What Every Retailer Should Do to Stop Account Takeover Attacks

According to a recent report from the Identity Theft Resource Center, there was a 68% increase in data breaches in 2021 compared to 2020, making last year the one with the highest number of data breaches ever reported. Given that much of this compromised data will include email and password combinations, cybercriminals have been handed even more assets to perform Account Takeover (ATO) attacks.

ATOs occur when a cybercriminal steals login credentials to carry out identity theft and fraud. Attackers typically buy a list of credentials on the dark web and launch an army of bots across popular websites to test username and password combinations in login attempts.

Once the bot has identified validated credentials, the attacker will then access online accounts to steal personal or financial information, withdraw money, cash in on loyalty points, open new lines of credit, make purchases or resell the validated credentials to other attackers for further exploitation.

With 65% of people using the same password or a variation across multiple accounts, cybercriminals can often use a validated set of credentials to access other sites. This means once attackers have identified a valid combination, they can scale their efforts, targeting further sites and bringing in even more illegal income.

ATOs were traditionally more focused on financial services organizations, but as more people have turned to online shopping throughout the pandemic, this has put retailers firmly at the top of the hackers’ hit list.

A Rise in Retailer ATO Attacks

In the last two years, ATO fraud has significantly increased as a result of discounts for stolen user data on the dark web and cheap bots for hire. This has spurred a major increase in attacks targeting retailers, with research from PerimeterX revealing that during the last seven months of 2020, on average, over 75% of all ecommerce site login attempts were ATOs. To put this figure into perspective, during Cyber 5 2021, PerimeterX prevented more than $1.5 billion in attempted fraudulent purchases, which demonstrates just how much money organizations stand to lose from ATO attacks.

Today, through the proliferation of bots-for-hire services, ATO attacks have never been easier or cheaper to carry out. Rather than manually checking sites for valid user credentials, attackers deploy bots to automate the process — resulting in a much faster success rate. This also makes ATOs much harder to detect because bots will often mimic user behavior. If a retailer is suspicious of traffic activity and suspects a bot, without the proper tools this could result in blocking genuine traffic or a negative customer experience.

These attacks present a major threat to retailers and consumers, with research also revealing that 22% (24 million households) of U.S. adults have been victims of account takeovers. Retailers also stand to lose billions to chargebacks or lost merchandise, as well as significant brand damage from negative media publicity and criticism from customers who experience identity fraud as a result of ATOs.

Given the risks of ATOs, it is paramount that retailers disrupt the web attack lifecycle, which describes the cyclical and continuous nature of cyberattacks involving the theft, validation and fraudulent use of identity and account information. Protecting users’ account and identity information everywhere along their digital journey is absolutely critical.

To protect and mitigate ATOs, here are some steps to consider:

1. See yourself as a target.

All too often retailers do not see themselves as a target, but this puts them at greater risk. Never think you are too small or too unknown to get hit by attackers, because this makes you more vulnerable. Instead see yourself as a target, prepare for attacks and never let your security guard down.

2. Deploy firewalls (WAFs or ADCs).

Firewalls will allow retailers to block incoming traffic to specific ports and also allow them to add signatures for specific types of attacks or exploits. Putting a Web Application Firewall (WAF) in front of your application is table stakes. Oftentimes, WAFs are included in Application Delivery Controllers (ADCs). All major cloud providers offer WAFs and ADCs as a service.

3. Threat intelligence platform and subscription.

Having a firewall deployed is not enough on its own because attacks are ever changing, so having an active threat intelligence platform and live threat feed allows retailers to keep pace with attackers’ ever-evolving techniques.

4. Volumetric traffic detection and analysis.

This method allows web security teams to profile their web traffic and spot spikes that could be caused by bots. If usage increases during what are normally off hours, this could be a signal indicating an ATO attack. Likewise, abrupt changes in purchasing behavior, transfers of loyalty points or mass password resets are all triggers that should kick off deeper forensics and stricter challenges for questionable requests and users.
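As an added illustration of the volumetric analysis described above (example code, not part of the original article or any PerimeterX product), the script below buckets a constructed login log by hour, compares each hour against an assumed baseline, and flags off-hours spikes, mass password resets, and a single source cycling through many usernames with a high failure rate. The log format, baselines and thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed log line format for this example: "<ISO timestamp> <event> <user> <source ip>"
LINE_RE = re.compile(r"^(\S+T(\d{2}):\S+Z) (LOGIN_OK|LOGIN_FAIL|PW_RESET) (\S+) (\S+)$")

# Constructed sample: light daytime traffic, then an off-hours burst from one source
# that cycles through many usernames, mostly fails, and is followed by a reset wave.
SAMPLE_LOG = "\n".join(
    [f"2021-11-26T14:0{i}:00Z LOGIN_OK user{i}@example.test 198.51.100.{i}" for i in range(6)]
    + [f"2021-11-26T03:00:{i:02d}Z LOGIN_FAIL victim{i}@example.test 203.0.113.10" for i in range(40)]
    + ["2021-11-26T03:00:41Z LOGIN_OK victim7@example.test 203.0.113.10"]
    + [f"2021-11-26T03:01:{i:02d}Z PW_RESET victim{i}@example.test 203.0.113.10" for i in range(12)]
)

# Assumed hourly baselines; a real deployment derives these from historical traffic.
LOGIN_BASELINE = {h: (200 if 8 <= h <= 22 else 5) for h in range(24)}
RESET_BASELINE = 3

def parse(log):
    """Yield (timestamp, hour, event, user, ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, hour, event, user, ip = m.groups()
            yield ts, int(hour), event, user, ip

def analyze(log, spike_factor=3, min_users=20, min_fail_ratio=0.8):
    """Return findings: volume spikes vs. baseline, mass resets, and per-source stuffing."""
    per_hour = defaultdict(list)
    for rec in parse(log):
        per_hour[rec[1]].append(rec)
    findings = []
    for hour, recs in sorted(per_hour.items()):
        logins = [r for r in recs if r[2].startswith("LOGIN_")]
        if len(logins) > spike_factor * LOGIN_BASELINE[hour]:
            findings.append(("volume_spike", hour, len(logins)))
        resets = sum(1 for r in recs if r[2] == "PW_RESET")
        if resets > spike_factor * RESET_BASELINE:
            findings.append(("mass_password_reset", hour, resets))
        by_ip = defaultdict(list)
        for r in logins:
            by_ip[r[4]].append(r)
        for ip, rs in by_ip.items():
            users = {r[3] for r in rs}
            fails = sum(1 for r in rs if r[2] == "LOGIN_FAIL")
            # Many distinct accounts plus a high failure rate from one source is the stuffing pattern.
            if len(users) >= min_users and fails / len(rs) >= min_fail_ratio:
                findings.append(("credential_stuffing", ip, hour, len(users)))
    return findings
```

Each finding is a trigger for the deeper forensics and stricter challenges the step describes, not an automatic block, so genuine customers caught in a busy hour are not turned away.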

5. Machine learning pattern recognition and behavioral analysis.

The most advanced security tools retailers can deploy to stop ATOs use machine learning to distinguish bots from genuine user activity. These solutions identify the most sophisticated bot techniques and block automated web attacks. Using machine learning models together with behavior-based and predictive analytics, they have the sensitivity to see patterns in the traffic and can swiftly detect and mitigate modern ATO attacks. This should be a priority for all retailers that are concerned about ATOs.

As more households turn to the digital world as their primary method to interact with brands and buy products, cybersecurity must become inherent within ecommerce websites. ATO attacks offer cybercriminals a double-edged sword where they can cause damage and steal money from both the customer and the retailer. Protecting against these attacks by disrupting the web attack lifecycle and implementing the right solutions must be a top priority for all ecommerce sites today.

Tony Klor is a Security Evangelist at PerimeterX, a leading provider of solutions that detect and stop the abuse of identity and account information on the web. Prior to joining PerimeterX, he held positions at TypingDNA and mobile analytics firm Appsee, which was later acquired by ServiceNow. Klor holds a bachelor’s degree in business management, with a focus on entrepreneurship, from the University of South Carolina.
