• Latest
The fraud detection and prevention (FDP) market to surpass $100 billion by 2027

Pre-hijacking Account Takeover Fraud

July 13, 2022 - Updated On July 14, 2022
Veeam Releases Kasten for Kubernetes v7.5, Elevating its #1 Data Resilience Market Position with Enhanced Security and Modern Virtualization

Veeam Releases Kasten for Kubernetes v7.5, Elevating its #1 Data Resilience Market Position with Enhanced Security and Modern Virtualization

February 28, 2025
Major Milestone for PDX Beam as Crypto-to-Fiat App Is Now Available in Apple App Store and Google Play

Major Milestone for PDX Beam as Crypto-to-Fiat App Is Now Available in Apple App Store and Google Play

February 20, 2025
Sardine AI Raises $70M to Make Fraud and Compliance Teams More Productive

Sardine AI Raises $70M to Make Fraud and Compliance Teams More Productive

February 18, 2025
Swap and Signifyd Partner to Empower Brands With Secure, Seamless Global Commerce

Swap and Signifyd Partner to Empower Brands With Secure, Seamless Global Commerce

February 13, 2025
Worldpay to Acquire Ravelin, a Leading AI-Native Fraud Prevention Platform

Worldpay to Acquire Ravelin, a Leading AI-Native Fraud Prevention Platform

February 12, 2025
Socure Verifies Over 2.7 Billion Identity Requests in 2024, Achieves Market-Leading Performance Amidst Increasing AI and Fraud Threats

Socure Verifies Over 2.7 Billion Identity Requests in 2024, Achieves Market-Leading Performance Amidst Increasing AI and Fraud Threats

February 10, 2025
NVISIONx Unveils Nx+RexAI: Redefining Data Security Posture Management with GenAI-Powered Contextual Classification

NVISIONx Unveils Nx+RexAI: Redefining Data Security Posture Management with GenAI-Powered Contextual Classification

February 5, 2025
AuthenticID Annual Report Reveals Surge in Identity-Based Fraud Across Businesses

AuthenticID Annual Report Reveals Surge in Identity-Based Fraud Across Businesses

February 3, 2025
N-able Furthers Open Ecoverse Vision with Launch of AI-Powered Developer Portal—Accelerating API Integrations for Faster, Seamless IT and Security Services Delivery

N-able Furthers Open Ecoverse Vision with Launch of AI-Powered Developer Portal—Accelerating API Integrations for Faster, Seamless IT and Security Services Delivery

January 30, 2025
Zest AI to Deliver First Seamless AI Application Fraud Detection for MeridianLink Clients

Zest AI to Deliver First Seamless AI Application Fraud Detection for MeridianLink Clients

January 29, 2025
Hiya Launches First AI Call Assistant That Stops Live and Deepfake Scams in Real-Time

Hiya Launches First AI Call Assistant That Stops Live and Deepfake Scams in Real-Time

January 28, 2025
Deep Instinct Expands DSX for Cloud Protection to Amazon FSx NetApp

Deep Instinct Expands DSX for Cloud Protection to Amazon FSx NetApp

January 24, 2025
  • Contribute
  • Contact Us
  • About
  • Join Us
  • Advertise
Saturday, May 17, 2025
Merchant Fraud Journal
ADVERTISEMENT
  • Home
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Resources
    • Recorded Webinars
    • Podcasts
    • Vendor Directory
    • eCommerce Fraud Reports
    • Training and Certifications
    • Jobs Board
    • Associations and Non-Profits
  • News
No Result
View All Result
  • Home
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Resources
    • Recorded Webinars
    • Podcasts
    • Vendor Directory
    • eCommerce Fraud Reports
    • Training and Certifications
    • Jobs Board
    • Associations and Non-Profits
  • News
No Result
View All Result
Merchant Fraud Journal
No Result
View All Result

Pre-hijacking Account Takeover Fraud

Pre-hijacking account takeover fraud is a form of fraud that compromises accounts before they are even created. How though, can a person fall victim before their account even exists? With some initial set up, fraudsters can do exactly that by potentially using one of five recently exposed ways to perform account takeover fraud pre-hjijacking attacks.

