An Account Takeover (ATO) occurs when a fraudster gains unauthorized access to a legitimate user's account. ATO can be accomplished through methods like phishing, social engineering, or exploiting data breaches. The fraudster, after taking control of the account, can make unauthorized transactions, steal sensitive personal information, or engage in fraudulent activities.
A wide range of accounts are vulnerable to ATO, including accounts at banking and financial institutions, email, social media, online retail, and gaming.
Techniques for preventing ATO include the implementation of multi-factor authentication (MFA), the use of biometrics, identity verification processes, step-up processes for identity re-verification, and monitoring accounts for unusual activity.
Use cases and examples of account takeover:
Financial fraud:
Once fraudsters gain control of a victim's account, they often transfer funds, make unauthorized purchases, or attempt to open new accounts using the victim's identity. Common targets include bank accounts, credit card accounts, and payment platforms like PayPal, Cash App, and Zelle.
- Unauthorized transactions: Transferring funds, making purchases, or using the victim's name to open new lines of credit are the most common types of ATO attempts. Bank accounts, credit card accounts, and payment platforms like PayPal, Cash App, and Zelle may be impacted.
- Cryptocurrency theft: Targeting digital wallets to transfer out valuable crypto tokens. These transactions are especially difficult to trace or reverse.
- Loyalty program fraud: Stealing and using the points or loyalty rewards the victim has accumulated, such as airline miles or hotel points. Frequently, the fraudster does not use the points personally but uses them to make reservations for others.
Identity theft:
- Data harvesting: Harvesting personal data is frequently a secondary goal of account takeovers, as access to the account often also grants access to the personal information attached to it, which can then be used for opening additional accounts, applying for loans, or committing other forms of fraud.
- Medical identity theft: By taking over a victim's healthcare/hospital and insurance accounts, a fraudster can use the victim's medical profile to obtain prescription drugs, file fraudulent insurance claims for reimbursement, or even maliciously alter their medical information.
Other malicious activities:
- E-commerce fraud: Compromising accounts on e-commerce (retail) sites can allow fraudsters to access and use stored payment or gift card information to make unauthorized purchases from that retailer.
- Social media takeovers: Taking over social media accounts gives bad actors the ability to use them to spread misinformation, promote cryptocurrency or other investments, conduct phishing or financial scams that target the user's friends and family (for example, asking for money by saying the user is stranded), or post content that could damage the victim's reputation. Taking over the social media accounts of a political/business figure or a corporation provides these opportunities on a very large scale.
- Business email compromise (BEC): Accessing business email accounts enables fraudsters to use them to request that employees make specific financial transactions to the fraudsters' accounts, or to steal sensitive corporate information by accessing internal systems or socially engineering other employees.
- Gaming account takeovers: Taking over gaming accounts is commonly done to steal virtual goods or in-game currency. These items can then be transferred to the fraudsters' accounts, or sold to other users for real-world money.
Financial institutions can detect and stop unauthorized access to banking apps or digital wallets through biometric authentication and liveness detection. Telecoms can prevent SIM swap fraud by verifying user identity with Mitek’s ID document and facial recognition technologies.