Secure Together: ATO Defense for Businesses and Consumers

Discover how businesses and consumers can collaborate to fight the double threat of account takeover.

November 9, 2023


Discover the essential strategies businesses and consumers can employ to fight account takeover (ATO). Sanjay Bhakta and Nitanshu Upadhyay from Centific share insights on proactive measures for safeguarding against this growing threat.

Cheryl is a hard-working nurse at a hospital whose life is about to be upended in the blink of an eye. She begins her day as usual, heading to work early in the morning. During a brief break, she decides to look up the balance of her checking account. As she opens her mobile banking app, she notices several large purchases and alarming money transfers that she does not recognize. The transactions are in different parts of the country she has yet to visit. Some are even international. Her account is being overdrawn, and her bank is tapping into her overdraft protection to cover the withdrawn amounts. 

Panic overtakes Cheryl. Her hands tremble as she grips her mobile phone and reviews the transactions again. No, these are not her transactions. Someone has taken over her finances. 

Welcome to the world of account takeover (ATO) – a personal violation of consumers and businesses with enormous consequences. By the time Cheryl resolves the problem, she will have experienced unbelievable stress. This breach will not only affect her financially, but it will also stir concerns about her personal and sensitive information being exposed. She will quite rightfully worry about the potential repercussions, including identity theft, damage to her credit score, and loss of her money. Businesses she works with will also be affected. Her employer must update her payroll data (because her direct deposit information could have been compromised). Numerous businesses, including her bank, could face financial losses and disruption as well.

Cheryl is not alone. 22% of U.S. adults, or 24 million households, have been victims of an account takeover. According to Javelin Research, identity account takeover losses in 2021 increased by 90% over the previous year to an estimated $11.4 billion. ATO also hurts businesses dearly in other areas, such as eroding customer loyalty and trust.

But neither businesses nor consumers are at the mercy of fraudsters. Both can protect themselves through proactive collaboration.

What is ATO?

Fighting ATO starts with understanding what it is and what it is not. ATO refers to unauthorized access to user accounts and passwords by fraudsters, who gain control of account data for financial gain. It’s one of the biggest fraud threats facing everyone today. But ATO is not to be confused with identity theft. ATO technically involves a bad actor hijacking an account that belongs to someone else. Identity theft is opening a new account with someone’s stolen identity information. Account takeovers can happen to both corporations and individuals. Identity theft typically occurs only to individuals.

Account takeovers can occur in various forms, usually depending on the fraudster’s objectives and the type of account in question. We won’t attempt to discuss them all here, but some of the better-known types consist of:

  1. Credential stuffing: fraudsters use stolen or leaked usernames and passwords (often obtained from previous data breaches) to get access to multiple user accounts. With this type of ATO, fraudsters rely on the fact that people often reuse passwords across different platforms.
  2. Phishing: this involves tricking individuals into providing sensitive information (like login credentials) by pretending to be a trustworthy entity, often through email, text, or fake websites designed to mimic legitimate ones.
  3. Social engineering: techniques are used to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. The recent devastating malware attack on MGM Resorts (technically a ransomware attack) relied on social engineering to breach MGM’s systems.
  4. Brute force attacks: attackers use software to try many password combinations until the correct one is found, allowing them access to the account.
  5. Malware: malicious software is installed on a victim’s device without their knowledge, which then records and sends their sensitive data to the fraudster. Keyloggers, for example, can record keystrokes and capture passwords and other sensitive information.
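
The first and fourth items above look different in an authentication log: credential stuffing sprays many usernames from one source, usually one guess each, while brute force hammers a single account with many guesses. The following is an added example, not code from the article or from Centific, showing how a defender can tell the two apart over a handful of constructed log lines and then pick out the accounts that need to be locked or stepped up first. The log format, field names, thresholds and RFC 5737 documentation addresses are all assumptions chosen for illustration.

```python
"""Separate credential stuffing from brute force in authentication logs.

Added example for illustration; the log format, field names and thresholds
are assumptions, not a product's or Centific's format.
"""
import re
from collections import defaultdict

# Constructed sample: one source spraying many usernames (credential stuffing),
# one source hammering a single account (brute force), and one ordinary user
# who mistyped a password once. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2023-11-09T08:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-11-09T08:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-11-09T08:00:02Z ip=203.0.113.5 user=carol result=FAIL
2023-11-09T08:00:03Z ip=203.0.113.5 user=dave result=FAIL
2023-11-09T08:00:03Z ip=203.0.113.5 user=erin result=OK
2023-11-09T08:00:04Z ip=203.0.113.5 user=frank result=FAIL
2023-11-09T08:00:04Z ip=203.0.113.5 user=grace result=FAIL
2023-11-09T08:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2023-11-09T08:00:05Z ip=203.0.113.5 user=ivan result=FAIL
2023-11-09T08:00:06Z ip=203.0.113.5 user=judy result=FAIL
2023-11-09T08:01:00Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:01Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:02Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:03Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:04Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:05Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:06Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:07Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:08Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:09Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:10Z ip=198.51.100.7 user=cheryl result=FAIL
2023-11-09T08:01:11Z ip=198.51.100.7 user=cheryl result=OK
2023-11-09T08:05:00Z ip=192.0.2.10 user=peggy result=FAIL
2023-11-09T08:05:30Z ip=192.0.2.10 user=peggy result=OK
this line is not an auth event and is skipped by the parser
"""

# Assumed line shape: "<timestamp> ip=<addr> user=<name> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return a list of (ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ip"], m["user"], m["result"] == "OK"))
    return events


def classify_sources(events, min_attempts=8, stuffing_min_users=5, fail_ratio=0.8):
    """Label each source IP as normal, credential_stuffing or brute_force.

    A source is suspicious when it makes at least `min_attempts` attempts and
    most of them fail. Many distinct usernames from that source means the
    attacker is replaying leaked credential pairs (stuffing); a single target
    username means password guessing (brute force). Thresholds are illustrative.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if not ok:
            stats["fails"] += 1

    verdicts = {}
    for ip, stats in per_ip.items():
        if stats["attempts"] < min_attempts:
            verdicts[ip] = "normal"
        elif stats["fails"] / stats["attempts"] < fail_ratio:
            verdicts[ip] = "normal"
        elif len(stats["users"]) >= stuffing_min_users:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "brute_force"
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that authenticated successfully from a flagged source.

    These are the sessions to terminate and the users to force through a
    second factor and password reset before any money moves.
    """
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip) != "normal"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    verdict = classify_sources(evts)
    for ip, label in sorted(verdict.items()):
        print(f"{ip:<14} {label}")
    print("step-up / lock first:", compromised_accounts(evts, verdict))
```

The split by distinct-username count is the important part: a stuffing source succeeds against roughly as many accounts as reused passwords allow, so a single successful login in a sea of failures from the same source is the signal to act on, not noise to discard.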

Unfortunately, the rise of AI makes these forms of ATO harder to stop. For instance, AI can craft more convincing phishing emails by analyzing and mimicking the writing style of legitimate entities or specific individuals. This makes the phishing attempt more believable and increases the chances that the victim will divulge sensitive information.

These attack techniques are used for many forms of hacking beyond ATO. But because they are well known in the fraud prevention industry, both businesses and individuals have access to readily available security measures that counter them.

How Businesses Can Fight ATO

Both businesses and consumers can fight ATO by being proactive and accepting that this requires an ongoing effort – not a one-shot solution.

First off, businesses need to take the lead in forming a stronger partnership with their customers. This means educating both customers and employees on proper security measures. Websites that operate user accounts for individuals and corporations are a favorite target of swindlers intent on ATO. We mentioned above that phishing is a common tactic. It’s imperative to keep reminding customers and employees about online security threats like phishing, including how phishing attempts trick people and how to avoid being caught. Adopt a vigilant stance on security by ingraining robust preventive protocols, including routine password updates and guidelines for safeguarding user credentials.

For example, in 2017, Equifax was the victim of a massive data breach that exposed the personal information of more than 147 million Americans. After the breach, Equifax launched a comprehensive educational campaign to teach its customers about account security and how to protect themselves from fraud.

Training does not end there. The MGM Resorts cyberattack we cited above also involved a fraudster tricking a customer support help desk. Businesses must train their staff on how to stop these attempted breaches — for example, by knowing how to ask questions that only a legitimate account holder could know the answer to.

We recommend that businesses launch a proactive awareness program about social engineering that informs consumers – via texts, email, or a notice in their monthly statement – with alerts and notifications designed to educate them about ATO tactics. Offer your customers the option to opt in and receive them. This ensures a recurring educational program rather than a one-time training.

What else? Plenty! Going hand in hand with education, businesses need to implement security measures designed to help prevent unauthorized access. They include – and this is not an exhaustive list:

  1. Accumulate verifiable customer information, including confirmed IP addresses and personal biometric details, among other data points: For enhanced security during trusted sessions, businesses might consider deploying mechanisms like one-time passwords (OTPs) or challenge-response protocols.
  2. Introduce additional verification steps: Incorporating multi-factor authentication offers a reinforced shield against unauthorized entries. Users may be required to amalgamate knowledge-based information (like passwords or PINs), possession-based items (such as mobile devices or tokens), and inherent characteristics (including fingerprints or facial recognition). Enhancing the verification process mitigates the risk of unauthorized access even as scammers employ increasingly advanced techniques.
  3. Keep abreast of the evolving toolkit that scammers deploy for account breaches: With fraudsters constantly refining their strategies, utilizing technologies like AI, machine learning, and deepfakes to breach defenses, businesses must respond with agility, adopting innovative technologies promptly.
  4. Adopt measures to thwart bots: Employing tools like reCAPTCHA or alternative bot mitigation strategies will complicate efforts by malicious actors to infiltrate and seize control of customer accounts. Implement bot mitigation protocols, especially when there’s a spike in the number of validated transactions, signaling potential automated attack attempts.

How Consumers Can Fight ATO

Consumers aren’t going to like this, but on top of their increasingly busy lives, they’re going to need to take some measures to fight ATO constantly. It’s tempting to ask, “Who has time?” but trust me – you don’t want to experience what Cheryl, in my example above, endured. Here are some recommended steps:

  1. Get educated. When an employer or your bank offers you security training, take it. Better yet, ask your bank what resources it has to keep you up to date. Here again, we bring up phishing because it’s such a commonly used tactic. Yes, most of us know by now to be wary of unsolicited communications asking for personal information. But that’s basic stuff. You have no idea how sophisticated phishing attacks can be until you ask your bank for insight.
  2. Consider subscribing to credit monitoring services that alert you to changes in your credit report, which may indicate identity theft or fraud.
  3. Opt out of your data being shared. Many consumers don’t do this. You should, though. It adds a layer of protection by making it less likely that your personal information is floating around and being used by different parties.
  4. Install and update antivirus and anti-malware software on your devices to provide a basic level of protection against malicious software.
  5. Stay up to date. Always use the most up-to-date version of your web browser, and continuously update your operating system, primarily to ensure that security patches are applied. Software updates exist for a reason. Take them seriously. And while we’re at it, businesses need to stay up to date, too, by being careful not to support outdated browsers.
  6. Set and update account recovery options, including security questions and alternative contact details, to regain access if locked out.
  7. Avoid easily guessable passwords, and don’t use the same one on all your sites. You hear this all the time, right? However, many consumers continue to ignore this advice. Don’t. Fraudsters will always look for the easy way to take over your account, just like a thief who searches a neighborhood for houses with unlocked doors. 
  8. Enable two-factor authentication wherever possible. Doing so adds an extra layer of security by requiring a second form of identification beyond just a password. Does two-factor authentication create more work logging into an account? Yes. But consider this: it also takes a bit more effort to lock and unlock the doors of your house when you exit and return. Protecting yourself is worth the effort.

We’ve only scratched the surface here, but we want to give all readers a sense of the baseline steps required to protect yourself and your business. Bottom line: fighting ATO needs a one-two punch between businesses and consumers.

How do you protect your accounts? Why is ATO on the rise? Let us know on Facebook, X, and LinkedIn. We’d love to hear from you!


Nitanshu Upadhyay

Business Solutions Consultant, Centific

Nitanshu Upadhyay is a Business Solutions Consultant at Centific with expertise in innovative strategies, solution consulting, digital transformation, and market research. Nitanshu is dedicated to helping clients navigate the digital landscape, providing tailored solutions for their growth and success. He's an avid learner, sharing insights on LinkedIn, and a sports enthusiast who loves volleyball and cricket.
Sanjay Bhakta

VP, Global Head of Solutions, Centific

Sanjay Bhakta is Vice President and Head of Solutions at Centific, where he leads and develops collaborative, innovative, and disruptive solutions that help clients protect their technology infrastructures and enhance business processes. His industry knowledge spans multiple areas of digital safety, including cybersecurity, fraud detection and prevention, and the adoption of technical frameworks and standards as 21st-century best practices.