What are Account Takeovers And How Do They Work?


There’s an old folk tale in which a wagon driver and a nobleman show up at the constabulary in a small country village. One man, dressed in dirty, pauper’s clothing, told the constable, “I’m the nobleman. This man was my driver.

He attacked me last night, stole my clothes and took my money.” The other man, dressed in great finery, the clothing of the noble class, replied, “Constable, this man is insane. He thinks he’s a nobleman. I’m the real nobleman. Arrest him!”

This story predates driver’s licenses and digital finger printing, but it offers a good example of what can go wrong in an account takeover situation. A person logs into an online bank account or mobile payments app. Is he actual account holder, or a hacker? Who is really who? These security issues affect organizations that allow self-service account access.

What is an account takeover?

An account takeover is a form of cyber fraud wherein a malicious actor impersonates the owner of an online account. Typically, the account is at a financial institution or an e-commerce business where the fraudster can steal money, merchandise or gift cards. The attacker uses stolen login credentials to access the account and then take it over, perhaps changing the password to lock the actual account owner out.

Less financial harmful but still damaging forms of account takeover involve the hijacking of social media accounts and the like. In these cases, the attacker is usually trying to spread malware or engage in phishing attacks against unsuspecting friends of the victim. Or, the attacker is trying to embarrass the victim, which sometimes happens with celebrities and politicians, for example.

How does a hacker take over an account?

Account takeovers, like so much cyber fraud, are mostly a matter of automated, mass processes. It’s rare for a hacker, clad in a hoodie in his mother’s basement, to type passwords into bank websites one at a time.

Rather, the practice relies on large-scale credential stuffing attacks that try millions of username/password pairs on dozens of target financial institutions in the hopes of unlocking a small subset of the accounts. Once the automated fraud software has gained access to the account, a human hacker may then get involved, but in some cases, not.

A lot of account takeover attacks are almost entirely automated.

Seeing it from the company’s perspective

To understand how problematic account takeover can be, consider what the experience looks like from the point of view of the financial institution. They handle millions of logins every day.

With the sophistication available in today’s attack tools, it’s extremely challenging to detect which, if any, are fraudulent. Then, a person calls the customer service line and says “My account has been attacked! I can’t log in and someone is stealing my money!”

Like the constable in the folk tale, how does one determine who is really who? If the attacker has enough stolen identity elements, like driver’s license number, social security number, mother’s maiden name, address, and so forth, it could be quite difficult to determine if the caller is the real account holder or an attacker trying to get a password reset on an account he wants to penetrate.

What can be done to stop account takeovers?

Financial institutions and eCommerce companies have processes and controls that mitigate some of the account takeover threat. These range from the old fashioned “what was the name of your best friend in elementary school” security questions to detection methods that ferret out suspicious IP addresses and mobile device profiles.

BotStop by hCaptcha provides one of the most advanced ways to mitigate the threat from fraudulent account login attempts, using machine learning to detect and stop bots, and effectively making it much harder or even impossible for fraudsters to engage in account takeover. Contact us to learn more!

By the way, here’s how the story of the nobleman and his driver ends: The constable made the two men sit in a room together for hours and get bored out of their minds. At the end of the day, he appeared and said, “I will speak with the wagon driver now.” The man in the noble clothing stood up. He was so bored, he forgot that he was only pretending to be the nobleman.