Account Takeover
Alternative Forms
Account Hijacking
ATO (Acronym)
Identity Hijacking
Identity Takeover
Identity Usurpation
Definitions
Definition 1
An Account Takeover is a class of identity theft where a perpetrator takes control of an existing identity of another entity without authorization. A common motivation for account takeover is to earn money by perpetrating fraud.
Examples
Eve found that Alice’s dog was named Bob. To take over her social network account, Eve tried to log in as Alice using “BOB” as a password. But because Alice was using MFA, Eve’s nefarious plan failed miserably, even though “BOB” was the right password.
Related Terms
Account
Credential Theft
Identity Theft
SIM Jacking
True Name Identity Theft
Quotes
The usual technique was to loot whatever customer accounts you could and send the money to compromised accounts at whatever bank was slowest at recovery. Of the £35m lost by UK banks in 2006, over £33m was lost by a single bank. One of its competitors told us that the secret was to spot account takeovers quickly and follow them up aggressively; if money’s sent to a mule’s account, he should find his account frozen before he can walk to Western Union.
(Anderson, 2020, p. 416)
Identity Theft/Account Takeover: Identity theft involves a perpetrator stealing another person’s personal identifying information, such as name or Social Security number, without permission to commit fraud. Account Takeover is when a perpetrator obtains account information to perpetrate fraud on existing accounts.
(FBI and IC3, 2019, p. 26)
- Enable two factor-authentication whenever applicable. Two factor-authentication can prevent account takeover.
- Use strong and unique password for every online service. Re-using the same password in various services is a serious security issue and should be avoided at all times. Using strong and unique credentials in every online service limits the risk of a potential account takeover to the affected service only. The use of a password manager software would make the managing of the whole set of passwords easier.
(ENISA, 2019, p. 45-46)
Identity takeover or identity usurpation: the actor takes over an existing identity of another individual (i.e., the original identity bearer) without this individual’s consent. In most cases, the acquired identity was already established in a certain social structure; authentication therefore already took place or can easily be carried out because the required information already exists.
(Koops and Geradts, 2009, p. 318)
Typically, identity thieves will use the personal information to obtain credit, merchandise, services in the name of the victim, or false credentials for the thief. This can result in such things as ruining the victim’s credit rating, generating false criminal records, and issuing arrest warrants for the wrong individuals. Identity theft is categorized in two ways: true name and account takeover. True name identity theft means the thief uses personal information to open new accounts. The thief might open a new credit card account, establish cellular phone service, or open a new checking account in order to obtain blank checks. Account takeover identity theft means the imposter uses personal information to gain access to the person’s existing accounts. Typically, the thief will change the mailing address on an account and run up a huge bill before the person, whose identity has been stolen, realizes there is a problem. The Internet has made it easier for an identity thief to use the information they’ve stolen because transactions can be made without any personal interaction.
(Harris, 2007, p. 266)
Bibliography
See Also
- Account Takeover (Dictionary)
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.