
ATO Glossary

Central reference for authentication and account takeover terminology



A

ABAC - Attribute-Based Access Control

AAL (Authentication Assurance Level) - "Lock strength" measurement of the login itself, from AAL1 (password only) to AAL3 (hardware key)

Account Recovery Abuse - Exploiting password reset workflows to gain unauthorized access

AuthN - Authentication - verifying identity during login

AuthZ - Authorization - checking what actions the user may perform

B

Banking Trojan - Malware designed to steal banking credentials and manipulate transactions

Behavioral Baseline - A record of how a user normally acts (login time, device, speed) so odd events stand out

BOLA - Broken Object Level Authorization (ID swap attacks, e.g. changing /accounts/123 to /accounts/124 in a request to reach another user's record)

C

Credential Stuffing - Bots try millions of stolen username/password pairs across many sites until one works

Customer Service Social Engineering - Manipulating support staff to bypass security controls

F

Federated Authentication - Using an IdP pass instead of a local password

I

IAL (Identity Assurance Level) - Confidence level that a person is who they say they are (IAL 1 = self-declared, IAL 3 = in-person verification)

IAM - Identity & Access Management - controls and logs AuthN/AuthZ

Identity Provider (IdP) - The site (Google, Microsoft, Okta) that checks your password and hands out login passes

K

Knowledge-Based Authentication (KBA) - Security questions using supposedly private information

M

Man-in-the-Browser - Attack that modifies web transactions between user and banking website

Mule Account - An account criminals control to receive and launder stolen assets

O

OAuth Token - A signed digital pass that lets an app act on your behalf without your password

P

Passkey - A device-stored credential that typically requires biometric unlock, combining something you have and something you are

Password Spraying - Testing common passwords against many accounts to stay under lockout thresholds

Permission Creep - Gradual privilege accumulation over time

Privilege Escalation - Gaining higher permissions than originally granted

R

RBAC - Role-Based Access Control - managing permissions through user roles

Remote Access Tool (RAT) - Malware providing live, remote control over a victim's computer

S

Session - Period during which a user stays logged in after successful authentication

Session Hijacking - Stealing browser session cookies to impersonate authenticated users

Session Token - The cookie or header value that keeps a user logged in after successful authentication

SIM Swapping - Fraudulently transferring a victim's phone number to an attacker-controlled SIM card

Social Engineering - Manipulating people to divulge confidential information or perform actions

SSO - Single Sign-On - using one login to access multiple systems

T

Token Replay - Reusing a stolen login pass before it expires

W

Wire Transfer - Electronic funds transfer between banks, typically irreversible


Referenced across all Account Takeover learning modules. For module-specific terms, see individual glossaries.