takeover losses reached $5.1 billion in 2017. Furthermore, victims of account takeover paid an average of $290 out of pocket and spent an average of 15 hours resolving the issue.

Most businesses believe they have sufficient prevention methods in place to protect their customers from account takeover and other advanced fraud attacks. Yet these tools are outdated and cannot cope with the sophisticated tooling used to execute such attacks, ultimately leaving gaps through which fraud goes undetected. When it comes to account takeover, once a fraudster has their hands on a list of validated credentials, it is almost impossible to stop them.

The reality is that it is not possible to catch every single attack event, manual or automated, which leads companies to accept a certain amount of fraud loss. Growing investments are being made into developing tools to reduce this gap, but adoption is slow. We are not going to explore these in this blog (watch this space); instead, we are going to explore account takeover attacks in more detail.


It’s An Easy Street for Fraudsters

The figures above are daunting, and they go a long way towards explaining why fraudsters are so motivated to use this attack method, but that is not the only reason:

  • Acquiring stolen data is easier than ever
  • ‘Anyone’ can be a fraudster
    • Access to tutorials, tools and resources on the dark and grey web is easier than ever
    • Automated tools, used for scaling attacks, are often given away for free: bots & emulators can be used for credential stuffing and monetization 
  • Fraudsters are no longer “lone wolves”
    • Online communities offer support and expertise to others
    • Account takeover attacks are approached like a business venture conducted by fraud rings
    • It’s a much larger endeavor to stop an entire group versus shutting down a single person
  • Proliferation of online commerce & digital channels
    • Trusted accounts are easier to intercept than setting up brand new ones
    • Payment details are often saved on accounts
    • Users are known to re-use passwords across multiple accounts 

Understanding the mechanics and different ways a fraudster might carry out an account takeover attack is crucial to understanding the bigger picture. 

Account Takeover in Real Life

Thank You for Your Loyalty

The image below was posted on the dark web as evidence that user credentials stolen from an online travel company site were legitimate. The fraudster committed loyalty fraud by using the stolen points to book and use this room. The photo helps hike up the prices of the combo list and serves as a teaser to entice buyers. 

[Image] Evidence of a successful account takeover attack on a hotel booking site.

The Holiday She Deserved But Never Had

While the above example reveals fraudsters’ behavior, the following story tells a much more impactful and sad tale. Laura Ward was the victim of an account takeover attack that resulted in credit card fraud: her AirBnB account was hacked and her card was charged $1,181 for a stay in Malaysia that she never booked. What followed was a complicated series of events and conversations between Ward, her bank (Barclays), and AirBnB. During this six-month-long ordeal, Ward was also the victim of yet another attack and was locked out of her account. Despite her initial chargeback request being rejected, Ward was finally able to get the money back after calling on the help of an IT professional and a consumer advocacy group. Undoubtedly, AirBnB will have lost her trust and most likely her loyalty.

An Illicit Marketplace for Digital Goods

In the screenshot below, one fraudster is selling multiple packs for different digital goods merchants: streaming services, gaming accounts, etc. The price per set depends on the quality of the user credentials and the subscription levels. This fraudster does not, however, show any evidence of the quality of the credentials. While we have no way of knowing whether these credentials were bought and used, the screenshot alone clearly illustrates that there is demand in this market.

[Image] Digital goods user credentials for sale on the dark web.

Rising to the Challenge of Account Takeover 

It goes without saying that the eCommerce industry is rife with fraud. Based on conversations with colleagues and clients, ATO is definitely one of their biggest and fastest-growing concerns, mainly because of how easy and scalable such attacks are, and consequently how large the negative impact is on revenue, reputation and resources.

As the number of ATO attacks grows rapidly and consistently, it is clear that the popular fraud detection tools are not capable of taking on this onslaught of sophisticated techniques. There is a crucial need to rise to this challenge. Online businesses should focus their efforts on re-examining their fraud strategy to find a solution that can not only detect the increasingly sophisticated attack vectors but also stop fraudsters much earlier in the customer journey.
