Account takeover prevention

Discover how ATOs work and how to reduce ATOs with advanced fraud prevention solutions.

Account takeover prevention: what ATO attacks are and how they work

Account takeover (ATO) attacks happen when a bad actor gains unauthorized access to a victim’s account. The perpetrator does this by stealing, finding, or brute-forcing the victim's login credentials. Once inside, they can carry out fraudulent transactions, change account details, or even lock the original user out of their account by changing login credentials and recovery details.

ATO attacks can’t happen unless the attacker finds a way to compromise the authentication method protecting the victim’s account. As a quick refresher, authentication methods typically break down into three categories:

  • Something the user has (like a token or key)

  • Something the user is (biometric authentication like voice or fingerprint), or

  • Something the user knows (like passwords or SMS codes)

Depending on the circumstances, all of these categories can be a potential entry point for an ATO attack. 

There are a few different ways that bad actors can go about compromising an account’s authentication methods.

Phishing, smishing, and vishing

Phishing is a social engineering attack in which a bad actor sends victims an email claiming to be from a legitimate source, in the hopes of tricking that user into downloading malware or logging into a fake page using their real credentials. The attacker can then take any captured credentials and use them to sign into the victim’s real account.

Phishing is the email variant of this process and the most common type, but it can also happen over the phone (vishing, or “voice phishing”) or text (smishing, or “SMS phishing”). While most tech literate users today know better than to click on suspicious links or give their passwords out, phishing attackers play the numbers game by sending their communications to as many potential victims as possible until they get a hit. Additionally, some phishing attacks are more sophisticated than others, using techniques such as domain squatting and domain spoofing to make their fake login pages look more legitimate. 

Data breaches and leaks 

Whene an app or website suffers a data breach that exposes user credentials, the attackers often sell or post this information online. Using a database of breached passwords, cybercriminals can then conduct what’s called a “credential stuffing” attack, in which they use a program to automatically input the affected credentials both on the victim website and on other sites and platforms.

Using this method, attackers can gain access to the original compromised account (if the owner hasn’t already changed their credentials or enabled multi-factor authentication) as well as any other accounts where the user has reused the same credentials. 

Biometric spoofing 

Biometric authentication falls under the “something the user is” category of authentication types. Examples of biometric authentication types include fingerprint, voice, or facial recognition, or behavioral biometrics like location behavior. While biometric authentication factors often take more resources to trick than other common forms of authentication, they can often still be compromised in the right circumstances.

For example, if a fraudster is able to “spoof” attack a facial recognition system using a deepfake—a computer-generated, lifelike digital copy of a person superimposed over an existing video of another person—they could potentially gain access to that user’s account despite not having access to that user’s biometric data.


Everyone has heard the common password hygiene advice of using multiple letters, numbers, special characters, and longer length to craft a strong password. Brute-forcing attacks are one of the big reasons behind this advice. In a brute-forcing attack, threat actors use a software program to automatically plug in millions of different password combinations, pulling from sources like commonly used passwords, dictionary phrases, and more to inform its guesses. The most sophisticated of these attacks can guess one billion possible passwords per second—for weak passwords, that means that being compromised is a matter of if, not when. 

SIM swapping

Depending on the factors used, sometimes even having multi-factor authentication (or MFA) enabled isn’t enough to save a user from account takeover. For example, SMS codes are a notoriously low-security way to deliver a secondary authentication factor, mainly because they’re vulnerable to social engineering intercept attacks or SIM swapping.

A SIM swap attack, also known as SIM jacking, involves the threat actor tricking a mobile service provider into transferring the victim's phone number to a SIM card controlled by the attacker. Once the attacker controls the phone number, they can bypass security measures like two-factor authentication and OTPs that rely on the phone number.

How is a SIM swap attack done, exactly? The attacker contacts the victim's mobile service provider, pretending to be the legitimate owner, and convinces them that they have lost or damaged their SIM card. Once the swap is done, the attacker can receive any calls and messages directed to the victim's number, including those containing OTPs for account verification, enabling them to access and take over the victim's accounts.

The challenges of account takeover fraud detection

The risks involved in account takeovers are significant and far-reaching. The direct financial loss can be substantial, but there are also indirect costs such as damage to a brand's reputation, loss of customer trust, data theft, and the potential for regulatory fines. What’s more, every discrete account takeover event requires valuable resources to be spent on investigating the ATO, restoring the account, correcting any damage caused, and patching any discovered vulnerabilities.

Stopping account takeover attacks is mission critical for platforms who care about their users’ safety and security, but unfortunately preventing ATO is usually not as simple as using a strong password and moving on with your day.

Vulnerable credentials 

One of the primary challenges in preventing ATO attacks lies in the vulnerability of user credentials. Users often reuse passwords across multiple sites, making them easy targets. Furthermore, many users opt for simple, easy-to-remember (and consequently, easy-to-guess) passwords, increasing the risk of account takeovers.

But even strong, unique passwords can be brute-forced or exposed in a data breach. This means that even if a user follows all of the proper password hygiene, it still may not be enough to protect them from an account takeover attempt.

