Based on an article originally published in Forbes.
Account Takeover (ATO) isn't a single attack but the culmination of a connected set of attacks. At the heart of an ATO is an account and the value stored in it. To capture that value, attackers work through an entire web attack lifecycle: stealing credentials, validating them, using them to take over accounts, committing post-login fraud, and then starting over. Understanding this lifecycle will help you detect and defend against these attacks more efficiently.
An ATO starts with stealing credentials via data breaches, PII harvesting, malware or phishing.
After stealing credentials, attackers often sell them to other cybercriminals for use in future attacks. There are billions of credentials for sale on the dark web, more than 24 billion according to one study, and research shows that 66% of people reuse passwords across multiple accounts. So when one site is breached, the stolen credentials don't just jeopardize accounts on that site; they will likely work on other sites as well.
Validating the stolen credentials is the next step, a technique known as credential stuffing. Attackers use bots to attempt thousands or millions of logins across hundreds or thousands of websites; most pairs fail on any given site, but the small fraction that succeed is what the attacker is after. If a bot is able to log into an account, the validated username and password pair can be resold at a higher price. There is a full market on the dark web offering validated accounts at different prices, from a few dollars to several tens of dollars per account on a coveted website.
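The validation phase described above has a recognizable shape in a site's own authentication logs: one client source trying many different usernames in a short window, almost all of them failing, with the occasional success being the "validated" pair the bot was hunting for. The detector below is an added example, not code from the original article or from HUMAN's products. It assumes a simple one-line-per-attempt log format (timestamp, client IP, username, OK/FAIL) and uses thresholds chosen for illustration; the sample log it runs on is constructed, using documentation IP ranges. It also shows the contrast with single-account password guessing, which hits the same failure rate but not the spread across accounts.

```python
"""Flag credential-stuffing style login bursts in an authentication log.

Added example (not HUMAN's product code). The log line format, the
thresholds and the sample log are all assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO-8601 UTC timestamp, client IP, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_attempts=10, min_distinct_users=8,
                               min_fail_ratio=0.8):
    """Return {ip: stats} for source IPs whose activity inside some `window`
    looks like credential stuffing: many attempts, spread over many distinct
    accounts, nearly all failing (stolen pairs mostly don't work on a given
    site). Accounts that did log in successfully during the burst are listed
    under "validated": those are the pairs the attacker now knows are live."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            attempts = len(win)
            if attempts < min_attempts:
                continue
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            ratio = fails / attempts
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or attempts > prev["attempts"]:
                    flagged[ip] = {
                        "attempts": attempts,
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "validated": sorted(e["user"] for e in win if e["ok"]),
                    }
    return flagged


def _constructed_log():
    """Constructed sample log covering three behaviours (not real traffic)."""
    lines = []
    # Bot at 203.0.113.5: one attempt per second against 12 different
    # accounts; only one stolen pair (user06) actually works on this site.
    for i in range(12):
        result = "OK" if i == 6 else "FAIL"
        lines.append(f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.5 "
                     f"user=user{i:02d} result={result}")
    # Legitimate user at 198.51.100.7: two typos, then a successful login.
    lines += [
        "2024-05-01T10:01:00Z ip=198.51.100.7 user=alice result=FAIL",
        "2024-05-01T10:01:20Z ip=198.51.100.7 user=alice result=FAIL",
        "2024-05-01T10:01:40Z ip=198.51.100.7 user=alice result=OK",
    ]
    # Password guessing at 192.0.2.9: many failures, but against one account.
    # High failure rate alone is not stuffing; the account spread is the tell.
    for i in range(15):
        lines.append(f"2024-05-01T10:05:{i:02d}Z ip=192.0.2.9 "
                     f"user=admin result=FAIL")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Run against the constructed log, only 203.0.113.5 is flagged, with `user06` listed as validated; the single-account guessing from 192.0.2.9 is left for a separate brute-force rule. In practice the window and thresholds need tuning per site, and the per-IP key is a simplification: stuffing tools rotate through proxy pools, so a production detector would also key on device or TLS fingerprints and on the global failure rate across all sources.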
The takeover itself is the heart of the attack and where attackers typically extract the value. Modern applications let users store a lot of value in an account, including credit and debit card numbers, gift card balances, loyalty points, airline miles and other digital currency. Once a fraudster has access, they can steal that value by making fraudulent purchases or credit transfers.
But it doesn't end there. There are many other ways to extract value from an application after taking over an account, such as changing the account's contact or recovery details to lock out the legitimate owner, and whatever is taken, including the now-validated credentials, feeds the next round of the lifecycle.
In order to prevent ATO attacks, website owners must address every phase of the attack lifecycle. Here are a few steps you can take:
HUMAN account takeover defense provides online fraud detection that safeguards accounts throughout users' entire digital journey. Our solutions detect and mitigate sophisticated bot attacks, client-side threats, and post-login account abuse.