Account takeover (ATO) attacks happen when a bad actor gains unauthorized access to a victim’s account. The perpetrator does this by stealing, finding, or brute-forcing the victim's login credentials. Once inside, they can carry out fraudulent transactions, change account details, or even lock the original user out of their account by changing login credentials and recovery details.
ATO attacks can’t happen unless the attacker finds a way to compromise the authentication method protecting the victim’s account. As a quick refresher, authentication methods typically break down into three categories:
Something the user has (like a token or key)
Something the user is (biometric authentication like voice or fingerprint), or
Something the user knows (like passwords or SMS codes)
Depending on the circumstances, all of these categories can be a potential entry point for an ATO attack.
There are a few different ways that bad actors can go about compromising an account’s authentication methods.
Phishing, smishing, and vishing
Phishing is a social engineering attack in which a bad actor sends victims an email claiming to be from a legitimate source, in the hopes of tricking that user into downloading malware or logging into a fake page using their real credentials. The attacker can then take any captured credentials and use them to sign into the victim’s real account.
Phishing is the email variant of this process and the most common type, but it can also happen over the phone (vishing, or “voice phishing”) or text (smishing, or “SMS phishing”). While most tech literate users today know better than to click on suspicious links or give their passwords out, phishing attackers play the numbers game by sending their communications to as many potential victims as possible until they get a hit. Additionally, some phishing attacks are more sophisticated than others, using techniques such as domain squatting and domain spoofing to make their fake login pages look more legitimate.
Data breaches and leaks
Whene an app or website suffers a data breach that exposes user credentials, the attackers often sell or post this information online. Using a database of breached passwords, cybercriminals can then conduct what’s called a “credential stuffing” attack, in which they use a program to automatically input the affected credentials both on the victim website and on other sites and platforms.
Using this method, attackers can gain access to the original compromised account (if the owner hasn’t already changed their credentials or enabled multi-factor authentication) as well as any other accounts where the user has reused the same credentials.
Biometric authentication falls under the “something the user is” category of authentication types. Examples of biometric authentication types include fingerprint, voice, or facial recognition, or behavioral biometrics like location behavior. While biometric authentication factors often take more resources to trick than other common forms of authentication, they can often still be compromised in the right circumstances.
For example, if a fraudster is able to “spoof” attack a facial recognition system using a deepfake—a computer-generated, lifelike digital copy of a person superimposed over an existing video of another person—they could potentially gain access to that user’s account despite not having access to that user’s biometric data.
Everyone has heard the common password hygiene advice of using multiple letters, numbers, special characters, and longer length to craft a strong password. Brute-forcing attacks are one of the big reasons behind this advice. In a brute-forcing attack, threat actors use a software program to automatically plug in millions of different password combinations, pulling from sources like commonly used passwords, dictionary phrases, and more to inform its guesses. The most sophisticated of these attacks can guess one billion possible passwords per second—for weak passwords, that means that being compromised is a matter of if, not when.
Depending on the factors used, sometimes even having multi-factor authentication (or MFA) enabled isn’t enough to save a user from account takeover. For example, SMS codes are a notoriously low-security way to deliver a secondary authentication factor, mainly because they’re vulnerable to social engineering intercept attacks or SIM swapping.
A SIM swap attack, also known as SIM jacking, involves the threat actor tricking a mobile service provider into transferring the victim's phone number to a SIM card controlled by the attacker. Once the attacker controls the phone number, they can bypass security measures like two-factor authentication and OTPs that rely on the phone number.
How is a SIM swap attack done, exactly? The attacker contacts the victim's mobile service provider, pretending to be the legitimate owner, and convinces them that they have lost or damaged their SIM card. Once the swap is done, the attacker can receive any calls and messages directed to the victim's number, including those containing OTPs for account verification, enabling them to access and take over the victim's accounts.