When a customer receives an email that their account has been compromised in a breach, or notices an unfamiliar transaction on a statement, they may call the bank and are told they’re the victim of unauthorized push payment (ATO). ATO fraud is expensive for banks and fintechs – a single incident can result in lost revenue and costly charges – but it also damages brand trust and loyalty. According to Alloy’s State of Fraud Benchmark Report, customers and organizations are increasingly frustrated with accounts being taken over by criminals.
Understanding Account Takeover
Understanding account takeover (ATO) of the ubiquity of digital communication and data storage to steal sensitive information for their own gain. ATO attacks are usually a result of compromised credentials, often obtained through old-fashioned phishing and malware that targets specific individuals or groups. Because people tend to reuse the same passwords across multiple services, attackers can use stolen credentials from breaches to gain access to a variety of accounts.
Once in control of an account, a criminal can drain funds or monetize stored value and impersonate the account holder. They can even leverage account information to execute a wider attack, such as in the case of account takeover fraud of rewards cards like hotel points or airline miles.
Preventing account takeover requires continuous monitoring of accounts, not just at the time of login, but throughout the account’s lifecycle – so that suspicious activity can be spotted and quickly acted upon. Technologies like login attempt limits, device tracking and rate limiting, and deploying a dedicated security operations center enable teams to detect and stop these attacks.