Account Takeovers

Account takeovers have evolved over the past year, alone. They have become far more complex in their execution and lifecycle.

Their scripts can now revolve activities through lists of resources to look like many different devices and to be coming from many different IP addresses at varying velocities. Their activities are no longer simply login and use.

Account takeovers are more complex

Today, account takeovers run through their lists of credentials in stuffing attacks of various speeds to see which work and which do not. From there, they will take one of three different routes.

1. Condense their list to the account details that led to successful logins and sell the list as-is for another bad actor to use and make a profit.
2. Note the available details and payments stored to the accounts to add value to their successful list and sell it for even more profit.
3. Pass the list off to another teammate to login to and use to place orders to their clientele in a triangulation (reseller) fraud and/or transaction laundering scheme.

Even with the varied velocities, revolving data and lengthened lifecycle, many elements in account takeover detection and prevention remain the same.

Internal and external account takeovers

There are two main categories of indicators when it comes to account takeovers: INTERNAL and EXTERNAL.

Internal Indicators are the ones that are visible to systems. These are your security and risk systems and are generally triggered while an attack is happening. External Indicators are generated from outside contact. These are the emails and calls received by the victims or those contacting the company on their behalf.

The strength of your defense comes from your ability to use Internal Indicators to your advantage. The velocities of attacks can and do vary quite a bit from actor to actor and the tools they may use. Some will just use bots and jack them right up. Some may limit their speed or even use a bot/human combination to achieve their goal. You may find success in widening the pace you pick for your alerts. Still, even with rate limiting and revolving through devices and IP addresses, many simple detection methods may still have a positive impact.

• In a short period of time, many established accounts of various ages may have login attempts by the same IP address not seen on the accounts before.
• In a short period of time, many established accounts of various ages may become accessed or have attempted accesses from the same devices or unknown devices that have not accessed them before.
• An established account might have multiple login attempts in a short period of time by a new or unknown device with a new IP address not seen to have accessed the account before.
• A foreign IP address may access or attempt to access one or more established accounts with a new or unknown device not seen to have accessed the account before.
• Multiple new IP addresses might attempt to access one or more established accounts.

How to identify account takeovers

The key to identifying account takeovers and rooting out false positives when it comes to these activities based on Internal Indicators is NEW. Account accesses need to be attempted by a new device or a new IP address or a new geolocation. If all of the details have already existed upon the account, then the account is being accessed by someone known to the customer in some capacity and is Account Theft, not Account Takeover. Similar flags may be set to additional technical details you may be able to get from their devices and sessions. Look deep and experiment.

This is not always enough to just challenge or block a login. One example of this is in the case of pre-hijacking account takeovers that happen before a customer opens an account. Or, some companies will desire to be more certain that this activity is not coming from the genuine account holders before actioning. For that, you need a network view to see this activity happening across multiple accounts. The evolution of rate-limiting and resource lists have allowed fraudsters to often get away with an ongoing attack a little longer than they used to because of how long it takes them to cycle back to using the same details again. Cast your net wide and look for Internal Indicators on their own and in combination with one another to get alerted to smaller instances of suspicion that may need to be actioned.

That said, when pursuing a process, I would recommend requesting to challenge accounts upon suspicious logins instead of blocking them. You’ll probably find more success by still giving the user a chance to get into their account and place their order than to potentially block them out with a false positive.

Internal indicators

Additional Internal Indicators happen after an account has been successfully accessed and taken over.

• Many established accounts of various ages could have their personal details (phone number, email address, etc…) changed to be the same in a short period of time. ● Established accounts may have their financial information changed to the same details over a short period of time.
• Many orders placed to the same delivery address from different established accounts over a short period of time.
• An established account is logged into by a new or unknown device and new IP, their personal details are changed and transactions are made to new addresses, typically of abnormal values.
• An established account is logged into by a new or unknown device and new IP and all of their reward points are transferred to an unrelated account, often a fair distance away.
• Many established accounts could place orders to the same service provider, store or restaurant that is not near them, or for the same items, typically of higher value.

You’ll see with these indicators that, not only do they somehow meet one or more of the unsuccessful indicators you may be looking for, they will also be seen on more than one account as additional confirmation that there was an account takeover.

External indicators

External Indicators from outside sources are almost always from the account holders themselves but are not always communicated directly to the company. Some victims will immediately take to social media to blast and blame the company or go right to the press, which is another reason why systems must be in place for prevention and retention. Your customer service and follow up must be aligned to put the customer at ease after such a harmful event.

• Account holder claims their account was taken over, hacked or there was fraud on their account.
• Account holder claims they cannot access their account or the systems are saying no such account exists when they try to login.
• Account holder claims personal details on their account were changed or details have been added that they do not recognise (email address, phone number, name, credit cards, delivery address, etc..).
• Account holder claims orders placed were not by them and to unknown addresses that are foreign to them.
• Account holder claims they are missing reward points or credits that were previously on their account and they did not spend them.
• Account holder claims they did not receive payment or deposit of earned funds which should have been transacted to their associated financial details.

These External Indicators need to be manually reviewed for accuracy. As much as we would like to, we cannot just take the word of our customers. Some will be trying to defraud you. You have to be sure.

A three-tiered approach to preventing fraud

As with most fraud, one flag or piece of information is not typically enough to confirm that something nefarious has actually happened. A good rule of thumb is to follow a three-tiered approach when confirming fraud. Some instances may require more and some less. That is up to your discretion and how confident you are in the process you are looking to put into place.

There are a lot of details and signals that you can receive to help you determine if account takeovers are happening upon your platform. You need accurate device details and fingerprinting. Don’t use a process that is easily worked around. Get data enrichment around IP addresses to receive more details about them to use, if you can. Although it can be useful on its own and being accurate really helps in these situations, do not rely heavily on your location data on its own unless you have a way that you can be sure of it. For all three of these important data points, there are services out there that can help you with them. Don’t be afraid to just reach out to learn about what they might be able to do for you.

Account takeovers are presently impossible to prevent 100% of the time. However, with the right tools and rules in place, you can probably stop about 95% of them. Given how customers react to identity theft and account takeovers, and the extreme damage they can do to brand reputation, it is important to prevent as many of them as you can.

This article was contributed by Shawn Colpitts, Senior Fraud Investigator at Just Eat Takeaway.com