By NHI Mgmt Group Editorial TeamPublished 2026-07-03Domain: Governance & RiskSource: Prove Identity

TL;DR: Account takeover fraud has grown 141% from H1 2021 to H1 2025 and rose another 21% in the latest year, while marketplaces saw attack rates jump 90% year over year, according to Prove Identity. Passwords and MFA alone no longer establish account ownership once credentials are stolen. The control problem is continuous identity proofing, not stronger login steps.


At a glance

What this is: This is a Prove Identity analysis of account takeover fraud showing that stolen credentials, refund abuse, and chargeback losses are scaling faster than password-based controls can contain.

Why it matters: It matters because identity teams and fraud teams now have to govern trust across the full customer journey, not only at sign-in, if they want to protect revenue and user accounts.

By the numbers:

👉 Read Prove Identity’s analysis of account takeover fraud in digital marketplaces


Context

Account takeover fraud is a governance problem for digital identity because the attacker is not breaking authentication in the abstract, they are abusing a legitimate account after credentials have already been compromised. In marketplace and gig environments, that means the identity boundary extends beyond login and into refund flows, payment actions, and support interactions.

Password and MFA controls still matter, but they are no longer sufficient proof of account ownership once a session starts with stolen or purchased credentials. The practical issue for IAM and fraud teams is continuous trust evaluation across the customer journey, especially where account value, stored payment methods, and transaction history make takeover profitable.


Key questions

Q: What breaks when password-based login is treated as proof of account ownership?

A: Fraudsters can enter with valid credentials and still commit account takeover, refund abuse, and payment theft. The failure is assuming that successful authentication proves the same person remains in control for the rest of the session. In practice, identity assurance has to continue after login, especially when money, payouts, or account changes are involved.

Q: Why do marketplaces face higher account takeover risk than many other digital businesses?

A: Marketplaces hold stored payment methods, transaction histories, balances, and customer trust in one account record. That makes each compromised account more valuable and easier to monetise through refunds, chargebacks, or fraudulent orders. The more legitimate history an account has, the better it can hide malicious activity.

Q: How can security teams tell whether identity verification is actually reducing ATO fraud?

A: Look for fewer risky refund actions, lower chargeback ratios, reduced account reuse across devices, and fewer takeovers that progress past initial login. If fraud still concentrates at payout or support workflows, the identity model is too static. Effective controls should reduce abuse at the points where value leaves the platform.

Q: Who should be accountable when account takeover drives revenue loss and customer harm?

A: Account takeover should be owned jointly by IAM, fraud, and platform risk leaders because the attack crosses authentication, transaction, and customer-impact boundaries. If those teams work separately, the attacker can move through the gaps between them. Accountability should be shared wherever identity decisions affect financial outcomes.


Technical breakdown

Why stolen credentials turn into account takeover

Account takeover begins when a fraudster obtains valid credentials through breach reuse, credential stuffing, phishing, or purchase on criminal markets. Once inside, the actor behaves like a legitimate user because the login itself is authentic. That is why ATO is hard to detect with perimeter authentication alone. The control failure is not simply weak passwords, but the assumption that successful sign-in proves ongoing account ownership. In high-volume consumer environments, the attacker can then move through normal workflows without tripping obvious access alarms.

Practical implication: treat login as one signal, not the decision point, and evaluate trust again at every high-risk account action.

How continuous identity verification changes the control model

Continuous identity verification uses multiple signals during the session, including device context, possession evidence, behavioral patterns, and transaction risk. The aim is to confirm that the same person who entered the account is still the one acting at payout, refund, or profile-change points. This is different from one-time authentication because identity confidence can rise or fall as the session evolves. For marketplace teams, that matters because the fraud often appears after the account has been accepted as valid. The technical shift is from static login assurance to continuous trust scoring.

Practical implication: add step-up and challenge logic at refund, payout, and account-change events instead of only at initial authentication.

Why marketplaces are attractive targets for ATO abuse

Marketplaces and gig platforms concentrate stored value, repeated transactions, and established account reputation in a single identity record. That creates a favorable abuse path because a compromised account can be used for fraud, refund exploitation, and chargeback generation before the victim notices. The article's examples show that one device can operate across many accounts, which is a classic sign of organised abuse rather than isolated misuse. The operational challenge is that the platform must detect risk without adding enough friction to drive legitimate users away.

Practical implication: correlate account, device, and transaction events so fraud teams can spot reuse patterns across many accounts.



