Account take over – ATO

ATO, or account takeover, is a type of fraud that occurs when a third party gains access to and illegally uses a victim’s online account...

ATO, or account takeover, is a type of fraud that occurs when a third party gains access to and illegally uses a victim’s online account. This can happen if a malicious actor is able to obtain the victim’s login credentials (username and password) or, in some cases, exploit vulnerabilities in the account management system to take over the account without the victim’s knowledge. Once the account is taken over, the attacker can use it to commit fraud, such as making unauthorized purchases or transferring money out of the account.

What companies are the targets of ATO attacks?

There’s no single profile of an ATO target, as the attackers will go after any organization that has valuable data that they can sell or use to extort a ransom. But healthcare organizations, financial institutions, and companies in the retail and hospitality industries are often the targets.

These types of attacks are a growing problem as more and more businesses move their operations online. According to a report from the credit bureau Experian, ATO attacks increased by 71% between 2016 and 2017. And the problem is only expected to get worse as the number of online accounts and the amount of money being stored in them continues to grow.

Definitive conclusions

There are a few definitive conclusions from an ATO attack, and at the top of these conclusions lies a simple fact, which is that there has been a significant increase in ATO attempts in 2020–2021, with many organizations reporting increases of over 100% compared to previous years. The majority of ATO attempts target corporate accounts, followed by personal accounts. ATO attempts are typically carried out using phishing or social engineering techniques in order to obtain login credentials from the victim. Once an account has been taken over, the attacker will often use it to send spam messages or carry out other malicious activity.

OWASP’s Top 10 and ATO

OWASP’s Top 10 is a list of the most common attacks against web applications. ATO would fall under the category of “Injection”, which is the third most common type of attack according to the Top 10. In order to prevent ATO, web developers should make sure to validate and sanitize all user input, as well as use strong authentication methods.

How to protect yourself from ATO attacks

Fortunately, there are steps you can take to protect yourself from an ATO attack:

Account take over protection methods
  • Use a strong password that is difficult to guess.
  • Use two-factor authentication. 
  • Use a secure connection (SSL/TLS) when accessing your account. 
  • Avoid using public Wi-Fi networks.
  • Avoid clicking on links in emails or text messages.
  • Always keep your software up to date.
  • Monitor your account’s activity for unusual activity.

The above list is a great way to protect against an ATO, but most of them are on the user side, and the question that naturally arises is, can the protection begin at a much earlier stage even while DevOps are developing APIs, hence shifting left as much as possible.

The Importance of API Validation for DevOps

API validation is important for DevOps because it can help prevent issues that could arise from incorrect API calls. By validating the API calls, DevOps can ensure that the calls are being made correctly and that the data being returned is correct. This can help avoid potential problems down the road and help keep the development process on track.

This can be done during the API development process by utilizing API validation. API validation is a type of security measure that helps to ensure that only authorized users are able to access an account. It works by requiring users to provide additional information, beyond just a username and password, when they attempt to log in. This additional information is typically something that only the legitimate account owner would know, such as a security question answer or a code that is sent to the account owner’s mobile phone. By requiring this additional information, API validation makes it much more difficult for attackers to take over an account, even if they have the victim’s login credentials.

Business logic is overlooked

Companies are scrambling to shore up their defenses against potential attackers. One area of vulnerability that is often overlooked is business logic. Hackers can exploit vulnerabilities in business logic to gain access to sensitive data or take over entire systems.

Learn more

Not sure what is business logic? click and learn!

In conclusion

While API validation is an effective way to protect against ATO attacks, it is important to note that it is not a perfect solution. There have been cases where attackers have been able to bypass API validation measures by, for example, using malware to intercept the additional information that is being sent to the victim’s device.2 Therefore, it is important to combine API validation with other security measures, such as two-factor authentication, to create a robust defense against ATO attacks.

Touchless API Discovery
Discover all unknown APIs in your organization & reduce cloud costs.
• Powered by BLST Security
Share this article
Subscribe for weekly API Security news