Account takeover fraud occurs when malicious actors steal login credentials to access customer accounts. Organizations that store user login information should be especially wary of these threats, both to protect themselves and their customers.
In 2018, account takeover fraud cost businesses in the United States $5.1 billion—three times the amount from the previous year. To make matters worse, the losses suffered may not be covered by insurance. A common form of this is corporate account takeover, when hackers steal login credentials to access your business’ bank accounts and often drain your balance.
Fraudsters have at their disposal a wide range of methods for acquiring login information: phishing attacks, public website/database compromises, social engineering, and many more. Because they are using legitimate usernames and passwords, it can be hard to identify fraud scenarios in action.
Insiders are a main cause of account takeovers
A critical rule of thumb for protecting yourself from corporate account takeover is to safeguard your account login information from within. Customers and staff are frequently the cause of account takeovers, whether knowingly or inadvertently.
It’s important to proactively monitor for any issues involving customer account logins, password resets, or new account creations. These can be signs of a fraud scenario in progress and recognizing them early can make a crucial difference when mitigating or preventing damage. Additionally, the number of staff members with administrative access to account login information should be kept to a minimum.
What are the major indicators of account takeovers that businesses should be aware of?
When malicious actors are trying to gain access to accounts, they often leave a digital pattern of activity. Knowing what to look for and careful monitoring for these signs can help identify account takeover fraud in real time.
This is especially the case when cyber attackers steal volumes of customer login information from a single business—an occurrence not too uncommon these days. It’s important to be aware of the relevant signs so immediate action can be taken if customer accounts have indeed been compromised.
Multiple accounts suddenly share similar details
When cyber attackers successfully log in to accounts, they often change some of the account owner’s details. It’s not uncommon for criminals to target multiple customer accounts at one business in a short time span; when this happens, many customers may suddenly share the same details in their account profiles. For example, if 25 customers all change their shipping address to the same address on the same day, it’s highly likely that their accounts have been taken over.
Account takeover protection methods can include enforcing a stand-down period between account detail changes and purchases, or requiring address verification to ensure legitimacy.
Accounts accessed from IP addresses in different countries
Customers typically use the same computer and IP address to access their accounts. Because IP addresses are associated with specific countries, they can be used to monitor if a user has logged in from an irregular location. The IP addresses of active website users can also be matched to the usual IP addresses of account holders.
For example, suppose an account holder usually based in Florida is accessing the website from an IP address overseas. They may be away on vacation, or it may be an account takeover in progress.
Numerous unique account logins from a new location in a short span of time may also be a sign of an account takeover campaign. For example, if 10 different accounts are accessed from the same new country, it’s safe to assume that not all of those customers have traveled abroad at the same time, to the same place.
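The two location checks described above (a single account appearing from a country it has never used, and many established accounts appearing from the same new country within minutes) can be expressed as one replay over login events. The following is an added example written for this article, not code from the original post or from FingerprintJS; the login events are constructed sample data, the country code "ZZ" is an ISO 3166 user-assigned placeholder standing in for whatever unexpected country shows up, and the 30-minute window and three-account threshold are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data): (timestamp, account_id, country code).
# "ZZ" is an ISO 3166 user-assigned code, used here as a placeholder for an unexpected country.
LOGIN_EVENTS = [
    ("2024-03-01T09:00:00", "acct-001", "US"),
    ("2024-03-01T10:00:00", "acct-002", "US"),
    ("2024-03-01T11:00:00", "acct-003", "CA"),
    ("2024-03-02T09:05:00", "acct-001", "US"),
    ("2024-03-02T10:00:00", "acct-002", "US"),
    ("2024-03-02T11:00:00", "acct-003", "CA"),
    ("2024-03-03T09:10:00", "acct-001", "US"),
    # minutes apart, three established accounts appear from a country none has used before
    ("2024-03-10T02:00:00", "acct-001", "ZZ"),
    ("2024-03-10T02:03:00", "acct-002", "ZZ"),
    ("2024-03-10T02:07:00", "acct-003", "ZZ"),
    # a brand-new account: no history yet, so its first country is a baseline, not an anomaly
    ("2024-03-10T02:09:00", "acct-004", "ZZ"),
]


def detect_geo_anomalies(events, window=timedelta(minutes=30), min_accounts=3):
    """Replay login events in time order and return two lists:
    - individual: (account, country) for each login from a country the account
      has never used before (could be travel, could be a takeover);
    - campaigns: (country, [accounts]) when at least `min_accounts` distinct
      established accounts hit the same new country inside one `window`."""
    seen = defaultdict(set)        # account -> countries seen so far
    recent = defaultdict(list)     # country -> [(ts, account)] of new-country logins
    individual, campaigns = [], []
    alerted = set()                # countries already reported as a campaign

    for ts_str, account, country in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if not seen[account]:      # first login ever: establishes the baseline
            seen[account].add(country)
            continue
        if country in seen[account]:
            continue               # known location for this account
        seen[account].add(country)
        individual.append((account, country))

        # keep only this country's new-location logins that fall inside the sliding window
        recent[country] = [(t, a) for t, a in recent[country] if ts - t <= window]
        recent[country].append((ts, account))
        accounts = {a for _, a in recent[country]}
        if len(accounts) >= min_accounts and country not in alerted:
            alerted.add(country)
            campaigns.append((country, sorted(accounts)))
    return individual, campaigns


if __name__ == "__main__":
    individual, campaigns = detect_geo_anomalies(LOGIN_EVENTS)
    for account, country in individual:
        print(f"new country for {account}: {country}")
    for country, accounts in campaigns:
        print(f"campaign: {len(accounts)} accounts from {country}: {', '.join(accounts)}")
```

A single entry in the `individual` list is the "vacation or takeover" case and usually only warrants a notification or step-up verification; an entry in `campaigns` is the signal to review every account in the list at once.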
Change in customer details from multiple accounts
An effective way of identifying compromised accounts in a corporate account takeover campaign is to trick the malicious actor into making changes to the accounts in question, thereby flagging them for scrutiny.
This can be accomplished by sending an alert to a customer account when its details have been changed. This may trigger the malicious actor to change details such as passwords on all accounts they have access to.
At minimum, being aware of the overall behavior pattern of customers can make a critical difference. For example, it would be extremely unlikely for 15 customers to all change their passwords in the space of a few minutes, even if you haven’t signalled to the hacker that something might be awry.
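The shared-address indicator from the "Multiple accounts suddenly share similar details" section and the burst of password changes described here are the same kind of detection: a group of distinct accounts changing the same field inside one time window, with or without requiring the same new value. The following is an added example written for this article, not code from the original post or from FingerprintJS; the change events and the address in them are constructed sample data, password values are deliberately absent (only the fact of a change is logged), and the windows and thresholds are assumptions. It also includes the stand-down rule mentioned in that earlier section as a small helper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed profile-change events (sample data, not real customers):
# (timestamp, account_id, field, new_value). Password values are never logged, so the
# value is None for password changes; the addresses are made-up placeholders.
CHANGE_EVENTS = [
    # ordinary, unrelated edits
    ("2024-03-05T08:12:00", "acct-010", "shipping_address", "12 Oak St, Tampa FL"),
    ("2024-03-05T09:40:00", "acct-011", "password", None),
    ("2024-03-06T13:00:00", "acct-012", "shipping_address", "77 Pine Ave, Miami FL"),
    # four accounts switch to the same address on the same day
    ("2024-03-07T10:01:00", "acct-020", "shipping_address", "500 Example Blvd, Suite 9"),
    ("2024-03-07T10:04:00", "acct-021", "shipping_address", "500 Example Blvd, Suite 9"),
    ("2024-03-07T11:30:00", "acct-022", "shipping_address", "500 Example Blvd, Suite 9"),
    ("2024-03-07T15:45:00", "acct-023", "shipping_address", "500 Example Blvd, Suite 9"),
    # the same accounts, plus one more, all change passwords within five minutes
    ("2024-03-07T22:00:00", "acct-020", "password", None),
    ("2024-03-07T22:01:00", "acct-021", "password", None),
    ("2024-03-07T22:02:30", "acct-022", "password", None),
    ("2024-03-07T22:03:00", "acct-023", "password", None),
    ("2024-03-07T22:04:00", "acct-024", "password", None),
]


def find_change_clusters(events, field, window, min_accounts, match_value=True):
    """Return [(field, value, [accounts])] for every group of at least `min_accounts`
    distinct accounts that changed `field` within one `window`.
    match_value=True  -> accounts must have set the same new value (a shared address);
    match_value=False -> any value counts, e.g. a burst of password changes."""
    groups = defaultdict(list)
    for ts, account, f, value in events:
        if f == field:
            key = value if match_value else None
            groups[key].append((datetime.fromisoformat(ts), account))

    clusters = []
    for key, items in groups.items():
        items.sort()
        best, start = set(), 0
        # sliding window: find the densest run of changes that fits inside `window`
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {a for _, a in items[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            clusters.append((field, key, sorted(best)))
    return clusters


def purchase_needs_review(change_ts, purchase_ts, stand_down=timedelta(hours=24)):
    """Stand-down rule: a purchase placed within `stand_down` of a shipping-address
    change is held for verification instead of being shipped straight away."""
    return datetime.fromisoformat(purchase_ts) - datetime.fromisoformat(change_ts) < stand_down


if __name__ == "__main__":
    for cluster in find_change_clusters(CHANGE_EVENTS, "shipping_address", timedelta(days=1), 3):
        print("shared address:", cluster)
    for cluster in find_change_clusters(CHANGE_EVENTS, "password", timedelta(minutes=10), 3,
                                        match_value=False):
        print("password burst:", cluster)
```

Run with `match_value=True` for fields whose new value is meaningful (address, phone, e-mail) and `match_value=False` for fields whose value cannot or must not be compared (passwords). The thresholds should be set from the site's own baseline: 15 password changes in a few minutes is remarkable for a small store and routine for a very large one.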
Accounts being logged in from different devices
Customers tend to use the same devices when accessing their accounts. While it’s not uncommon for customers to use new devices, a large number of accounts accessed by an unknown device simultaneously is a likely sign of an account takeover.
Malicious actors can also use blocking software to hide information regarding the device in use. Customers may do this for legitimate privacy reasons, but again, a large number of such obscured devices online at the same time is usually suspect.
Multiple accounts from the same device
This account takeover indicator is relatively easy to spot: multiple customers accessing their accounts from the same device. It’s highly improbable that several different customers would be using the same computer at the same time. If this scenario occurs, then an account takeover campaign is almost certainly in progress.
To make matters more difficult, cyber criminals are aware of the risk of discovery in this scenario; for this reason, they may conduct their activities outside business hours, when administrators are less likely to be monitoring website activity. It’s no wonder that 35 percent of attacks happen between 8pm and 8am, and 14 percent happen on weekends.
Signs of API Misuse
APIs are critical these days for integrating and connecting different web services together—they are the glue of the internet. For example, a merchant may use an API to connect its web store to the payment processor for clearing credit card transactions. While they are extremely useful tools for businesses and developers, they can be misappropriated by bad actors in an account takeover situation.
By using an automated attack bot, cyber attackers may attempt to break through an API’s security controls with randomized combinations of stolen usernames and passwords. This is one example of why it’s important to monitor websites for API misuse, as it’s likely to involve a large number of failed login attempts in a short span of time.
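The device indicators from the two sections above (many accounts on one device, many logins with device details hidden) and the API-misuse indicator here (many failed logins from one source in a short window) all reduce to grouping login attempts by a source key inside fixed time buckets and counting distinct accounts and failures. The following is an added example written for this article, not code from the original post or from FingerprintJS; the login attempts are constructed sample data using RFC 5737 documentation IP addresses, `device_id` stands in for whatever device identifier the site records (`None` when the client hid it), and the bucket size and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(2000, 1, 1)  # fixed origin used to number fixed-size time buckets


def _attempt(ts, account, device_id, source_ip, success):
    return {"ts": ts, "account": account, "device_id": device_id,
            "source_ip": source_ip, "success": success}


# Constructed login attempts (sample data, not real traffic). device_id is None when the
# client hid its device information; addresses come from the RFC 5737 documentation ranges.
LOGIN_ATTEMPTS = [
    # ordinary daytime traffic: one account per device, an occasional mistyped password
    _attempt("2024-03-12T09:00:00", "acct-101", "dev-a", "203.0.113.10", True),
    _attempt("2024-03-12T09:30:00", "acct-102", "dev-b", "203.0.113.11", True),
    _attempt("2024-03-12T10:15:00", "acct-103", "dev-c", "198.51.100.5", True),
    _attempt("2024-03-12T10:20:00", "acct-101", "dev-a", "203.0.113.10", False),
    _attempt("2024-03-12T10:21:00", "acct-101", "dev-a", "203.0.113.10", True),
    # late at night, four different accounts log in from the same device within minutes
    _attempt("2024-03-12T23:05:00", "acct-201", "dev-x", "198.51.100.77", True),
    _attempt("2024-03-12T23:06:00", "acct-202", "dev-x", "198.51.100.77", True),
    _attempt("2024-03-12T23:08:00", "acct-203", "dev-x", "198.51.100.77", True),
    _attempt("2024-03-12T23:11:00", "acct-204", "dev-x", "198.51.100.77", True),
    # automated credential testing against the login API: one source, hidden device,
    # many distinct accounts, nearly all failures
    _attempt("2024-03-13T03:00:00", "acct-301", None, "192.0.2.50", False),
    _attempt("2024-03-13T03:01:00", "acct-302", None, "192.0.2.50", False),
    _attempt("2024-03-13T03:02:00", "acct-303", None, "192.0.2.50", False),
    _attempt("2024-03-13T03:04:00", "acct-304", None, "192.0.2.50", False),
    _attempt("2024-03-13T03:05:00", "acct-305", None, "192.0.2.50", False),
    _attempt("2024-03-13T03:07:00", "acct-306", None, "192.0.2.50", False),
    _attempt("2024-03-13T03:09:00", "acct-307", None, "192.0.2.50", True),
]


def _bucket_index(ts_str, bucket):
    return (datetime.fromisoformat(ts_str) - EPOCH) // bucket


def flag_sources(attempts, key, bucket=timedelta(hours=1), min_accounts=3, min_failure_ratio=0.0):
    """Group attempts by (attempt[key], time bucket) and report every group in which at
    least `min_accounts` distinct accounts appear and the failure ratio is at least
    `min_failure_ratio`. key="device_id" finds shared devices; key="source_ip" with a
    high failure ratio finds automated credential testing against the login API."""
    groups = defaultdict(lambda: {"accounts": set(), "failed": 0, "total": 0})
    for a in attempts:
        if a[key] is None:
            continue  # hidden values cannot be grouped; see obscured_device_share()
        g = groups[(a[key], _bucket_index(a["ts"], bucket))]
        g["accounts"].add(a["account"])
        g["total"] += 1
        g["failed"] += 0 if a["success"] else 1

    flagged = []
    for (value, idx), g in groups.items():
        ratio = g["failed"] / g["total"]
        if len(g["accounts"]) >= min_accounts and ratio >= min_failure_ratio:
            flagged.append({"key": key, "value": value,
                            "bucket_start": (EPOCH + idx * bucket).isoformat(),
                            "accounts": len(g["accounts"]),
                            "failed": g["failed"], "total": g["total"]})
    return sorted(flagged, key=lambda f: f["bucket_start"])


def obscured_device_share(attempts, bucket=timedelta(hours=1)):
    """Per time bucket, the fraction of login attempts whose device info was hidden.
    A few such logins are normal privacy tooling; a bucket where most are hidden is not."""
    hidden, total = defaultdict(int), defaultdict(int)
    for a in attempts:
        idx = _bucket_index(a["ts"], bucket)
        total[idx] += 1
        hidden[idx] += 1 if a["device_id"] is None else 0
    return {(EPOCH + idx * bucket).isoformat(): round(hidden[idx] / total[idx], 2)
            for idx in sorted(total)}


if __name__ == "__main__":
    print("shared devices:", flag_sources(LOGIN_ATTEMPTS, "device_id"))
    print("credential testing:", flag_sources(LOGIN_ATTEMPTS, "source_ip",
                                              min_accounts=5, min_failure_ratio=0.5))
    print("hidden-device share per hour:", obscured_device_share(LOGIN_ATTEMPTS))
```

The same `flag_sources` call with `key="source_ip"` and a low failure threshold also catches the shared-device case when the device identifier is hidden, since the attacker's traffic still comes from somewhere; pairing the two keys is more robust than relying on either alone. Alerts from the overnight buckets deserve the same attention as daytime ones, given how much of this activity happens outside business hours.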
How do businesses mitigate the risks of account takeover?
There’s no way to stop malicious actors from attempting account takeovers, but measures can be put in place for early detection and damage control.
Being able to recognize these tell-tale signs of account takeover is the first step towards minimizing the damage of digital identity fraud. Using these insights, alerts can be set up to notify an administrator if potential account takeover incidents are detected.
Better yet, sophisticated solutions like FingerprintJS Pro can help protect customers by generating a 99.5% accurate browser identifier. When malicious actors with a history of suspicious behavior attempt to log in to compromised accounts, FingerprintJS Pro can accurately associate their previous visit history, making it easy to take action to secure all impacted accounts. The platform seamlessly integrates into existing workflows and is available for a free 10 day test drive with unlimited API access.
Account takeover threats pose a grave risk to all organizations with an online presence. Customers expect to have their data protected; compromised login credentials are inconvenient at best and, at worst, cause for taking their business elsewhere. Data breaches are also brand-damaging events—the kind of publicity to avoid at all costs. Fortunately, with these risk indicators in mind, companies can detect account takeovers and implement the necessary damage control measures before they spiral out of control.