What is an ATO Attack?

Account takeover (ATO) attacks are on the rise, leaving individuals and businesses at risk for financial loss and reputational damage. These attacks involve breaches of login credentials—typically for online accounts or cloud platforms. For instance, at the individual level, ATO attacks on personal accounts may result in end users realizing a hacker has compromised their bank or Amazon account. However, ATO attacks in a business setting are potentially more devastating in scope.

Given the possibility of serious consequences following ATO attacks, managed services providers (MSPs) should understand how password security relates to ATO attacks in order to help their customers avoid falling victim to fraudulent activity.

What Is an Account Takeover Attack?

Account takeover attacks are essentially a form of identity theft. Identify theft involves stealing and utilizing personally identifiable identification (PII) like a driver’s license number or Social Security number to pose as someone else. An ATO attack is a form of identity theft in which the hacker uses stolen PII to gain access to an online account, such as an e-commerce, bank, or email account.

This type of account takeover is hard to detect and usually leads to fraudulent transactions on the stolen account. An ATO attack can result in expenses or other damages for the person whose sensitive information was stolen. Hackers may use compromised accounts to transfer money, make purchases, or lift data to use for other purposes. If this happens in a business context, it can impact productivity and company security. ATO attacks can easily damage company reputation—especially if a breach is widespread.

What Are the Steps of an ATO Attack?

An ATO attack typically includes the following steps:

  • Data Breach: A data breach may occur due to vulnerabilities in a system, network, or website. During the breach, hackers may gain access to information like usernames, emails, passwords, or account security questions and answers.
  • Credential Cracking: Credential cracking or stuffing is the process by which perpetrators attempt to discover and use complete login credentials, typically through automated bots. Hackers might guess passwords, use a word list method, or just utilize brute force through bots. These actions may result in a sudden uptick in invalid login attempts—a potential sign that hackers are attempting to access an account.
  • Financial Transaction: Hackers who steal usernames and passwords might not actually use them for an ATO attack—they may instead sell this sensitive data on the dark web for more specialized ATO hackers to purchase and utilize.
  • Fraudulent Account Usage: When a hacker does decide to perform fraudulent actions on an account, those actions may take several forms. For instance, the bad actor may steal further sensitive data, like addresses. They might steal funds outright. For e-commerce sites, they may take advantage of a user’s credit or rewards. If they access your email, they may use your account to send out spam or phishing emails. In many of these cases, the damage goes undetected until well after the fact.

Is My Password Secure from ATO Attacks?

Many victims of identity theft may not even be aware their data has been stolen. Your username, email, or password may already have been part of a data breach. While there are online tools available that help you check whether your information exists on the dark web, the best defense against ATO attacks is smart prevention.

There are a few security and password best practices that end users and companies alike should consider for preventing an ATO attack. These precautions help ensure customer information is as protected as possible.

Set Password Requirements: You don’t necessarily need to use a strong password generator, but companies should require strong passwords, as outlined by the latest guidelines from the National Institute of Standards and Technology (NIST). These password requirements include:  

  • Require at least eight characters, but not necessarily any special characters.
  • Restrict sequences or repetitions.
  • Avoid context-specific words and common passwords.
  • Remember—there isn’t necessarily a need to utilize a mix of upper and lower case letters plus special characters.
  • Importantly, require screening of new passwords against lists of compromised passwords.

Consider Strong Password Examples: For end users, it may help to see strong password ideas that illustrate some of the above principles. For instance, avoid using only English words or word patterns, like “ILoveCats.” Bots can test “dictionary” words very quickly—especially commonly used words, like “password.” However, it can be useful to include numbers or add additional words for a higher character count. 

Apply Updates: A failure to update and patch software or websites can lead to vulnerabilities hackers are eager to exploit. Make sure to update antivirus software as well.

Use Multi-Factor Solutions: A two-factor or multi-factor authentication solution—which may require an email or text confirmation to confirm a user’s identity—is more secure than a traditional login.  

Set Security Rules: Certain security rules and measures can help protect against hackers. Try only allowing a fixed number of login attempts, permanently blocking IP addresses that are known to be malicious, and ensuring sufficient firewall protection. A tool like CAPTCHA can help prevent against automatic bot logins.

Implement a Password Management Tool: Using a password management tool is an excellent way to ensure a high level of security. A password tool can support authentication features, quick password reset capabilities, auditing, and credential injection (the process of applying credentials without revealing the plaintext).

Implementing Password Protection

If you’re an MSP looking to offer password protection to your customers, start with N‑able® Passportal. Passportal is built for MSPs who want to provide their customers with password management that adheres to best practices and compliance requirements.

With Passportal, MSPs can easily set password requirements and ensure customers are able to change their passwords quickly in the event of an ATO attack. The tool also offers an automatic strong password generator to help protect against credential hacking and prevent ATO attacks. If you’re looking for a way to protect clients against all too common account takeovers, start with a demo of N‑able Passportal.

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.

If this issue persists, please visit our Contact Sales page for local phone numbers.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site