Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Account takeover fraud in marketplaces: what IAM teams need to act on


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Account takeover fraud has grown 141% from H1 2021 to H1 2025 and rose another 21% in the latest year, while marketplaces saw attack rates jump 90% year over year, according to Prove Identity. Passwords and MFA alone no longer establish account ownership once credentials are stolen. The control problem is continuous identity proofing, not stronger login steps.

NHIMG editorial — based on content published by Prove Identity: Account Takeovers: The Silent Revenue Killer

By the numbers:

Questions worth separating out

Q: What breaks when password-based login is treated as proof of account ownership?

A: Fraudsters can enter with valid credentials and still commit account takeover, refund abuse, and payment theft.

Q: Why do marketplaces face higher account takeover risk than many other digital businesses?

A: Marketplaces hold stored payment methods, transaction histories, balances, and customer trust in one account record.

Q: How can security teams tell whether identity verification is actually reducing ATO fraud?

A: Look for fewer risky refund actions, lower chargeback ratios, reduced account reuse across devices, and fewer takeovers that progress past initial login.

Practitioner guidance

  • Add step-up checks at value-moving events Re-evaluate identity at refund requests, payout changes, address edits, and unusual transaction patterns, not just at sign-in.
  • Correlate device reuse across accounts Link device intelligence, IP reputation, and session history so one fraudster device operating across many accounts becomes visible quickly.
  • Separate authentication from account ownership confidence Define policy thresholds that require stronger proof when a session moves from ordinary browsing to financially material actions.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • The full fraud trend breakdown by year, including the 141% growth figure and recent marketplace attack spike.
  • The refund abuse example showing how one device moved through more than 200 accounts and extracted value.
  • The article’s explanation of continuous identity verification signals across logins, account changes, and high-risk transactions.
  • The revenue and customer-trust impact discussion that connects chargebacks, disputes, and brand attrition.

👉 Read Prove Identity’s analysis of account takeover fraud in digital marketplaces →

Account takeover fraud in marketplaces: what IAM teams need to act on?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Account takeover is a trust failure, not just an authentication failure. Once the attacker holds valid credentials, the account itself becomes the attack surface. That shifts the governance problem from proving who logged in to proving whether the same identity still owns the session at the point of value extraction. Practitioners should treat ATO as a customer identity lifecycle problem, not a login-only problem.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should be accountable when account takeover drives revenue loss and customer harm?

A: Account takeover should be owned jointly by IAM, fraud, and platform risk leaders because the attack crosses authentication, transaction, and customer-impact boundaries. If those teams work separately, the attacker can move through the gaps between them. Accountability should be shared wherever identity decisions affect financial outcomes.

👉 Read our full editorial: Account takeover fraud is outpacing password-based identity controls



   
ReplyQuote
Share: