A Snapshot of Account Takeover

Asset 21 L og in

Account takeover (ATO) –when a bad user gets access to a good user’s account – is a growing threat faced by online businesses across industries, from social networks and e-commerce merchants to SaaS and professional services.

Account takeover takes off
Asset 24 48% 48%

online businesses observed a rise in ATO in 2016

Asset 25 $5 . 1 Billion $5 . 1 Billion

was lost to ATO in 2017, a 120% increase from the year before

Asset 26 $290 $290

is the average victims pay to resolve ATO

Sources: Sift Science, Javelin Strategy & Research

More breaches = more ATO

How did ATO gain such traction over the past few years? You need only look at the big cybersecurity headlines to get a clue. We’ve entered the era of the data breach.

Asset 27 5,207 5,207

data breaches happened in 2017 (breaking records)

Asset 28 7 .89 Billion 7 .89 Billion

records were compromised worldwide

Asset 29 143 Million 143 Million

Social Security numbers were exposed in the Equifax breach

Source: Gemalto Breach Index

Asset 34 59% 59%

people reuse passwords on multiple sites

Asset 35 8% 8% 8%

use a password manager product

Source: Password Boss

Asset 30 Asset 31 Asset 38 Asset 39 Asset 40 Asset 41 Asset 42 Asset 43 Asset 43 Asset 43 Asset 43 Asset 43 Asset 43 Asset 43 Asset 43 Asset 43 Asset 43
How fraudsters profit from ATO
  • Using up stored credits or rewards points
  • Making high-value purchases
  • Buying digital goods
  • Scamming other users, phishing
  • Creating fake listings
  • Spamming
  • Selling the credentials on the black market
  • Extorting money from the legitimate account owner
  • Assuming the identity of the real user
Asset 44
ATO in Action

What does ATO look like? Here’s an example from a ticketing site...


Asset 23

Fraudster accesses account through hacked credentials bought on the dark web


Asset 24

Changes the password so real account holder can’t access


Asset 25 202 VIP 23135 VIP 23135

Adds a stolen credit card to the account and uses it to buy tickets


Asset 26 VIP 23135 VIP 23135

Creates listings to sell the tickets they just bought fraudulently

Behavioral clues for ATO

Asset 27 @

Many of the signs of ATO are contained in subtle behavioral patterns across all of a user’s activity.
Here are some of the separate signals that may point to a potential ATO:

  • Login attempts from dierent devices and locations
  • Switching to older browsers and operating systems
  • Buying more than usual, buying higher priced items
  • Changing settings
  • Changing shipping addresses (especially just before ordering)
  • Changing passwords
  • Multiple failed login attempts
  • Unusual log out attempts. (It’s unusual for users to log out of certain services.)
  • Suspicious device configurations, like proxy or VPN setups

Taken individually, each of these signs may be normal behavior for a particular user. It’s only when you apply behavioral analysis on a large scale, looking at all of a user’s activity and all activity of users across the network, that you can get an accurate picture of whether someone is truly who they say they are. An effective ATO prevention tool is able to synthesize a range of activity and identify the anomalies.

Asset 28

Download our ebook the Complete Guide to Preventing Account Takeover

Read this Ebook to find out:

  • Why fraudsters are flocking to ATO
  • How to measure the damage done by ATO
  • Strategies for detecting an ATO attack before it affects your users

Download Ebook