Preventing Account Take Over (ATO) - Best Practices
Account Take Over Best Practice
The Payrix risk team strives to ensure we are protecting your merchant account by utilizing various fraud detection tools to catch bad actors throughout the life cycle of the account. This guide explains what account takeover is and best practices to protect your merchant accounts from becoming victims of account takeover.
What is an account takeover?
Account takeover, also known as ATO, is a form of identity theft in which a bad actor gains access to or “takes over” a merchant account. It is one of the fastest-growing cybersecurity threats today.
How do account takeovers occur?
Fraudsters can gain access to target account’s credentials through various methods. Some common examples include phishing attacks, malware infection, stolen cookies, and compromised API keys.
What are red flags to watch out for account take over?
After merchant successfully boards onto the Payrix platform, the Payrix risk team utilizes various risk tools for ongoing account change monitoring. Common red flags for account takeover include merchant changing account credentials, adding or modifying bank accounts, changing phone numbers, and adding new email addresses. To validate account change information, Payrix risk team run checks to verify that the true account owner requested the changes.
Educate your employee for common scenarios of account take over
Do not click on hyperlink unless you know the source is legit
Do not share or write down your password anywhere
Use strong different password for different accounts
Do not use public or unprotected WIFI to access sensitive account information
Be on the lookout for fake Payrix website
Do not respond to unsolicited text messages if you do not know who the sender is
Best practices to store and protect passwords in your software
Payrix uses one-way encryption with salting called “hashing and salting”1 and does not store passwords within its systems. Payrix recommends following best practices from OWASP, NIST, PCI, and SOC2. These Cybersecurity requirements are audited at Payrix and certified annually by Qualified Security Assessors from PCI DSS and SOC 2 councils.
Hash functions can take plaintext passwords and transform them into a ciphertext that erases all traces of the original plaintext passwords. This allows systems to verify passwords in the backend, without saving the actual password in plaintext within their system. Hashes are safe to store as they cannot be reverse-engineered to gain the original password.
Hashing with salting is an additional step to keep passwords out of the hands of malicious hackers. It works rather simply when a password is collected, salt is added to the password (like a pin code). This password is then hashed.
Top 10 Cybersecurity Tips to Consider
Manage Access
Control and monitor access for all regular, privileged, and third-party users connecting to your IT system
Use a Password Manager Tool
KeePass
LastPass
1Password
Roboform
Increase Employee Awareness
Train your team to think before they click, and run phishing campaigns frequently
Keep Systems Up to Date
Establish a robust cybersecurity policy
Use Firewalls, Antivirus Protection, and Wi-Fi Network Security
Use antivirus software like McAfee, TOTAL AV, Norton, etc., and firewalls, such as NGFW, NAT firewalls, etc.
Avoid Online Use of Debit Cards
Configure the following: withdrawal limits, notifications, and multi factor authentication on your personal and business accounts
Avoid Unfamiliar Websites and Useless Downloads
Back Up & Protect Data
Control Access to Your Systems
How Payrix can support you in protecting confidential information:
Cybersecurity controls | Supported By Payrix |
IP Whitelisting: Grant network access only to specific IP addresses | Yes |
Single Sign-On (SSO): Permit a user to use one set of login credentials, automating access management | Yes |
Control and Configure Access to Sensitive Data: Use the principle of Least-Privilege or the Zero | Yes |
Trust model, only granted to authenticated and verified users | |
Monitor and record all user’s activity in your infrastructure: Create an audit trail and collect cybersecurity evidence | Yes |
Create Notifications: Stay alert on important account changes | Yes |
Conduct Regular Cybersecurity audits and penetration tests: Work with a security export or a qualified security assessor to ensure complete PCU compliance and run regular simulated attacks to evaluate system security | Payrix is PCI-DSS and SCO2 certified |
Set Up Multi Factor Authentication: Require users to provide two or more verification factors to gain access to a resource such as an application, online account or a VPN | Yes |
Consider cybersecurity insurance: Coverage against data breaches and other cybercrimes that may compromise sensitive information | Payrix is cybersecurity insured |
Questions?
Please contact your relationship manager with any additional questions.