Illustrations of how fraudsters commit identity theft and account takeover fraud using stolen credentials

Account takeover (ATO) fraud is a form of identity theft in which a fraudster gains access to a legitimate user's account. Once inside the compromised account, the fraudster can steal sensitive data, including personally identifiable information (PII), credit card or debit card numbers, and bank account details. Feedzai's Pablo de la Riva Ferrezuelo outlines how fraudsters use social engineering, keyloggers and malware, brute force attacks, and credential stuffing attacks to commit ATO fraud. Learn about one person's personal experience with ATO and how banks can prevent future account takeover attempts.

A transcript of the account takeover fraud workshop with Pablo de la Riva Ferrezuelo follows.

How Account Takeover Fraud Works

ATO basically stands for “Account Takeover” — unauthorized access to an account that belongs to another person. So it’s a cybercriminal activity that implies identity theft. The reasons behind these kinds of attacks are pretty simple: getting funds or getting data, such as username and password, a credit card, PII information, et cetera.

4 Account Takeover Fraud Scenarios

Here are four different scenarios in which ATO fraud can happen.

Social Engineering Enables ATO Fraud

The first one is through social engineering. You’re probably already familiar with things like phishing, pharming, cross-pharming, smishing, vishing, and spear phishing. 

All of these are basically variables of the same kind of example, which is when a fraudster uses a site that seems pretty similar to the one that the victim is used to working with, and it is sent to them by a different method: through an email, an SMS, a WhatsApp conversation, or by phone call. Even in a phone call they can request the username and password. It can also be targeted through an email claiming to come from somebody that you trust.

Open Networks Create Unsafe Digital Environments 

The second will be when you are using an unsafe environment. For example, when you are on a computer that you do not own or that has already been compromised. Those computers can have keyloggers, which means that something can get access to all the keys that you are pressing on the keyboard.

Another example inside unsafe environments could be form grabbers, which imply a malware infection; they are just going to automatically pick the fields in which you are going to fill in the username and the password.

Another kind of malware is called a stealer, which is also specialized in getting a specific kind of data from the machine that has been infected. There are also man-in-the-middle attacks. This happens when you are on a network that is not trustworthy and you are sending data, for example, through a rogue IP on an unsecured WiFi in an airport. That’s another possibility in which somebody could have access to your data and potentially steal your username and password, PII information, credit card, etc.

Credential Cracking is a Favored Technique for ATO Fraud

The third one will be credential cracking, which implies that somebody tries to authenticate to the online service based on brute force or dictionary attacks. For example, it could be the online banking application – by just testing combinations of usernames and passwords.

Credential Stuffing Combines Account Takeover Hacking Techniques

The fourth one will be credential stuffing. That basically comes from a combination of the previous ones, and then those credentials are leaked on the internet. So for example, they are purchased on the dark web, or some things are just published on Pastebin or on many other sites.
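The two patterns just described, credential cracking (one source hammering one account with many passwords) and credential stuffing (one source trying leaked username/password pairs across many accounts, usually once each), look different in an authentication log, and that difference is what a bank's detection logic keys on. The following is an added example written for this page, not code from the workshop or from Feedzai; the log lines are constructed, the log format (timestamp, source IP, username, outcome) and the thresholds are assumptions for illustration.

```python
"""Classify login-attempt patterns per source IP from an auth log.

Added illustration (not from the workshop). Log format, thresholds and all
sample data are constructed assumptions for this example.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed log: 'timestamp src_ip username OK|FAIL' per line."""
    lines = []
    # A normal user: one typo, then a successful login.
    lines.append(("2024-05-01T09:58:00", "198.51.100.4", "alice", "FAIL"))
    lines.append(("2024-05-01T09:58:20", "198.51.100.4", "alice", "OK"))
    # Credential cracking: one source tries many passwords against one account.
    for i in range(25):
        lines.append((f"2024-05-01T10:00:{i:02d}", "203.0.113.7", "bob", "FAIL"))
    # Credential stuffing: one source tries leaked pairs, one attempt per account;
    # one leaked pair is still valid, so that account is now compromised.
    for i in range(40):
        outcome = "OK" if i == 13 else "FAIL"
        lines.append((f"2024-05-01T10:05:{i:02d}", "192.0.2.9", f"user{i:03d}", outcome))
    return "\n".join(" ".join(fields) for fields in lines)


def parse_log(text):
    """Parse the constructed format into dicts with a boolean 'ok' outcome."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        records.append({"ts": ts, "src": src, "user": user, "ok": outcome == "OK"})
    return records


def classify_sources(records, cracking_fail_threshold=10, stuffing_min_accounts=20,
                     stuffing_max_avg_attempts=2.0, stuffing_min_fail_rate=0.8):
    """Return, per source IP, the pattern seen plus supporting counts.

    - credential_cracking: some single account got >= cracking_fail_threshold failures
      from this source (brute force / dictionary attack).
    - credential_stuffing: many distinct accounts, few attempts each, mostly failing
      (leaked username/password pairs being replayed).
    - normal: anything else.
    """
    per_src = defaultdict(list)
    for r in records:
        per_src[r["src"]].append(r)

    findings = {}
    for src, recs in per_src.items():
        per_user = defaultdict(list)
        for r in recs:
            per_user[r["user"]].append(r)
        failures = sum(1 for r in recs if not r["ok"])
        fail_rate = failures / len(recs)
        distinct = len(per_user)
        avg_attempts = len(recs) / distinct
        hammered = sorted(u for u, rs in per_user.items()
                          if sum(1 for r in rs if not r["ok"]) >= cracking_fail_threshold)

        if hammered:
            pattern = "credential_cracking"
        elif (distinct >= stuffing_min_accounts and avg_attempts <= stuffing_max_avg_attempts
              and fail_rate >= stuffing_min_fail_rate):
            pattern = "credential_stuffing"
        else:
            pattern = "normal"

        # Successful logins from an attacking source are the accounts to lock and notify.
        compromised = sorted({r["user"] for r in recs if r["ok"]}) if pattern != "normal" else []
        findings[src] = {
            "pattern": pattern,
            "attempts": len(recs),
            "failures": failures,
            "distinct_accounts": distinct,
            "hammered_accounts": hammered,
            "compromised_accounts": compromised,
        }
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(parse_log(build_sample_log())).items():
        print(src, f)
```

The point of separating the two patterns is the response: a cracking pattern calls for locking or rate-limiting the targeted account, while a stuffing pattern calls for blocking the source and forcing a password reset on every account where an attempt succeeded, because those credentials are already public.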

How to Prevent ATO Fraud

If you work at a banking institution, take into account that digital trust solutions are going to take advantage of all different kinds of combinations of techniques, like device assessment, malware analysis, and behavioral biometrics, to guarantee that the user is the owner of the account, or to tell whether the device is infected with malware and that account is potentially going to be compromised afterward.
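To make the combination of signals concrete, here is an added example (written for this page, not Feedzai's product or the speaker's code) of a login risk assessment that combines device assessment (is this a device the account has used before?), a client-side malware indicator, a check of the password against a constructed set of leaked-credential hashes, and a simple behavioral signal (typing cadence against the user's baseline). The device registry, the leaked-hash set, the signal weights and the decision thresholds are all assumptions; a real deployment would query a breach corpus with a k-anonymity range lookup rather than a local set, and would learn the behavioral baseline from history.

```python
"""Score a login attempt from several digital-trust signals.

Added illustration (not from the workshop). All registries, weights,
thresholds and sample values are constructed assumptions.
"""
import hashlib

# Constructed: device fingerprints each account has previously authenticated from.
KNOWN_DEVICES = {
    "alice": {"fp-alice-laptop", "fp-alice-phone"},
}

# Constructed stand-in for a leaked-credential corpus: SHA-1 of passwords seen in dumps.
LEAKED_PASSWORD_HASHES = {
    hashlib.sha1(b"Summer2023!").hexdigest().upper(),
}

# Constructed: per-user baseline of average inter-keystroke interval in ms.
TYPING_BASELINE_MS = {"alice": 180.0}

# Assumed weights and thresholds for the example.
WEIGHTS = {"unknown_device": 40, "malware_indicator": 50,
           "leaked_password": 30, "cadence_deviation": 20}
STEP_UP_AT, BLOCK_AT = 30, 80


def password_is_leaked(password):
    """Local lookup against the constructed leaked-hash set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in LEAKED_PASSWORD_HASHES


def assess_login(user, device_fp, password, malware_indicators=(), typing_ms=None):
    """Combine signals into a score and a decision: allow, step_up or block.

    malware_indicators: labels reported by client-side integrity checks (assumed),
    e.g. an unexpected script injected into the login page.
    typing_ms: observed mean inter-keystroke interval; None if not measured.
    """
    score, reasons = 0, []

    if device_fp not in KNOWN_DEVICES.get(user, set()):
        score += WEIGHTS["unknown_device"]
        reasons.append("device not previously seen for this account")

    if malware_indicators:
        score += WEIGHTS["malware_indicator"]
        reasons.append("malware indicators: " + ", ".join(malware_indicators))

    if password_is_leaked(password):
        score += WEIGHTS["leaked_password"]
        reasons.append("password present in leaked-credential set")

    baseline = TYPING_BASELINE_MS.get(user)
    if typing_ms is not None and baseline:
        deviation = abs(typing_ms - baseline) / baseline
        if deviation > 0.5:  # assumed tolerance
            score += WEIGHTS["cadence_deviation"]
            reasons.append(f"typing cadence deviates {deviation:.0%} from baseline")

    if score >= BLOCK_AT:
        decision = "block"
    elif score >= STEP_UP_AT:
        decision = "step_up"  # e.g. require a second factor before granting access
    else:
        decision = "allow"
    return {"score": score, "decision": decision, "reasons": reasons}


if __name__ == "__main__":
    print(assess_login("alice", "fp-alice-laptop", "correct horse battery", typing_ms=175))
    print(assess_login("alice", "fp-unknown-kiosk", "Summer2023!", typing_ms=60))
    print(assess_login("alice", "fp-unknown-kiosk", "Summer2023!",
                       malware_indicators=["injected script on login page"]))
```

Note that a correct password contributes nothing on its own: the owner on a known device with a normal cadence is allowed through, while the same correct password from an unknown device that also matches a leaked credential is pushed to step-up authentication, and any malware indicator on top of that blocks the session outright, which is the "account is going to be compromised afterward" case the speaker refers to.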