Skip to end of banner
Go to start of banner

Account Takeover

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 20 Next »

Account Takeover

Addendum

  • Correct the conceptual diagram to expressly mention that it is without authorization

Alternative Forms

  • Account Hijacking

  • ATO Acronym

  • Identity Hijacking

  • Identity Takeover

  • Identity Usurpation

Definitions

Definition 1

An Account Takeover is a class of identity theft that consists for a perpetrator to take control of an existing identity of another entity without authorization. A common motivation for account takeover is to earn money by perpetrating fraud.

Conceptual Diagram

Examples

  • Eve found that Alice’s dog was named Bob. To takeover her social network account, Eve tried to login as Alice using “BOB” as a password. But because Alice was using MFA, Eve’s nefarious plan failed miserably, even though “BOB” was the right password.

Related Terms

  • Account

  • Credential Theft

  • Identity Theft

  • SIM Jacking

  • True Name Identity Theft

Quotes

The usual technique was to loot whatever customer accounts you could and send the money to compromised accounts at whatever bank was slowest at recovery. Of the £35m lost by UK banks in 2006, over £33m was lost by a single bank. One of its competitors told us that the secret was to spot account takeovers quickly and follow them up aggressively; if money’s sent to a mule’s account, he should find his account frozen before he can walk to Western Union.

(Anderson, 2020, p. 416)

Identity Theft/Account Takeover: Identify theft involves a perpetrator stealing another person’s personal identifying information, such as name or Social Security number, without permission to commit fraud. Account Takeover is when a perpetrator obtains account information to perpetrate fraud on existing accounts.

(FBI and IC3, 2019, p. 26)

- Enable two factor-authentication whenever applicable. Two factor-authentication can prevent account takeover.
- Use strong and unique password for every online service. Re-using the same password in various services is a serious security issue and should be avoided at all times. Using strong and unique credentials in every online service limits the risk of a potential account takeover to the affected service only. The use of a password manager software would make the managing of the whole set of passwords easier.

(ENISA, 2019, p. 45-46)

Identity takeover or identity usurpation: the actor takes over an existing identity of another individual (i.e., the original identity bearer) without this individual’s consent. In most cases, the acquired identity was already established in a certain social structure; authentication therefore already took place or can easily be carried out because the required information already exists.

(Koops and Geradts, 2009, p. 318)

Typically, identity thieves will use the personal information to obtain credit, merchandise, services in the name of the victim, or false credentials for the thief. This can result in such things as ruining the victim’s credit rating, generating false criminal records, and issuing arrest warrants for the wrong individuals. Identity theft is categorized in two ways: true name and account takeover. True name identity theft means the thief uses personal information to open new accounts. The thief might open a new credit card account, establish cellular phone service, or open a new checking account in order to obtain blank checks. Account takeover identity theft means the imposter uses personal information to gain access to the person’s existing accounts. Typically, the thief will change the mailing address on an account and run up a huge bill before the person, whose identity has been stolen, realizes there is a problem. The Internet has made it easier for an identity thief to use the information they’ve stolen because transactions can be made without any personal interaction.

(Harris, 2007, p. 266)

Bibliography

See Also

  • No labels