In today’s online economy, account takeover (ATO) is a new and pressing challenge that both individuals and corporations alike need to fight. Account takeover is when a fraudster uses the credentials of a genuine user to gain access to multiple online accounts of theirs, and misuse them.
According to Action Fraud, account takeover can happen to bank accounts, credit cards, email accounts, and other online accounts such as e-commerce accounts, payment gateways, mobile wallets, and pretty much any website where we make commercial transactions. We depend on these online accounts on a daily basis for everything from banking, to buying merchandise, and paying for services. These accounts have become the lifeblood of our modern economy. It’s natural that if these accounts are compromised, it profoundly affects our quality of life and the bottomlines of our businesses. But how big are the numbers related to Account Takeover? Turns out, they're pretty big.
Account takeover is a clear and present danger
Measures like the EMV chip cards have done a fair bit to prevent fraud. However, a study by the National Retail Federation (NRF) and Forrester shows that the transition to EMV has taken focus away from other forms of security like mobile payments and account takeover.
Research by Javelin Strategy reflects this when it says that overall fraud rose 16% in 2016 to impact 6.15% of total US consumers.
Of this, the total losses due to Account Takeover stood at $2.3B in 2016, a 61% spike from the previous year. Further, victims spent a total of 20.7 million hours resolving account takeover issues with banks and other organizations.
In a related Gallup poll, it was found that 62% of Americans believe that we will move to a cashless society in our lifetime. If this is true, the threat of account takeover will continue to grow, and needs to be dealt with head on.
Data breaches are driving account takeover
The website HaveIBeenPwned.com has an extensive list of companies that have had their user data stolen. It’s a pretty long list, with many of the world’s largest data companies on it.
The attack on Yahoo is one of the biggest data breaches we’ve seen yet. Yahoo says that no bank or financial information was stolen, but that’s hardly any consolation for users. With more than 500 million account credentials stolen, security experts say this breach could have ripple effects for the next few years. It’s so serious that even the FBI is investigating the case, and the government is considering more strict legislation to ensure companies secure their data and promptly inform users if there is a breach.
Recently, Google Docs was a victim of a phishing attack. The fraudsters sent an email with a malicious link to a Gmail user, the email mimicked the exact experience of Google Docs and tricked users into giving away their username and password. They even leveraged the Google oAuth API to do this.
Once they gained access, the hackers forwarded the same email to all the contacts of the user and harvested a large number of user credentials in this way. They may use this data to make fraudulent transactions on other websites like e-commerce sites, or bank accounts, or they may even sell it on the darknet - a place where illegal transactions occur off the radar.
The anatomy of account takeover
Despite increasing publicity, most internet users are completely unaware of the threat of Account Takeover. This is evident from the following facts about how we use passwords:
- 43% of internet users reuse the same password across multiple websites
- 35% of LinkedIn users have weak passwords, and the other 65% can be cracked easily
- 40% of organizations still store admin passwords in word documents
- 26% of IT pros admit sharing passwords in insecure ways
The following chart shows how long it takes to crack a LinkedIn password using a brute force attack via standard cracking software:
It’s scary to know that many passwords can be cracked easily, even if they’re highly complex. Apart from preying on insecure passwords, Account takeover hackers use many tactics such as malware, phishing attacks, and leveraging vulnerabilities in applications.
Typically, when a massive data breach like the ones at Yahoo and LinkedIn occur, it is followed by a wave of Account takeover attacks that happen periodically for a long time. This happens as fraudsters sell the valid credentials on the darknet for pennies per record, but which adds up to a large sum because of the sheer volume of data that a typical breach contains.
Hackers make the most of every stolen record by finding as many possible websites it can be used on. For example, if they find a Yahoo email ID and password, they’d use the same combination, or a similar combination on other popular websites like Amazon, or Dropbox. From here, they may find even more data like credit card information, and banking details. The chain is never ending, as one link leads to another.
But for hackers, gleaning this precious data is like finding a needle in the haystack. It takes thousands of attempts to find which websites the credentials can be used on. They can’t do this manually. However, cyber criminals have become extremely tech savvy, to the point, they use technology that rivals some of the most technologically advanced firms. For example, they use bots, a kind of scripted software, to test the credentials at massive scale.
They are aware that too many failed login attempts will result in a lockdown, and even worse, notify the user that their account is compromised. They avoid using the same IP for repeat logins. Instead, they leverage millions of IP addresses to fire off bot-driven login attempts at numerous websites using the compromised user credentials. At the end of a week, they’d have a list of successful logins for various websites, which they can now sell or manipulate as they wish.
The harsh reality is that in any online business where users have accounts there is a risk of those accounts being taken over, or of course accounts created for the purpose of fraud. Businesses need a way to monitor what is happening, to spot unusual behaviour and flag or prevent the compromised account being used for fraud. This has been very difficult to do but new techniques are emerging to help.
Fraudsters have most certainly gained the upper hand in exploiting account takeover to date. Endless supplies of credentials matched with poor consumer-level security means that this type of fraud is not going away anytime soon. Fortunately machine learning, link analysis and anomaly-detection techniques added to user education are redressing the balance. It remains the duty of the sensible merchant however to make sure that they are investing in these techniques and technologies to keep their customer, their reputation and their bottom line safe.