What Counts as ATO These Days?


Preventing account takeover (ATO), alongside online identity proofing, is one of the two main coverage areas that I have here at Gartner. Over the many hundreds of inquiry calls that I've taken with Gartner clients on the topic, I've seen that the scope of what clients consider to be ATO has broadened. Once upon a time, ATO was thought of fairly narrowly: it took place when an attacker obtained your credentials and then logged into your account without your knowledge. That still happens, of course, and is perhaps still the largest attack vector. There are so many ways to obtain credentials: breaking in and stealing from a honey pot of credentials; buying them online from someone else who has done just that; setting up a phishing site and tricking users into trying to log into it; putting malware on a user's device to search for files containing passwords; putting malware on a user's device to log their keystrokes when they log in somewhere; calling a user and socially engineering them into revealing their credentials; shoulder surfing; and probably many more attack vectors that don't spring to mind right now.

However, ATO in this day and age can take place even if the attacker hasn't obtained your credentials. Three examples:

- An attacker could gain control of a device, physically or virtually, that has an open authenticated session with the targeted service. Or they could obtain the authentication cookie that would allow them to continue the open authenticated session on their own device.
- An attacker could trick or coerce you into logging into your own account and carrying out the actions that they desire - actions that are almost certainly in the attacker's interests and not in the genuine user's interests. The best-known example of this is 'authorized push payment' fraud in the banking sector.
- An attacker could abuse the account recovery process - pretend to be the genuine user locked out of their account, and reset the password so that they can access the account. Since most account recovery processes in the B2C space rely on sending a password reset email, the account recovery process is only as secure as access to that email account. How many users have MFA enabled on their personal email account...?

The examples above really illustrate how thinking about ATO has evolved. Gartner now views ATO as an attacker benefiting from actions performed on your account - and that could be by the attacker logging on with your credentials, resetting the credentials to ones of their choosing, taking advantage of an open authenticated session, or tricking the user into doing their bidding. The attack vectors may vary, but the outcome is the same - the attacker benefits to the detriment of the genuine user.

In our latest research, How to Mitigate Account Takeover Risks, we expand on the definition above and describe the 'ATO prevention stack' that you need in order to try to stop the attackers. If you're a Gartner client, take a look and schedule an inquiry call with me to discuss further.

Summary: The scope of ATO attacks has broadened. Attackers can obtain credentials in many ways, and ATO is now possible even without credentials. Gartner proposes an ATO prevention stack to stop attackers.
