October 25, 2020

March 23, 2021

How to prevent account takeover attacks (ATO)

Account takeovers are a challenge for most online companies. The weakness of passwords and the evolution of malicious attacks make account takeover one of the most widespread problems in user identification and online security.

The great news? Technology for fraudulent actions keeps evolving, but so do fraud prevention systems. You can protect your users’ identity with a strong security system, sophisticated flows that don’t hurt the user experience, and low-code implementations with a low impact on your company’s resources.

We have gathered some of the security systems you can implement to prevent account takeovers (also known as ATO) while offering your users the best experience.

What is account takeover (ATO)? 

An account takeover (ATO) is a fraudulent attack that aims to obtain users’ data and credentials in order to profit from the illegitimate use of the user’s account. Generally speaking, account takeover can lead to credit card fraud, fraudulent shopping or money transfers, but it can also involve identity theft, where the fraudster impersonates the user in order to carry out other malicious actions.

How does account takeover happen? 

Account takeover happens more easily when the only credentials are a username or email address and a password. Passwords have proven to be a poor authentication system, aside from being less user friendly than other authentication methods. The following methods are the ones most commonly used in account takeover attacks, and most of them involve password theft.

Some methods used for ATO attacks

  • Phishing. Impersonating a well-known brand, attackers send users an email, SMS or social media message prompting them to click a link. By doing so, users unknowingly allow malware to be installed on their devices, which then leads to account takeover.
  • Brute force attacks. By running a script that tries many password combinations, fraudsters can guess the user’s password and access their account. Because the attack is automated, attackers can try a different password with every login attempt and eventually find the user’s password.
  • Credential stuffing. Similar to the previous method, but here fraudsters buy sets of credentials on the dark web. These come from data breaches or password leaks and give fraudsters many more clues about the user’s password. Unlike brute force, these automated attacks are based on the user’s previous or current passwords, and since users tend to reuse passwords across accounts, the task gets easier.
  • Trojans. Trojans are one type of malware that can be used to intercept the user’s email and password. They are most often used against online banking applications, where an additional screen is overlaid on the user’s original screen. This way, fraudsters can see what the user types into the form and collect these authentication credentials.

Means to prevent account takeover from your signup forms

There are many security systems you can apply to your own business in order to protect your users. Let’s see when to act and what means you can use to enhance security.

When to proceed and how to detect fraudulent ATO

Multi-factor authentication does not necessarily need to be enforced by default. Adding verification factors can also hurt the user experience and conversion rates, which is why it is advisable to implement risk-based security processes. With this approach, you determine which risk factors are key to your identification processes and trigger actions only when those factors indicate a risk.

These are some of the risks you can take into account when implementing a risk-based authentication system with low friction for your users:

1. Limiting actions based on frequency

Determining a pattern of usage can be helpful when trying to block suspicious activity. By analyzing the general usage of the user’s account and its movements, a typical frequency can be established. Activity that deviates from that frequency can then be flagged as suspicious.

You can apply frequency patterns to different actions — login attempts, purchases, money transfers, publishing content, etc. Adding this personalized logic to your registration or payment forms can help you detect fraudulent activity and trigger actions to block it.

2. Limiting actions based on location

With a similar idea, you can also detect fraudulent attacks such as account takeovers based on the user’s location. To apply this method, you need to be able to detect the user’s location and trigger different actions based on it. If suspicious activity is detected, you can present the user with an additional verification factor.

3. IP blacklisting

The reputation of an IP address can easily be scored and used to determine whether an attempt is suspicious or not. Simply by integrating your registration, login or payment forms with an IP scoring tool, you can allow access or trigger additional verification methods.

4. Blocking sensitive actions by default

Apart from detecting suspicious activity and triggering actions accordingly, you can also opt to block certain actions by default. This practice is commonly used to safeguard actions like money transfers, purchases involving large sums of money, and so on.
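Putting the four risk signals above together, here is an added Python example (not Arengu’s code) of a small risk engine that scores a login attempt and returns allow, step-up (ask for a second factor) or block. The blocklisted IP, account names and thresholds are constructed placeholders.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed blocklist (documentation-range address, not a real indicator).
BLOCKED_IPS = {"203.0.113.7"}

# Actions the flow can take once an attempt has been scored.
ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"


@dataclass
class RiskEngine:
    window_seconds: int = 300       # 1. frequency window for failed logins
    max_failures: int = 5           # failures in the window before step-up
    hard_block_failures: int = 10   # failures in the window before block
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _usual_country: dict = field(default_factory=dict)

    def record_failure(self, account, ts):
        self._failures[account].append(ts)

    def record_success(self, account, country):
        # 2. remember where the user normally logs in from
        self._usual_country[account] = country

    def _recent_failures(self, account, ts):
        q = self._failures[account]
        while q and ts - q[0] > self.window_seconds:   # drop expired failures
            q.popleft()
        return len(q)

    def evaluate(self, account, ip, country, ts, sensitive=False):
        """Return (action, signals that fired) for one login attempt."""
        if ip in BLOCKED_IPS:                          # 3. IP blacklisting
            return BLOCK, ["ip_blocklisted"]
        failures = self._recent_failures(account, ts)
        if failures >= self.hard_block_failures:
            return BLOCK, ["failure_frequency"]
        signals = []
        if failures >= self.max_failures:
            signals.append("failure_frequency")
        usual = self._usual_country.get(account)
        if usual is not None and country != usual:
            signals.append("new_location")
        if sensitive:                                  # 4. sensitive action
            signals.append("sensitive_action")
        return (STEP_UP if signals else ALLOW), signals
```

Any signal short of a hard block leads to a step-up rather than a refusal, which is what keeps friction low for legitimate users.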

What to trigger to enhance security after risk is detected

Since account takeover tends to happen by compromising the user’s password, adding a second layer of security on top of passwords is always a good idea — if not getting rid of passwords altogether and going for a passwordless authentication system!

Multi-factor authentication consists of adding further factors to verify the user’s identity, normally to complement the use of passwords. These are some systems you can use to complement passwords and that can be triggered after suspicious activity is detected.

1. Email verification. Among the most common multi-factor authentication methods are one-time passwords and magic links. Both can verify the user’s email address and make sure the legitimate user is the only one accessing their account.

The idea behind email verification is really simple — the user receives a unique code (one-time password) or an authenticating URL (magic link) in their email inbox, and they either enter the code in the original form or simply click the magic link. This action ensures the person behind the login also has access to their email account, and adds a second layer of verification to the authentication process.

[Image: Email verification with magic link]

2. Phone verification. In a very similar fashion, phone verification can work with the same systems — one-time passwords and magic links. In practice, phone verification tends to rely on one-time passwords, or on an app that asks the user to tap to approve the login.

The procedure is almost identical — the user receives a code on their phone that must be entered in the form they were filling in. In the case of tapping apps, a prompt pops up on the user’s phone and the user taps the correct option to access their account. This cross-device check ensures the user is verified before access is granted.

[Image: Phone verification with OTP to tackle ATO]
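As an added example (not part of the original post or of Arengu), this Python snippet shows the server side of the one-time password step shared by email and phone verification: the code is generated with a CSPRNG, only its hash is stored, it expires, it is single-use and wrong guesses are limited. The identifiers and timing values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Challenge:
    code_hash: bytes      # never the plaintext code
    expires_at: float
    attempts_left: int


class OtpService:
    """Issue and verify one-time codes delivered out of band (email or SMS)."""

    def __init__(self, ttl_seconds=600, max_attempts=3, digits=6):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.digits = digits
        self._pending = {}  # identifier -> Challenge

    def _hash(self, identifier, code):
        # Bind the hash to the identifier so a code cannot be replayed
        # against a different account.
        return hashlib.sha256(f"{identifier}:{code}".encode()).digest()

    def issue(self, identifier, now):
        """Create a fresh code for this email/phone; return it for delivery only."""
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self._pending[identifier] = Challenge(
            self._hash(identifier, code), now + self.ttl, self.max_attempts)
        return code  # send it, do not log or store it

    def verify(self, identifier, code, now):
        """True once for the right code before expiry; False otherwise."""
        ch = self._pending.get(identifier)
        if ch is None:
            return False
        if now > ch.expires_at:          # expired: discard and fail
            del self._pending[identifier]
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.code_hash, self._hash(identifier, code))
        if ok or ch.attempts_left <= 0:  # single use, or too many wrong guesses
            del self._pending[identifier]
        return ok
```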

3. Physical biometrics. Biometrics are personal characteristics that are unique to each individual and can be used to establish online identities and grant access only to the legitimate owner of an account or device.

Physical biometrics are one of the most secure systems there are. Unique human features such as fingerprints, the iris or retina, vein patterns or facial features can be used to identify the user and make sure they are the only one accessing their account. Biometrics are widely regarded as the future of authentication.

4. reCAPTCHAs. Most of these attacks are automated and come from bots, so it is no surprise that reCAPTCHAs are still in use. reCAPTCHA is a free Google security service that aims to block bots and spam by telling machines and humans apart. Unlike classic CAPTCHAs, this system only requires one click from your users, which is far more user friendly than typing bizarre characters. hCaptcha also offers different ways to block bots with questions that are easy for humans, such as image categorization. If your company suffers from this kind of automated attack, don’t hesitate to use them too.

Implementing security procedures in your Arengu forms

The threat of fraudulent and malicious actions around user identification and online security is always expanding. But so can your identification flow! Being aware of the vulnerabilities of your identification system is key to knowing which method to implement to prevent account takeovers.

Whatever your preferred method, it is key to stay on guard and to escalate or iterate your identification and authentication flows from time to time. Take a look at Arengu if you wish to create flexible, personalized logic and build your own risk-based verification flows. With it, you can implement risk-based security actions simply by adding your own business rules and conditional logic to your forms, and edit them easily to keep meeting your security standards.
