Account Takeover (ATO)

  • Fabian Sinner
  • September 9, 2024

An account takeover (ATO) is a form of cyberattack in which an attacker takes control of another person’s account without authorization. This can be achieved through various methods, such as phishing, social engineering, exploiting security vulnerabilities, or using stolen credentials available through data leaks or on the darknet. 

How does an account takeover (ATO) work?

An ATO is the unauthorized takeover of a user account by an attacker. It can be carried out in various ways, but the basic steps are usually similar:

Obtaining access data 

  • Phishing: Attackers send fake emails or messages that mimic legitimate companies. These messages contain links to fake websites that resemble the user interface of the real website. The user unknowingly enters their login details there, which are then intercepted by the attacker. 
  • Data leaks: Access data is stolen from a company’s database and then sold or published on the darknet or illegal marketplaces. 
  • Social engineering: Attackers use psychological manipulation to get people to disclose sensitive information. For example, an attacker could pretend to be an employee of a company and ask the user directly for login details. 
  • Brute force attacks: Automated scripts systematically attempt to guess passwords by trying different combinations until they are successful. 
  • Credential stuffing: Attackers use already compromised credentials from one service to try them out on other services. As many users use the same passwords for different accounts, this method is often successful. 

Compromising the account 

Once the attacker has obtained the credentials, they attempt to log in to the account. If the login process is successful, the attacker gains full access to the account. 

For accounts with two-factor authentication (2FA) enabled, the attacker must also bypass the second factor, for example by using SIM swapping (taking control of the phone number) or by intercepting authentication codes. 

Use of the compromised account 

  • Financial fraud: The attacker can carry out transactions, change bank details, or transfer money to themselves or accomplices. 
  • Change of access data: Attackers often change the credentials (password, security questions) to lock out the legitimate user. 
  • Sale or misuse of the account: Sometimes access to the account is sold to a third party or is used for illegal activities, such as sending spam or carrying out further fraud attempts. 
  • Identity theft: The attacker can extract personal information from the account and use it for further fraudulent activities or to steal the victim’s identity. 

Cover-up 

To avoid detection, attackers may change security or notification settings in the account so that the user does not receive alerts about unauthorized access. In some cases, attempts are made to disguise activity in order to keep the account under control for as long as possible without the rightful owner noticing. 

How can you protect yourself against an ATO?

Several security measures are recommended to protect yourself from an account takeover (ATO): 

Use strong and unique passwords 

A strong and unique password should be used for each account. A strong password contains a mix of upper and lower case letters, numbers and special characters. Easy-to-guess information such as dates of birth or simple words should be avoided. 

Use a password manager 

Password managers help to create complex and unique passwords for each account and store them securely without having to remember them all. 

Activate two-factor authentication (2FA) 

Two-factor authentication provides an extra layer of security by requiring a second method (e.g., a code sent via SMS or generated by an authentication app) in addition to the password. Even if the password has been compromised, the attacker still has to defeat the second factor. As noted above, SMS codes can be defeated by SIM swapping, so a code generated by an authentication app is the stronger choice.

Regular monitoring of accounts

It is important to regularly check accounts for unusual activity, such as unauthorized logins or changes to account information. Many services offer alerts for unusual login attempts or security-related activities.

Beware of phishing attacks

It is advisable to be wary of emails, messages or websites that ask for login details, especially if they create urgency or pressure you to act quickly. The URL of a website should be checked before logging in to make sure it is the legitimate site.

Install security updates and patches

Software, operating systems and applications should always be kept up to date. Many ATOs exploit security vulnerabilities that are fixed by updates.

Use of security tools 

Antivirus programs and firewalls should be used to protect computers and mobile devices from malware that could be used to steal login credentials. 

Restricted permissions 

Accounts should only be given the most necessary permissions and, where possible, separate accounts should be used for different purposes (e.g., one account for important personal data and another for less sensitive tasks). 

Caution when using public WLANs 

Logging in to important accounts via public or unsecured Wi-Fi networks should be avoided. When using public WLANs, we recommend using a VPN (Virtual Private Network) to secure the connection. 

How do you recognize an account takeover (ATO)?

An account takeover (ATO) can often be recognized by certain signs and unusual behavior in the affected account.  

Unexpected login notifications 

A common sign of an account takeover is the receipt of notifications about logins that were not initiated by the user. These notifications may indicate that someone has logged in to the account from an unknown device or from an unusual geographic region.  

For example, an email could arrive informing you of a successful login from a device in another country, even though this login was not initiated by the user. Similarly, warnings about repeated failed login attempts may indicate that someone is trying to access the account. 

Unknown activities in the account 

Unusual or unexpected activity within the account is a clear warning sign of a possible takeover. This could show up as transactions or purchases that the user did not make. For example, orders in an online store or transfers to an unknown account could suddenly appear.

Likewise, the discovery of altered information, such as a changed email address, phone number or delivery address, could indicate that an attacker has manipulated the account. In addition, new devices or applications may have gained access to the account without authorization. 

Changes to the account settings 

Another indication of an account takeover is a change to the account settings without any action on your part. This includes changing the password, for example. If the password suddenly no longer works or a confirmation email arrives for a password change that was not initiated by the user, this may indicate a takeover.  

Changes to the security questions or deactivation of two-factor authentication could also be made by the attacker to secure access to the account and exclude the rightful owner. 
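The warning signs described above (a login from a region never seen for that user, a burst of failed logins followed by a success, and a security setting changed shortly after such a login) can be expressed as simple detection rules of the kind the monitoring advice earlier refers to. The following is an added example, not code from the original article or from the author; it runs over constructed login events, and the thresholds (3 failures within 5 minutes, a one-hour follow-up window) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, source IP, country, event)
EVENTS = [
    ("2024-09-01T08:00:00", "alice", "203.0.113.5", "DE", "login_ok"),
    ("2024-09-02T08:05:00", "alice", "203.0.113.5", "DE", "login_ok"),
    ("2024-09-03T02:10:00", "alice", "198.51.100.9", "BR", "login_fail"),
    ("2024-09-03T02:10:05", "alice", "198.51.100.9", "BR", "login_fail"),
    ("2024-09-03T02:10:09", "alice", "198.51.100.9", "BR", "login_fail"),
    ("2024-09-03T02:10:14", "alice", "198.51.100.9", "BR", "login_ok"),
    ("2024-09-03T02:12:00", "alice", "198.51.100.9", "BR", "2fa_disabled"),
    ("2024-09-03T09:00:00", "bob", "203.0.113.7", "DE", "login_ok"),
]

FAIL_BURST = 3                  # assumed: failed logins inside WINDOW that count as a burst
WINDOW = timedelta(minutes=5)
FOLLOW_UP = timedelta(hours=1)  # assumed: a setting change this soon after a flagged login is suspicious
SENSITIVE = {"password_changed", "2fa_disabled", "email_changed"}

def detect(events):
    """Replay events in order and return (user, rule, detail) alerts."""
    known_countries = defaultdict(set)   # countries seen on successful logins, per user
    recent_fails = defaultdict(list)     # timestamps of failed logins inside WINDOW, per user
    flagged_login = {}                   # user -> time of the last login that raised an alert
    alerts = []
    for ts_str, user, ip, country, event in events:
        ts = datetime.fromisoformat(ts_str)
        if event == "login_fail":
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= WINDOW] + [ts]
        elif event == "login_ok":
            fails = [t for t in recent_fails[user] if ts - t <= WINDOW]
            suspicious = False
            if len(fails) >= FAIL_BURST:
                alerts.append((user, "burst_then_success", f"{len(fails)} failures then success from {ip}"))
                suspicious = True
            # A user's very first login has no history to compare against, so it is never "new country".
            if known_countries[user] and country not in known_countries[user]:
                alerts.append((user, "new_country", f"first login from {country} via {ip}"))
                suspicious = True
            if suspicious:
                flagged_login[user] = ts
            known_countries[user].add(country)
            recent_fails[user] = []
        elif event in SENSITIVE:
            last = flagged_login.get(user)
            if last is not None and ts - last <= FOLLOW_UP:
                alerts.append((user, "sensitive_change_after_flagged_login", event))
    return alerts
```

In a real service the same rules would run on the authentication log and feed the login alerts described above, with the country and device history kept per user rather than in memory.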

Unusual communication 

Communication that was not expected can also indicate an account takeover. This includes emails or messages confirming that security-relevant information, such as the password, has been changed. If such notifications arrive without any action on your part, you should act immediately.  

Notifications about rejected payment attempts or other financial transactions that were not carried out by the user can also indicate an attack. Such messages may indicate that an attacker is trying to cause financial damage. 

Missing access authorization 

If access to the account is suddenly lost, this may be a sign that an attacker has changed the password or otherwise locked the account. Difficulties logging in, even though the password was entered correctly, or an automatic logout from ongoing sessions for no apparent reason are strong indicators of a possible account takeover.  

In such cases, the attacker may have already taken control of the account and locked out the legitimate user. 

Unexpected notifications from third-party providers 

Unexpected notifications from third-party providers, such as banks, credit card companies or other financial institutions, can also indicate an account takeover. These institutions may become aware of suspicious activity and notify the account holder.  

Such notifications could, for example, indicate unusual transactions or attempts to transfer funds. In addition, friends or contacts may point out suspicious messages or requests sent from one’s account, indicating that the account is being misused for spam or other illegal activities. 

Loss of control over the account 

A complete loss of control over the account is a clear sign of a successful account takeover. In this case, the account may be completely blocked without any explanation from the service provider.  

It could also be that important emails or messages are no longer being received, which indicates that the email address stored in the account has been changed. In such a case, the attacker has taken full control and deleted or changed all traces that could point to the rightful owner. 

What to do if you suspect an ATO? 

  • Change your password immediately, preferably from a secure device. 
  • Consider changing passwords for other accounts that use the same information as the compromised account. 
  • Activate or check two-factor authentication. 
  • Contact customer support of the affected service to report the incident and secure the account. 
  • Review all recent activity and, if necessary, reverse unauthorized changes. 
  • Monitor financial transactions for suspicious activity and block payment cards if necessary. 