What is Account Takeover (ATO)?

February 4, 2022 | by Tony Bailey

What is Account Takeover (ATO)

Account Takeover (ATO) happens when an attacker takes over a user’s financial, airline miles, retail, streaming, mobile device, or other password-protected accounts. Attackers that successfully bypass API security can then make wholesale changes to compromised accounts or use them as part of another attack. Compromised accounts can be used in phishing campaigns, wherein the recipients see the sender as a trusted account and the attack has a greater chance of success. The compromised account can also be used to gain further ingress into an organization. However, the most common end goal of an ATO is financial gain through fraud or theft.

Key Takeaways

  • According to Security.org, 22% of adults in the US. are victims of account takeover.
  • Bad or weak passwords are one of the most common reasons for account takeover.
  • Cybercriminals employ various attack techniques to execute an ATO , such as high-volume bot attacks, brute force, phishing, and malware.
  • The key target accounts for attackers are those with access to critical financial, employee, or other sensitive business information.
  • Once an account is compromised, it can be hijacked by an attacker to commit fraud, cause reputational damage, launch phishing campaigns, and more.

How does an Account Takeover Happen?

Organizations are accelerating their digital transformation efforts backed by a move to the cloud; they use an array of communication channels and leverage an IT framework underpinned by the diverse advanced systems. This has resulted in a growing attack surface and numerous potential vulnerabilities that cybercriminals can exploit to hack into accounts. Furthermore, there is a palpable lack of security awareness amongst people, and many don’t see account takeover as a critical threat. This means there is a tendency to take certain decisions that make it easy for criminals to gain access to accounts, for example, users tend to create weak passwords that can be cracked without much effort. In addition, some people fall for social engineering attacks and share their passwords or personal information with attackers.

Also, much of our personal information used for account login, like email, date of birth, etc., are available on the internet. When this information falls into the wrong hands, it can be used to log into accounts. When a hacker breaks into an account, they get access to other information that is used to keep the account secure, including usernames, passwords, and more. They change everything so much that the actual user then has no access to the accounts. Users’ attempts to access the account can look suspicious, as they do not know the account information changed by the hacker.

Attack Techniques Used

Some of the attack techniques used to compromise accounts include:

  • Credential Stuffing: The most common ATO vector is when hackers use the estimated one billion plus stolen credentials from other data breaches (usually unrelated) to take over an account. Often, these attacks are successful because of a common (bad) habit of password reuse. If the password leaks in a data breach, criminals will try this password to get into an account with the same username, which was unearthed in another breach. Commercially available tools help simplify the execution of credential stuffing attacks by giving threat actors a management portal that allows them to define a target organization, generate credential lists, distribute the attack, and modify behavior to evade detection.
  • Malware Attacks: Different types of malware such as keyloggers etc., are specifically created to collect and expose credentials. These are launched by an attacker through diverse ways and means to access needed information.
  • Phishing: Phishing is another form of committing ATO wherein victims are coaxed/convinced to share vital information they shouldn’t be sharing with a third party without due diligence. A typical phishing technique is sending emails that appear to be from a trusted source, which creates a sense of urgency so that users share information without thinking things through. Spear phishing is a subset of a phishing attack and is more targeted. In this case, the messaging will mention certain specifics that will be of interest to the recipient, increasing the chances of the attack succeeding.
  • Brute Force Attack: This hacking technique uses automated scripts expressly built to go through numerous password combinations and tries to freeze on the correct login credentials.

How to Identify Account Takeover?

From an end-user perspective, there are some tell-tale signs of account takeover. If the hacker has changed all account details, you won’t be able to log into the account. If the attacker has hacked into your email account, look for signs of suspicious activity in emails sent from your account to your contacts. There is also a chance that it is a multiple-account takeover wherein a single user has lost control of numerous accounts. If you are the user, you will realize that there are changes across various accounts, and you might receive multiple password change notifications. At the organizational level, tell-tale signs are high a higher than average level of login failures, many login attempts from a small number of IP addresses, often from locations where little or no business originates historically.

How To Prevent Account Takeover?

Account takeover prevention begins with recognizing the problem and its prevalence at both the user and organizational level. Users must be aware that their accounts are under threat and must take necessary steps to make it difficult for attackers to compromise your accounts. Some of the critical security measures that will help in your efforts include using a password manager to create and manage strong passwords, use two-factor authentication on your critical accounts, create security questions not easily uncovered from your social media profiles.

At an organizational level, detecting and mitigating automated threats targeting authentication infrastructure with ATOs is challenging, but the results of leaving applications or APIs undefended is known to negatively impact the business bottom line. A solution designed to stop account takeover attacks should deliver:

  • Simplicity of use and implementation: Today, you may achieve protection by redirecting to a Software-as-a-Service rather than a major installation. The software can protect apps smoothly without requiring JavaScript or mobile SDK integration.
  • High-efficacy prevention: Protecting against account takeover and related bot attacks means using a system stocked with useful countermeasures. Policies should reflect the latest threat intelligence, including data on the infrastructure threat actors are using in their automated attacks.
  • Customizable policies: While the mitigation policies that come with a security tool should be capable of defending important infrastructure, there should also be room for customization to reflect companies’ own leading themes.
  • Consistent protection for web, mobile and APIs: Companies that aren’t defending their APIs are leaving themselves vulnerable to major attack types, account takeover among them. Security tools should use no-client-integration methodologies to gain visibility and consistent policies across all apps and APIs.

Account Takeover Protection with Cequence Security

Considering the overwhelming popularity of API-based development, it’s likely that your organization already maintains numerous login APIs, with more to come over time. Protecting that potential attack surface is therefore a fundamental cybersecurity need that the Cequence Unified API Protection (UAP) solution addresses. The Cequence UAP goes beyond limited API security tools to address every phase of an organization’s API protection lifecycle.

  • First, organizations must discover their entire API attack surface, using both outside-in and inside-out methods to see what attackers will see. This includes finding shadow APIs, deprecated and outdated components and more potential risk factors.
  • Then, businesses need to employ real-time API threat detection methods to prevent all kinds of harmful traffic. Systems should be able to guard against both known threats and emerging threats, all according to customized rules.
  • Finally, as discussed above, IT security teams require comprehensive API threat prevention tools. These must be capable of providing customized and automated responses based on the type of harmful traffic detected, whether that means blocking, limiting, or even deceiving the attack.

Putting these API-focused advanced threat protection components together provides a more comprehensive approach to ATO defense than would be possible with a web of disconnected API security tools that only deal with parts of today’s varied threat environment.

See What Attackers See.
Get your free API security assessment and block attacks before they happen.

Free Assessment

Tony Bailey


Tony Bailey

Senior Director of Product Marketing

Additional Resources