Account Takeover (ATO) and Warranty Fraud

An Account Takeover (ATO) attack is when a hacker logs in to a user’s account successfully, then proceeds to change the password and the email address to one that they control. And voila, they then ‘own’ the account and all of the data within it until such a time as:

a) The user notices the breach and notifies the vendor, who then shuts down account access
b) The vendor is automatically notified of the ATO by a breach detection app like ThisData, and immediately shuts down account access

ATO attacks rose 112% from 2014 to 2015, and that number is expected to increase year on year. At the same time e-commerce fraud attack rates are up by at least 15% in 2016 over 2015’s total.

What’s changed is that a hacker can either sell a credit card number on the black market for about 22 cents a card, or they can sell account credentials – which give access to sensitive personal data, credit cards, and bank accounts – for $3 per account (source: TrendMicro report, Follow the Data: Dissecting Data Breaches and Debunking Myths). The long-term value of the latter is what’s up for grabs here. And as we also now know, password reuse is commonplace, so acquiring the login credentials for one account can in fact lead to the compromise of many accounts for that same user.

The kind of accounts that are most lucrative to compromise are those with online retailers, financial services, reward programs, mobile games, and other consumer-facing services where credit cards, PayPal or bank accounts are linked and verified. And the real bonus here is it could be a while before the user notices their account has been breached, especially if it’s an older or rarely used account.

Warranty Fraud

In order to outsmart traditional fraud detection, hackers are getting creative with how they can take money, or make money, from your compromised account once they have control. A recent example of this involves account compromise and Warranty Fraud at FitBit. In these cases a hacker compromises a customer account, changes the email to one they own, reports the customer’s FitBit as faulty, has a replacement sent out to a new address, and then it’s the customer’s obligation to send their ‘faulty’ FitBit back to the company. We know that these hackers are not really interested in getting mega fit; they are instead on-selling the devices for a profit.

One FitBit hacker commented:

“There are entire communities based around warranty fraud, and social engineering that I do and hacking,” the person said. “There are periods of time that a company’s warranty procedure is abused by us. … This continues until the company changes their policy.” – from BuzzFeedNews

So Warranty Fraud is effective, but it has a time limit. Once the targeted company catches on and changes their policy or beefs up security, the hackers must move on to a new target.

But wouldn’t it be better if these consumer-facing services caught on well before their customers had to report an account breach? Well, they can; it’s just a matter of whether they choose to make it a priority or not. The solution is simple and it’s what we do here at ThisData. It’s about putting login monitoring in place that checks for malicious activity, blacklisted IP addresses, unknown login locations and devices, and many other behavioral anomalies for users as they log in, without interrupting the login flow.
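To make the monitoring idea concrete, here is an added example (written for this page; it is not ThisData’s code and makes no claim about how their product scores logins). It replays a constructed stream of login and account-change events, compares each login against what the user has done before (known IPs, countries and devices) plus a blocklist, and raises an alert when a password or email change follows a login that scored as risky – the sequence the FitBit warranty-fraud cases above depend on. The signal weights, the challenge threshold, the blocklist entry (an RFC 5737 documentation address) and the sample events are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed blocklist using a documentation-range address (RFC 5737); not real threat intel.
BLOCKLISTED_IPS = {"203.0.113.7"}

# Hypothetical weights per signal and the score at which a login is challenged.
WEIGHTS = {"blocklisted_ip": 50, "new_country": 25, "new_device": 20, "new_ip": 10}
CHALLENGE_THRESHOLD = 40


@dataclass
class Event:
    user: str
    ip: str
    country: str
    device_id: str
    action: str  # "login", "change_password" or "change_email"


@dataclass
class Profile:
    """What we have observed for one user so far (the baseline to compare against)."""
    known_ips: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    last_login_score: int = 0


def login_signals(profile, ev):
    """Anomaly signals for a login, relative to the user's own history."""
    signals = []
    if ev.ip in BLOCKLISTED_IPS:
        signals.append("blocklisted_ip")
    # A user with no history cannot be compared yet: the first trusted login
    # enrols the baseline, so only the blocklist check applies to it.
    if profile.known_devices:
        if ev.country not in profile.known_countries:
            signals.append("new_country")
        if ev.device_id not in profile.known_devices:
            signals.append("new_device")
        if ev.ip not in profile.known_ips:
            signals.append("new_ip")
    return signals


def monitor(events):
    """Process events in order; return one (user, action, decision, signals) per event."""
    profiles = {}
    results = []
    for ev in events:
        p = profiles.setdefault(ev.user, Profile())
        if ev.action == "login":
            signals = login_signals(p, ev)
            score = sum(WEIGHTS[s] for s in signals)
            p.last_login_score = score
            if score >= CHALLENGE_THRESHOLD:
                # Step-up verification before the session is trusted; the flow
                # is not interrupted for logins that look like the user's normal ones.
                decision = "challenge"
            else:
                decision = "allow"
                # Only a trusted login extends the baseline, so an attacker's
                # IP or device is not learned as "known" just by logging in.
                p.known_ips.add(ev.ip)
                p.known_countries.add(ev.country)
                p.known_devices.add(ev.device_id)
        else:
            # A credential change right after a risky login is the ATO pattern:
            # log in, then swap the email/password to lock the real owner out.
            if p.last_login_score >= CHALLENGE_THRESHOLD:
                signals = ["credential_change_after_risky_login"]
                decision = "alert"
            else:
                signals = []
                decision = "allow"
        results.append((ev.user, ev.action, decision, signals))
    return results


# Constructed sample stream: alice's usual device, then a takeover attempt.
SAMPLE_EVENTS = [
    Event("alice", "198.51.100.10", "US", "dev-A", "login"),
    Event("alice", "198.51.100.10", "US", "dev-A", "login"),
    Event("alice", "203.0.113.7", "DE", "dev-Z", "login"),
    Event("alice", "203.0.113.7", "DE", "dev-Z", "change_email"),
    Event("bob", "192.0.2.5", "NZ", "dev-B", "login"),
    Event("bob", "192.0.2.5", "NZ", "dev-B", "change_password"),
]

if __name__ == "__main__":
    for row in monitor(SAMPLE_EVENTS):
        print(row)
```

Two design points worth noting: the baseline is only extended by logins that were allowed, so a challenged login does not teach the system that the attacker’s device is “known”; and the credential-change check keys off the last login’s score rather than the change itself, because an email change from a familiar device is routine while the same change minutes after an unfamiliar-device login is exactly what the post describes.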