Thursday, May 19, 2022
  • CA/Browser Forum Updates Requirements for Code Signing Certificate Private Keys
  • Seceon aiXDR
  • Security BSides Sofia 2022 – Radostina Kondakova’s And Jordan Popov’s ‘Where And How To implement Security In Software Development’
  • RHEL 9 Release: JumpCloud Offers Same-day Support
  • Securing your SDLC (Software Development Life Cycle)

Security Boulevard Logo

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Events
    • Upcoming Events
    • Upcoming Webinars
    • On-Demand Events
    • On-Demand Webinars
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
  • Library
  • Related Sites
    • Techstrong Group
    • Container Journal
    • DevOps.com
    • Security Boulevard
    • Techstrong Research
    • Techstrong TV
    • Devops Chat
    • DevOps Dozen
    • DevOps TV
    • Digital Anarchist
  • Media Kit
  • About Us

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Security Bloggers Network 

Home » Security Bloggers Network » The Costs and Risks of Account Takeover

SBN

The Costs and Risks of Account Takeover

by Enzoic on June 20, 2019

Account takeover (ATO) attacks result in billions of dollars of fraud and damage to brand reputation each year. These are the costs and risks associated with ATO.

Defining ATO

Let’s start by defining ATO. Account takeover is a form of online identity theft in which a cybercriminal illegally gains access to a victims account, such as a bank account or e-commerce account. The victims account will be of value to the hacker because it either holds funds or access to products, services or other stored value of some kind; as is the case with loyalty accounts for specific companies. Once the cybercriminal has gained access to the account, they will drain funds, use loyalty points, or use the credit and debit card information to commit an act of online fraud.

Cybersecurity Live - Boston

Cybercriminals will use various techniques to gain illegal access to the victim’s account, the most common of which are credential stuffing and credential cracking. Credential stuffing is an automated web injection attack where hackers use credential information sourced from data breaches to gain access to the victim’s other accounts. Credential cracking is another term for a brute force attack in which hackers will use dictionary lists or common usernames and passwords to guess their way into an account.

ATO Risks by The Numbers

ATO attacks are a major threat to online consumers and the reputation of companies whose consumers suffer from them. To understand why cybercriminals are increasing their efforts on account takeovers, you only have to look at how lucrative they are.

  • A 2018 NuData Security report found that 40% of all account access attempts online are high risk, meaning they are targeting access to financial data or something of value.
  • From 2016 to 2017, losses from Account Takeover rose 122%. In 2018, it increased by 164%.
  • The cost of these attacks tripled from 2016 to 2017, reaching an estimated $5.1 billion in the United States alone.   
  • According to Juniper Research, losses from fraudulent online transactions are expected to reach $25.6 billion by 2020. 

Cybercriminals Exploring New ATO Horizons

While cyber fraudsters traditionally targeted bank
accounts, they are broadening their scope to target a range of online accounts
such as e-commerce accounts, social media accounts, shop loyalty schemes,
cryptocurrency wallets, and email accounts.

The e-commerce industry is growing at a rapid rate as online retailers tap into new markets in Asia and South America, and consumers enjoy the convenience of online shopping. According to German online statistics portal, Statista, e-commerce revenue in India is expected to grow to 62.3 billion U.S. Dollars in 2023, and more than double its current volume by 2022. When an online market grows, the attention cybercriminals put into exploiting it also grows.  Large retail companies like Walmart and Amazon are also attempting to tap into the growing e-commerce markets in India, South Korea, Turkey, and Brazil and capture a new consumer base. In May 2018 Walmart acquired a 77% stake in Flipkart, India’s largest online retailer, for $16 billion following two years of talks with the company.

These new consumers represent a lucrative new market for
cybercriminals and it is not just the influx of newcomers that is fueling
cybercriminals but also changes in consumer behavior. More consumers are
turning to alternative payment methods such as Venmo, Zelle, and PayPal
shifting the focus away from bank accounts as the sole way of paying for things
online. Retailers are also expanding how consumers can pay for their products
by allowing purchases through mobile payment apps.  Losses from ATO and fraud cost businesses
across all industries, and all across the world, billions of dollars per year.

