What is account takeover (ATO) fraud?

July 5, 2019

By Brett Johnson, keynote speaker and consultant on cybersecurity, cybercrime and identity theft

Account takeover fraud

Account takeover (ATO) or account takeover fraud is when an unauthorized person acquires a legitimate user's sensitive data in order to take over existing online accounts with the malicious goal of profiting from the value of the compromised account. Credit card theft, identify fraud, and phishing attacks all describe ATO.

ATO affects multiple account types and various e-commerce transactions. Credit card, checking, savings, and brokerage accounts are at risk for ATO.  Additionally, identify theft criminals are just as willing to attack tax documents, social security profiles, and even entertainment services or social media accounts as they are financial service accounts. 

Cybercriminals are usually able to take over low-level accounts, such as streaming services and merchant or email accounts, with nothing more than one or two login attempts using stolen usernames and passwords. Once they gain access, some attackers act immediately, some allow a certain amount of time to pass. Either way, the customer may lose money or other assets before the institutional fraud detection systems recognize the breach.  

For higher level accounts such as financial services and government benefit accounts, cyber criminals, sometimes using malicious bots, collect sensitive data to use in the attack. Fraudsters compile this customer data into a “Fullz”--a complete profile which contains personal, and sometimes social media information, necessary to defeat digital security measures. A “Fullz” typically includes the intended victim’s:

  • Name
  • Address
  • Phone number
  • Social security number (SSN)
  • Date of birth (DOB)
  • Mother’s maiden name (MMN)
  • Driver’s license number (DL#)
  • Background checks
  • Credit reports

The identify thief builds or purchases a “Fullz,” then uses the information to defeat the knowledge-based authentication systems used for fraud detection at lower-levels. For attacks on higher level targets, the “Fullz” may not be enough to mask the suspicious activity; cybercriminals may need actual identity documents to breach an existing account or establish a new, fraudulent account.

Attackers typically use one of two types of counterfeit driver’s licenses to commit identify fraud and access user accounts. When a criminal needs a driver’s license or photo identification (ID) for an account takeover, they either create or buy documentation with the intended victim’s actual driver’s license information as listed in the “Fullz”. If the criminal needs to present the actual driver’s license, perhaps to withdraw cash or pick up a fraudulently purchased item, they use their photo on the false ID. If the ID is verified digitally, the thief can use a stolen photo of anyone and upload it for authentication.

Identity thieves rely on poor credit card fraud detection, weak security measures, untrained employees manually inspecting the bogus documents, and/or the hope of simply getting lost in the flow of legitimate customers to pass as the victim. Proper security, digital identity verification, and expert manual review help identify suspicious activity, including targeted spear phishing attacks.

Minimizing identify theft and recognizing the threat of fraudulent transactions requires advanced algorithms and artificial intelligence. These digital tools recognize malicious and suspicious activity employees simply cannot detect. Fully automated machine learning techniques applied to document capture, biometric facial comparison, liveness detection, document authentication and classification and extraction deliver near instant digital identity verification with outstanding results and minimum friction for customers and the financial institution. 

Risk-based and knowledge-based authentication work. Indeed, today’s fraud detection technology is so sensitive and effective, criminals are targeting financial businesses which rely solely on human verification or organizations using digital verification software with known weaknesses rather than risk being caught.

Read more about our identity verification service

Mitek Fraud series: Biometrics and Fraud in the COVID era. What's changing? | Identity Verification through the customer journey The Pandemic blindsided us; will surging digital fraud do the same? | How to fight fraud with data | What is a Deepfake and how does it impact fraud? | Financial services and online marketplaces face shifting fraud landscapes What is synthetic identity fraud? | What is Account Takeover Fraud