What’s the Risk of Account Takeover?

Early detection and prevention

Online payments and eCommerce have been targets for fraud ever since their inception. The availability of real monetary value coupled with the ability to scale an attack online attracted many users to fraud in order to make a quick buck. At first, fraudsters used stolen credit card details to make purchases online. As services became more widely used, a newer, sometimes easier alternative emerged: account takeover.

Account takeover (ATO) occurs when one user guesses, or has been given, the credentials to another’s value-storing account. This can be your online wallet, but also your social networking profile or gaming account. The perpetrator is often someone you don’t know, but it can just as easily be your kid using an account you didn’t log out of. All fall under various flavors of ATO, and all are much easier than stealing someone’s identity: all that’s needed is guessing or phishing a user’s credentials, and you’re rewarded with all the value they’ve been able to create through their activity.

Fraudsters take over accounts and use them in one of two ways:

  1. Direct account usage: If you’ve seen a friend’s social network account untypically share links for a weight loss product, you’ve seen the most common example of direct usage of ATOed accounts. However, fraudsters use hacked accounts’ legitimate reputation in order to perpetrate much larger scale fraud. For example, accounts belonging to reputable sellers on marketplace websites get hacked by a fraudster, who then offers a too-good promotion to that seller’s loyal crowd, only to never ship the goods after they cashed out on the advance payments.
  2. Value extraction: ATO occurs in accounts that store some kind of value to be extracted. Accounts with working credit cards or a large balance can be used to transfer funds or make a purchase; gaming accounts often get stripped of high value items and virtual goods. In 2009, the World Bank estimated the lost value from this type of fraud at $3B.

When faced with ATO, many risk teams decide to add safeguards to the sign-in process. Companies have tried adding security questions, strong password requirements and even random key generators to make ATO more difficult. These measures often fail, mainly because users and their lack of security awareness are always the weakest link in security. When you complicate your security measures, you lose more activity from legitimate users who fail to use your product (in this case, fail to sign in to their account) than you prevent from the fraudsters you manage to deter. You end up handling more forgotten passwords from good users than from fraudsters.

What can you do? Letting other users flag compromised accounts and their untypical behavior (such as shared spam links) should definitely be utilized, but you must also attempt to detect the issue before it is noticeable. The early detection and prevention of ATO focuses on two methods:

  • Session linking. Any fraudster activity needs to happen at scale; otherwise it is not going to be worth enough money for the attacker, since the tools needed to perpetrate an attack cost more than the value one can find in most single accounts. This means that multiple accounts will be hacked and accessed, usually within a rather short period of time. Compare all user events registered in your system in a short time frame—the last minutes up to the last hour—based on IP, user agent, and JavaScript signature. Find those that are connected, but come from completely different accounts.

    This method results in a list of accounts that are either hacked or are accessed from the same device or network, both usage patterns you need to pay attention to. In addition, you will often detect activity that signals abuse way before it happens: some fraudsters will not use the account themselves but rather sell it off to a third party after they’ve logged in and validated that it is worth selling. In many cases, session linking allows you to detect these “peeks” into hacked accounts before the account is sold and damage is done.
  • Session consistency scoring. Accounts get taken over for their history and reputation, but that history can also be used to detect the hack; takeover sessions look different than regular account use, so you have a basis for comparison. The difference can be caught by simple checks (new IPs, new geographic locations, new devices) but also by behavior.
    • On social network sites, browsing pattern and the way the account interacts with content are highly indicative (including the time, duration and nature of the interaction, which users created the content, and so on).
    • On eCommerce sites the time, amount, and category of purchases will be different than the regular user’s. Addition or alteration of details such as the recovery email, phone, or a shipping address is another very common indicator. In fact, browsing and usage patterns are some of the most common indicators of a kid using a parent’s account, a frequently seen type of friendly fraud; the kid will not interact with any content other than the game they’re playing, and purchases will be many and frequent.
    Flagging accounts that display inconsistency in session details or behavior does not mean that they are hacked. This is when you should utilize in-flow challenge questions: challenging the user to recall details from the account’s history without looking at them. This is another instance where the history works against the fraudster; ask a user to name a few friends, identify purchases they made or complete an old shipping address—and measure their response time.
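The session-linking method above, as an added Python example that is not part of the original article: sign-in events sharing the same IP, user agent and JavaScript fingerprint are grouped into bursts no more than one hour apart, and any burst that touches two or more distinct accounts is reported. The event records and their values are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, account, ip, user_agent, js_fingerprint).
# All values are made up for this example.
EVENTS = [
    ("2024-01-10T10:00:05", "alice", "203.0.113.7",  "UA-Chrome-120",  "fp-a1b2"),
    ("2024-01-10T10:02:11", "bob",   "203.0.113.7",  "UA-Chrome-120",  "fp-a1b2"),
    ("2024-01-10T10:04:40", "carol", "203.0.113.7",  "UA-Chrome-120",  "fp-a1b2"),
    ("2024-01-10T10:10:00", "alice", "192.0.2.44",   "UA-Safari-17",   "fp-c3d4"),
    ("2024-01-10T10:30:00", "dave",  "198.51.100.9", "UA-Firefox-121", "fp-zz99"),
    ("2024-01-10T13:00:00", "erin",  "203.0.113.7",  "UA-Chrome-120",  "fp-a1b2"),
    ("2024-01-10T13:01:00", "alice", "192.0.2.44",   "UA-Safari-17",   "fp-c3d4"),
]


def _report(signature, group, min_accounts):
    """Emit (signature, accounts) when a burst spans enough distinct accounts."""
    accounts = sorted({account for _, account in group})
    return [(signature, accounts)] if len(accounts) >= min_accounts else []


def link_sessions(events, window=timedelta(hours=1), min_accounts=2):
    """Group events by (ip, user_agent, js_fingerprint), split each group into
    bursts where consecutive events are at most `window` apart, and return the
    bursts that touch at least `min_accounts` different accounts."""
    by_signature = defaultdict(list)
    for ts, account, ip, ua, fp in events:
        by_signature[(ip, ua, fp)].append((datetime.fromisoformat(ts), account))

    linked = []
    for signature, rows in by_signature.items():
        rows.sort()                      # chronological order within one signature
        burst = [rows[0]]
        for row in rows[1:]:
            if row[0] - burst[-1][0] > window:   # gap too large: close this burst
                linked.extend(_report(signature, burst, min_accounts))
                burst = []
            burst.append(row)
        linked.extend(_report(signature, burst, min_accounts))
    return linked


if __name__ == "__main__":
    for signature, accounts in link_sessions(EVENTS):
        print(f"{signature} -> accounts {accounts}")
```

The same device signing into the same account repeatedly (alice from her Safari device) is never reported; only one signature reaching several accounts within the window is.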
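The session consistency scoring described above, as an added Python example that is not from the original article: a session is compared against the account's history (known countries, devices and IPs, usual purchase categories and amount) and against changes to recovery details, and an inconsistency score decides whether to send the user to an in-flow challenge rather than block outright. The history, the sessions and the weights are all assumptions constructed for this example.

```python
# Constructed account history; values are made up for illustration.
HISTORY = {
    "countries": {"US"},
    "devices": {"fp-c3d4"},
    "ips": {"192.0.2.44", "192.0.2.45"},
    "categories": {"books", "groceries"},
    "avg_amount": 40.0,
}

# Weights are assumed for this example, not figures from the article.
WEIGHTS = {
    "new_country": 3, "new_device": 2, "new_ip": 1,
    "new_category": 1, "large_amount": 2, "profile_change": 3,
}
# Account-detail changes the article names as common ATO indicators.
PROFILE_FIELDS = {"recovery_email", "phone", "shipping_address"}

# Two constructed sessions: one consistent with the history, one not.
NORMAL = {"country": "US", "device": "fp-c3d4", "ip": "192.0.2.44",
          "purchases": [{"category": "books", "amount": 25.0}], "changed_fields": []}
SUSPECT = {"country": "FR", "device": "fp-q9q9", "ip": "203.0.113.7",
           "purchases": [{"category": "gift_cards", "amount": 500.0}],
           "changed_fields": ["shipping_address"]}


def score_session(history, session):
    """Return (score, reasons); a higher score means less consistent with history."""
    reasons = []
    if session["country"] not in history["countries"]:
        reasons.append("new_country")
    if session["device"] not in history["devices"]:
        reasons.append("new_device")
    if session["ip"] not in history["ips"]:
        reasons.append("new_ip")
    for purchase in session.get("purchases", []):
        if purchase["category"] not in history["categories"]:
            reasons.append("new_category")
        if purchase["amount"] > 3 * history["avg_amount"]:   # well above the usual spend
            reasons.append("large_amount")
    if PROFILE_FIELDS & set(session.get("changed_fields", [])):
        reasons.append("profile_change")
    return sum(WEIGHTS[r] for r in reasons), reasons


def needs_challenge(score, threshold=5):
    """At or above the threshold, ask a history-based challenge question; do not block."""
    return score >= threshold
```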

To summarize, ATO is a lingering problem that’s being experienced by more types of businesses as we move more of our lives online. Using some mildly sophisticated methods and modeling will allow you to stop more of these attacks before they create substantial damage, while limiting your interference with regular users’ use of your product.

If you’re interested in payment processing and fraud prevention, check out Introduction to Online Payments Risk Management.