Another way cybercriminals are expanding the threat is by device. Mobile and mobile apps are becoming a prime target for account takeover.  In Rippleshot’s State of Card Fraud 2018 report they predicted that mobile phones would become an increasingly vulnerable target and the latest research appears to indicate the same. Javelin’s 2019 Identity Fraud Study also indicated that mobile phone account takeovers are on the rise, accounting for 679,000 incidents in 2018, up around 45% from 2017.  One of the reasons for this increase in mobile is technology lag.  While there is an increase in tools designed to protect users through a web browser, many of those same tools do not work on mobile apps.

Largest ATO Risk: Exposed Passwords

Having more online accounts means having more usernames
and passwords to remember which will encourage some consumers to repeat their
credentials across different accounts. This is highly risky but surprisingly
common. According to darkreading.com 59% of survey respondents said they reuse
passwords despite 91% of them saying they understand the risks associated. The
main reason cited for reusing passwords was fear of forgetfulness.

As the results from the darkreading.com survey show, users will reuse passwords even understanding the risk, but why? Most likely because they haven’t been stung by this practice since they haven’t noticed their accounts have been compromised. However, they probably have been stung by their own forgetfulness which can be an inconvenience when they have to reset their login details. This leads users to weigh the risks and they often decide it’s easier to reuse passwords despite the cost being so high if their credentials are exposed.

What can be done about ATO Risks?

Concerned users can use websites like https://www.avast.com/hackcheck/ to
see if your password has been leaked online. The Avast website will tell you
what company the data breach was associated with and offer advice on next
steps. When it comes to passwords, they recommend that if your password has
appeared on a list of exposed credentials, you should change your password on
any accounts you have used it and cease using that password. Taking action can
greatly reduce the risk of you falling victim to a credential stuffing attack.

Password screening is the process of testing the strength
of your password. Many cybersecurity companies offer this service, for example,
https://check.passwordping.com to check if their passwords are weak. Sites like this can
also tell you how long it would take to crack your password in a brute force
attack. If your password can be cracked in a matter of hours by a brute force
attack then you should strongly consider changing your password
immediately.  A lot of online tools will
now tell you how strong your password is (usually using a scale of easy to
hard) and suggest ways to improve the strength, but password screening services
go a step further for businesses, non-profits and government agencies.

Credential
Screening

For businesses, non-profits and government agencies, the
stakes are a lot higher.  They could have
thousands of user accounts vulnerable to account takeover and fraud due to the
password reuse issue listed above.

Credential screening for online accounts can help prevent account takeover. Credential screening is the process of seamlessly screening usernames and passwords to identify if they have been compromised. These systems compare users’ credentials to large databases of leaked credentials in order to find a match and alert the user to their exposed credentials. This adds a strong layer of security to users’ accounts and also highlights the risk in password reuse.  The check is performed at login, password reset or account set up. 

Unlike other authentication tools, credential screening only impacts they users who have exposed credentials, the rest of your users are completely unencumbered.  This solution can also be used on all devices, not just one websites.  Any place where an organization collects a user name and password combination, a credential screening solution can be added. For more information about compromised credential screening, visit www.enzoic.com

The post The Costs and Risks of Account Takeover appeared first on Enzoic.


Recent Articles By Author
  • CISA: The Risk of MFA Without Improving Password Security
  • It’s W0rld [email protected] [email protected]!
  • Time to Lock Down Identity Management Strategies
More from Enzoic

*** This is a Security Bloggers Network syndicated blog from Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/the-costs-and-risks-of-ato/

June 20, 2019June 20, 2019 Enzoic account takeover, Account Takeover Costs, Account Takeover Risks, ATO, credential screening
  • ← The Legality of Waging War in Cyberspace
  • Who’s Responsible for a Cloud Breach? It Depends →

TechStrong TV – Live

Click full-screen to enable volume control
Watch latest episodes and shows

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy
  • This field is for validation purposes and should be left unchanged.

Most Read on the Boulevard

How Encryption Helps Restore Cloud Security Integrity
Do You Want Secure Supply Chains? SHOW ME THE MONEY
CISA, Int’l Cybersecurity Bodies Issue Advisory to MSPs
Privacy As Enabling Technology
5 Ways K8s Apps Are Vulnerable to Supply Chain Attacks
X-Cart Skimmer with DOM-based Obfuscation
This Week in Malware—Malicious Rust crate, ‘colors’ typosquats
OWASP® Global AppSec US 2021 Virtual – Ronen Slavin’s ‘Analyzing Google’s SLSA Framework For Securing Software Supply Chains’
Ransomware is Indiscriminatory – Prepare for Everything to Fail
XKCD ‘Crêpe’

Upcoming Webinars

Thu 19

The Hidden Software Supply Chain Risks That Can Ruin Your 2022

May 19 @ 1:00 pm - 2:00 pm
Mon 23

Defending Against Emerging Ransomware Threats

May 23 @ 1:00 pm - 2:00 pm
Thu 26

Challenges and Opportunities for Improving Secure Coding Practices

May 26 @ 3:00 pm - 4:00 pm
Tue 31

Leveraging a Cloud Data Platform to Respond to Cybersecurity Events

May 31 @ 11:00 am - 12:00 pm
Jun 01

The 2022 Guide to API Security

June 1 @ 11:00 am - 12:00 pm
Jun 01

Security From Code to Cloud and Back to Code

June 1 @ 1:00 pm - 2:00 pm
Jun 08

Beyond Unification: How CNAP Should Reduce Cloud Security Risk

June 8 @ 11:00 am - 12:00 pm
Jun 08

When Less Is More: Full Life Cycle Serverless Security

June 8 @ 1:00 pm - 2:00 pm

More Webinars

Download Free eBook

Managing the AppSec Toolstack

Industry Spotlight

Establishing a Root of Trust in Embedded Linux and IoT
Cybersecurity Endpoint Industry Spotlight IoT & ICS Security Security Boulevard (Original) Vulnerabilities 

Establishing a Root of Trust in Embedded Linux and IoT

April 18, 2022 Anita Buehrle | Apr 18 Comments Off on Establishing a Root of Trust in Embedded Linux and IoT
Attorney-Client Privilege and Email Privacy
Cybersecurity Data Security Identity & Access Industry Spotlight Network Security Security Boulevard (Original) 

Attorney-Client Privilege and Email Privacy

April 7, 2022 Mark Rasch | Apr 07 Comments Off on Attorney-Client Privilege and Email Privacy
How MSPs can Fill the Cybersecurity Skills Gap
Cybersecurity Endpoint Industry Spotlight Network Security Security Awareness Security Boulevard (Original) 

How MSPs can Fill the Cybersecurity Skills Gap

February 17, 2022 Mike Adler | Feb 17 Comments Off on How MSPs can Fill the Cybersecurity Skills Gap

Top Stories

Strata Identity Proposes Standard to Simplify Identity Management
Cybersecurity Featured Identity & Access News Security Boulevard (Original) Spotlight 

Strata Identity Proposes Standard to Simplify Identity Management

May 18, 2022 Michael Vizard | Yesterday 0
Do You Want Secure Supply Chains? SHOW ME THE MONEY
Analytics & Intelligence Application Security CISO Suite Cloud Security Cyberlaw Cybersecurity Data Security DevOps Endpoint Featured Governance, Risk & Compliance Identity & Access Incident Response IoT & ICS Security Malware Mobile Security Most Read This Week Network Security News Popular Post Security Awareness Security Boulevard (Original) Social Engineering Spotlight Threat Intelligence Threats & Breaches Vulnerabilities 

Do You Want Secure Supply Chains? SHOW ME THE MONEY

May 16, 2022 Richi Jennings | 2 days ago 0
OpenSSF Seeks $150M+ to Address Open Source Software Security
Application Security Cybersecurity Featured News Security Boulevard (Original) Spotlight Threats & Breaches Vulnerabilities 

OpenSSF Seeks $150M+ to Address Open Source Software Security

May 13, 2022 Michael Vizard | May 13 0

Security Humor

XKCD 'Health Data'

XKCD ‘Health Data’

Security Boulevard Logo White

DMCA

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: [email protected]

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • DMCA Compliance Statement
  • Privacy Policy

Related Sites

  • Techstrong Group
  • Container Journal
  • DevOps.com
  • Techstrong Research
  • Techstrong TV
  • DevOps Chat
  • DevOps Dozen
  • DevOps TV
  • Digital Anarchist
Powered by Techstrong Group
Copyright © 2022 Techstrong Group Inc. All rights reserved.