In today’s online economy, account takeover (ATO) is a new and pressing challenge that individuals and corporations alike need to fight. Account takeover is when a fraudster uses the credentials of a genuine user to gain access to that user’s online accounts and misuse them.
According to Action Fraud, account takeover can happen to bank accounts, credit cards, email accounts, and other online accounts such as e-commerce accounts, payment gateways, mobile wallets, and pretty much any website where we make commercial transactions. We depend on these online accounts daily for everything from banking to buying merchandise and paying for services; they have become the lifeblood of our modern economy. It’s natural that if these accounts are compromised, it profoundly affects our quality of life and the bottom lines of our businesses. But how big are the numbers related to account takeover? Turns out, they’re pretty big.
Account takeover is a clear and present danger
Measures like EMV chip cards have done a fair bit to prevent fraud. However, a study by the National Retail Federation (NRF) and Forrester shows that the transition to EMV has drawn focus away from other fraud risks, such as mobile payments and account takeover.
Research by Javelin Strategy reflects this: overall fraud rose 16% in 2016, affecting 6.15% of US consumers.
Of this, total losses due to account takeover stood at $2.3B in 2016, a 61% spike from the previous year. Further, victims spent a total of 20.7 million hours resolving account takeover issues with banks and other organizations.
In a related Gallup poll, it was found that 62% of Americans believe that we will move to a cashless society in our lifetime. If this is true, the threat of account takeover will continue to grow, and needs to be dealt with head on.
Data breaches are driving account takeover
The website HaveIBeenPwned.com has an extensive list of companies that have had their user data stolen. It’s a pretty long list, with many of the world’s largest data companies on it.
The attack on Yahoo is one of the biggest data breaches we’ve seen yet. Yahoo says that no bank or financial information was stolen, but that’s hardly any consolation for users. With more than 500 million account credentials stolen, security experts say this breach could have ripple effects for the next few years. It’s so serious that even the FBI is investigating the case, and the government is considering stricter legislation to ensure companies secure their data and promptly inform users if there is a breach.
Recently, Google Docs was used as the lure in a phishing attack. The fraudsters sent Gmail users an email with a malicious link; the email mimicked the exact Google Docs experience and tricked users into giving away their username and password. They even leveraged the Google OAuth API to do this.
Once they gained access, the hackers forwarded the same email to all of the user’s contacts and harvested a large number of user credentials in this way. They may use this data to make fraudulent transactions on other websites such as e-commerce sites or bank accounts, or they may even sell it on the darknet, a place where illegal transactions occur off the radar.
The anatomy of account takeover
Despite increasing publicity, most internet users are completely unaware of the threat of account takeover. This is evident from the following facts about how we use passwords:
- 43% of internet users reuse the same password across multiple websites
- 35% of LinkedIn users have weak passwords, and the other 65% can be cracked easily
- 40% of organizations still store admin passwords in Word documents
- 26% of IT pros admit sharing passwords in insecure ways
The following chart shows how long it takes to crack a LinkedIn password using a brute force attack via standard cracking software:
It’s scary to know that many passwords can be cracked easily, even if they’re highly complex. Apart from preying on insecure passwords, account takeover hackers use many tactics, such as malware, phishing attacks, and exploiting vulnerabilities in applications.
Typically, when a massive data breach like the ones at Yahoo and LinkedIn occurs, it is followed by a wave of account takeover attacks that recur for a long time. This happens because fraudsters sell the valid credentials on the darknet for pennies per record, which still adds up to a large sum given the sheer volume of data a typical breach contains.
Hackers make the most of every stolen record by finding as many websites as possible on which it can be used. For example, if they find a Yahoo email ID and password, they’d try the same combination, or a similar one, on other popular websites like Amazon or Dropbox. From there, they may find even more data, such as credit card information and banking details. The chain is never-ending, as one link leads to another.
But for hackers, gleaning this precious data is like finding a needle in a haystack. It takes thousands of attempts to find which websites the credentials can be used on, and they can’t do this manually. However, cyber criminals have become extremely tech savvy, to the point that they use technology rivalling that of some of the most technologically advanced firms. For example, they use bots, a kind of scripted software, to test the credentials at massive scale.
They are aware that too many failed login attempts will result in a lockout and, even worse, notify the user that their account is compromised. So they avoid using the same IP address for repeated logins. Instead, they leverage millions of IP addresses to fire off bot-driven login attempts at numerous websites using the compromised credentials. At the end of a week, they have a list of successful logins for various websites, which they can sell or exploit as they wish.
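As an added illustration from the defender's side (not code from the article or from Ravelin), the following Python checks one window of login events for the distributed pattern just described: many failures spread across many usernames, with every source IP staying below a per-IP lockout threshold, and then lists the successful logins in that window that came from an IP the account has never used. All event data, IP addresses, the per-user IP history and the threshold values are constructed.

```python
from collections import Counter

# Constructed sample login events (not real data): (second, username, source IP, outcome).
# Ten attempts against ten different usernames, each from its own IP, plus one
# routine login by alice from an IP she has used before.
SAMPLE_EVENTS = [
    (0, "alice", "203.0.113.1", "fail"),
    (5, "bob", "203.0.113.2", "fail"),
    (9, "carol", "203.0.113.3", "success"),
    (14, "dave", "203.0.113.4", "fail"),
    (20, "erin", "203.0.113.5", "fail"),
    (26, "frank", "203.0.113.6", "fail"),
    (31, "grace", "203.0.113.7", "success"),
    (37, "heidi", "203.0.113.8", "fail"),
    (42, "ivan", "203.0.113.9", "fail"),
    (48, "judy", "203.0.113.10", "fail"),
    (55, "alice", "198.51.100.7", "success"),
]

# Constructed per-user history of IPs seen on earlier successful logins.
KNOWN_IPS = {
    "alice": {"198.51.100.7"},
    "carol": {"192.0.2.10"},
    "grace": {"192.0.2.33"},
}


def analyse_window(events, known_ips, per_ip_max=3, min_failures=6, min_users=5):
    """Flag a window of login events that looks like distributed credential stuffing.

    A per-IP lockout never fires here because every IP stays at or below
    per_ip_max attempts, so the signals are aggregate ones instead: many
    failures, spread over many distinct usernames, all from low-volume IPs.
    Returns (flagged, review); review lists (username, ip) for successful logins
    in a flagged window from an IP that user has not logged in from before.
    """
    per_ip = Counter(ip for _, _, ip, _ in events)
    low_volume_ips = {ip for ip, n in per_ip.items() if n <= per_ip_max}
    failures = [(user, ip) for _, user, ip, outcome in events
                if outcome == "fail" and ip in low_volume_ips]
    users_hit = {user for user, _ in failures}
    flagged = len(failures) >= min_failures and len(users_hit) >= min_users
    review = []
    if flagged:
        for _, user, ip, outcome in events:
            if outcome == "success" and ip not in known_ips.get(user, set()):
                review.append((user, ip))  # candidate takeover: new IP during a burst
    return flagged, review
```

Accounts in the review list are candidates for a step-up check or a customer-service contact, not proof of compromise.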
The harsh reality is that in any online business where users have accounts, there is a risk of those accounts being taken over, or of course of accounts being created for the purpose of fraud. Businesses need a way to monitor what is happening, to spot unusual behaviour, and to flag or prevent the compromised account from being used for fraud. This has been very difficult to do, but new techniques are emerging to help.
Ravelin - spot (and stop) account takeovers
Ravelin uses two core techniques to help businesses tackle and prevent account takeover. First, our machine learning algorithms, part of our Ravelin Enterprise product, are trained to spot anomalous behaviour in account datasets. These algorithms evaluate hundreds of separate factors, or features, and are constantly learning what normal, good behaviour looks like, highlighting behaviour that falls outside it.
Account takeover is typically characterised by a change in behaviour. For instance, a change of phone number or a new device is associated with a sudden increase in the average spend on an account. Once the algorithms have learned that this pattern is associated with fraud, they will move to prevent the account from being used.
Alongside this technique, we also use link analysis to see if there are other accounts associated with the compromised account. For instance, a phone number or a device that the fraudster used will typically appear on a number of separate accounts that have also been compromised. This is very important, as the owners of those other accounts are often unaware that they have been taken over, since those accounts may not yet have made a fraudulent purchase. Customer service can get in touch to advise those account holders to change their passwords or take whatever other preventative measures are required.
This technique also makes it possible to find other compromised accounts that the algorithms missed. While unfortunate, it is still better to contact the account holder, make them aware of the problem and issue a refund than to suffer a chargeback.
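To make the link analysis concrete, here is an added example (not Ravelin's code or the article's) that walks outward from a known-compromised account over shared phone numbers and device ids, recording which identifier connected each account and how many hops away it is. The account records and identifier values are constructed, and the two-hop default is an assumption.

```python
from collections import defaultdict, deque

# Constructed sample account records (not real data): account id -> identifiers
# observed on it. Identifier values are made up.
SAMPLE_ACCOUNTS = {
    "acct-1001": {"phone": {"+447000000001"}, "device": {"dev-aaa"}},  # known compromised
    "acct-1002": {"phone": {"+447000000002"}, "device": {"dev-aaa"}},  # same device as 1001
    "acct-1003": {"phone": {"+447000000002"}, "device": {"dev-ccc"}},  # same phone as 1002
    "acct-1004": {"phone": {"+447000000004"}, "device": {"dev-ddd"}},  # unrelated
    "acct-1005": {"phone": {"+447000000001"}, "device": {"dev-eee"}},  # same phone as 1001
}


def build_index(accounts):
    """Invert account -> identifiers into (kind, value) -> accounts.

    Any identifier that maps to more than one account is an edge in the link graph.
    """
    index = defaultdict(set)
    for acct, attrs in accounts.items():
        for kind, values in attrs.items():
            for value in values:
                index[(kind, value)].add(acct)
    return index


def linked_accounts(accounts, seed, max_hops=2):
    """Breadth-first walk from a known-compromised account over shared identifiers.

    Returns {account: (hops, (kind, value))} for every account reachable within
    max_hops, recording the identifier through which it was first reached.
    A shared household device can connect innocent accounts too, so the result
    is a review list for customer service, not a verdict.
    """
    index = build_index(accounts)
    found = {}
    seen = {seed}
    queue = deque([(seed, 0)])
    while queue:
        acct, hops = queue.popleft()
        if hops == max_hops:
            continue
        for kind, values in accounts[acct].items():
            for value in values:
                for other in index[(kind, value)]:
                    if other not in seen:
                        seen.add(other)
                        found[other] = (hops + 1, (kind, value))
                        queue.append((other, hops + 1))
    return found
```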
Finally, it is also possible to share data beyond a single merchant’s dataset with a product called Ravelin Lookup. Here merchants can share, or search for, an IP address that has been used in account takeover or any other type of verified fraud. This multiplies the opportunities to catch fraudsters as they target different merchants while operating from the same IP address.
Fraudsters have most certainly gained the upper hand in exploiting account takeover to date. Endless supplies of credentials matched with poor consumer-level security mean that this type of fraud is not going away anytime soon. Fortunately, machine learning, link analysis and anomaly-detection techniques, added to user education, are redressing the balance. It remains the duty of the sensible merchant, however, to make sure that they are investing in these techniques and technologies to keep their customers, their reputation and their bottom line safe.