An account takeover (ATO) attack occurs when cybercriminals gain unauthorized control of an online account using stolen or guessed credentials, typically a username-and-password pair. Bank, e-commerce, and other financial accounts are the usual targets because they offer the attacker direct monetary gain, which is why ATO attacks are considered a form of identity theft.
You can liken an ATO attack to a physical theft where the thieves get hold of your credit cards, ATM cards, and IDs. They can use the stolen credit cards and IDs to purchase goods online or empty your bank accounts before you can report them stolen.
Ever wondered where all the phished or breached credentials hackers get their hands on end up? They are usually pooled together and sold in underground forums and on the Dark Web to anyone willing to pay. These data sets are the raw material for ATO attacks: the buyer replays them against other sites in the hope that the owners reused their passwords.
A recent Dark Web audit revealed that 15 billion stolen login credentials from around 100,000 breaches are currently up for sale.
Steps Taken in an ATO Attack
An ATO attack typically involves three steps:
- Data breach: Cybercriminals compromise a target network or system and obtain the credentials stored on it. Well-run sites store only password hashes, so the attackers then have to crack those offline; poorly run sites hand over the passwords in the clear.
- Credential purchase: ATO attackers buy the stolen credentials on the Dark Web. Some instead rely on do-it-yourself (DIY) tactics, guessing passwords for target accounts via dictionary attacks or trying one common password across many accounts (password spraying).
- Account hacking: The attackers test the credentials against the target service, a technique known as credential stuffing, and lock the real owners out by changing the passwords, typically before the accounts are reported as hacked. They then choose among three options: siphon money out of the victims’ bank accounts into their own, max out the stolen credit cards, or resell the validated credentials on the Dark Web. Goods bought with the stolen cards are resold, often at much lower prices, to attract buyers.
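The third step looks distinctive in a service’s authentication logs, which is how defenders catch it. The following Python script is an added example written for this page, not code from the original article or from any vendor: it parses a constructed sample log (the line format, IP addresses and usernames are made up for the example) and flags a source that tries many different usernames, the signature of credential stuffing, while a single user fumbling their own password is left alone. The thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (illustrative, not from any real system):
# one line per login attempt. 203.0.113.7 replays a bought list against ten
# different accounts; 198.51.100.4 is one user mistyping their own password.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:01Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=dave result=SUCCESS
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=grace result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=heidi result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.7 user=ivan result=SUCCESS
2024-05-01T10:00:06Z ip=203.0.113.7 user=judy result=FAIL
2024-05-01T10:01:00Z ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:01:05Z ip=198.51.100.4 user=alice result=FAIL
2024-05-01T10:01:09Z ip=198.51.100.4 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)")


def parse_attempts(log_text):
    """Yield (ip, user, success) for every line that matches the expected format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "SUCCESS"


def find_credential_stuffing(log_text, min_attempts=10, min_distinct_ratio=0.8):
    """Flag source IPs whose traffic looks like a replay of a stolen credential list.

    Heuristic (thresholds are assumptions of this example): an attacker testing a
    bought list hits many *different* usernames from one source, fails on most of
    them and succeeds on the few whose owners reused a password. A single user who
    forgot a password hits one account a handful of times and is never flagged.
    Returns {ip: {...}} including the accounts that logged in successfully from a
    flagged source; those are the likely takeovers to reset and notify.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0, "hits": []})
    for ip, user, ok in parse_attempts(log_text):
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].append(user)
        else:
            s["fails"] += 1

    findings = {}
    for ip, s in per_ip.items():
        if s["attempts"] < min_attempts:
            continue
        if len(s["users"]) / s["attempts"] >= min_distinct_ratio:
            findings[ip] = {
                "verdict": "credential_stuffing",
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_rate": s["fails"] / s["attempts"],
                "accounts_to_reset": sorted(s["hits"]),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

The successful logins from the flagged source are the important output: the attacker now holds working credentials for those accounts, so the response is a forced password reset and an owner notification, not just a block on the IP.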
Ways to Avoid Becoming an ATO Attack Victim
The simplest way to protect against an ATO attack is to use a strong password that is unique to each account, so that a breach at one site cannot be replayed against the others, but there are other measures as well.
Use Strong Passwords
Websites typically suggest strong passwords that you can use for your accounts. It may be a good idea to use them, or to create something like them, when signing up for a service. Do not use common words or word patterns like “ILoveDogs” or a variation of your name; attackers feed “dictionary” words and their usual variations into guessing tools and find such passwords quickly. Never reuse a password across sites, and change a password as soon as you learn it was exposed in a breach. Forced changes on a fixed schedule, by contrast, tend to produce predictable variations of the old password, which is why NIST no longer recommends them.
Apply Updates Regularly
Software and hardware vendors release patches for a reason. Failing to update and patch applications and devices can leave vulnerabilities open to hackers.
Use Anti-malware Solutions and Firewalls
Anti-malware solutions and firewalls help keep your devices from being compromised. That matters for ATO because information-stealing malware specifically harvests the usernames and passwords saved in your browsers and hands them to the attacker.
Use Multifactor Authentication
Most banks employ two-factor or multifactor authentication, which usually means an e-mail or text-message code on top of the password to confirm a user’s identity. That way, even if hackers have your username-password combination, they still need access to your mailbox or mobile device to get into your account. Choose the option wherever it is offered. Where you have a choice of second factor, prefer an authenticator app or a hardware security key over SMS: text-message codes can be intercepted through SIM-swap fraud or phished along with the password, whereas a hardware key bound to the site’s origin cannot be phished.
Use a Password Management Tool
A password management tool generates strong, unique passwords and stores them in an encrypted vault, so you only have to remember one master passphrase and can stop reusing passwords across sites. Many also store multifactor codes, flag saved passwords that have appeared in breaches, and make resetting a password quick, all of which improve account protection.
Set Password Requirements
If you run your own website with payment capability, ensure that your customers set strong passwords. That way, even if your company succumbs to a breach, the stolen credentials will be harder to crack and less likely to work elsewhere. Follow the password requirements set by the National Institute of Standards and Technology (NIST) in Special Publication 800-63B:
- Require at least eight characters and accept passwords of at least 64 characters, including spaces and Unicode. Do not impose composition rules (such as mandatory special characters); NIST explicitly advises against them because they yield predictable patterns.
- Reject passwords made of repetitive or sequential characters, such as “aaaaaaaa” or “12345678”.
- Reject context-specific words (the site name, the username) and commonly used passwords, such as those cited in this post.
- Screen users’ passwords against lists of compromised ones, and require a change only when there is evidence of compromise rather than on a fixed schedule.
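The checks above fit in a few dozen lines. The Python below is an added example written for this page (not code from the original article or from NIST): it takes a candidate password and returns the reasons SP 800-63B would reject it, and deliberately contains no composition rule. The breach corpus is a constructed set of a few hashed passwords standing in for a real dump; the four-character sequential run and the 128-character cap are this example’s assumptions.

```python
import hashlib
import re

# Constructed breach corpus for the example (a real deployment uses a large list
# such as a Pwned Passwords dump). Stored as upper-case SHA-1 hex, the format
# such dumps use, so the check never needs the plaintext list in memory.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "ILoveDogs", "Password1!")
}

MIN_LENGTH = 8     # SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 128   # SP 800-63B says accept at least 64; this cap is an assumption


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent characters ascend or descend by one, e.g. 'abcd' or '4321'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {b - a for a, b in zip(codes[i:i + run], codes[i + 1:i + run])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def is_breached(pw: str) -> bool:
    """Compare the SHA-1 of the candidate against the corpus.

    With the Pwned Passwords range API you would send only the first 5 hex
    characters and match the remaining 35 locally (k-anonymity); here the whole
    corpus is local, so the full hash is compared directly.
    """
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1


def check_password(pw: str, username: str = "", site: str = "") -> list:
    """Return the reasons a candidate password must be rejected; [] means accept.

    Deliberately absent, per SP 800-63B: composition rules (no "one symbol, one
    digit" requirement), password hints, and scheduled expiry. Length counts
    Unicode code points and spaces are allowed, so passphrases pass.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if re.search(r"(.)\1{3,}", pw):
        reasons.append("a character repeated four or more times")
    if has_sequential_run(pw):
        reasons.append("a sequential run such as 'abcd' or '1234'")
    lowered = pw.lower()
    for label, word in (("username", username), ("site name", site)):
        stem = word.lower().split("@")[0]   # local part when the login is an e-mail
        if len(stem) >= 3 and (stem in lowered or stem[::-1] in lowered):
            reasons.append(f"contains the {label}")
    if is_breached(pw):
        reasons.append("appears in a breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("ILoveDogs", "alice2024!", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, username="alice@example.com", site="shop"))
```

Return a list rather than a boolean so the sign-up form can tell the user exactly what to fix; a bare "password rejected" pushes people toward appending a digit to the same weak word.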
Set Security Rules
To add another layer of protection against hacking on your e-commerce site, allow users only a fixed number of login attempts. Temporarily lock an account that keeps failing until its owner has been informed and asked to change the password; keep the lock temporary, because a permanent one lets an attacker lock legitimate customers out simply by sending wrong passwords. Count failures per source IP address as well as per account, since credential stuffing spreads its attempts across many accounts and rarely trips a per-account limit. Block IP addresses that are known to be malicious, bearing in mind that addresses shared through carrier-grade NAT will catch innocent users too. CAPTCHAs can also help you slow down automated bot logins.
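Here is how the rules in this section fit together in code. The class below is an added example for this page, not code from the original article or from any commerce platform: it enforces a temporary per-account lockout with an owner notification, a per-IP limit that catches credential stuffing even when every account sees only one failure, a static denylist, and a CAPTCHA step before a hard block. All thresholds, the 15-minute window and the IP addresses in the demo are assumptions of the example.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Throttle logins per account and per source IP using sliding windows.

    Policy (every number here is an assumption to tune for your site):
      * per_account failures within `window` seconds -> account locked for
        `lockout` seconds and the owner queued for a "please reset" notice.
      * per_ip failures within `window` seconds -> source IP refused; this is
        what stops credential stuffing, where each account fails only once.
      * captcha_after failures from one IP -> allowed, but a CAPTCHA is demanded.
      * IPs on the static denylist are refused outright.
    Failures expire on their own, so a lock or block is never permanent and an
    attacker cannot lock a customer out indefinitely by spamming wrong passwords.
    """

    def __init__(self, denylist=(), per_account=5, per_ip=30, captcha_after=3,
                 window=900, lockout=900):
        self.denylist = set(denylist)
        self.per_account = per_account
        self.per_ip = per_ip
        self.captcha_after = captcha_after
        self.window = window
        self.lockout = lockout
        self.account_fails = defaultdict(deque)   # user -> timestamps of recent failures
        self.ip_fails = defaultdict(deque)        # ip   -> timestamps of recent failures
        self.locked_until = {}                    # user -> time the lock expires
        self.notify_queue = []                    # owners to tell about the lock

    def _recent(self, dq, now):
        """Drop timestamps outside the window and return how many remain."""
        while dq and now - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def check(self, username, ip, now=None):
        """Decide before verifying the password. Returns (allowed, reason)."""
        now = time.time() if now is None else now
        if ip in self.denylist:
            return False, "source IP is on the denylist"
        ip_count = self._recent(self.ip_fails[ip], now)
        if ip_count >= self.per_ip:
            return False, "source IP blocked for excessive failures"
        if self.locked_until.get(username, 0) > now:
            return False, "account locked"
        if ip_count >= self.captcha_after:
            return True, "captcha required"
        return True, "ok"

    def record_failure(self, username, ip, now=None):
        now = time.time() if now is None else now
        self.ip_fails[ip].append(now)
        dq = self.account_fails[username]
        dq.append(now)
        if self._recent(dq, now) >= self.per_account:
            self.locked_until[username] = now + self.lockout
            self.notify_queue.append(username)
            dq.clear()  # the lock now carries the state; start counting afresh

    def record_success(self, username, ip, now=None):
        self.account_fails.pop(username, None)


if __name__ == "__main__":
    # Constructed demo: a list replay from 203.0.113.7 against 30 different accounts.
    g = LoginGuard(denylist={"192.0.2.66"})
    for i in range(30):
        g.record_failure(f"user{i}", "203.0.113.7", now=100 + i)
    print(g.check("user31", "203.0.113.7", now=130))
```

Check the limits before the password comparison, not after: otherwise every blocked attempt still costs you a hash computation, and the attacker learns which usernames exist from the timing difference.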
ATO attacks are a real and present threat. In fact, the number of ATO attacks increased by 282% between the second quarter of 2019 and the second quarter of 2020. Given that, users (individuals and businesses alike) would do well to protect against them.