Customer Account Takeover Detection and Response (2024)

By Stuart Keener, Cox Communications; Jacob Prosser, Cox Communications

Account takeover is a form of identity theft where a threat actor gains unauthorized access to online accounts using stolen credentials. As of 2023, 29% of American adults had experienced a form of account takeover [1].

Account takeover affects business and personal accounts, causing different types of harm and requiring different methods for detection, containment, and response. A business account is issued by a company for use by employees, contractors, or business partners when conducting business activities, such as administering servers or selling products. The business account is terminated when its assignee is no longer associated with the business. Personal accounts are registered by a customer to be used for personal activities such as purchasing or utilizing a company’s products or services. Credential reuse, which occurs when the same username and password are used across multiple companies’ systems, is common because it does not require the account holder to remember multiple passwords.

This paper focuses on Customer Account Takeover (CATO), where a personal account used by a customer when interacting digitally with a business is taken over by a threat actor. The business can take actions to protect the customer’s account by identifying suspicious activity through ingestion of multiple signals, reliance on predefined baselines, and user behavior analysis to determine if a customer’s account is compromised. Methods to respond to a customer account takeover will also be explored, with considerations based on the business’ industry.