In 2020, the Microsoft Security Response Center offered a grant to fund multiple projects targeted at improving the security of its identity systems and protocols. The first resulting publication was a recent paper written by an external, independent security researcher, Avinash Sudhodanan, in partnership with Andrew Paverd from the MRSC. Within it, they explained these methods and how they were seen possible upon 35 of the 75 popular websites and online services that they analysed. These included LinkedIn, DropBox, Instagram an WordPress, who were all later informed of their vulnerabilities after the research was complete.

How Pre-hijacking Account Takeover Fraud works

In order for unauthorized access to be considered account takeover fraud pre-hijacking, the fraudster needs to perform some sort of action prior to the account even existing upon the platform. In these reported instances of exposure, the hijacker starts by simply creating an account using the potential victim’s email address. They could, even, just guess email addresses and hope that they belong to a genuine person or even check them against free online verification services to make sure they exist.

The accounts are typically created in bulk and, to find the most success for their efforts, bad actors will target popular apps and sites where there are greater chances of a genuine customer creating an account.

Once the genuine email address owner makes their own account, a little time will be given for them to potentially add their personal details and, perhaps, store their payment credentials before one of the methods are then used to allow the perpetrator to gain access to the account and use as they choose, successfully performing an account takeover attack.

Pre-hijacking Account Takeover Fraud Methods

Classic-Federated Merge Attack

Federated identities are those services which already have customer identities stored are often used by additional websites and apps in lieu of having a customer go through the process of entering their details to sign up an sign in to their account. These are offered by Gmail, Yahoo and the like.

Some companies tend to merge these by default. Therefore, if an account is created by using a genuine gmail email address by an infiltrator, and then the genuine owner creates an account using their same gmail social login account, they will be combined into one and both the customer and fraudster will have access to it with their own independent login information.

Unexpired Session Identifier Attack

An attacker could create an account using a genuine customer’s email address but not close out their session with the service. When the owner creates their own account using the same email address, they get prompted that an account already exists and then might choose to reset their password. Although the customer would then have access to their “new” account, without the malicious session ended, the fraudster will still have access, as well.

Trojan Identifier Attack

The hijacker might create an account using a genuine patron’s email address and set up a secondary account recovery option. This could be their own email address or phone number. Once the victim attempts to create an account and reset their password upon notification of the account’s existence, the fraudster also gets a notification to reset the password. They do so and recover control of the account from the genuine user.

Unexpired Email Change Attack

Going this route, the fraudster will create an account using their target’s email address and then initiate a change of email request to an address that they own and have access to. The site will typically send a verification email to the bad actor’s email address, however, the attacker will not complete the process, saving it for later. Once the genuine customer goes through the creation and recovery process described in the previous two methods, the fraudster will complete the verification email actions and regain access to the account.

Non-Verifying IdP Attack

Simply put, an identity provider is any system entity that creates, maintains, and manages identity information for principals or authentication services within a network. If you collect such information for these purposes, which most online services do for the accounts upon their platforms, you are, in part, an identity provider. Some companies who allow for this, like with the federated identity merge, simply combine accounts sharing details.

For this method, the attacker targets apps and sites that do not verify email addresses. They will simply create an account using their victim’s email address and, when the genuine client creates their account, the merger will happen and the fraudster will have access to the later-created account.

Prevent Pre-hijacking Account Takeover Fraud

For Individuals

If you are attempting to register an account on a site or service that you have not previously used and are prompted that an account already exists, do not simply initiate resetting the password. If you need to create the account, use an email forwarding address that will send the messages to your main email account or a different email address all together. Report that this happened so that the platform may be made aware and look into the potential of this fraudulent activity happening within their networks.

I would also recommend that you create federated identities with secure services, but do not use them to create accounts with other services. Own both your email and their identifying social login information to avoid those potential mergers. Again, if you are a victim of a social merger, report it.

I have read of those suggesting the turning on of 2FA or MFA as soon as you change the password after getting the message that the account already exists if they are available options. However, those will not stop all of these methods from working. I would suggest doing your best to avoid them as best as possible.

