Account Takeover: When Identity Theft Gets Really Expensive

Apr 19, 2023 9:00:00 AM

Zurich, April 2023: For cybercriminals, account takeover attacks (ATO) are a highly effective method of attacking online companies with extensive customer contacts. These types of attack can be scaled and offer large financial rewards to the criminals. A recent study by research company Aberdeen on behalf of the specialists in secure login solutions at Nevis Security AG shows that the consequences of successful account takeovers have taken on frightening proportions. The financial losses incurred go far beyond simply the business costs and pose an existential risk to the companies affected.

Successful account takeovers are primarily due to the countless online accounts people use these days and the way they manage the necessary credentials. For instance, the average user has up to 130 digital user accounts, each of which requires a password. Given this number, it comes as no surprise that users spend around 12 days of their lives keeping track of their usernames and passwords.

‘The resulting frustration among users causes additional security problems as they seek to make life as easy as possible,’ explains Stephan Schweizer, CEO of Nevis: ‘The most popular passwords are still “abc123”, “password” and the numerical sequence “123456”. What’s more, most passwords contain fewer than the recommended minimum of ten characters, and over half of users use the same password across multiple accounts.’

Cybercriminals profit from this lax approach to passwords because it makes it easier for them to penetrate and take control of digital user accounts. Nevis has identified the five most successful methods of attack that, in the worst-case scenario, can result in an account takeover:

  1. Phishing and social engineering: at over 17 per cent, this is the fourth most common type of attack. In this case, hackers exploit the trust that users have in the alleged sender. The attackers have long since ceased to rely solely on emails and text messages to access the account data but are increasingly also using telephone calls to manipulate users.
  2. Brute-force attacks: with a frequency above 18 per cent, this method is ranked in third place and involves cybercriminals making use of tools to try out login details automatically. This type of attack is promising because the passwords used are often neither as complex nor as varied as security experts recommend.
  3. Keylogger attacks: with this method, criminals use hardware or software to monitor the keystrokes made on a keyboard. This allows them to record combinations of letters and numbers from which the login data can be reconstructed.
  4. Man-in-the-middle attack: this type of attack involves inserting an intermediary between two communication networks to bypass the encryption systems used. This gives the attackers access to data such as usernames and passwords.
  5. Credential stuffing: this is where cybercriminals use login details that have either been made public following a data breach or have been purchased on the dark web. With the help of bots, they then initiate mass login attempts with other online services. Since users often rely on the same login details for multiple accounts, the chances that the attackers will succeed in taking over another account are good. Attacks based on credential stuffing often go unnoticed since the account takeover is performed following a ‘legitimate’ login.

A successful account takeover has far-reaching consequences: these can include fraudulent purchases, the theft of services or the registration of new accounts by criminal users for purposes like loan applications.

‘To reduce the risks of logins – and subsequent account takeovers – the role of passwords as vulnerabilities needs to be minimised. Biometric verification procedures help provide a customer experience that’s not only secure but also quick and easy. Instead of an endless cat-and-mouse game with cybercriminals, it’s important that companies make greater use of passwordless authentication,’ declares Schweizer in summary.


About Nevis

Nevis develops security solutions for the digital world of tomorrow. Its portfolio encompasses passwordless logins, which are intuitive to use and offer optimal protection for user data. Nevis is the market leader for Identity and Access Management in Switzerland and secures over 80 percent of all online banking transactions. Public authorities, leading service providers, and industrial enterprises worldwide rely on Nevis solutions. The authentication specialist has locations in Switzerland, Germany, the UK and Hungary.
