Account Takeover
What Is Account Takeover? Definition and How It Works
Definition
Account takeover (ATO) is a fraud attack in which an unauthorised party gains access to a legitimate customer account by stealing or guessing credentials, then uses that access to make fraudulent payments or extract stored payment credentials.
How it works
Account takeover attacks typically begin outside the payment system. Attackers obtain credentials through phishing, credential stuffing (using username/password pairs leaked from other data breaches), brute force attacks on login endpoints, or social engineering. Once they have working credentials, they access the account and either transact directly with stored payment methods or extract card data and session tokens for use elsewhere.
From a payment perspective, ATO fraud presents as legitimate-looking transactions: the payment method is one the cardholder previously used, the shipping address may initially match historical orders before being changed, and the session originates from an authenticated account. Standard card-level fraud signals are less effective because the card itself is not stolen.
Behavioural signals in transaction data are the primary ATO detection layer in payments: account access from an unusual device or location, a password change shortly before a high-value transaction, a shipping address update preceding an order, or a change in purchase pattern (product category, order size, or velocity) all signal potential account compromise.
Device fingerprinting and step-up authentication are the main mitigations. When account activity deviates from established behavioural patterns (a new device, an unusual IP, changed profile fields), risk-based authentication challenges the user with a step-up (OTP, biometric, or email confirmation) before allowing high-value transactions.
Why it matters
ATO fraud bypasses card-level controls: because the attacker is using a legitimate account with authenticated payment credentials, fraud scoring based purely on card signals misses ATO. Account-level behavioural signals and device consistency checks are required.
Stored credential exposure amplifies losses: accounts with multiple stored payment methods, loyalty points, or store credit give ATO attackers multiple vectors for financial extraction. The value exposed is higher than a single stolen card number.
Chargeback costs are borne by the merchant: chargebacks from ATO fraud that result in unauthorised purchases are typically classified as fraud chargebacks, and liability falls on the merchant unless 3DS authentication was completed. Merchants with no step-up authentication on high-risk account actions have elevated exposure.
Customer password hygiene is outside merchant control but affects merchant risk, and the authentication strength a merchant offers shapes its exposure: merchants who enforce strong passwords, support passkeys or MFA, and monitor login anomalies reduce their exposure to ATO significantly compared to those relying on email-plus-password authentication only.
With PXP
PXP's risk engine evaluates account-level behavioural signals alongside transaction-level signals, including device consistency, login pattern deviation, and account change events preceding transactions. Merchants can configure step-up authentication triggers for high-risk account actions through PXP's risk rules interface.
Frequently asked questions
What's the difference between account takeover and card fraud?
Card fraud involves the unauthorised use of card credentials, typically a stolen card number. Account takeover involves unauthorised access to a legitimate user account, which may include multiple stored payment methods, loyalty balances, and personal data. ATO fraud presents as authenticated account activity, making it harder to detect with card-level fraud signals alone.
What are the most reliable signals for detecting account takeover in payment data?
The highest-signal indicators are: login from an unrecognised device or IP shortly before a transaction; a password or email change in the session window preceding a purchase; a shipping address change immediately before an order; and a purchase pattern that deviates significantly from account history in product category, value, or velocity. No single signal is definitive; combinations matter.
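The signal combination described above and in the "How it works" section, as an added example that is not PXP's code or rules: the risk engine, event names, weights and thresholds are assumptions chosen to show how several weak account-level signals in the window before a purchase add up to a step-up decision while any one of them alone does not.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed example: combine account-level ATO signals observed in the session window
# before a purchase into one step-up decision. Weights and thresholds are assumptions.
WEIGHTS = {
    "new_device": 25, "unusual_location": 20, "password_change": 30,
    "email_change": 30, "address_change": 25, "unusual_category": 15,
    "value_deviation": 20,
}
STEP_UP_THRESHOLD = 50  # at or above this, challenge with OTP/biometric before the payment

@dataclass
class Profile:
    known_devices: set
    known_countries: set
    usual_categories: set
    median_order_value: float

@dataclass
class Event:
    kind: str  # login | password_change | email_change | address_change | purchase
    at: datetime
    device: str = ""
    country: str = ""
    category: str = ""
    value: float = 0.0

def session_signals(profile, events, window=timedelta(hours=24)):
    """Names of the ATO signals seen in the window before the most recent purchase."""
    purchase = max((e for e in events if e.kind == "purchase"), key=lambda e: e.at)
    recent = [e for e in events if purchase.at - window <= e.at <= purchase.at]
    signals = set()
    for e in recent:
        if e.kind == "login":
            if e.device not in profile.known_devices:
                signals.add("new_device")
            if e.country not in profile.known_countries:
                signals.add("unusual_location")
        elif e.kind in ("password_change", "email_change", "address_change"):
            signals.add(e.kind)  # profile change shortly before a purchase
    if purchase.category not in profile.usual_categories:
        signals.add("unusual_category")
    if purchase.value > 3 * profile.median_order_value:  # assumed deviation rule
        signals.add("value_deviation")
    return signals

def decide(signals):
    """No single signal is decisive: score the combination and step up above the threshold."""
    score = sum(WEIGHTS[s] for s in signals)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), score
```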
How does credential stuffing enable account takeover at scale?
Credential stuffing uses automated tools to test username/password pairs leaked from other data breaches against a target site's login endpoint. Because many users reuse passwords across sites, a fraction of leaked credentials from breach A will work on site B. Attackers run millions of login attempts and harvest successful ones for ATO exploitation. Rate limiting on login endpoints and MFA are the primary defences.
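Detecting the pattern described above in a merchant's own login logs, as an added example that is not PXP's code: the log format, thresholds and the 203.0.113.x / 198.51.100.x addresses are constructed assumptions. A stuffing source is distinguished from a customer retrying their own password by volume, by how many different accounts it tries, and by its failure rate; accounts that did succeed from such a source are the ones to force back through step-up and a password reset.

```python
from collections import defaultdict
# Constructed sample auth log (assumed format: "timestamp source_ip username outcome").
# One source cycles through many different usernames and mostly fails: credential stuffing.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 alice fail
2024-05-01T10:00:05Z 198.51.100.7 alice ok
2024-05-01T10:00:02Z 203.0.113.5 u1001 fail
2024-05-01T10:00:02Z 203.0.113.5 u1002 fail
2024-05-01T10:00:03Z 203.0.113.5 u1003 fail
2024-05-01T10:00:03Z 203.0.113.5 u1004 ok
2024-05-01T10:00:04Z 203.0.113.5 u1005 fail
2024-05-01T10:00:04Z 203.0.113.5 u1006 fail
2024-05-01T10:00:05Z 203.0.113.5 u1007 fail
2024-05-01T10:00:05Z 203.0.113.5 u1008 ok
"""
# Illustrative thresholds (assumptions): a source is flagged only when all three hold.
MIN_ATTEMPTS = 8          # volume that points to automation rather than a person
MIN_DISTINCT_RATIO = 0.8  # nearly every attempt targets a different account
MIN_FAILURE_RATE = 0.6    # most leaked pairs no longer work on this site

def parse(log_text):
    """Yield (ip, username, outcome) tuples from the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            _, ip, user, outcome = line.split()
            yield ip, user, outcome

def detect_stuffing(log_text):
    """Return per-source stats for sources whose login pattern matches credential stuffing."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ok": set()})
    for ip, user, outcome in parse(log_text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "fail":
            s["failures"] += 1
        else:
            s["ok"].add(user)  # a success from a stuffing source is a compromised account
    flagged = {}
    for ip, s in stats.items():
        n = s["attempts"]
        if (n >= MIN_ATTEMPTS and len(s["users"]) / n >= MIN_DISTINCT_RATIO
                and s["failures"] / n >= MIN_FAILURE_RATE):
            flagged[ip] = {"attempts": n, "failures": s["failures"],
                           "distinct_users": len(s["users"]), "harvested": sorted(s["ok"])}
    return flagged

def accounts_to_step_up(log_text):
    """Accounts that authenticated from a flagged source: force re-auth and a password reset."""
    return sorted(u for v in detect_stuffing(log_text).values() for u in v["harvested"])
```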
Does 3DS protect merchants from ATO fraud chargebacks?
3DS shifts fraud chargeback liability to the issuer if authentication is successfully completed. However, in ATO scenarios where the attacker uses a real account with stored credentials, they may bypass 3DS via a stored credential (merchant-initiated transaction, MIT) flow that does not require authentication. Step-up authentication at the account level, before the transaction reaches payment, is the relevant control, not 3DS at the payment level.