For Merchants

Verify email address upon account creation. You should be doing this, but if you do not, watch for spikes in account creations and monitor high-velocities of email changes and secondary recovery emails and phone numbers being the same or following the same patterns across multiple accounts. Keep an ear to the ground for customer contacts aying they have not created an account but the platform is saying that they have when they try and make one.

Do not merge any accounts. If you do, do not do so automatically. This should be an additionally approved process from the verified owner(s) of both accounts if you must do it.

Expire sessions. You should not only have general security and safety expiration in place base on time and typical actions, you should also do so upon the unexpected and risky, such as two accounts being created with the same information. Force an end to all sessions on all of the accounts that share those details.

Expire password reset URLs, links, OTPs, emails and SMS pushes. Keep that window too narrow for fraudsters to attempt these methods. A genuine user is going to want to reassess their account immediately. There is no reason for these to be live for days. Not even a day. Give them an hour or two.


This article was contributed by Shawn Colpitts, Senior Fraud Investigator at Just Eat Takeaway.com

Tags: Account Takeover Fraud
TweetShareSend
Previous Post

VISA Amends Its Dispute Management Guidelines for Merchants

Next Post

The Worldwide eCommerce Fraud Detection & Prevention Industry is Expected to Reach $83.9 Billion by 2026

Next Post
Silverfort Raises $65m Series C for World’s First Unified Identity Threat Protection Platform

The Worldwide eCommerce Fraud Detection & Prevention Industry is Expected to Reach $83.9 Billion by 2026

Download our latest report:

Our Latest Reports

2024 Fraud Trends Report

2023 Consumer Payments Survey Report

2023 Fraud Trends Report

2022 Chargeback Consumer Survey Report

Fraud Prevention Tactics that Enable Exceptional Customer Experience

Addressing Payment Fraud and The Customer Experience in 2022

2022 Fraud Trends Report

ATO Fraud In Retail Report

2022 Customer Experience Report

3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue

Digital Trust And Safety Report: Combating the Evolving Complexities of Payment Fraud

On-Demand Webinars

New Trends in The Payments Ecosystem

Balancing Customer Experience and Fraud Prevention: What’s the Secret?

Stopping Fraud Across the Customer Lifecycle

Addressing Payment Fraud and the Customer Experience in 2022

 

Featured Directory Listings

  • Signifyd
  • TransUnion
  • PayRetailers
  • Spotrisk
  • CB-ALERT
  • Chargeflow
  • Corepay
  • AtData

Get the 2024 Fraud Trends Report

Search Our Site

No Result
View All Result

Our Sponsors

Fraud Industry News

Veeam Releases Kasten for Kubernetes v7.5, Elevating its #1 Data Resilience Market Position with Enhanced Security and Modern Virtualization

Veeam Releases Kasten for Kubernetes v7.5, Elevating its #1 Data Resilience Market Position with Enhanced Security and Modern Virtualization

February 28, 2025
Major Milestone for PDX Beam as Crypto-to-Fiat App Is Now Available in Apple App Store and Google Play

Major Milestone for PDX Beam as Crypto-to-Fiat App Is Now Available in Apple App Store and Google Play

February 20, 2025
Sardine AI Raises $70M to Make Fraud and Compliance Teams More Productive

Sardine AI Raises $70M to Make Fraud and Compliance Teams More Productive

February 18, 2025

Connect With Us

Quick Navigation

  • Home
  • News
  • Join Us
  • About Us
  • Contact Us
  • Advertise
  • Contribute
  • Privacy Policy

The Payments Media Network

Merchant Fraud Journal
Payments Review

Privacy Policy

Our Privacy Policy
Our Terms of Use

Resources

  • Articles
  • eCommerce Fraud Reports
  • eCommerce Fraud Webinars
  • Training and Certifications
  • Jobs Board
  • Associations and Non-Profits
  • Podcasts
  • Vendor Directory

Popular Posts

  • What Is a Chargeback: A Primer for Merchants

    What Is a Chargeback: A Primer for Merchants

    0 shares
    Share 0 Tweet 0
  • Twitch Chargebacks for Streamers: Prevention and Recovery Opportunities

    0 shares
    Share 0 Tweet 0
  • How to win a fraud dispute: Get educated on the process and requirements for victory

    0 shares
    Share 0 Tweet 0
  • How Does the Chargeback Process Work?