NHI Mgmt Group analysis

Account takeover is a trust failure, not just an authentication failure. Once the attacker holds valid credentials, the account itself becomes the attack surface. That shifts the governance problem from proving who logged in to proving whether the same identity still owns the session at the point of value extraction. Practitioners should treat ATO as a customer identity lifecycle problem, not a login-only problem.

Passwords and MFA are brittle when identity proof is only checked once. The article reinforces a broader pattern we see in consumer and marketplace abuse: a successful login can be fully legitimate and still be operationally unsafe. When fraudsters use stolen credentials, the control gap is not missing authentication, it is missing ongoing assurance after authentication. Teams that stop at access acceptance are leaving the most profitable part of the attack untouched.

Continuous identity verification is really continuous risk re-evaluation. Device signals, behavioural context, and transaction history become more useful when they are combined into one decision model. That does not eliminate ATO, but it changes the economics by forcing the attacker to clear more checks at the exact points where value moves. Practitioners should expect fraud and IAM to converge more tightly around runtime trust decisions.

Identity blast radius: the account is now a revenue channel. In marketplaces, a compromised account is not only a privacy or support issue, it is a monetisation path for the attacker. That makes account controls part of financial risk governance, not only access governance. Security leaders should align fraud detection, IAM, and customer experience around the same abuse surface instead of managing them as separate problems.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • For a broader breach lens, see 52 NHI Breaches Analysis for recurring identity abuse patterns across real incidents.

What this signals

Account takeover governance is converging with identity lifecycle management. When the platform cannot continuously revalidate the actor behind the session, fraud teams end up compensating for an IAM design that assumed trust was established once and held forever. That assumption no longer fits consumer marketplaces, where the attacker can monetize within the same session that passed initial checks.

The practical signal for programme owners is to move identity controls closer to the transaction layer and to make risk scoring part of account governance, not a separate fraud overlay. Teams that already use behavioural signals should now focus on where those signals trigger action, because dormant detection without enforcement does not change attacker economics.


For practitioners

  • Add step-up checks at value-moving events Re-evaluate identity at refund requests, payout changes, address edits, and unusual transaction patterns, not just at sign-in.
  • Correlate device reuse across accounts Link device intelligence, IP reputation, and session history so one fraudster device operating across many accounts becomes visible quickly.
  • Separate authentication from account ownership confidence Define policy thresholds that require stronger proof when a session moves from ordinary browsing to financially material actions.
  • Align fraud and IAM decisioning Use a shared risk model so access, transaction review, and account recovery decisions are not made from disconnected signals.

Key takeaways

  • Account takeover is an identity governance problem because the attacker exploits a legitimate account after authentication succeeds.
  • The article’s numbers show rapid growth in ATO, with marketplace attack rates far above the broader market and direct financial abuse inside single accounts.
  • The control shift is from one-time login proof to continuous identity verification at the points where value, refunds, and payouts move.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AA-01ATO weakens identity assurance after initial authentication in consumer accounts.
NIST SP 800-53 Rev 5IA-2Identity verification must extend beyond basic login for fraud-prone customer flows.

Treat post-login trust as dynamic and re-evaluate identity before high-risk account actions.


Key terms

  • Account Takeover: A fraud pattern where an attacker gains control of a legitimate user account and acts as the owner. The account remains technically valid, which makes abuse harder to detect than a typical access denial or malware event. The identity problem is not initial login, but sustained control of the account for fraudulent gain.
  • Continuous Identity Verification: A control approach that re-evaluates identity throughout a session using multiple signals rather than relying on one login event. In fraud-heavy environments, it helps distinguish the legitimate user from an impostor when actions become financially sensitive. The goal is ongoing assurance, not just successful authentication.
  • Refund Abuse: A monetisation tactic where an attacker uses a compromised account to request illegitimate refunds, credits, or reversals. It often follows successful takeover because the account has enough history to look trustworthy. In practice, refund abuse is a business-loss expression of identity compromise.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • The full fraud trend breakdown by year, including the 141% growth figure and recent marketplace attack spike.
  • The refund abuse example showing how one device moved through more than 200 accounts and extracted value.
  • The article’s explanation of continuous identity verification signals across logins, account changes, and high-risk transactions.
  • The revenue and customer-trust impact discussion that connects chargebacks, disputes, and brand attrition.

👉 Prove Identity’s full blog expands on fraud trends, refund abuse, and continuous identity verification signals.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-07-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org