How many of you have used the same password for more than one account? Do you use the same PIN code for your online banking as you do for your Netflix account? While this may be convenient, it puts you at great risk of identity fraud through an account takeover attack.
Did you know that 24 million households in the United States have experienced account takeovers? An attack like this results in a loss of almost $12,000 on average. The last thing we want is for you to be part of this statistic. That is why we have put together this helpful guide on account takeovers.
What is Account Takeover?
Account takeover is a type of fraud or identity theft, whereby a malicious third party is able to successfully gain access to a person’s account credentials. A cybercriminal will pose as a genuine user so that they can use stolen information to get access to other accounts within an organization, steal sensitive data or financial information, send out phishing emails, and change account details.
How an Account Takeover Attack is Performed
An attack typically moves through four stages:
- Credential acquisition – The initial step involves getting hold of the account names and passwords of a target. There are a number of different methods of acquiring them. Moreover, as a consequence of huge data breaches and leaks, there are billions of credentials currently being traded on the dark web.
- Credential testing – No matter how the attacker managed to get hold of the username and password combinations in question, the next likely step is to test them. Testing can be done manually or automated with bots.
- Action – At this point, the logins will have either worked or been unsuccessful. If they worked, the hacker is now able to manipulate the accounts that have been seized. For example, money could be withdrawn from a bank account. The action taken here depends on the type of account and the nature and reason for the attack.
- Consecutive attacks – A lot of people use the same password again and again for different accounts. In fact, 53 percent of people have admitted they do this. If you do this, it puts you in harm’s way because it means that once the hacker has access to one account, he or she likely has access to many others.
How to Prevent Account Takeover
Now that you know what account takeover is, it is imperative to take steps to prevent it. Here are seven ways you can do so:
1. Use modern bot mitigation software
Businesses are trying to respond to bot attacks with various methods that have proven to be unsatisfactory. A prime example of this is CAPTCHA. This involves different puzzles that require users to prove they are human. Basically, the user needs to jump through hoops, which can be very frustrating.
For instance, in CAPTCHA, users must interpret an image that has numbers and letters mashed together. Another common example is when you are presented with nine squares, each containing different images, and you have to select all of the ‘boats’ or ‘traffic lights’.
However, Gartner has revealed that these methods are repeatedly being beaten by cloud-based analysis tools and attacker bots. So, not only are you frustrating the user but you can’t be sure that you are going to beat the bot either!
Such prevention methods have damaging effects on businesses, causing a 50 percent abandonment rate by users, particularly those shopping on their smartphones. Therefore, for every two customers that have to complete the CAPTCHA, one will leave and not complete their purchase. This is why you need to use a modern solution that will force the bot to do the work.
2. Watch for indicators of API misuse
APIs are vital today in terms of connecting and integrating various web services together. They are basically the internet’s glue! For instance, a merchant could utilize an API for connecting its online store to the payment processor so credit card transactions can be cleared.
While they are highly useful tools for developers and businesses, bad actors can misappropriate them in an account takeover scenario.
By utilizing an automated attack bot, threat actors could attempt to break through the security controls of the API using random combinations of stolen passwords and usernames. This is one of the reasons why monitoring websites for API misuse is critical: such abuse will likely show up as a sizable number of failed login attempts within a short timeframe.
3. Use fraud management filters
If you have an e-commerce website, it makes sense to use fraud management filters. There are two main options here:
- Threshold filters – You can set maximums and minimums for legitimate purchases. For example, if all of the items you sell are more than $20, this sort of filter would automatically flag a purchase made for $1.
- Velocity filters – You can stop threat actors from testing card numbers against your merchant account by declining suspicious transactions automatically based on a number of parameters in a set timeframe.
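The two filters side by side, as an added example that is not part of this article and not any vendor's code; the price bounds, the per-card attempt limit, the time window and the sample transactions are all constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transaction:
    card_last4: str   # last four digits of the card used (constructed sample data)
    amount: float
    ts: datetime

MIN_AMOUNT = 20.0                     # threshold filter: nothing in the catalogue costs under $20 (assumed)
MAX_AMOUNT = 500.0                    # threshold filter: assumed ceiling for a legitimate basket
VELOCITY_LIMIT = 3                    # velocity filter: a 4th attempt on one card inside the window is declined
VELOCITY_WINDOW = timedelta(minutes=10)

def threshold_filter(tx):
    """Flag purchases outside the legitimate price range, e.g. a $1 card test."""
    return not (MIN_AMOUNT <= tx.amount <= MAX_AMOUNT)

def velocity_filter(history, tx):
    """Flag a card that has already been tried VELOCITY_LIMIT times within the window."""
    recent = [h for h in history
              if h.card_last4 == tx.card_last4 and tx.ts - h.ts <= VELOCITY_WINDOW]
    return len(recent) >= VELOCITY_LIMIT

def screen(transactions):
    """Return a (decision, reason) pair per transaction, in time order."""
    history, decisions = [], []
    for tx in sorted(transactions, key=lambda t: t.ts):
        if threshold_filter(tx):
            decisions.append(("decline", "threshold"))
        elif velocity_filter(history, tx):
            decisions.append(("decline", "velocity"))
        else:
            decisions.append(("accept", ""))
        history.append(tx)   # declined attempts still count: card testing is mostly declines
    return decisions

# Constructed sample: one normal purchase, one $1 card test, one card tried four times in five minutes
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [
    Transaction("1111", 45.00, T0),
    Transaction("2222", 1.00, T0 + timedelta(minutes=1)),
    Transaction("3333", 25.00, T0 + timedelta(minutes=2)),
    Transaction("3333", 25.00, T0 + timedelta(minutes=3)),
    Transaction("3333", 25.00, T0 + timedelta(minutes=4)),
    Transaction("3333", 25.00, T0 + timedelta(minutes=5)),
]

if __name__ == "__main__":
    for tx, decision in zip(sorted(SAMPLE, key=lambda t: t.ts), screen(SAMPLE)):
        print(tx.card_last4, tx.amount, decision)
```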
4. Monitor your online presence with Google Alerts
Set up Google Alerts so you have a better understanding of your online presence. You can turn on automatic notifications, alerting you whenever Google indexes a website that mentions the name of your company, including dummy websites pretending to be you.
5. Use advanced fraud detection software
In addition to the tips that we have provided so far, it is also important to make sure that you use fraud detection software.
There are plenty of different solutions to select from, so you need to make sure you choose with care. The SEON fraud detection software is a good choice.
There are plenty of great features that you can expect, including complete data enrichment based on phone number, IP address, or email address, as well as a way of checking 40+ online networks and social media accounts relating to user information. In-depth device fingerprinting is also available.
You can also expect full control over risk rules. You can even use a powerful machine learning engine, which will give you powerful suggestions based on historical company data.
6. Monitor for accounts being accessed from IP addresses in different countries
Customers tend to use the same IP address and computer when accessing their accounts. As IP addresses are connected with specific locations, they can be used for monitoring whether a user has logged in from an unexpected location.
The IP addresses of active site users can also be matched to the usual IP address of the account holder. For instance, if an account holder typically based in California is accessing the website from an IP address in Nigeria, there is likely to be one of two scenarios. The first is that they have gone away on a vacation. The second is that an account takeover is happening.
Another sign of an account takeover is when there are a number of unique account logins from a new location within a short space of time. For example, if 15 different accounts are accessed from a new country, we can assume that the customers in question have not all taken a trip to the same country at the same time.
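The three checks described in tips 2 and 6 (a burst of failed logins from one source, a login from a country other than the account holder's usual one, and many distinct accounts appearing from the same new country in a short window), as an added example that is not part of this article; the authentication events, the usual-country baseline and the thresholds are constructed assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
T0 = datetime(2024, 1, 1, 9, 0, 0)
# Constructed sample authentication events: (time, account, source_ip, country, succeeded)
LOG = [(T0 + timedelta(seconds=s), a, ip, cc, ok) for s, a, ip, cc, ok in [
    (0, "alice", "203.0.113.5", "US", True),
    (1, "bob", "198.51.100.7", "NG", False),
    (2, "carol", "198.51.100.7", "NG", False),
    (3, "dave", "198.51.100.7", "NG", False),
    (4, "erin", "198.51.100.7", "NG", False),
    (5, "erin", "198.51.100.7", "NG", False),
    (6, "bob", "198.51.100.7", "NG", True),
    (7, "carol", "198.51.100.7", "NG", True),
    (8, "dave", "198.51.100.7", "NG", True),
    (3600, "alice", "192.0.2.9", "FR", True),
]]
# Constructed baseline: the country each account holder normally logs in from
USUAL_COUNTRY = {"alice": "US", "bob": "US", "carol": "US", "dave": "US", "erin": "US"}

def failed_login_bursts(log, window=timedelta(minutes=5), limit=5):
    """Source IPs with at least `limit` failed logins inside one sliding window (tip 2)."""
    recent, flagged = defaultdict(deque), set()
    for ts, _, ip, _, ok in sorted(log):
        if ok:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that have fallen out of the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(ip)
    return flagged

def unusual_country_logins(log, usual):
    """Successful logins from a country other than the holder's usual one: travel or takeover."""
    return [(a, cc) for _, a, _, cc, ok in log if ok and usual.get(a) != cc]

def new_country_clusters(log, usual, window=timedelta(minutes=10), min_accounts=3):
    """Countries where >= min_accounts distinct accounts, none based there, logged in within one window."""
    by_country = defaultdict(list)
    for ts, a, _, cc, ok in sorted(log):
        if ok and usual.get(a) != cc:
            by_country[cc].append((ts, a))
    flagged = {}
    for cc, events in by_country.items():
        for i, (start, _) in enumerate(events):
            accts = {a for t, a in events[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                flagged[cc] = accts
    return flagged
```

In the sample, alice's later login from FR is reported on its own (one account, possibly a vacation), while NG is reported as a cluster because three accounts that never log in from there appear within seconds of each other, right after a burst of failures from the same address.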
7. Educate yourself on account takeovers
There are a number of different ways an account can be compromised. Below, we will provide some insight into some of the popular methods hackers use to steal account credentials:
1. Credential stuffing
This is a cyber attack in which stolen account details (specifically username and password pairs) are tried against other services. These attacks are automated via large-scale login requests directed at a web application.
2. SIM card swapping
SIM swapping is a legitimate service that phone companies provide for when a user switches phones and the new device is not compatible with the old SIM card. Fraudsters manipulate this process to transfer the victim's phone number to a new SIM card: they get in touch with the mobile phone carrier and convince the call center to port the victim's number to a SIM card they control.
3. Phishing
This is a form of cybercrime that tends to be characterized by email spam. Email is still the most targeted online service, with the greatest potential for identity theft. Malicious people could pose as your bank and ask you to change your account passwords as part of a security protocol, hoping that you will fall straight into their trap so that they can steal your information or infect your device.
4. Online hacking
Online hackers use keyloggers and other forms of malware to record keyboard input so they can steal the credentials typed into it.
Final words on account takeover
So there you have it: seven tips on spotting and preventing account takeover. This is something all businesses, no matter how big or small, need to concern themselves with today.
You need to make a dedicated effort to monitor effectively for the possibility of account takeover, using modern software, so that you can put the right measures in place to keep your business protected.