    0 shares
    Share 0 Tweet 0

Featured Vendors

  • Signifyd
  • TransUnion
  • PayRetailers
  • Spotrisk
  • CB-ALERT
  • Chargeflow
  • Corepay
  • AtData

Download the 2023 Fraud Trends Report

No Result
View All Result
  • About Merchant Fraud Journal
    • Interested in Contributing or Guest Posting to Merchant Fraud Journal?
    • Merchant Fraud Journal Editorial Guidelines
  • Advertise on Merchant Fraud Journal
  • Articles
    • Chargebacks
    • Fraud Prevention
    • Influencer Insights
  • Contact Us
  • Download Addressing Payment Fraud and Customer Experience Report
  • Download Chargebacks Consumer Survey Report 2022
  • Download Evolving Complexities of Payment Fraud Report
  • Download Fraud Prevention Tactics that Enable Exceptional Customer Experiences Report
  • Download Merchant Fraud Journal 2023 Fraud Trends Report
  • Download Merchant Fraud Journal 2024 Fraud Trends Report
  • Download Merchant Fraud Journal Generative AI Fraud Prevention Checklist for SMBs
  • Download Quantifying the Challenge of Friendly Fraud: Your Post-purchase Strategy for the Future
  • Download the 2020 Chargeback and Representment Report
  • Download the 2020 Merchant Fraud Journal Vendor Guide
  • Download the 2021 Fraud Trends Report
  • Download the 2022 Fraud Trends Report
  • Download the 2023 Consumer Payment Trends Report
  • Download the 3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue Report
  • Download the MFJ 2022 Customer Experience Report
  • Download the MFJ ATO in Retail Report
  • Home
  • Home Elementor
  • Job Dashboard
  • Join The Merchant Fraud Journal Community
  • Merchant Fraud Journal Advertising Agreement
  • Merchant Fraud Journal Advertising Agreement – Signifyd
  • MFJ Fraud Trends Report Giveaway
  • News
  • Post a Job
  • Privacy Policy
  • Resources
    • #9978 (no title)
    • 2020 Chargeback Representment Guide for Merchants
    • 2020 Vendor Guide
    • 2023 Consumer Payments Survey Report
    • 3 Ways a Unified Chargeback Management and Fraud Platform Increases Revenue
    • Addressing Payment Fraud and the Customer Experience in 2022
    • Associations and Non-Profits
    • ATO Fraud In Retail Report
    • Balancing Customer Experience and Fraud Prevention: What’s the Secret?
    • Chargebacks Consumer Survey Report 2022
    • Digital Trust & Safety: Combating the Evolving Complexities of Payment Fraud
    • eCommerce Fraud Reports
    • eCommerce Fraud Webinars
    • Fraud Prevention Tactics that Enable Exceptional Customer Experiences
    • Fraud Prevention Training and Certifications
    • How to Build a Recession Proof Chargeback Prevention Strategy
    • How to Reduce Customer Friction During Holiday Sales Season
    • How to Stop Fraud During the 2022 Holiday Season
    • Jobs Board
    • Merchant Fraud Journal 2023 Fraud Trends Report
    • Merchant Fraud Journal’s Fraud Trends 2020 Report
    • Merchant Fraud Journal’s Generative AI Fraud Prevention Report: A Checklist for SMB Companies
    • Merchant Fraud Journal’s Fraud Trends 2021 Report
    • Merchant Fraud Journal’s Fraud Trends 2022 Report
    • MFJ’s 2022 Customer Experience Report
    • Podcasts
    • Prevent High-Velocity Fraud Attacks During the 2021 Holiday Season
    • Quantifying the Challenge of Friendly Fraud: Your Post-purchase Strategy for the Future
    • Stopping Fraud Across the Customer Lifecycle
    • The surprisingly easy way to secure your payment data, reduce your risk, and win the war on ecommerce fraud
    • Vendor Directory
    • Webinar – Addressing Payment Fraud and the Customer Experience in 2022
    • Webinar – Mitigating Fraud and Risk on the ACH Network
    • Win January Chargeback Disputes
  • Subscribed
  • Terms and Conditions

© 2021 Payments Media Solutions Canada Inc.

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?