One-time passwords (OTPs) 

One-time passwords (OTPs) are meant to provide extra security by acting as an additional authentication factor or as a sort of “moving target” alternative to a traditional password, but unfortunately they’re just as exploitable as regular passwords. Fraudsters can intercept these codes through methods such as SIM swapping or phishing attacks, effectively bypassing this security measure.

Low adoption of multi-factor authentication

Multi-factor authentication (MFA) adds another layer of defense by requiring additional verification beyond a password. However, the challenge lies in getting users to enable MFA. Many find it inconvenient, and this reluctance creates a gap in the security setup.

Limiting false positives and user friction

Tightening security around user logins and transactions might be one way to mitigate the risks of account takeover, but it often does so at the user’s expense. For example, imagine if you had to enter multiple codes or passwords, click email links, or open an authenticator app every single time you wanted to do something as simple as checking your balance on your bank’s mobile app. For accounts that we use multiple times daily, the multi-factor authentication that could make our accounts more secure would also make them more cumbersome to use.

This type of user friction is not only bad for platforms that want to provide their users with an enjoyable experience, but it might also work against itself. For example, if the account security measures in place are too frustrating, users might opt out of them altogether, making their accounts even more vulnerable than they might’ve been with less stringent security.

Limiting false positives is also a crucial factor to consider in any anti-ATO strategy. One of the only things that’s more frustrating than having to authenticate yourself three or more times for every login is being wrongly locked out of your own account—particularly if it’s something critical to your everyday life, like a banking or email account.

How to prevent account takeover fraud

We’ve established that account takeover is bad news and that preventing ATOs is a challenge. So, how should we as fraud prevention experts go about account takeover prevention?

One way to prevent an ATO attack from succeeding is through risk assessment and analysis. Think of the user account as a physical keyhole, and the ATO attacker as someone with a lockpick. Now imagine that the keyhole could identify red flags that it wasn’t dealing with an actual key or with the owner of the door, and based on that information, could decide not to unlock without further proof of identity. That’s what a risk assessment and analysis can deliver.

So, what factors make a login attempt high or low risk? There’s the obvious, like multiple incorrect password attempts, but that alone isn’t enough; after all, who among us hasn’t forgotten a password and entered enough guesses to lock us out of our own account? Instead, risk assessment works based on a combination of different factors analyzed holistically.

For example, Incognia’s technology uses location behavior and device intelligence to assess the risk of each login. When a login attempt occurs, Incognia’s solution first performs a device integrity check—is this the same device this user typically uses? Does this device have any “red flag” apps such as GPS spoofers, app tamperers, emulators, and so on?—and then checks the user’s location.

Incognia can create a reliable risk assessment by comparing a device’s location at the time of a login attempt with that user’s location behavior history; for example, we can look at whether this login is coming from one the user’s frequented locations, such as their home or workplace (we call these trusted locations).

Because these checks happen passively and in the background, low-risk login attempts can be a completely frictionless experience despite the additional layer of security. For higher risk login attempts, a method of step-up authentication would be used to help confirm the user’s identity.

Other solutions might use location and device information in a simpler way, namely checking whether a user has logged in using a certain device or IP address in the past, and sending a security alert or step up authentication request if they haven’t. These simpler uses of location intelligence are definitely a step in the right direction, but it’s important to note that GPS and IP address information alone are easily spoofable with the use of apps or a VPN. By contrast, Incognia’s location solution relies on a variety of different signals–including WiFi, Bluetooth, and cellular–to identify and prevent this kind of tampering.

Aside from risk assessments, there are a few other ways to defend against an ATO attack. Some companies have harnessed the power of artificial intelligence to help them identify bot-led account takeover attacks. AI’s powerful analysis capabilities can compare a user’s behavior to what’s expected from a human being: for example, does the user type and move their cursor at a normal speed? A brute-forcing program might be able to try hundreds of thousands of passwords per second, but a real person certainly couldn’t. Using a CAPTCHA (which stands for “completely automated Turing test to tell computers and humans apart”) is another way to potentially identify a bot-enabled ATO attack.

Measures like implementing a web application firewall or WAF to filter HTTP traffic are yet another way to help a site defend itself against account takeover fraud. Using a WAF can help websites identify and block access attempts from known attackers and identify signs of bot, brute forcing, and credential stuffing attacks.

Lastly, multi-factor authentication can be a game changer for protecting an account’s integrity in the event of an unauthorized login attempt. While some authentication factors are weaker–like SMS codes and one-time passwords–other methods such as the use of an authentication app or even a physical security key can help keep out unauthorized intruders.

Our online accounts are a piece of our lives that gets more important by the day, and it’s critical that the platforms those accounts belong to take the proper steps to secure them. The attack vectors are numerous: phishing, brute forcing, credential stuffing, SIM swapping, and so on. But fortunately, there are also many solutions that can be put in place to keep accounts secure. Risk assessment technologies like Incognia’s location intelligence and long-standing security measures like multi-factor authentication can help platforms keep unwanted guests out while making it easy for good users to get in.

Schedule a Free Demo

One of our specialists will be glad to meet you and go over Incognia's capabilities.

To help us personalize our conversation for your business, please fill out the following form.