A Closer Look at Account Takeover Attacks and How to Prevent Them

Last updated: July 16, 2023 Reading time: 6 minutes

One of the most significant threats governments, businesses, and ordinary citizens face is account takeover (ATO). Exposure to it grows as more people go online to work, conduct business, attend classes, and do much else. One study by an anti-fraud company found that the volume of account takeover attacks rose sharply during the pandemic.

The study reports a 282% increase in account takeovers between 2019 and 2020. The rise is especially worrisome for e-commerce, as 61% of the attacks targeted e-commerce marketplaces. Making matters worse, 28% of consumers say they will stop doing business with an organization after it suffers a data breach.

Why account takeover is a primary concern

The Ukraine-Russia conflict has put DDoS and ransomware in the spotlight, especially with recent reports that Russia has stepped up its cyber warfare activity. Account takeover should not be downplayed because of that, though: it remains a serious threat while both the pandemic and the war continue.

Recent reports illustrate the point. A bug in the Zenly social app was reported back in February that let attackers access a user’s location, conversations, notifications, and friends list, and ultimately take over the compromised account. Last month, the Horde webmail service was reported to have a cross-site scripting vulnerability that enables account takeover.

Everyone is advised to strengthen their account takeover defenses. With automation involved, account-takeover fraud is becoming more complex and aggressive. Bot-driven attacks make it easy for threat actors to steal and abuse usernames, passwords, and related information. Brute-force cracking and credential stuffing are no longer the preserve of advanced attackers; newcomers can readily find the tools, tutorials, and leaked credential lists needed to run them.

Additionally, the cavalier attitude most people have toward security makes attackers’ work easier. Research states that 65% of internet users reuse the same or similar passwords across multiple accounts. That reuse is what makes credential stuffing work: a password leaked from one breach unlocks every other account where it was reused, with no cracking required.

Anyone can be the subject of an account takeover. Perpetrators do not only target large organizations, businesses, or government entities. Account takeover has been commoditized in the cybercrime ecosystem: criminals who steal user data from an organization in an opportunistic attack sell it to other criminals who specialize in attacks that exploit stolen login credentials or online identities.

Proper account takeover prevention

Stopping criminals from taking over accounts is easier said than done. In theory, organizations only need to eliminate the factors that make attacks possible, which, as mentioned, comes down to having the right tools and adopting sound security habits. Neither is as straightforward or specific in practice as it sounds.

What constitutes good account takeover defense? Are there specific tools to use, or are the standard security controls most organizations already have adequate? Here’s a list of points to summarize the answers to these questions.

  • Not only practical but also efficient – If the goal is simply to block account takeover attempts, organizations can stack tools from different vendors. That is not only inefficient but also invites incompatibilities that cause technical problems. Adequate security should not degrade the performance of protected websites or web apps.
  • Multi-layered solution with the least possible false positives – Related to efficiency, the right tool should not focus on a single technique but cover the full spectrum of attack surfaces and strategies. It should protect every access point, including mobile apps, APIs, and websites. This requires a solution with contextual awareness that examines logins holistically and an intent-based detection scheme for identifying malicious ones, rather than blocking on a single signal.
  • Advanced and up-to-date – As mentioned, account takeover has become easy for criminals because of automation and other sophisticated tooling. It makes sense to answer with equally advanced technology: look for solutions that employ advanced bot protection without significantly impacting legitimate traffic, and confirm that the vendor has a track record of keeping up with the evolution of threats.
  • Addressing critical threats – The right tool should address a host of automated threats, including account aggregation, ad fraud, CAPTCHA defeat, card cracking, expediting, fingerprinting, footprinting, credential stuffing, denial of inventory, scraping, scalping, token cracking, and vulnerability scanning, among others. These categories come from the OWASP Automated Threats to Web Applications catalogue, and the most reliable systems map their coverage to it.
  • Beyond the basics – Basic mechanisms such as login attempt limits, login alerts, and regular checks of credentials against known breach data are sound and should always be in place. They are not enough on their own, though: a per-account lockout, for example, does nothing against credential stuffing, which tries each account only once. Given how aggressive these attacks are, it pays to invest in more sophisticated defenses.
  • 2FA/MFA inadequacy – Even multi-factor authentication does not guarantee protection, as attackers have ways around it. SMS codes and time-based one-time passwords (TOTP), for example, can be defeated by endpoint compromise, real-time phishing proxies that relay the code, and social engineering. Organizations at high risk of account takeover should look at phishing-resistant factors such as FIDO2/WebAuthn security keys or passkeys, whose responses are bound to the site’s origin and so cannot be replayed from a phishing page.
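The "basics" named above (login attempt limits, alerting, checking credentials against breach data) are easy to describe and easy to get subtly wrong, so here is an added example that is not part of the original article or any vendor's product. It runs three baseline checks over a constructed set of login events: a sliding-window per-account lockout, a per-source-IP credential-stuffing detector (many distinct usernames, low success rate), and a breached-password lookup done k-anonymity style, sending only the first five hex characters of the SHA-1 and comparing suffixes locally. The events, the tiny "breach corpus", the `range_lookup` stand-in for a remote range endpoint, and the thresholds are all assumptions made for the demo. It also shows the gap the text points at: the stuffing source trips the IP check but never the account lockout, because each account sees a single failure.

```python
"""Baseline account-takeover controls over constructed login events.

Added example, not code from the article. Event data, breach corpus and
thresholds are illustrative assumptions.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginEvent:
    ts: int          # Unix seconds
    ip: str
    username: str
    success: bool


# Constructed sample log (not real traffic):
#  - 203.0.113.7 sprays 12 usernames in 12 seconds, one of them succeeds
#  - "alice" takes 6 failures from three IPs in under a minute
#  - two ordinary users, one of whom mistypes once
SAMPLE_EVENTS = (
    [LoginEvent(1000 + i, "203.0.113.7", f"user{i:02d}", success=(i == 5))
     for i in range(1, 13)]
    + [LoginEvent(2000 + 10 * i, f"198.51.100.{1 + i % 3}", "alice", False)
       for i in range(6)]
    + [LoginEvent(3000, "192.0.2.10", "bob", True),
       LoginEvent(3100, "192.0.2.11", "carol", False),
       LoginEvent(3130, "192.0.2.11", "carol", True)]
)


def accounts_to_lock(events, max_failures=5, window_s=600):
    """Usernames with >= max_failures failed logins inside any window_s span.

    Sliding window rather than a fixed bucket, so an attacker cannot reset the
    counter by straddling a boundary. Note that credential stuffing never trips
    this: each account sees one failure.
    """
    failures = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.username].append(e.ts)
    locked = set()
    for user, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= max_failures:
                locked.add(user)
                break
    return locked


def stuffing_sources(events, min_distinct_users=10, max_success_rate=0.2):
    """Source IPs that look like credential stuffing: many distinct usernames
    and a low success ratio. Thresholds are illustrative; in production they
    would be tuned per site and combined with other signals (ASN, device, UA).
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for e in events:
        s = per_ip[e.ip]
        s["users"].add(e.username)
        s["attempts"] += 1
        s["successes"] += int(e.success)
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "success_rate": round(rate, 3)}
    return flagged


# Constructed "breach corpus": SHA-1 of a few well-known weak passwords.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password", "123456", "qwerty", "letmein")}


def range_lookup(prefix5):
    """Stand-in (assumption) for a k-anonymity range endpoint: given the first
    five hex characters of a SHA-1, return the suffixes of every breached hash
    sharing that prefix. The caller never discloses the full hash."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password):
    """True if the password's SHA-1 appears in the corpus, matched locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


if __name__ == "__main__":
    print("lock:", accounts_to_lock(SAMPLE_EVENTS))
    print("stuffing sources:", stuffing_sources(SAMPLE_EVENTS))
    print("'password' breached:", is_breached("password"))
```

Run as a script, it locks only `alice`, flags only `203.0.113.7`, and reports `password` as breached. The stuffing source is invisible to the lockout rule, which is why the text says per-account limits are a floor, not a ceiling.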

Is it necessary to use tools built specifically for account takeover? Not necessarily. Next-generation antivirus and multifunction security platforms include features that help address the risk. However, they may not be as effective as specialized solutions against persistent threat actors. For large organizations with many online accounts, websites, and web apps, advanced solutions, especially ones capable of high-grade bot protection, are advisable.

Fortifying the human defense side

Sound security habits and practices are among the biggest challenges in account takeover protection. The people who hold and safeguard login credentials are not as dependable as software with bot protection features: people cannot be programmed to respond in a fixed way to a given situation.

Cybersecurity expert Lance Spitzner of SANS Institute has a compelling analysis of why people are the weakest factor in cybersecurity: lack of cybersecurity investment in people or the “HumanOS.” “Technology is important; we must continue to protect it. However, at some point, you hit diminishing returns. We must also begin investing in securing HumanOS, or bad guys will continue to bypass all of our controls and simply target the human end-point,” Spitzner explains.

Everyone in an organization should be trained to recognize and report account takeover attempts. Even the best protection systems are immediately defeated when people unwittingly hand over their login details or disable the protective mechanisms.

Striking the perfect synergy

The best account takeover defense involves two crucial factors: technology and people. Strengthening only one of them is not enough. This sounds clichéd, but it is a reality unlikely to change in the foreseeable future. The best defensive tools are futile in the hands of clueless users, and security awareness alone cannot prevent account takeover without tooling behind it. Both need to be at their best to achieve the desired outcome.


About the Author

Waqas is a cybersecurity journalist and writer who has a knack for writing technology and online privacy-focused articles. He strives to help achieve a secure online environment and is skilled in writing topics related to cybersecurity, AI, DevOps, Cloud security, and a lot more. As seen in: Computer.org, Nordic APIs, Infosecinstitute.com, Tripwire.com, and VentureBeat.
