Account Takeover: Identity Theft With Serious Consequences

Perpetrators break into bank or e-commerce accounts through targeted phishing, malware or man-in-the-middle attacks.

To keep the account holder or the company from noticing, the attacker's first step is usually to change the account's contact details, password and notification settings, so that alerts about later activity never reach the real owner. Once the account is under their control and traces are covered, the fraudsters move money out through transactions in their own favour. They also use the stolen identity data to apply for new credit cards, bank accounts or other financial services under false names.

Preferred marketplace is the dark web

Attackers obtain account numbers and login data for financial services or online accounts in various ways. The preferred marketplace for this information is the dark web, where credentials stolen in data breaches are offered after the leak and can be bought and sold easily and cheaply. Beyond buying leaked credentials, there are other common Account Takeover (ATO) attack methods:

1. Credential stuffing
In these attacks, bots replay username and password pairs leaked from breaches of other services against the target's login page using automated scripts. Since many people reuse identical credentials on different platforms, a fraction of the replayed pairs succeeds, which makes the method particularly effective. Unlike a brute force attack, each account is typically tried only once or a few times, from many source addresses.

2. Brute force attack
This involves many login attempts against one account, each using a different password, usually taken from a wordlist of common passwords. These attacks are often successful because many passwords are easy to guess.

3. Malware
Users are tricked into downloading apps from malicious sources, for example via a link in an email, and thus unknowingly install malware on their device. Shlayer, for example, is a macOS Trojan distributed as a fake software update (disguised as a Flash Player or browser update) that installs further adware and spyware once run.

4. Phishing
In phishing attacks, fraudsters pose as a trusted brand or person and contact their victims mostly by email, but also via SMS or social media messages. They get users to click on links that lead to fake, malicious websites which capture the credentials entered on them. These pages often differ from the genuine site only in the domain name or a small detail of the page, and are therefore hard to spot.

5. SIM swapping
In this type of social engineering, the criminal contacts the victim's mobile phone provider, poses as the customer and convinces a call centre agent to transfer the mobile phone number to a SIM card the attacker controls. If this succeeds, calls and text messages for that number, including the SMS codes used for multi-factor authentication, arrive on the fraudster's phone, and apps such as banking apps can be activated there. This gives the perpetrator the opportunity to carry out fraudulent transactions; it also means that an SMS code alone is a weak second factor for high-risk actions.

6. Man-in-the-middle attack
In this type of attack, the fraudster positions themselves between an organisation (e.g. a financial institution) and the user to intercept communications without being noticed. For example, an attacker can hijack the communication channel between the user's device and a bank's server by setting up a malicious Wi-Fi network that looks like the public hotspot in a café. People use such hotspots without realising that they are sending their login and payment data over a network the attacker controls. Because TLS prevents a hotspot operator from simply reading the traffic, these attacks in practice rely on the user accepting a forged certificate, on a fake captive portal that collects credentials, or on a malicious proxy the victim has been tricked into installing.

Recognising and defending against ATO

ATO is difficult to detect, but there are signs that companies should look out for:

  • Multiple users suddenly request a password change within a short period of time.
  • An unusual accumulation of failed login attempts, either against one account (brute force) or from one source across many different accounts (credential stuffing).
  • A user logs in to a customer account from Europe, and ten minutes later another login for the same account arrives from a completely different location (so-called impossible travel).

However, all of these signs can only be detected through continuous monitoring of user accounts. To do this, companies need not only complete insight into user activities (login successes and failures, password reset requests, source address and geolocation), but also real-time analysis that can recognise these behavioural patterns as they emerge.
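The three signals above, run over a small constructed authentication log. This is an added example, not code from the original article or from any product: the JSON line format, the field names (`ts`, `event`, `user`, `ip`, `lat`, `lon`), the thresholds and the sample data are all assumptions chosen for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample authentication log (one JSON object per line), not real
# data. It contains one instance of each signal the text describes, plus
# benign activity (carol's Berlin -> Munich trip) that must not alert.
SAMPLE_LOG = "\n".join(
    [
        '{"ts":"2024-03-01T09:00:00Z","event":"login_success","user":"alice","ip":"198.51.100.10","lat":52.52,"lon":13.41}',
        '{"ts":"2024-03-01T09:10:00Z","event":"login_success","user":"alice","ip":"203.0.113.44","lat":-33.87,"lon":151.21}',
        '{"ts":"2024-03-01T09:00:00Z","event":"login_success","user":"carol","ip":"198.51.100.11","lat":52.52,"lon":13.41}',
        '{"ts":"2024-03-01T12:00:00Z","event":"login_success","user":"carol","ip":"198.51.100.12","lat":48.14,"lon":11.58}',
        '{"ts":"2024-03-01T14:00:00Z","event":"password_reset_request","user":"ivan"}',
    ]
    # brute force: six failures against one account from rotating source IPs
    + [f'{{"ts":"2024-03-01T09:20:{i:02d}Z","event":"login_failure","user":"bob","ip":"198.51.100.{i + 1}"}}' for i in range(6)]
    # credential stuffing: one IP, one failure each against six different accounts
    + [f'{{"ts":"2024-03-01T09:30:{i:02d}Z","event":"login_failure","user":"u{i}","ip":"203.0.113.5"}}' for i in range(6)]
    # password-reset burst: five distinct users within five minutes
    + [f'{{"ts":"2024-03-01T10:0{i}:00Z","event":"password_reset_request","user":"{u}"}}'
       for i, u in enumerate(["dave", "erin", "frank", "grace", "heidi"])]
)


def parse_events(text):
    """Parse one JSON object per line; timestamps become aware datetimes, sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_reset_burst(events, window=timedelta(minutes=10), min_users=5):
    """Signal 1: many distinct users ask for a password reset in a short window."""
    resets = [e for e in events if e["event"] == "password_reset_request"]
    alerts, i = [], 0
    while i < len(resets):
        end = resets[i]["ts"] + window
        in_window = [e for e in resets[i:] if e["ts"] <= end]
        users = sorted({e["user"] for e in in_window})
        if len(users) >= min_users:
            alerts.append({"start": resets[i]["ts"], "users": users})
            i += len(in_window)  # skip past this window so it alerts only once
        else:
            i += 1
    return alerts


def detect_failed_logins(events, threshold=5):
    """Signal 2: accumulated failures, per source IP across many accounts
    (credential stuffing) and per account from any source (brute force)."""
    per_ip_users = defaultdict(set)
    per_user = defaultdict(int)
    for e in events:
        if e["event"] != "login_failure":
            continue
        per_ip_users[e["ip"]].add(e["user"])
        per_user[e["user"]] += 1
    return {
        "credential_stuffing": sorted(ip for ip, u in per_ip_users.items() if len(u) >= threshold),
        "brute_force": sorted(u for u, n in per_user.items() if n >= threshold),
    }


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh=900.0):
    """Signal 3: consecutive successful logins for one user that would require
    travelling faster than an airliner. Returns (user, km, hours) per finding."""
    last, alerts = {}, []
    for e in events:
        if e["event"] != "login_success" or "lat" not in e:
            continue
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # ignore small GeoIP jitter; a location change with zero elapsed
            # time is impossible too, so guard the division
            if km > 50 and (hours == 0 or km / hours > max_kmh):
                alerts.append((e["user"], round(km), round(hours, 2)))
        last[e["user"]] = e
    return alerts


def analyse(text):
    events = parse_events(text)
    return {
        "reset_burst": detect_reset_burst(events),
        "failed_logins": detect_failed_logins(events),
        "impossible_travel": detect_impossible_travel(events),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Each detector keys on a different dimension of the same event stream: the reset burst counts distinct users per time window, the failure detector separates stuffing (one IP, many accounts) from brute force (one account, many attempts), and impossible travel needs the geolocation of consecutive successful logins. In production the thresholds would be tuned per service, and the detectors would run over a sliding window of recent events rather than a whole file.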

Furthermore, additional authentication of the user (so-called "adaptive authentication") can make it difficult or impossible to take over an account. Here a stronger level of authentication is required when certain risk signals change, such as the user's device or geolocation, or when the requested action is sensitive: changing contact details or notification settings, changing the password, or initiating a transfer, exactly the steps an attacker takes first after a takeover. In simple terms, companies should require a higher level of authentication in these cases before allowing access to the account or allowing the transaction. Given the SIM swapping attack described above, the step-up factor should preferably be something other than an SMS code, such as an authenticator app or a hardware security key.
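One way to express such an adaptive authentication policy as code. This is an added illustration, not code from the original article or from any identity product: the `Profile` and `Attempt` structures, the signal names, the set of sensitive actions, the high-value threshold and the rule that SMS is not accepted after a device or location change are all assumptions of this example.

```python
from dataclasses import dataclass

# Actions an attacker takes first after a takeover (changing contact details,
# password, notifications) plus moving money. Assumed list for this example.
SENSITIVE_ACTIONS = {"change_contact", "change_password", "change_notifications", "transfer"}


@dataclass(frozen=True)
class Profile:
    """What the service already knows about the legitimate user."""
    known_devices: frozenset      # device identifiers seen and verified before
    usual_countries: frozenset    # countries of previous verified logins
    mfa_methods: frozenset        # enrolled factors, subset of {"sms", "totp", "webauthn"}


@dataclass(frozen=True)
class Attempt:
    """The current request being evaluated."""
    device_id: str
    country: str
    action: str = "login"
    amount: float = 0.0


def risk_signals(profile, attempt, high_value=1000.0):
    """Collect the parameters whose change or sensitivity warrants step-up."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new_device")
    if attempt.country not in profile.usual_countries:
        signals.append("new_country")
    if attempt.action in SENSITIVE_ACTIONS:
        signals.append("sensitive_action")
    if attempt.action == "transfer" and attempt.amount >= high_value:
        signals.append("high_value")
    return signals


def decide(profile, attempt):
    """Return (decision, acceptable_factors, signals).

    decision is 'allow' (the password session suffices), 'step_up' (one of
    acceptable_factors must be completed first) or 'hold' (no factor strong
    enough is enrolled; route to manual verification instead of letting a
    weaker factor through)."""
    signals = risk_signals(profile, attempt)
    if not signals:
        return "allow", [], signals
    # Strongest factor first. An SMS code is what a SIM swap defeats, so it is
    # only accepted when the device and country are both already known.
    factors = [m for m in ("webauthn", "totp", "sms") if m in profile.mfa_methods]
    if "new_device" in signals or "new_country" in signals:
        factors = [f for f in factors if f != "sms"]
    if not factors:
        return "hold", [], signals
    return "step_up", factors, signals


if __name__ == "__main__":
    user = Profile(frozenset({"dev-A"}), frozenset({"DE"}), frozenset({"totp", "sms"}))
    for attempt in (
        Attempt("dev-A", "DE"),                              # routine login
        Attempt("dev-A", "DE", "transfer", 50.0),            # known device, sensitive action
        Attempt("dev-X", "NG", "change_notifications"),      # classic post-takeover move
        Attempt("dev-X", "NG", "transfer", 5000.0),          # everything at once
    ):
        print(attempt, "->", decide(user, attempt))
```

The policy is deliberately fail-closed: when the only enrolled factor is SMS and the session comes from an unknown device in an unknown country, it holds the action for verification instead of sending a code that a SIM swap would deliver to the attacker. A real deployment would add the velocity and impossible-travel signals from the monitoring side and would enrol the new device as known only after a successful strong step-up.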