
SaaS: The Next Target for Account Takeover

By Roxanna "Evan" Ramzipoor / 27 Apr 2017

When you think of account takeover (ATO), what comes to mind? High-profile data breaches? Embarrassing celebrity Twitter hacks? Although these companies are certainly at risk, they’re not the only ones vulnerable to ATO. Software-as-a-service (SaaS) businesses are equally – if not more – vulnerable to damaging account takeovers.

SaaS companies that offer services to other businesses store a wealth of customer data. That means data breaches can lead to extraordinary damage. For example, fraudsters who steal a customer’s account credentials can then reuse them to commit fraud on a massive scale. So, what is account takeover? Why should SaaS companies worry? And how can you take steps to protect your business?

What is account takeover?

ATO, also known as account compromise, is just what it sounds like: a bad actor getting access to a good user’s account. Once that access is achieved, the fraudster can use the account for all kinds of opportunistic and malicious ends: making high-value purchases, using up stored credits, scamming other users, creating fake listings, spamming, and more. In the case of SaaS companies, fraudsters may be targeting financial information, or they may want to misuse or exploit customer data.

Fraudsters are often able to keep victims in the dark about attacks long after their account is hijacked. In many cases, businesses don’t know that their users’ data have been compromised – and neither do the users themselves – until significant damage is already done.

Why SaaS companies make good targets

Fraudsters love SaaS companies because they’re extremely lucrative. Each holds valuable customer data and financial information. Business-to-business (B2B) services are especially vulnerable, since a single account holder could provide access to private information for entire companies: dozens, hundreds, or even thousands of users’ credit card information and personal data.

Although SaaS companies may be doubling down on cybersecurity defenses, weaknesses still persist. Many SaaS companies comply with ISO 27001, an auditing standard designed to prove that service providers have control over the location and security of their data. But surveys show that even ISO 27001-compliant businesses commit “bad practices with regard to privileged user management.” The same features that make SaaS services so convenient – that data can be accessed anywhere, that storage is boundless – also contribute to an increased risk of ATO.

By attacking one B2B business, scammers can secure access not only to that business’s information, but also to its customers’ information. For example, if a hacker takes over a business’s account to access its profile on a customer relationship management (CRM) service, they can wreak serious havoc. Fraudsters could download the business’s client base and use it to hold the business ransom, sell the client base to a competitor, or damage the business’s reputation.

In another common scenario, fraudsters take over accounts to access listings on resume-hosting or real estate database services. Once they’ve accessed a listing, the fraudsters can change contact information. So, someone intending to send their resume to a company that’s hiring or their financial information to a real estate agent instead sends their information to the fraudster’s address. The fraudsters can then steal customers’ personal information.

Because SaaS companies are a recent target, many have yet to implement robust fraud solutions to counter these attacks.

How to prevent ATO

For SaaS companies, success breeds vulnerability. As a SaaS company grows, security takes on an increasingly central role. Customer safety is vital for preserving your reputation, protecting your bottom line, and continuing to scale. But that’s easier said than done! How do you deal with ATO and keep your customers safe?

When seeking to protect users’ accounts, many online businesses may introduce security checks like 2-factor authentication, email links, SMS codes, captchas, and even phone calls. When used selectively and intelligently, these checks can be a powerful tactic to prevent ATO. But they can also inconvenience honest customers, making it harder or less efficient for them to access their account.

The cost of an attack is high, but the cost of making it hard for people to log into their accounts is also high. If people find a service too cumbersome, they become less engaged, or stop using it entirely. A better solution is for SaaS businesses to stop ATO before it happens. The first step to earning your customers’ trust is ensuring their safety. Ready to start?

Roxanna "Evan" Ramzipoor

Roxanna "Evan" Ramzipoor was a Content Marketing Manager at Sift.
