Account Takeover (ATO) attacks are on the rise, affecting an estimated 24% of companies globally. In the United States, 22% of the adult population, equivalent to 24 million people, report falling victim to this type of incident. 

It is projected that ATO fraud will result in losses exceeding USD 343 billion globally between 2023 and 2027, according to research from the American Bank. The financial industry is a primary target for fraudsters, with 84% of financial institutions having already faced this digital threat, resulting in losses amounting to 8.3% of their annual revenues, as per the Aberdeen Group's study.

Now, delving into the matter, what exactly is account takeover, and how is this form of fraud evolving?

What is an account takeover attack?

Account takeover (ATO) is a form of fraud in which cybercriminals illicitly access and take control of users' bank accounts to perform unauthorized transactions, transfer funds, or engage in other malicious activities.

To execute this type of crime, fraudsters will typically need to be able to access or fake at least one of these three things:

Username and Password: The most prevalent method for breaching accounts involves using stolen or leaked combinations of usernames and passwords. The risk is heightened by weak or reused passwords, underscoring the importance of users employing robust, distinct passwords for each of their accounts.

Phone Number: This is exploited by fraudsters to gain access to the second factor for authentication (2FA). By compromising the victim's phone, cybercriminals can intercept authentication codes sent via messages, circumventing additional security layers. 

Phones can also be manipulated by fraudsters leveraging accessibility permissions, enabling control of the victim's device through malicious apps that monitor all displayed content and provide access to other installed apps.

Email Account: Email accounts play a pivotal role in account recovery processes. Fraudsters who gain access to victims' emails can reset passwords for various accounts linked to the email address.

Such information is obtained through techniques such as:

  • Social Engineering Attacks: Fraudsters manipulate users to expose data, infect devices with malware, or gain access to restricted systems.
    Phishing or spear-phishing is an example of this type of threat and is the most common in ATO. In these attacks, criminals send messages or emails that appear to be from legitimate sources, such as banks or trusted organizations. These messages often contain links to fake websites/apps created to collect confidential information or to trick the user into installing malware. According to some estimates, more than 3.4 billion malicious emails are sent every day.
  • Brute Force Attack: fraudsters employ a trial-and-error method to uncover login information. Through relentless attempts, they systematically work through all conceivable combinations in the hopes of stumbling upon the correct credentials. They may also use tools to automate the attack.
  • Credential Stuffing: Fraudsters use bots to test combinations of usernames and passwords on various sites. For instance, they might test the credentials of an e-commerce account on a banking account, taking advantage of people often reusing passwords across different platforms. This implies that if one account is compromised, others are also at risk.
  • SIM Swap: Criminals deceive the victim's mobile carrier and convince them to transfer the mobile number to a new SIM card, to which only they have access. This allows them to receive authentication codes and control accounts linked to the victim's phone

Exploring a New and Alarming Tactic: Accessibility Permissions Exploit

As technology advances, the techniques employed by fraudsters to execute account takeover (ATO) attacks evolve into increasingly sophisticated forms. Fraudsters consistently alter their strategies to outwit security systems, posing a constant challenge for detection and prevention.

Beyond the methods mentioned above, there's a new and particularly alarming tactic at play: fraudsters now exploit accessibility permissions for Account Takeover (ATO). Unlike traditional tactics, where fraudsters need access to email accounts, usernames & passwords, or a phone number to execute the fraud, this new approach allows them to gain remote control access to users' devices. Scary, right? Before delving into the details of how this works, let's understand what it is.

Accessibility features are available on Android and iOS operating systems to assist users - such as individuals with disabilities and the elderly - in using their smartphones. The functionalities include screen readers, voice commands, keystroke capturing, and other assistive technologies.

In order to use these services, accessibility permissions must be granted which gives applications full access to the user's device. While enabling accessibility permissions is crucial in this case, users also risk compromising their data. This is because, if used by fraudsters, it can become a tool for malicious activities.

Fraudsters are increasingly abusing this feature to take control of smartphones and commit fraud. When this happens, users become unable to uninstall the app or even restart the device.

Here's how the abuse of accessibility permissions looks like in action:

1. A user installs malware through a phishing link received via email or SMS, disguised as a legitimate app.

2. The malicious app initiates push notifications, urging the user to grant accessibility permission.

3. The user grants permission, enabling the fraudster to take control of the device (monitoring everything on the screen, keystrokes, and all installed apps).

4. The cybercriminal accesses the list of installed apps, collecting data the user types or displays (login credentials, passwords, credit card numbers), and intercepts authentication codes.

5. Armed with this information, the fraudster infiltrates the victim's bank account, conducting fraudulent transactions and pilfering funds.

Throughout the attack, the malware exploits accessibility services to:

  • Spy on user activity
  • Prevent the removal of the malicious app, whether from the home page or settings
  • Evade suspension or shutdown of the process

Impact of Bank Account Takeover Attacks (ATO) 

In the world of digital banks, where all transactions happen online, account takeover (ATO) fraud is a big issue.

Here are the main impacts of this type of fraud:

Financial Losses: Account takeovers result in financial losses for both financial institutions and the customers whose accounts have been compromised.

Data Breach: A successful ATO often entails the breach of the user's confidential information. This may include login credentials, personal details, and financial data. The exposure of such information can lead to severe consequences for the affected individuals and erode trust in digital banking services.

Identity Theft: By gaining control of a user's account, fraudsters can impersonate the account holder, allowing them to commit various other identity-related crimes, such as applying for loans, credit cards, and other financial frauds in the victim's name.

User Trust Erosion: Customers expect their financial institutions to deliver reliable services, ensuring the security of their data and money. An account takeover incident can fracture trust and prompt users to close their accounts and migrate to competitors.

How to prevent ATO and ensure the security of users’ accounts?

Protecting your banking app and your customers' accounts from account takeover fraud is crucial, and this involves implementing fraud prevention software with a proactive approach to the constant and evolving problem.

SHIELD’s device-first risk intelligence solution is powered by cutting-edge device fingerprinting and the latest in AI & machine learning algorithms. It identifies fraud at its root and analyzes thousands of devices, network, and behavioral data points to provide actionable insights in real time. Our technology enables the detection of account takeover attempts through the combination of features:

SHIELD Device ID

Identifies each physical device used to access your banking application. It is extremely accurate and persistent, detecting when a fraudster attempts to mask the device fingerprint or reset the device to appear as new.

Our proprietary device fingerprinting technology is key to detecting and eliminating account takeover attacks. It flags suspicious devices and configurations that indicate someone is attempting to forge a device to access an account.

SHIELD Risk Intelligence

We continuously profile each device session, returning real-time risk signals to provide a comprehensive picture of user activity in your ecosystem. This involves detecting abuse of accessibility permissions and precisely identifying when a good user suddenly displays signs of fraudulent behavior. The tools utilized for such activities  can include autoclickers, screen sharing, and emulators — clear indicators of an accessibility permissions exploit.

We enrich your data models with accurate device signals that identify the use of malicious tools and techniques employed in account takeover (ATO) attacks, such as emulators, app cloners, virtual OS, GPS spoofers, among others.

Our technology also ensures that your platform stays ahead of fraudsters with our Global Intelligence Network: a continuously updated library containing all fraud patterns we have encountered, as well as the latest malicious techniques. With over 7 billion devices and more than 1 billion user accounts analyzed worldwide, we leverage this intelligence to synchronize real-time attack patterns, ensuring a proactive approach to fraud prevention.

Bank Account Takeover Fraud