SaaS: The Next Target for Account Takeover

By Roxanna "Evan" Ramzipoor, 27 Apr 2017

When you think of account takeover (ATO), what comes to mind? High-profile data breaches? Embarrassing celebrity Twitter hacks? Although these companies are certainly at risk, they’re not the only ones vulnerable to ATO. Software-as-a-service (SaaS) businesses are equally – if not more – vulnerable to damaging account takeovers.

SaaS companies that offer services to other businesses store a wealth of customer data. That means data breaches can lead to extraordinary damage. For example, fraudsters who steal a customer’s account credentials can then reuse them to commit fraud on a massive scale. So, what is account takeover? Why should SaaS companies worry? And how can you take steps to protect your business?

What is account takeover?

ATO, also known as account compromise, is just what it sounds like: a bad actor getting access to a good user’s account. Once that access is achieved, the fraudster can use the account for all kinds of opportunistic and malicious ends: making high-value purchases, using up stored credits, scamming other users, creating fake listings, spamming, and more. In the case of SaaS companies, fraudsters may be targeting financial information, or they may want to misuse or exploit customer data.

Fraudsters are often able to keep victims in the dark about attacks long after their account is hijacked. In many cases, businesses don’t know that their users’ data have been compromised – and neither do the users themselves – until significant damage is already done.

Why SaaS companies make good targets

Fraudsters love SaaS companies because they’re extremely lucrative. Each holds valuable customer data and financial information. Business-to-business (B2B) services are especially vulnerable, since a single account holder could provide access to private information for entire companies: dozens, hundreds, or even thousands of users’ credit card information and personal data.

Although SaaS companies may be doubling down on cybersecurity defenses, weaknesses still persist. Many SaaS companies comply with ISO 27001, an auditing standard designed to prove that service providers have control over the location and security of their data. But surveys show that even ISO 27001-compliant businesses commit “bad practices with regard to privileged user management.” The same features that make SaaS services so convenient – that data can be accessed anywhere, that storage is boundless – also contribute to an increased risk of ATO.

By attacking one B2B business, scammers can secure access not only to that business’s information but also to its customers’ information. For example, if a hacker takes over a business’s account to access its profile on a customer relationship management (CRM) service, they can wreak serious havoc. Fraudsters could download the business’s client base and use it to hold the business ransom, sell the client base to a competitor, or damage the business’s reputation.

In another common scenario, fraudsters take over accounts to access listings on resume-hosting or real estate database services. Once they’ve accessed a listing, the fraudsters can change contact information. So, someone intending to send their resume to a company that’s hiring or their financial information to a real estate agent instead sends their information to the fraudster’s address. The fraudsters can then steal customers’ personal information.

Because SaaS companies are a recent target, many have yet to implement robust fraud solutions to counter these attacks.

How to prevent ATO

For SaaS companies, success breeds vulnerability. As a SaaS company grows, security takes on an increasingly central role. Customer safety is vital for preserving your reputation, protecting your bottom line, and continuing to scale. But that’s easier said than done! How do you deal with ATO and keep your customers safe?

When seeking to protect users’ accounts, many online businesses may introduce security checks like 2-factor authentication, email links, SMS codes, captchas, and even phone calls. When used selectively and intelligently, these checks can be a powerful tactic to prevent ATO. But they can also inconvenience honest customers, making it harder or less efficient for them to access their account.

The cost of an attack is high, but the cost of making it hard for people to log into their accounts is also high. If people find a service too cumbersome, they become less engaged, or stop using it entirely. A better solution is for SaaS businesses to stop ATO before it happens. The first step to earning your customers’ trust is ensuring their safety. Ready to start?


Roxanna "Evan" Ramzipoor was a Content Marketing Manager at Sift.
