One of the biggest threats that governments, businesses, and ordinary citizens face is account takeover. Exposure to online account theft is growing rapidly as more people go online to work, conduct business, attend classes, and do various other things. One study by an anti-fraud company showed that the volume of account takeover attacks rose drastically during the pandemic.
The study highlights a 282% increase in account takeovers between 2019-2020. The rise in account takeover scams is specifically worrisome for e-commerce websites, primarily as 61% of these scams target e-commerce marketplaces. What makes situations worse is the fact that 28% of consumers refuse to continue conducting business with an organization after a data breach incident.
Why account takeover is a major concern
The ongoing Ukraine-Russia conflict has highlighted the prevalence of DDoS and ransomware, especially with the recent reports suggesting that Russia has upped its cyber warfare activities. However, account takeover risks should not be downplayed as they continue to be serious threats with the pandemic and Eurasian armed conflict still going on.
Recently, there have been several reports of serious account takeover threats. A bug in the Zenly social media app was reported back in February. This bug allows threat actors to access a user's location, conversations, notifications, friends list, and ultimately take over the compromised account. Also, the Horde webmail service was reported last month to have a cross-site scripting vulnerability that enables account takeover.
Everyone is advised to beef up their account takeover prevention system. Online fraud due to account takeover is becoming more complex and aggressive with automation involved. Threat actors now find it easy to steal usernames, passwords, and other related information because of bot-driven attacks. Brute force cracking tactics and credential stuffing techniques are no longer exclusive to advanced hackers. Even newbies can easily find the tools and information to do these online.
Additionally, the cavalier attitude of most people when it comes to cybersecurity makes it easier for hackers to take over accounts. Research shows that 65% of internet users keep using similar passwords for multiple accounts, which makes it easier for criminals to crack them.
Everyone can be a subject of account takeovers. Perpetrators do not only target big organizations, businesses, or government entities. Account takeover has been commoditized in the cybercrime ecosystem. Cybercriminals who manage to steal user data from an organization after a random attack, for instance, sell the data they collected to other cybercriminals that specialize in specific attacks that take advantage of stolen login credentials or online identities.
Proper account takeover prevention
Stopping cybercriminals from taking over accounts is always easier said than done. Theoretically, organizations only have to focus on eliminating the factors that make attacks possible. As mentioned, these come down to having the right tools and adopting the right cybersecurity habits. Neither of which, in practice, is remotely straightforward or specific.
What constitutes good account takeover defense? Are there specific tools to use, or are the standard set of security controls most organizations have already adequate? Here’s a list of points to summarize the answers to these questions.
- Not only effective, but also efficient – If the goal is simply to block account takeover attempts, organizations can employ multiple tools from different vendors. However, this is not only inefficient, but it can also result in incompatibilities that lead to technical problems. Adequate security should not result in performance degradation for the websites or web apps being protected.
- Multi-layered solution with the fewest possible false positives – In relation to the need for efficiency, the right tool to use should not only focus on specific techniques but cover a spectrum of attack surfaces and strategies. It should be able to protect all possible access points, including mobile apps, APIs, and websites. This requires a solution built with contextual awareness that can examine issues holistically, together with an intent-based detection scheme for identifying malicious logins.
- Advanced and up-to-date – As mentioned, account takeovers have become easy for criminals because of automation and other sophisticated tech. It only makes sense to address this by also using advanced technology. Find solutions that employ advanced bot protection without significantly impacting the flow of crucial operating traffic. Also, ascertain that the solution provider has a track record of keeping up with the evolution of threats.
- Addressing critical threats – The right account takeover prevention tool should be able to address a host of threats including account aggregation, ad fraud, CAPTCHA defeat, card cracking, expediting, fingerprinting, footprinting, credential stuffing, denial of inventory, scraping, scalping, token cracking, and vulnerability scanning, among others. The most reliable systems take into account the top OWASP threats.
- Beyond the basics – Basic mechanisms to prevent account or identity theft such as the setting of login attempt limits, configuring login alerts, and the regular scanning of compromised credentials are good and should always be in place. They are not enough, though. Given how aggressive cyber threats are, it pays to invest in more sophisticated defenses.
- 2FA/MFA inadequacy – Even the use of multifactor authentication does not guarantee adequate protection, as hackers have their ways around it. The use of SMS and One Time Passwords (OTP) for authentication, for example, can be defeated by endpoint compromises and social engineering schemes. Organizations with high risks of being targeted with account takeover attacks need more complex solutions.
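As an added illustration (not code from the original article or any vendor), the following analysis over constructed login log lines shows why the basic login-attempt limit listed above catches brute force against one account but misses credential stuffing, where one source spreads a few attempts across many accounts, and why a login alert for accounts that succeed from such a source is the useful follow-up. The log format, thresholds and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from any real system): one source hammering
# a single account, another trying one password each against many accounts.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:00:02Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:00:03Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:00:04Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:00:05Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:00:06Z login user=alice src=203.0.113.5 result=FAIL
2024-05-01T10:00:10Z login user=bob src=198.51.100.7 result=FAIL
2024-05-01T10:00:11Z login user=carol src=198.51.100.7 result=FAIL
2024-05-01T10:00:12Z login user=dave src=198.51.100.7 result=SUCCESS
2024-05-01T10:00:13Z login user=erin src=198.51.100.7 result=FAIL
2024-05-01T10:00:14Z login user=frank src=198.51.100.7 result=FAIL
2024-05-01T10:00:20Z login user=grace src=192.0.2.9 result=SUCCESS
"""

# Assumed line layout: timestamp, literal "login", then key=value fields.
LINE_RE = re.compile(r"^\S+ login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyse(log, fail_limit=5, spray_limit=4):
    """Return accounts to lock, sources to block, and accounts to alert on."""
    fails_per_user = defaultdict(int)      # per-account limit: catches brute force
    users_per_src = defaultdict(set)       # per-source view: catches stuffing
    successes_per_src = defaultdict(set)   # successes from a stuffing source
    for ev in parse(log):
        users_per_src[ev["src"]].add(ev["user"])
        if ev["result"] == "FAIL":
            fails_per_user[ev["user"]] += 1
        else:
            successes_per_src[ev["src"]].add(ev["user"])
    lock = sorted(u for u, n in fails_per_user.items() if n >= fail_limit)
    block = sorted(s for s, us in users_per_src.items() if len(us) >= spray_limit)
    # No account in the stuffing run hit fail_limit, so only the per-source
    # rule sees it; a success from that source is the login to alert on.
    alert = sorted(u for s in block for u in successes_per_src[s])
    return {"lock_accounts": lock, "block_sources": block, "alert_accounts": alert}
```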
Is it a must to use tools specifically intended for account takeover threats? Not exactly. There are next-generation antivirus and multifunction cybersecurity platforms that come with functions that help address the risks of account takeovers. However, they may not be as effective as specialized solutions when faced with persistent threat actors. For large organizations that deal with a multitude of online accounts, websites, and web apps, it is advisable to use advanced solutions, something capable of high-level bot protection in particular.
Fortifying the human defense side
Having the right cybersecurity habits and practices is one of the biggest challenges in account takeover protection. The people who have access and safekeeping responsibilities over login credentials are not as formidable as advanced software tools with bot protection features. People cannot be programmed to have specific responses to certain actions or situations.
Cybersecurity expert Lance Spitzner of SANS Institute has a compelling analysis of why people are the weakest factor in cybersecurity: lack of cybersecurity investment on people or the “HumanOS.” “Technology is important, we must continue to protect it. However, at some point you hit diminishing returns. We have to begin investing in securing HumanOS also, or bad guys will continue to bypass all of our controls and simply target the human end-point,” Spitzner explains.
Everyone in an organization should be trained to detect and address account takeover attempts. The best cyber protection systems are immediately invalidated the moment people unwittingly give away their login details and disengage protective mechanisms.
Striking the perfect synergy
The best account takeover defense involves two crucial factors: technology and people. Strengthening only one of them is not enough. This sounds cliché, but it is a reality that is unlikely to change in the foreseeable future. The best cyber defense solutions end up becoming futile in the hands of clueless users, and people cannot rely on cybersecurity savviness alone to properly prevent account takeover attacks. Both should be at their optimum to achieve the desired outcomes.