There are a range of methods that cybercriminals can use to mount an account takeover attack . They include :
Anthony Daniel , Regional Director – Australia ,
New Zealand and Pacific Islands , WatchGuard
• There must be a flaw in the setup process that allows an account to be created without needing to be verified .
It ’ s important to recognize that an attacker does not have to have access to a victim ’ s email account or mobile phone to successfully carry out this type of attack . There simply has to be no previous account on the service in the victim ’ s name .
• Unexpired session ID attack : In these types of attacks , the cybercriminal generates a new account using a victim ’ s email address as an identifier . When the victim tries to create an account , they are notified that it has already been created and are prompted to change their password . However , this does not prevent the attacker from continuing to gain access as the service allows multiple simultaneous sessions .
• Trojan identifier attack : This method involves an attacker generating an identifier on the new account , and then creating a secondary login with real customer data , such as an email address or phone number . Even if the victim tries to log in by recovering their password , the attacker will remain active in the account as a trojan .
• Non-verifying IdP attack : These types of attacks involve cybercriminals creating their own identity provider ( IdP ) and opening an account using its federated path . They then add a user by using that user ’ s email address . When the victim then tries to create an account , the system reminds them that it already exists . When recovering their