3 common ATO attacks—and how to stop them

Legacy account security—e.g., passwords and usernames—is nearing the end of its usefulness as a means to protect against account takeover (ATO) fraud. In fact, ATO is growing exponentially. Accelerated by the global pandemic, more consumers are relying on online services rather than brick-and-mortar stores—leading to a reliance on digital accounts and the need to protect those accounts from cybercriminals who want to steal stored value, payment information, demographics, and personally identifiable information (PII).

Successful online businesses need a multi-pronged, layered approach that addresses every step of the user journey, authenticates users, secures accounts, and stops ATO while also future-proofing against the more aggressive fraud attacks emerging every day.

Each layer can be viewed as a tool among many to protect various points of the user journey. In this article, we’ll go over some of the common attack methods Sift customers face and how to combat them.

Stolen login credential attacks

We’ve all experienced it: you get an email or text notification about suspicious login activity on one of your accounts—and it definitely wasn’t you trying to access the site or app. It’s a quick way to ruin a day, and it happens all too often. Somewhere along the line, a fraudster gained access to your account credentials (whether that’s through the dark web, phishing, or some other means). Fortunately, it’s much less common for nefarious actors to gain control over your device. 

With this in mind, a common way to protect users and detect account takeover attempts is to analyze the device being used to log in. With Sift, you can use Device Fingerprinting to uniquely identify the device a visitor is using to interact with your site, determine whether you’ve flagged that device as being associated with fraudulent behavior in the past, and prevent that visitor from using your site in the future.

To learn how to implement Sift Device Fingerprinting, read our integration guide.

In addition to analyzing the device, it’s also important to analyze the connecting IP address to determine if this is an IP the customer has used in the past. This can be determined using the Sift Console. A login using an unfamiliar device but a familiar and commonly used IP address may be a signal that the legitimate user has a different or new device. If both the device and IP address are unfamiliar, this indicates a higher-risk login event.

Credential stuffing attacks

Credential stuffing attacks are a form of stolen login credential attacks, and are automated using scripts and/or bots. In this type of attack, fraudsters use these automated tools to test large lists of stolen login credentials for popular websites. Because the attack is automated, the speed at which the stolen credentials are tested is an indicator that an ATO attempt is in progress.

Sift’s industry-leading, custom ATO machine learning model detects real-time risk at the point of login using over 100 signals, and can alert trust and safety teams of suspicious failed login attempts and potential bot-based attacks.

Social engineering and phishing

Ninety-eight percent of cybercrime involves social engineering, with attacks becoming increasingly complex. In many social engineering attacks, the victim is convinced to reveal important PII to a fraudster or complete an action that gives a fraudster access to an account.

Protecting accounts against these types of complex attacks requires access to, and analysis of, real-time data at multiple touchpoints. Dynamic Friction can play a critical role here, guiding users along whatever experience is appropriate for them on your site, and preventing cybercriminals from successfully mimicking trustworthy customers.

Learn how to simplify account security and accelerate growth with Sift Account Defense.