
Complete Guide to Preventing Account Takeover


C O M P L E T E G U I D E T O P R E V E N T I N G A C C O U N T TA K E O V E R

Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

Online business’ latest foe: compromised accounts. . . . . . . . . . . . . . . . . . . . 4

More data breaches = more ATO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

How fraudsters get a hold of credentials. . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Why ATO is attractive to fraudsters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Damage done by ATO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Measuring the impact of ATO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Detecting and preventing ATO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Implementing smart ATO prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Sift Account Takeover Prevention. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

sift.com | © Sift. All rights reserved. [email protected] 2



Introduction
In December 2016, a Groupon user named Rachel casually checked her email and was shocked by what she found. A message in her inbox confirmed her successful order for an iPhone 6, bought using her Groupon account. But Rachel never made that order. Someone else had gained access to her account without her permission.

She—and a handful of other victims of account takeover (ATO) at the coupon site—soon took to social media to voice their frustration about the situation. And major news publications picked up the story, too.

Groupon is hardly the only brand—or the largest—to see their name in the headlines due to an ATO attack. Organizations ranging from Deliveroo to the UK National Lottery have suffered high-profile ATO attacks.

Some of the most well-known ATO cases involve celebrities and major social networks. Remember when Mark Zuckerberg had his Twitter, Pinterest, and LinkedIn accounts hacked (and the organization behind it claimed it was because the Facebook CEO was using insecure passwords that were easy to crack)? Or when Katy Perry had her Twitter account compromised? Or the NFL? The list goes on and on.

The brand damage done by ATO is palpable, immediate, and very visible to consumers. But before we go any further, let’s cover some basics: what exactly is ATO?




Online business’ latest foe: compromised accounts

ATO, also known as account compromise, is just what it sounds like: a bad actor getting access to a good user’s account. Once that access is achieved, the fraudster can use the account for all kinds of opportunistic and malicious ends. As part of the ATO, the fraudster may change the user’s password to lock them out, and change their email address so the good user doesn’t receive any additional communication about activity on their account.

How fraudsters profit from ATO

•• using up stored credits or rewards points

•• making high-value purchases

•• buying digital goods

•• scamming other users, phishing

•• creating fake listings

•• spamming

•• selling the credentials on the black market

•• extorting money from the legitimate account owner

•• assuming the identity of the real user

Any website or app where users have accounts is at risk of ATO. Criminals may target e-commerce sites, banks, gaming sites, marketplaces, social networking sites—any site where they can extract value from an account. The challenge for these businesses is to quickly and accurately detect fraudulent logins—protecting their users and their brand reputation—without getting in the way of their good users.

Like so many other types of fraud, ATO is increasingly committed at scale by bots, as well as manually. Hackers write scripts that test various combinations of stolen usernames plus potential passwords across multiple websites and apps, until they find a way in. These automated attacks (usually called credential stuffing, since the usernames and passwords come from earlier breaches rather than being guessed) help fraudsters move as quickly as possible and focus on maximizing the value of each successful ATO. Researchers at Shape Security found that criminals can have as much as a 2% success rate by using these automated attacks.

ATO in action
What does ATO look like? Here’s an example from a ticketing site. The fraudster accesses the account through hacked credentials bought on the dark web, changes the password so the real account holder can’t access it, adds a stolen credit card to the account and uses it to buy tickets, then creates listings to sell the tickets they just bought fraudulently.
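The 2% figure above is what makes credential stuffing visible in your own login logs: one source address walks through many different usernames, fails almost all of them, and still lands a few successes. Those successes are the takeovers. The detector below is an added example written for this guide, not Sift’s code; the log line format, the thresholds and the sample lines are all assumptions made for illustration. It groups attempts by source IP inside a sliding time window and reports any IP that touched many distinct accounts with a mostly-failing outcome, together with the accounts that were successfully logged into from it.

```python
"""Credential-stuffing detector run over constructed login-log lines.

Added example; this is not Sift's code. The log format, the thresholds and
the sample lines are assumptions made for illustration. Each line is:
    <ISO-8601 timestamp> ip=<source address> user=<username> result=<ok|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 walks a list of breached usernames and
# lands two hits in ten tries (the "2% success rate" pattern, compressed);
# 198.51.100.4 is one user mistyping her own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2024-03-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2024-03-01T10:00:02 ip=203.0.113.7 user=carol result=fail
2024-03-01T10:00:03 ip=203.0.113.7 user=dave result=ok
2024-03-01T10:00:04 ip=203.0.113.7 user=erin result=fail
2024-03-01T10:00:05 ip=203.0.113.7 user=frank result=fail
2024-03-01T10:00:06 ip=203.0.113.7 user=grace result=fail
2024-03-01T10:00:07 ip=203.0.113.7 user=heidi result=fail
2024-03-01T10:00:08 ip=203.0.113.7 user=ivan result=ok
2024-03-01T10:00:09 ip=203.0.113.7 user=judy result=fail
2024-03-01T10:05:00 ip=198.51.100.4 user=rachel result=fail
2024-03-01T10:05:20 ip=198.51.100.4 user=rachel result=fail
2024-03-01T10:05:45 ip=198.51.100.4 user=rachel result=ok
2024-03-01T11:00:00 ip=192.0.2.9 user=mallory result=ok
"""


def parse_line(line):
    """Parse one log line into (timestamp, ip, user, succeeded)."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return (datetime.fromisoformat(timestamp), fields["ip"],
            fields["user"], fields["result"] == "ok")


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, max_success_rate=0.5):
    """Flag source IPs that tried at least `min_users` distinct accounts inside
    any `window` with a mostly-failing outcome. Returns, per flagged IP, the
    largest burst size, the number of accounts touched and the accounts that
    were successfully logged into from that IP (the likely takeovers).
    One account failing repeatedly is deliberately NOT flagged here: that is a
    per-account lockout signal, not stuffing, and needs a different rule.
    Grouping by IP is only one axis: NAT can inflate a legitimate address
    (raise min_users) and stuffers rotate through proxies (also key on
    device fingerprint or ASN in production).
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event[1]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # tuples sort by timestamp first
        end = 0
        for start in range(len(events)):
            # Advance `end` so that events[start:end] all lie within the window.
            while end < len(events) and events[end][0] - events[start][0] <= window:
                end += 1
            burst = events[start:end]
            users = {e[2] for e in burst}
            success_count = sum(1 for e in burst if e[3])
            if len(users) >= min_users and success_count / len(burst) <= max_success_rate:
                rec = flagged.setdefault(ip, {"attempts": 0, "users": set(), "compromised": set()})
                rec["attempts"] = max(rec["attempts"], len(burst))
                rec["users"] |= users
                rec["compromised"] |= {e[2] for e in burst if e[3]}

    return {ip: {"attempts": r["attempts"],
                 "distinct_users": len(r["users"]),
                 "compromised": sorted(r["compromised"])}
            for ip, r in flagged.items()}


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the sample, only 203.0.113.7 is reported, with dave and ivan listed as compromised; rachel’s three attempts from 198.51.100.4 are a single-account failure pattern and are left to a per-account rule. The practical point is the last field: a successful login from an address that has just failed against a dozen other accounts deserves the same treatment as a failed one.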




More data breaches = more ATO

How did ATO gain such traction over the past few years? You need only look at the big cybersecurity headlines to get a clue. We’ve entered the era of the data breach.

The scale and sophistication of breaches is growing. 2016 brought us a revelation of the first billion-account breach at Yahoo. Some of the year’s other notorious breaches—and revelations of breaches—included social sites (LinkedIn, Dropbox, AdultFriendFinder), the government (U.S. Department of Justice, Internal Revenue Service), and universities (UC Berkeley, University of Central Florida). Some 554 million records were compromised in the first half of 2016 alone, according to the Gemalto Breach Index.

The downstream effect of more data breaches? A rise in ATO. Perhaps unsurprisingly, ATO is one of the fastest-growing forms of fraud and abuse. All of those credentials floating around on the black market lead to a rise in the number of individual sites like Groupon suffering ATO attacks. It’s becoming clear that a password—no matter how complex—is no longer sufficient to protect a user’s account.

By the numbers: 48% of online businesses observed a rise in ATO last year. $2.3b in losses from ATO in 2016, a 61% increase from the year before. (Sources: Information is Beautiful; Sift Digital Trust & Safety Survey, 2019)

How fraudsters get a hold of credentials
Data breaches are one fruitful source of personal information. Here are some other ways that criminals get their hands on users’ login credentials.

Phishing with fake websites
Have you ever received an email from a service you trust, but something seems a bit off—like the “from” field or a URL? A Gmail phishing scheme in early 2017 brought renewed attention to a form of cyberattack where criminals set up a website to look exactly like it belongs to a company someone’s familiar with—down to the fine print at the bottom of the page. Then, they email potential victims to try to get them to click on the link. Without carefully checking the site address, someone could easily give over their login details.

Malware, Trojans, spyware
Another danger of clicking on unknown links is malware. For example, following a malicious link can inadvertently download keyloggers that track what people are typing into login and password fields. A keylogger called iSpy was recently tracked by security researchers, who discovered it could access passwords stored in web browsers, record Skype chats, take screenshots and webcam captures, and steal software licenses.

Social engineering
In February 2016, the U.S. Department of Justice fell victim to a hacker posing as a new employee who was struggling to log in to the department’s online portal. He was given a temporary token that gave him full access to data including email addresses and credit card numbers.

Social engineering attacks like these use psychological tools to manipulate users into giving up confidential data. Criminals may call customer support and convince someone to give them access to a user’s account (especially if they know some personal info, like a Social Security number). Or they may send a phishing email to a company, carefully designed to look like it came from an executive at that business, asking someone to turn over sensitive information.

Hijacking a mobile device
The U.S. Federal Trade Commission reports an uptick in mobile phone hijacking, where a criminal gains access to a user’s mobile account. A thief can make use of a ton of sensitive information if they have access to a mobile phone, including payment credentials. And sophisticated fraudsters can also make use of a victim’s phone number to get two-factor authentication text messages that allow them to access bank accounts and other sensitive information.

Mining social media
Have you listed your hometown or high school on a public social media profile? If so, know that fraudsters who easily discover this information may use it to answer the “standard” security questions that some sites still rely on for password resets. Other common personally identifiable information that people list on social media includes birth dates, children’s names and birthdays, addresses, and phone numbers.

Why ATO is attractive to fraudsters
It’s no secret that people are moving more and more of their lives online. Increasingly, the internet is where people meet, date, engage on social issues, read news, and so much more. Websites and apps don’t just have access to one data point—for example, a credit card—they hold an entire digital identity.

Meanwhile, the fraud prevention community could be seen as a victim of its own success. As the industry gets better at detecting some types of fraud, criminals move on to an alternative method. For example, there’s already been ample evidence that EMV has been pushing fraud from physical credit cards to the online channel. But increased security measures like EMV may also be leading more criminals to try their hands at ATO. More online businesses are also beefing up their payment fraud detection capabilities, which further squeezes fraudsters’ revenue sources and causes them to look for alternative ways to make money.

As fraudsters look to monetize different forms of data, the price of non-payment-related account information has been driven higher and higher on the black market. Researchers in 2016 found that account credentials command more money on the dark web than payment information.

How much credentials are worth on the black market
(Chart; source: TrendMicro)

Let’s delve into a few more reasons why fraudsters are flocking to account data:

Built-in trust
New accounts are more likely to be flagged for fraud or given more scrutiny. Because the account already exists and is connected to a legitimate user, the fraudster is effectively camouflaged and more difficult to detect.

Richer data
Stolen identities or accounts are a richer form of data than credit card numbers—they can even be used to create new accounts.

Longer shelf life
Login credentials can typically be used for longer than credit card numbers. A consumer can easily cancel their card with a phone call, but it’s much harder to “cancel” all the accounts where they use their email address.

Businesses playing catchup
We already mentioned that the technology used to prevent fake accounts and credit card fraud is becoming more widely employed and more sophisticated. However, many websites are not yet set up to detect ATO. Fraudsters can do a lot of damage before they’re discovered.

New opportunities
Modern business models are introducing new ways for criminals to monetize the information they steal—like setting up fake Uber driver accounts and charging “phantom” rides to stolen accounts. Account ransoms using Bitcoin are also on the rise.

Lax password practices
Despite numerous warnings to not reuse passwords on multiple sites and apps, studies show that more than half of people do just that. Since so many people use the same username and password on multiple sites, one batch of compromised info could potentially unlock accounts all across the web.

Survey shows 59% of people reuse passwords on multiple sites, and only 8% of people use a password manager product. (Source: Password Boss)



Damage done by ATO

The damage done by ATO occurs on multiple fronts: negative PR, legal and compliance implications, a drop in the value of your customers, financial loss, and more. One of the more easily identifiable costs of ATO attacks is chargebacks. If a thief is using a legitimate user’s stored credit card information—or adding a compromised card number to a real user’s account—you’re on the hook for lost goods and chargeback fees.

As we saw earlier, being associated with ATO can also be disastrous to your company’s brand. Why? Accounts can feel very personal to users. Knowing that a fraudster had control of their account—and access to their personal information—can feel intrusive, and may raise concerns about your company’s security protocols. Unlike some other forms of fraud, ATO places the victim smack in the middle of disputes, which can cause confusion, doubt, and anger.

As an example of how an individual could be affected by a single ATO, imagine if you had your Facebook account taken over, but you didn’t immediately realize it. Your friends might contact you, asking you why you’re suddenly selling Ray-Ban sunglasses or posting obscene images. Maybe someone clicks on a rogue link that “you” posted, and their computer gets infected with a virus. Maybe the hacker deletes some of your photos, or changes your personal information. Who knows what private info they’ve been digging around in? It’s like someone broke into your house, messed everything up, and now you have to clean it up.

ATO may also be more difficult and costly for a consumer to resolve than other types of fraud. Think about it: if a consumer’s credit card number is stolen and used fraudulently, not only is the crime typically detected quickly by the issuer or merchant’s fraud detection system, but if the victim does discover a rogue transaction on their credit card statement they have zero liability for any purchases made.

With ATO, on the other hand, a consumer is more likely to discover fraudulent activity themselves. The victim may also encounter more customer support gray areas and delays when sorting out the problem. That’s because many online businesses are playing catchup when it comes to both detecting and handling ATO. It’s a new form of online criminal behavior that is growing rapidly and requires a new mindset to thwart.

Victims pay out of pocket
A single user pays an average of $263 out of pocket to resolve ATO. Collectively, victims spent 20.7 million hours to resolve ATO in 2016. (Source: Javelin Strategy & Research)



Measuring the impact of ATO
Apart from counting your company lucky for not being in the headlines, how do you measure whether ATO is a problem for your business? ATO can be harder to quantify than payment fraud. There aren’t always chargebacks involved. And as we mentioned earlier, losing customers’ trust and suffering brand damage are some of the most common—and serious—effects of ATO.

However, it is possible to put a price on lost user engagement with your site or app. We’ll walk you through a way to do this, based on calculating the lifetime value (LTV) of a user:

Collect active inputs
This bucket encompasses every complaint and reported ATO. You can find this information by asking Customer Support how many tickets, inbound phone calls, chats, and emails they’ve received that mention ATO. If you aren’t formally tracking this information, it’s a good idea to start now.

Collect passive inputs
But not every ATO victim proactively reports what happens to them. Some simply stop using a website or service, while others close their account altogether. One way to gauge passive ATO damage is to analyze all of the users who have deactivated their account. Do a post-mortem on a sample or each one (depending on volume), trying to determine whether they have suffered ATO.

Measure how ATO affects engagement
Once you have gathered both active and passive inputs, you can compare the LTV of an affected user to that of a normal user. For an e-commerce site, this value may be measured in terms of money spent. For a social site, it could be how often they visited or engaged on the platform.

Compare the delta between the ATO-affected user and the normal user. That will give you a sense of how ATO is affecting your business from a monetary perspective.




Detecting and preventing ATO

ATO prevention is becoming a priority for more online businesses that want to protect themselves and their valuable users. That brings us to the nitty-gritty: how do you tell the difference between a login from a legitimate user and one from a fraudster?

Behavioral clues
Many of the signs of ATO are contained in subtle behavioral patterns across all of a user’s activity. An effective ATO prevention tool is able to synthesize a range of activity and identify the anomalies. No single signal below proves a takeover; it is the combination, judged against that user’s own history, that matters. Here are some of the separate signals that may point to a potential ATO:

•• Login attempts from different devices and locations

•• Switching to older browsers and operating systems

•• Buying more than usual, buying higher priced items

•• Changing settings

•• Changing shipping addresses (especially just before ordering)

•• Changing passwords

•• Multiple failed login attempts

•• Unusual log out attempts. (It’s unusual for users to log out of certain services.)

•• Suspicious device configurations, like proxy or VPN setups
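The list above is only useful once each signal is compared against what is normal for that particular account. The following is an added example written for this guide, not Sift’s scoring model: it keeps a small per-user history (devices, countries, browser versions, logout habit, typical order value), fires one weighted signal per item in the list for a new login and for the actions taken afterwards, and sums them into a capped 0 to 100 score. The weights, the data shapes and the sample user are assumptions chosen for illustration; a real deployment would learn them from labeled logins.

```python
"""Score one login, and the session that follows it, against the account's own history.

Added example, not Sift's scoring model. The signal weights, the history
shape and the sample user are assumptions; each signal maps to one item in
the behavioral-clues list.
"""
from dataclasses import dataclass


@dataclass
class UserHistory:
    devices: set                # device identifiers seen on past logins
    countries: set              # countries seen on past logins
    browsers: set               # "family/major" strings seen, e.g. "chrome/122"
    usually_logs_out: bool      # does this user normally end sessions explicitly?
    typical_order_value: float  # median order value for this account


@dataclass
class LoginEvent:
    device_id: str
    country: str
    browser: str
    via_proxy: bool              # proxy, VPN or datacenter egress detected
    failed_attempts_before: int  # failures on this account just before this success
    logged_out_recently: bool    # a session was explicitly ended right before this login


def _major(browser):
    """'chrome/122.0' -> ('chrome', 122)."""
    family, _, version = browser.partition("/")
    return family, int(version.split(".")[0] or 0)


def login_signals(event, history):
    """Return {signal: weight} for every login-time signal that fires."""
    signals = {}
    if event.device_id not in history.devices:
        signals["new_device"] = 30
    if event.country not in history.countries:
        signals["new_location"] = 25
    family, version = _major(event.browser)
    seen = [_major(b)[1] for b in history.browsers if _major(b)[0] == family]
    if seen and version < min(seen):  # switch to an older browser than ever used
        signals["older_browser"] = 15
    if event.via_proxy:
        signals["proxy_or_vpn"] = 20
    if event.failed_attempts_before >= 3:
        signals["failed_attempts"] = min(40, 10 * event.failed_attempts_before)
    if event.logged_out_recently and not history.usually_logs_out:
        signals["unusual_logout"] = 10
    return signals


def session_signals(actions, history):
    """Post-login signals. `actions` is the ordered list of (name, value) pairs
    taken after login, e.g. ("change_shipping_address", None) or ("order", 1200.0)."""
    signals = {}
    names = [name for name, _ in actions]
    if "change_password" in names or "change_email" in names:
        signals["credential_change"] = 20      # lock-out move described earlier
    elif any(n.startswith("change_") for n in names):
        signals["settings_change"] = 10
    for i, (name, value) in enumerate(actions):
        if name == "order":
            if value > 3 * history.typical_order_value:
                signals["outsized_order"] = 20
            if "change_shipping_address" in names[:i]:  # address changed just before ordering
                signals["address_change_before_order"] = 25
    return signals


def risk_score(event, history, actions=()):
    """0..100: login-time and session signals summed, then capped."""
    total = sum(login_signals(event, history).values())
    total += sum(session_signals(list(actions), history).values())
    return min(100, total)


# Constructed sample: Rachel always logs in from one laptop in GB on a current Chrome.
RACHEL = UserHistory(devices={"laptop-7f3a"}, countries={"GB"}, browsers={"chrome/122"},
                     usually_logs_out=False, typical_order_value=40.0)
NORMAL_LOGIN = LoginEvent("laptop-7f3a", "GB", "chrome/122", False, 0, False)
SUSPECT_LOGIN = LoginEvent("pc-91c0", "NG", "chrome/96", True, 4, False)
SUSPECT_ACTIONS = [("change_email", None), ("change_shipping_address", None), ("order", 1200.0)]

if __name__ == "__main__":
    print(risk_score(NORMAL_LOGIN, RACHEL))                    # 0
    print(login_signals(SUSPECT_LOGIN, RACHEL))
    print(session_signals(SUSPECT_ACTIONS, RACHEL))
    print(risk_score(SUSPECT_LOGIN, RACHEL, SUSPECT_ACTIONS))  # 100
```

For Rachel’s usual laptop the score is 0; the same account arriving from an unknown PC in a new country, on an older Chrome, through a proxy, after four failed attempts, and then changing the email and shipping address before a large order, saturates the scale. A new tablet from her home country alone scores 30, which is the kind of mid-range result the next section turns into a light challenge rather than a block.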





Implementing smart ATO prevention


When seeking to protect users’ accounts, many online businesses may introduce security checks like 2-factor authentication,
email links, SMS codes, captchas, and even phone calls. When used selectively and intelligently, these checks can be
a powerful tactic to prevent ATO. However, when used over-aggressively, they can be extremely disruptive to the user
experience. The key, as with any type of fraud prevention, is to get as close as possible to the ideal balance that minimizes
risk from bad users while also minimizing friction for good users. But how do you achieve that balance?

Dynamically adjusting the login experience


If you’re using a tool that can provide a risk score, you can dynamically adjust the login experience for risky users. For
example, if a user’s score is low, then you can remove all friction so they can easily sign in and keep engaging on your
platform without being bothered with captchas or codes. On the other hand, if the score is high, you have the option of
adding authentication steps to ensure that the user is really who they say they are. You could, for example:

•• Email or text the user a one-time passcode to enter after login to confirm their identity.

•• Email or text an account link that the user can click to approve the new login from a new device.

•• Email or text the user a notification of a login from a new device so that they can be aware in case it’s not them.

•• Limit a user’s account actions (e.g., no updating password, no placing orders) until the user logs in again from a trusted device or location.

•• Have the user complete a CAPTCHA or image identification.

You could choose to use a combination of the methods above to provide different levels of friction, based on the amount of risk. Two caveats apply. Codes and links sent by SMS inherit the phone-hijacking weakness described earlier, so reserve them for lower-risk cases or offer an authenticator app as the stronger option. And because a fraudster’s first move is often to change the account’s email address or phone number, send new-login notifications to the contact details that were on file before any change made in the current session. When applied appropriately and intelligently, these authentication steps not only minimize your risk, but could even increase users’ trust in your site’s security, and by extension their trust in your product or service. You’ve got their back.
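What the balance above looks like in code is a small policy that takes the risk score and one fact about the device (has it completed a step-up before?) and returns the challenges to run plus whether sensitive actions are frozen. The example below is added for this guide and is not Sift’s product logic; the thresholds, the challenge names, the set of restricted actions and the in-memory device registry are assumptions. It includes the “limit account actions until a trusted-device login” option from the list, which most write-ups describe but rarely show.

```python
"""Risk-based step-up policy: map a login risk score and device trust to the
friction options listed above.

Added example, not Sift's product logic. Thresholds, challenge names, the
restricted-action set and the in-memory device registry are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Challenge(Enum):
    NONE = "none"
    NOTIFY = "notify_new_device"   # passive: tell the user, add no friction
    CAPTCHA = "captcha"
    OTP = "one_time_passcode"      # code via email, authenticator app or (weaker) SMS
    APPROVE_LINK = "approve_link"  # user confirms the new device from an emailed link


# Actions frozen after a high-risk login until the user returns on a trusted device.
SENSITIVE_ACTIONS = {"change_password", "change_email", "add_payment_method", "place_order"}


@dataclass
class Decision:
    challenges: list
    restrict_sensitive: bool
    reason: str


def decide(score, device_trusted, low=30, high=70):
    """High risk: strong step-up and freeze sensitive actions, trusted device or not.
    Otherwise a trusted device gets no friction; an unknown device gets a notice
    at low risk and one cheap check at medium risk."""
    if score >= high:
        return Decision([Challenge.OTP, Challenge.APPROVE_LINK], True, "high risk")
    if device_trusted:
        return Decision([Challenge.NONE], False, "trusted device, not high risk")
    if score < low:
        return Decision([Challenge.NOTIFY], False, "low risk on a new device")
    return Decision([Challenge.CAPTCHA, Challenge.NOTIFY], False, "medium risk on a new device")


class AccountGuard:
    """Tracks trusted devices and frozen accounts; one instance per service."""

    def __init__(self):
        self.trusted = {}    # user -> set of device ids that completed a step-up
        self.frozen = set()  # users whose sensitive actions are currently blocked

    def is_trusted(self, user, device_id):
        return device_id in self.trusted.get(user, set())

    def login(self, user, device_id, score):
        decision = decide(score, self.is_trusted(user, device_id))
        if decision.restrict_sensitive:
            self.frozen.add(user)
        elif self.is_trusted(user, device_id):
            self.frozen.discard(user)  # back on a trusted device: lift the freeze
        return decision

    def step_up_passed(self, user, device_id):
        """Call once the OTP / approve-link challenge succeeds; the device becomes trusted.
        Deliver that challenge to the contact details on file BEFORE this session's
        changes, or an attacker who swapped the email address approves himself."""
        self.trusted.setdefault(user, set()).add(device_id)
        self.frozen.discard(user)

    def may_perform(self, user, action):
        return not (user in self.frozen and action in SENSITIVE_ACTIONS)


def walkthrough():
    """Constructed scenario: a known laptop, then a high-risk login from an unknown PC."""
    guard = AccountGuard()
    guard.step_up_passed("rachel", "laptop-7f3a")           # enrolled on an earlier visit
    first = guard.login("rachel", "laptop-7f3a", score=10)  # no friction
    attack = guard.login("rachel", "pc-91c0", score=95)     # step-up and freeze
    order_blocked = not guard.may_perform("rachel", "place_order")
    browse_allowed = guard.may_perform("rachel", "view_order_history")
    back = guard.login("rachel", "laptop-7f3a", score=10)   # trusted device lifts the freeze
    order_after = guard.may_perform("rachel", "place_order")
    return first, attack, order_blocked, browse_allowed, back, order_after


if __name__ == "__main__":
    for item in walkthrough():
        print(item)
```

In the walkthrough the known laptop sails through, the unknown PC at score 95 gets both strong challenges and cannot place orders or change credentials, read-only actions keep working, and the freeze lifts the moment the real user logs in again from the trusted laptop. The `high` branch is checked before the trust check on purpose: a trusted device with a saturated score is exactly the malware-on-the-victim’s-machine case from the credentials section.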




Sift Account Takeover Prevention
Sift Account Takeover Prevention was designed to help businesses achieve a perfect balance of strong fraud defenses and an excellent user experience. ATO Prevention uses machine learning and advanced behavioral analysis to keep bad actors from accessing legitimate users’ accounts, while guaranteeing as little interruption to the login process as possible.

Fewer account takeovers: Stop illegitimate account access and malicious activity on trusted user accounts.

Better user experience: Reduce login friction for valid users, making account access simple yet secure.

Chargeback prevention: Prevent fraudulent transactions and incurred chargeback fees by stopping account hacking before it begins, so you can resolve issues with confidence.

How Sift ATO Prevention works
With a simple integration, we’ll be able to ingest and analyze your users’ behavior, and then compare that behavior with patterns of good and bad behavior on your site and across our network. Then, each time someone logs in, we’ll return an ATO risk score in real time—so you can instantly identify risky users and dynamically alter their login experience.

To calculate a score, our technology looks at a range of potential ATO signals, such as:

•• user browsing patterns

•• network and IP data

•• location history

•• device information

We also leverage years of data we’ve already collected across our vast customer network of more than 6,000 sites and apps.

Conclusion
In this new world of ongoing data breaches, sophisticated phishing attacks, and personal information changing hands on the dark web, all online businesses must come to terms with their vulnerability to ATO.

No company wants to be the next brand making headlines for the wrong reasons, with users publicly complaining that their accounts were hacked, their personal information compromised, their lives inconvenienced. However, with the proper tools and guidance you can not only protect your business, but also enhance the overall user experience. You can not only avoid brand damage, but build long-term brand loyalty.

