Account Takeover (ATO) – All You Need to Know

Being in the web application security space, we continue to see increased growth in all types of automated attacks, one type stands out: account takeover attacks, which are increasingly being made possible by attackers who have automated the testing of user credentials against account login systems. Account takeover is known to be a critical automated threat to most online businesses. Around 68% of all login attempts seen by our customers are bots launching automated account takeover attacks.

Unauthorized access and fraudulent transactions are committed at large scale through account takeover. In this blog post, we will include an overview of what account takeover is, the impact of compromised accounts on your customers and business and how you can eliminate risks of automated account takeover.

What is Account Takeover?

Account takeover is one form of identity theft attack in which bad actors gain access to an account and make unauthorized transactions. Account takeover attacks can target any website that uses a login to guard valuable information, and the growth in these attacks is getting fueled by the growing ranks of companies whose breached sites have already yielded access to user credentials. The attacks can succeed because many users reuse their credentials - user ID and password pairs across multiple websites.

The most common methods that bad actors use to achieve account takeover that also has been identified by OWASP as:

1. Credential Cracking – OAT-007 – Credential Cracking is the process of determining valid login credentials by trying various values for username and password. It is also known as brute force cracking.


2. Credential Stuffing – OAT-008 – Credential Stuffing is the process of mass login attempts used to verify the validity of stolen username and password set on several other sites. When successful matches are discovered, attackers use these logins to take over the account for fraud or resell the confirmed credentials to others in the criminal ecosystem to commit fraud. Credential stuffing attacks are the first step in account takeover fraud. Once attackers have established that credentials are valid on a given site, they use that information for fraud.

What is the Impact of Account Takeover?

Once account details once compromised, bots make use of the same credentials and variations of the passwords to gain access to owner’s other accounts such as shopping sites, banking, insurance, fashion buying, corporate accounts and other personal accounts. Validated compromised accounts are used to make fraudulent transactions, to empty the account balance or sell on the dark web. The common element is that automation is required by the attacker to achieve what appears to be a significant return on their investment of focusing on these types of attacks.

Account takeover is a threat to payments, ecommerce, travel, banks and credit card companies at large. The very nature of account takeover results in more loss for the merchant than it does for the cardholder. If the problem cannot be eliminated, businesses could suffer the impact of chargebacks and penalties on a more frequent basis, even if the customer's credentials have been breached from other websites and reused.

Along with the financial impact of account takeover, businesses could also experience damage to their brand reputation and customer's trust.

From an IT infrastructure point of view, excess bot requests can drain system resources, can reduce bandwidth capacity and also lead to performance degradation.

Symptoms of Automated Account Takeover

• A large number of failed login attempts


• Many requests containing variations on the account name and/or password


• Elevated account lock rate


• Rise in traffic on your signup/login pages


• Complaints from users regarding locked account

How big is The Account Takeover Problem?

With several billion user accounts compromised last year and sold online, account takeover is a growing risk for online businesses today. Compromised credentials can then be sold on to thousands of cybercriminals around the world who employ bots to automate thousands of web login forms in real-time. The profit motive behind Account Takeover attacks must be quite high because the attackers are very evasive. They deploy advanced persistent bots to bypass CAPTCHA. They evade web application firewall controls by routing their requests through massive proxy networks that allow them to keep their request rates below that of typical human users.

What is The Ways to Prevent Account Takeover?

With automated website threats on the rise, businesses need to recognize the importance of their web application security readiness. Here are a few ways to prevent account takeover attempts.

1. Login History - Allowing your applications to store the history of user's location, address, device, cookies, and browsers can help in finding compromised accounts.


2. Limit Login Attempts - A standard method to stop credential cracking would be to limit the number of failed login attempts. However, limiting failed login attempts will not help protect against credential stuffing where the hacker tries out one email address with one password.


3. Multi-Factor Authentication - Once login history has been built up and if there is a deviation in ‘user behavior' a request to authenticate using multi-factor authentication (MFA) can be sent if supported by your application. A popular way to do this is requesting OTP with Google authenticator. If your application does not support MFA, you can send an email notification to your customer on the user behavior changes, so that they can flag if it is suspicious.


4. CAPTCHA - A standard risk reduction technique in your login processes, although CAPTCHA will protect against some bots, there are several other methods that hackers use to bypass CAPTCHAs such as browser plugins, advanced bots, and CAPTCHA forms. But CAPTCHA is a great start to tackle account takeover challenges, but with advances in AI, bots are now more effective in solving CAPTCHA than humans.


5. IP Blacklisting – Almost every business will have the ability to blacklist IP and user agents if suspicious behavior is identified. The issue with IP blacklisting is that advanced bots even rotate IP ranges on a daily basis to pretend they are real users.


6. Rate Limiting - Monitoring network traffic for spikes in requests from an IP address can be used to address the credential cracking behavior. However, this process may take longer and makes rate limiting difficult.


7. Web Application Firewalls – WAF is the most common web application security solution for online businesses. Web application firewalls are designed to protect an application from being exploited by common software vulnerabilities. However advanced persistent bots have been designed to bypass WAF by mimicking human behavior.


8. Customer Education - Educating customers regarding good security is a free and often easy way to implement protection against account takeover. Encourage your customers to create strong passwords, recommend them to use minimum eight characters long password with a combination of uppercase, lowercase letters, numbers and special characters can help protect their accounts and your businesses.


9. Dedicated Bot Mitigation Solution – Bot management and anti-automation is a new space. InfiSecure can detect if a human is requesting a browser or a bot performing credential stuffing or price aggregation. The techniques being used include biometrics - an analysis of the interactions with a keyboard, mouse movements, mobile device gyroscope and accelerometer to determine if a human is driving the session or if it is a bot.

Traditional security tactics and practices are no longer robust enough to protect against automated threats. With these approaches, businesses run the risk of accidentally blocking good bots and genuine users. Deploying a bot mitigation solution will help your business identify and tackle the threat of account takeover and protect you against OWASP Top Automated Threats.