      Account takeover: what it is and how fintechs can stop it

      Account takeover—where fraudsters use stolen credentials to seize control of financial accounts in an attempt to steal money—is a growing threat. Here’s what fintechs and consumers can do to prevent it.

      March 28, 2023

      Tom Sullivan

      Tom is a fintech industry writer who creates whitepapers and articles for Plaid. His work has been featured in publications like Forbes, Fortune, and Inc. He's passionate about the freedom that the union between financial services and technology can create.

      Table of Contents
      • What is credential stuffing? How account takeover starts
      • What is account takeover? How fraudsters use stolen credentials
      • Why account takeover fraud is so prevalent
      • New account fraud vs account takeover fraud
      • Account takeover works because of password reuse
      • How to prevent account takeover fraud

      As financial technology expands, so do the kinds of fraud that target it. One of them, account takeover fraud, threatens any company that touches or holds customer money. Fintechs are especially exposed and should be doing everything in their power to protect their customers from this growing threat. 

      In the first 90 days of 2022, Okta reported that 23% of signup attempts for all companies using their platform were fraudulent. Financial services companies were among the most attacked, with 64.8% of registration attempts reported as fraudulent. 

      This prevalence is due, in part, to the high number of usernames and passwords (credentials) that have been exposed in data breaches over the years. These breaches have produced vast databases of compromised credentials that fraudsters use in an attempt to gain unauthorized access to protected accounts en masse. 

      In this article, we’ll look closely at how account takeover fraud is threatening fintech companies, and what they can do to prevent it.


      What is credential stuffing? How account takeover starts

      Credential stuffing happens when fraudsters attempt to log in to multiple users’ accounts with credentials stolen from a data breach. Attackers will use exposed credentials repeatedly over a multitude of accounts in hopes of finding one that works. Online banking accounts and fintech platforms that hold money are frequently the targets. 

      Fraudsters who employ this method don’t only use the credentials to log in to the account from which the data was stolen. They assume (often correctly) that these credentials have been re-used across multiple accounts. A leaked username and password combination from an online gaming service, for example, might be tried on dozens of crypto trading apps to see if it works there, as well. 

      This is not done manually. Fraudsters program bots to submit stolen usernames and passwords into various financial account login screens, allowing them to carry out credential-stuffing attacks at scale.

      Fintech accounts are likely to be targeted in these attacks, as bad actors follow the money. This makes it doubly important for companies to do everything they can to prevent fraudulent logins while communicating their efforts to keep customers’ funds safe. 

      What is account takeover? How fraudsters use stolen credentials

      Account takeover is when a bad actor uses stolen credentials to take over a user’s account, most often after finding them through credential stuffing. The account takeover cycle typically has three stages:

      1. Compromise: This is when bad actors gain access to credentials. Compromise most often happens from data breaches where usernames, passwords, and other personal information are exposed. 

      2. Validation: Compromised credentials can be used by fraudsters to log in to various accounts, most often through credential stuffing bots. When a match is found, the stolen credentials are validated. While a fintech company might succeed in blocking the takeover through two-factor authentication (2FA), the fraudster still knows the credentials are valid and can try to use them elsewhere. 

      3. Exploitation: If a fraudster succeeds in taking over an account using validated credentials, they will then try to exploit the account by moving money or committing some other type of financial crime. A second factor is effective here because a validated password alone is no longer enough to log in, so it blocks takeover and exploitation even after validation.

      While fintech companies can’t prevent compromise (the breach happens somewhere else), they can take steps to prevent validation and exploitation. For example, using Plaid for account connection is designed to stop stolen credentials from being validated and linked to third-party applications by bad actors. Plaid works to prevent fraudsters from using its network to take over compromised accounts through the internal defensive services built into Plaid Link. Check out our safety page to learn more about how Plaid keeps consumers safe.

      Why account takeover fraud is so prevalent

      Account takeover fraud has become increasingly popular with hackers in recent years due to the multitude of stolen credentials available from numerous data breaches. In 2022 alone, there were a total of 1,802 compromises with over 422 million victims affected. 

      • 1,802 data breach compromises in 2022 alone
      • 422 million victims affected by data breaches in 2022
      • 65% of people re-use the same password for some or all accounts

      Source: Identity Theft Resource Center, Google Survey

      While only a tiny percentage of credential-stuffing login attempts succeed, the billions of leaked login credentials available from stolen databases make it a worthwhile endeavor for fraudsters nonetheless. At that volume, pointing bots at login forms to ‘see what sticks’ pays off even at a success rate well under one percent. 

      Fintechs should assume their customers’ credentials have at some point been stolen from a data breach and are likely to have been reused (more on that below). They should also take every available precaution to prevent stolen credentials from being used on their apps.

      New account fraud vs account takeover fraud

      Account takeover fraud is just one of the ways stolen credentials are used. Fraudsters can also use personally identifiable information such as social security numbers, names, phone numbers, and addresses to create fake financial accounts or apply for loans. Once they get past a financial company’s KYC processes, they’ll most likely either open up a line of credit and max it out or use the account to move money that was gained as the result of a crime.

      This kind of identity theft can be devastating for the customer, who is left with a nightmare scenario in which their credit is potentially destroyed. Financial service providers, however, are the ones who will be left footing the bill, as those maxed-out credit lines will never get repaid. 

      Using a digital identity verification tool is the most effective way to prevent new account fraud. These tools use several data checks to determine if a user really is who they claim. However, a verification that’s overly disruptive to the normal account onboarding process can cause some users to abandon the process altogether. That’s why it’s important to choose a robust, yet seamless tool that can verify identity with high accuracy but low friction. 

      → Want to reduce fraud during new customer onboarding without sacrificing conversion rates? Plaid Identity Verification is the lowest friction identity verification experience available.

      Account takeover works because of password reuse

      A Google survey found that 52% of people re-use their passwords for multiple accounts while 13% re-use their passwords for all accounts. Password reuse gives credential-stuffing attackers a better chance of success when using stolen credentials to log in to various financial accounts—another reason it’s become so widespread. 

      At the same time, bots are getting more advanced. Most companies rate-limit logins: application logic blocks a device, session, or IP address that attempts to log in to many different accounts in a short period, because that pattern is indicative of abuse. Fraudsters skirt this by spoofing device fingerprints and session details and by spreading their traffic across proxy networks, so that each IP address and device type makes only a few attempts and the traffic mimics real users. 

      Companies suffering an advanced attack like this might not know it, as the only visible indicator is an increase in login attempts or sign-ups that each look normal on their own. Even once they become aware, blunt controls such as blocking IP ranges or tightening global rate limits risk disrupting legitimate customers, which is why the targeted controls described below matter.
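      The two attack shapes described above (one source hammering many accounts, and a botnet spreading attempts across many IP addresses) leave different traces in a login log. The following Python is an added example, not code from the original article or from Plaid: it parses a constructed sample log (the log format, field names, IP addresses, user names and fingerprint values are all invented for the demo) and applies two detectors. The first flags a single IP that tries many distinct usernames and fails nearly all of them, and lists any account it did get into, since that is a validated credential that should be forced through step-up verification. The second groups attempts by device fingerprint to catch a bot that rotates exit IPs but not its client identity. A fully rotated attack (new IP and new fingerprint per attempt) defeats both and has to be caught by comparing failure rates against a historical baseline instead.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real traffic). One event per line:
#   <timestamp> ip=<source address> user=<login name> result=<ok|fail> fp=<device fingerprint>
SAMPLE_LOG = """
2023-03-01T10:00:00Z ip=203.0.113.5 user=u01 result=fail fp=a1
2023-03-01T10:00:01Z ip=203.0.113.5 user=u02 result=fail fp=a1
2023-03-01T10:00:02Z ip=203.0.113.5 user=u03 result=fail fp=a1
2023-03-01T10:00:03Z ip=203.0.113.5 user=u04 result=fail fp=a1
2023-03-01T10:00:04Z ip=203.0.113.5 user=u05 result=fail fp=a1
2023-03-01T10:00:05Z ip=203.0.113.5 user=u06 result=fail fp=a1
2023-03-01T10:00:06Z ip=203.0.113.5 user=u07 result=fail fp=a1
2023-03-01T10:00:07Z ip=203.0.113.5 user=u08 result=fail fp=a1
2023-03-01T10:00:08Z ip=203.0.113.5 user=u09 result=fail fp=a1
2023-03-01T10:00:09Z ip=203.0.113.5 user=u10 result=fail fp=a1
2023-03-01T10:00:10Z ip=203.0.113.5 user=u11 result=fail fp=a1
2023-03-01T10:00:11Z ip=203.0.113.5 user=bob result=ok fp=a1
2023-03-01T10:05:00Z ip=198.51.100.1 user=v01 result=fail fp=bot7
2023-03-01T10:05:01Z ip=198.51.100.1 user=v02 result=fail fp=bot7
2023-03-01T10:05:02Z ip=198.51.100.2 user=v03 result=fail fp=bot7
2023-03-01T10:05:03Z ip=198.51.100.2 user=v04 result=fail fp=bot7
2023-03-01T10:05:04Z ip=198.51.100.3 user=v05 result=fail fp=bot7
2023-03-01T10:05:05Z ip=198.51.100.3 user=v06 result=fail fp=bot7
2023-03-01T10:05:06Z ip=198.51.100.4 user=v07 result=fail fp=bot7
2023-03-01T10:05:07Z ip=198.51.100.4 user=v08 result=fail fp=bot7
2023-03-01T10:05:08Z ip=198.51.100.5 user=v09 result=fail fp=bot7
2023-03-01T10:05:09Z ip=198.51.100.5 user=v10 result=fail fp=bot7
2023-03-01T10:05:10Z ip=198.51.100.6 user=v11 result=fail fp=bot7
2023-03-01T10:05:11Z ip=198.51.100.6 user=v12 result=fail fp=bot7
2023-03-01T10:07:00Z ip=192.0.2.10 user=carol result=fail fp=c1
2023-03-01T10:07:09Z ip=192.0.2.10 user=carol result=ok fp=c1
2023-03-01T10:08:00Z ip=192.0.2.44 user=dave result=ok fp=d1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail) fp=(?P<fp>\S+)$"
)


def parse_log(text):
    """Turn the raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is not None:
            events.append(m.groupdict())
    return events


def single_source_stuffing(events, min_users=10, min_fail_ratio=0.8):
    """Flag IPs that try many distinct usernames and fail almost all of them.

    Returns {ip: {"users": n, "fail_ratio": r, "validated": [accounts it logged into]}}.
    A success inside such a cluster is a validated credential: force step-up auth
    and a password reset for that account rather than treating it as a normal login.
    """
    per_ip = defaultdict(lambda: {"users": set(), "total": 0, "fails": 0, "ok": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["ok"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "validated": sorted(s["ok"])}
    return flagged


def distributed_stuffing(events, min_ips=5, min_users=8):
    """Flag a device fingerprint reused across many IPs and many usernames.

    Per-IP limits never trip (two attempts per address), but a bot that rotates
    exits without rotating its client identity is visible when grouped by fp.
    """
    per_fp = defaultdict(lambda: {"ips": set(), "users": set()})
    for e in events:
        per_fp[e["fp"]]["ips"].add(e["ip"])
        per_fp[e["fp"]]["users"].add(e["user"])
    return {fp: {"ips": len(s["ips"]), "users": len(s["users"])}
            for fp, s in per_fp.items()
            if len(s["ips"]) >= min_ips and len(s["users"]) >= min_users}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("single-source:", single_source_stuffing(evts))
    print("distributed:  ", distributed_stuffing(evts))
```

      Run against the sample, the first detector flags only 203.0.113.5 (12 usernames, 11 failures, one validated account, bob) and the second flags only fingerprint bot7 (6 IPs, 12 usernames); carol's one typo and dave's clean login are left alone. The thresholds are illustrative and should be tuned against real baseline traffic before anything is blocked automatically.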

      How to prevent account takeover fraud 

      Both businesses and consumers can take action to prevent credential-stuffing attacks from succeeding. Nonetheless, the onus remains on businesses to do all they can to protect their customers. Fintechs, especially, must prove that users can trust them with their funds by safeguarding them against identity theft and account takeover. 

      Companies can achieve this, in part, by protecting their own systems against data breaches. They can’t, however, control when attackers take credentials stolen from some other company’s breach and try them against their login page. 

      Instead, here are some critical actions businesses can take to stop credential-stuffing bots from logging in successfully. 

      Account takeover prevention for businesses

      Two-factor authentication (2FA)

      Requiring a second factor, such as a one-time passcode (OTP) sent to the user’s phone or email before the login completes, sharply reduces account takeover. It is not airtight: an attacker holding the same reused password may be able to log in to the victim’s email and read the OTP, SMS codes can be intercepted through SIM swapping, and any code a user types can be phished in real time. Authenticator apps and hardware security keys (FIDO2/WebAuthn) resist these bypasses far better. Even email or SMS OTP, however, greatly reduces the chance that a stolen password alone is enough. 

      Selfie re-verification

      Using live video verification to ensure the user’s face matches the ID on file is a typical practice when signing up for a new financial account. This can also be used when a credential-stuffing attack is suspected. 

      Essentially, when an account takeover attack is suspected, an app can prompt the user to do a selfie check re-verification, which a bot or a fraudster holding only a password cannot pass. Customers most likely won’t mind providing a quick selfie if it ensures their account is safe, especially if the messaging around the reason why is clear. 

      Plaid IDV uses cutting-edge facial comparison and 3D facial recognition analysis to quickly and easily check that a user’s selfie matches their ID documents. 

      Device/IP fingerprinting

      IP addresses can be checked for other factors that may indicate a bot. These include whether the address belongs to a VPN provider or is a known Tor exit node. While many legitimate people use a VPN, so it indicates only a slightly elevated risk, traffic arriving from a Tor exit node signals a high risk for a financial login. 

      Other IP address checks include association with a data center or hosting provider, a mismatch between the IP address’s geolocation and the home address the user provided, and a mismatch between the device’s reported time zone and the IP’s location. None of these is conclusive alone, but together they help stop bots and fraudsters from signing up or logging in with stolen credentials. 

      Behavioral analytics

      Bots behave differently than humans. Activities that can reveal bot behavior include the speed with which one’s personal information is entered, the error rate of the entry, the use of copy and paste, and the order in which the data is entered. 

      During the new verification process, Plaid Identity Verification uses behavioral analytics like these to determine whether a user is a bot or a human. 

      Account takeover protection for consumers

      Ensure MFA is turned on

      Multi-factor authentication (MFA) can still be defeated in a credential-stuffing attack if the attacker also logs in to the victim’s email with the same reused password, but it makes takeover much harder. An authenticator app or push prompt on the user’s phone is harder for a remote attacker to reach than an email inbox guarded by a reused password, so encouraging customers to use phone-based MFA rather than email codes is the safer bet. 

      Eliminate password reuse

      As mentioned above, password reuse is what allows credential stuffing to work. Never using the same password twice, especially for financial accounts, is one of the best ways to protect against these attacks. 

      Look up data breach exposure

      There are numerous data breach lookup websites that make it quick and easy for people to find out if their email address or phone number has been compromised. Websites like haveibeenpwned.com will show a person’s known data breach exposures in seconds. 

      Users with an older email address might be surprised to see that their credentials and personal information have been exposed dozens of times over the years. Some of these sites offer notifications as well, enabling users to instantly change their password shortly after a breach occurs.   

      Keep devices updated

      Operating system and browser updates frequently include security patches that close the holes malware uses to get onto a device. Keeping phones and computers current helps ensure a device stays ahead of the vulnerabilities attackers exploit to steal credentials and other personal information. 

      Never log in to personal accounts from other devices

      Logging in to a personal account on a computer that’s infected with malware is a surefire way for credentials to be stolen. If it’s unknown whether a public computer or a friend’s device is infected, it’s best to not log in at all.

      Account takeover and new account fraud prevention is crucial for fintechs

      Reputation management in financial services is crucial—especially for fintechs. Budding companies must earn customers’ trust, assuring them that their funds and accounts are as safe as possible. 

      Using a mature identity verification solution prevents fraudsters from creating new accounts using stolen identity data (which ultimately costs the company money while destroying the victim’s credit). With Plaid, identity verification can be completed in as little as 30 seconds, without disrupting the onboarding experience. Additionally, Plaid’s account verification services are designed to block fraudsters at the validation and exploitation phases of account takeover fraud.  

      In the current world of extensive data breaches and account takeover attacks, this type of solution is paramount to lasting business success.

      © 2023 Plaid Inc.