Preventing Account Take Over (ATO) - Best Practices

Account Take Over Best Practice

The Payrix risk team protects your merchant account by using fraud detection tools to catch bad actors throughout the life cycle of the account. This guide explains what account takeover is and the best practices that keep your merchant accounts from becoming victims of it.

What is an account takeover?

Account takeover, also known as ATO, is a form of identity theft in which a bad actor gains access to or “takes over” a merchant account. It is one of the fastest-growing cybersecurity threats today.

How do account takeovers occur?

Fraudsters can obtain a target account's credentials through various methods. Common examples include phishing attacks, malware infections, stolen session cookies, and compromised API keys.

What are the red flags of account takeover?

After a merchant successfully boards onto the Payrix platform, the Payrix risk team uses various risk tools for ongoing monitoring of account changes. Common red flags for account takeover include a merchant changing account credentials, adding or modifying bank accounts, changing phone numbers, and adding new email addresses. These changes matter because an attacker typically changes the credentials first to lock the real owner out, then changes the payout and contact details to redirect funds and suppress notices. To validate such changes, the Payrix risk team runs checks to verify that the true account owner requested them.
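As an added example (this is not Payrix's risk tooling, which the page does not describe in detail), the following Python encodes the red flags above as a monitoring rule over a constructed batch of account-change events. It alerts on any sensitive change that was not verified with the owner, on a sensitive change made from an IP address the merchant has never used before, and on a bank account, phone or email change that follows a credential change within 24 hours, the order a takeover usually follows. The event fields, merchant IDs, IP addresses and the 24-hour window are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# Account attributes whose change is a takeover red flag (the ones listed
# above): credentials, then the contact and payout details an attacker
# changes to redirect funds and keep the real owner from noticing.
CREDENTIAL_FIELDS = {"password", "mfa_device"}
PAYOUT_OR_CONTACT_FIELDS = {"bank_account", "phone", "email"}
SENSITIVE_FIELDS = CREDENTIAL_FIELDS | PAYOUT_OR_CONTACT_FIELDS


@dataclass(frozen=True)
class ChangeEvent:
    """One account-change record. Field names are hypothetical."""
    ts: datetime          # when the change was made
    merchant_id: str      # which merchant account changed
    field: str            # which attribute changed
    source_ip: str        # client IP that submitted the change
    owner_verified: bool  # True if confirmed out of band with the true owner


Alert = Tuple[str, str, str]  # (merchant_id, field, reason)


def flag_account_changes(events: Iterable[ChangeEvent],
                         known_ips: Dict[str, Set[str]],
                         window: timedelta = timedelta(hours=24)) -> List[Alert]:
    """Return alerts for the takeover patterns found in a batch of change events.

    known_ips maps merchant_id -> IPs the merchant has used before this batch.
    """
    alerts: List[Alert] = []
    per_merchant: Dict[str, List[ChangeEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        per_merchant.setdefault(ev.merchant_id, []).append(ev)

    for mid, evs in per_merchant.items():
        seen_ips = set(known_ips.get(mid, set()))
        last_credential_change = None
        for ev in evs:
            if ev.field not in SENSITIVE_FIELDS:
                continue  # display name, logo, etc.: not a red flag
            # Rule 1: sensitive change from an IP this merchant has never used.
            if ev.source_ip not in seen_ips:
                alerts.append((mid, ev.field, f"change from previously unseen IP {ev.source_ip}"))
                seen_ips.add(ev.source_ip)  # alert once per new IP, not once per change
            # Rule 2: sensitive change that was not confirmed with the owner.
            if not ev.owner_verified:
                alerts.append((mid, ev.field, "change not verified with account owner"))
            # Rule 3: payout/contact change soon after a credential change
            # (lock the owner out, then redirect the money).
            if (ev.field in PAYOUT_OR_CONTACT_FIELDS and last_credential_change is not None
                    and ev.ts - last_credential_change.ts <= window):
                alerts.append((mid, ev.field,
                               f"changed within {window} of a {last_credential_change.field} change"))
            if ev.field in CREDENTIAL_FIELDS:
                last_credential_change = ev
    return alerts


# Constructed sample data for the example (not real merchants or addresses).
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_KNOWN_IPS = {"m-100": {"203.0.113.10"}, "m-200": {"198.51.100.7"}}
SAMPLE_EVENTS = [
    # m-100: owner-verified phone change from a known IP -> no alert
    ChangeEvent(T0, "m-100", "phone", "203.0.113.10", True),
    # m-200: takeover sequence from an unfamiliar IP, none of it verified
    ChangeEvent(T0 + timedelta(hours=1), "m-200", "password", "192.0.2.44", False),
    ChangeEvent(T0 + timedelta(hours=1, minutes=5), "m-200", "email", "192.0.2.44", False),
    ChangeEvent(T0 + timedelta(hours=2), "m-200", "bank_account", "192.0.2.44", False),
    # m-200: cosmetic change, ignored by the rules
    ChangeEvent(T0 + timedelta(hours=3), "m-200", "display_name", "192.0.2.44", False),
]

if __name__ == "__main__":
    for merchant, field, reason in flag_account_changes(SAMPLE_EVENTS, SAMPLE_KNOWN_IPS):
        print(f"{merchant}: {field}: {reason}")
```

Run on the sample batch, the legitimate verified change for m-100 produces nothing, while m-200 produces six alerts: the unseen IP and the unverified password change, then the unverified email and bank account changes, each also flagged for landing inside the window after the credential change. In a real deployment the known-IP baseline would come from login history and the owner-verification flag from the out-of-band check the risk team performs.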

Educate your employees on common account takeover scenarios

  • Do not click on a hyperlink unless you know the source is legitimate

  • Do not share your password or write it down anywhere

  • Use a strong, unique password for each account

  • Do not use public or unprotected Wi-Fi to access sensitive account information

  • Be on the lookout for fake Payrix websites

  • Do not respond to unsolicited text messages if you do not know who the sender is

Best practices to store and protect passwords in your software

Payrix stores passwords only as salted one-way hashes ("hashing and salting") and never stores the plaintext password within its systems. Payrix recommends following the password storage guidance from OWASP, NIST, and PCI DSS, together with SOC 2 controls. These requirements are audited at Payrix and certified annually by independent assessors (a PCI DSS Qualified Security Assessor and a SOC 2 auditor).

  • A hash function transforms a plaintext password into a fixed-length digest from which the original password cannot be recovered. The system stores only the digest and verifies a login by hashing the submitted password and comparing it with the stored value, so the plaintext never has to be kept. A hash cannot be reversed, but an attacker who steals the table can still guess candidate passwords offline and hash each one, so use a deliberately slow password hashing function (OWASP recommends Argon2id, with scrypt, bcrypt or PBKDF2 as alternatives) rather than a fast general-purpose hash such as MD5 or SHA-256.

  • Salting adds a further step: when a password is set, a random value (the salt) unique to that user is generated and combined with the password, and the combination is hashed; the salt is stored alongside the hash. Because every user has a different salt, two users with the same password get different hashes, and precomputed lookup tables (rainbow tables) become useless.
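As an added example (not Payrix's own implementation, which this page does not show), the following Python contrasts an unsalted fast hash with a salted, iterated password hash and verifies a login with a constant-time comparison. It uses PBKDF2-HMAC-SHA256 from the standard library because that needs no third-party package; OWASP's first choice is Argon2id, which is used the same way. The record layout `pbkdf2_sha256$iterations$salt$digest`, the 16-byte salt and the 600,000-iteration default are assumptions for this example (the iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # 128-bit random salt, unique per password


def weak_hash(password: str) -> str:
    """The 'before' picture: unsalted, fast SHA-256.

    Every user with the same password gets the same digest, and a leaked
    table can be attacked with precomputed (rainbow) tables at full speed.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    The salt is random and stored next to the digest; it is not a secret,
    it only has to be unique. Storing the parameters in the record lets the
    cost be raised later without breaking existing users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare.

    hmac.compare_digest runs in time independent of where the bytes differ,
    so an attacker cannot learn the digest byte by byte from timing.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False  # unknown or malformed record: never accept
    _, iters, salt_b64, digest_b64 = parts
    try:
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False
    if iterations < 1 or not salt or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with an older algorithm or a lower cost.

    Call this after a successful login and re-hash with the current
    parameters, since the plaintext is only available at that moment.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Same password, same weak digest; same password, two different records.
    print(weak_hash("hunter2") == weak_hash("hunter2"))        # True
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print(a != b, verify_password("hunter2", a), verify_password("hunter3", a))
```

The test of a correct design is the last three prints: two records for the same password differ, the right password verifies, and a one-character change does not. If an application inherits a table of unsalted digests, the migration path is to wrap each old digest in the new scheme on the next successful login, which is what the needs_rehash check is for.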

Top 10 Cybersecurity Tips to Consider

  1. Manage Access

  • Control and monitor access for all regular, privileged, and third-party users connecting to your IT systems

  2. Use a Password Manager Tool

  • KeePass

  • LastPass

  • 1Password

  • Roboform

  3. Increase Employee Awareness

  • Train your team to think before they click, and run phishing simulation campaigns frequently

  4. Keep Systems Up to Date

  5. Establish a Robust Cybersecurity Policy

  6. Use Firewalls, Antivirus Protection, and Wi-Fi Network Security

  • Use antivirus software such as McAfee, TOTAL AV, or Norton, and firewalls such as next-generation firewalls (NGFW) and NAT firewalls

  7. Avoid Online Use of Debit Cards

  • Configure withdrawal limits, notifications, and multi-factor authentication on your personal and business accounts

  8. Avoid Unfamiliar Websites and Unnecessary Downloads

  9. Back Up & Protect Data

  10. Control Access to Your Systems


How Payrix can support you in protecting confidential information:

Cybersecurity control | Supported by Payrix
--- | ---
IP whitelisting: grant network access only to specific IP addresses | Yes
Single sign-on (SSO): let a user sign in with one set of login credentials, automating access management | Yes
Control and configure access to sensitive data: apply the principle of least privilege or the Zero Trust model, so that access is granted only to authenticated and verified users | Yes
Monitor and record all user activity in your infrastructure: create an audit trail and collect cybersecurity evidence | Yes
Create notifications: stay alert to important account changes | Yes
Conduct regular cybersecurity audits and penetration tests: work with a security expert or a Qualified Security Assessor to ensure complete PCI compliance, and run regular simulated attacks to evaluate system security | Payrix is PCI DSS and SOC 2 certified
Set up multi-factor authentication (MFA): require users to provide two or more verification factors to gain access to a resource such as an application, online account or VPN | Yes
Consider cybersecurity insurance: coverage against data breaches and other cybercrimes that may compromise sensitive information | Payrix carries cybersecurity insurance

Questions?

Please contact your relationship manager with any additional questions.