The Costs and Risks of Account Takeover
The Costs and Risks of Account Takeover

by Enzoic on June 20, 2019

Account takeover (ATO) attacks result in billions of dollars of fraud and damage to brand reputation each year. These are the costs and risks associated with ATO.

Defining ATO

Let’s start by defining ATO. Account takeover is a form of online identity theft in which a cybercriminal illegally gains access to a victims account, such as a bank account or e-commerce account. The victims account will be of value to the hacker because it either holds funds or access to products, services or other stored value of some kind; as is the case with loyalty accounts for specific companies. Once the cybercriminal has gained access to the account, they will drain funds, use loyalty points, or use the credit and debit card information to commit an act of online fraud.

Cybercriminals will use various techniques to gain illegal access to the victim’s account, the most common of which are credential stuffing and credential cracking. Credential stuffing is an automated web injection attack where hackers use credential information sourced from data breaches to gain access to the victim’s other accounts. Credential cracking is another term for a brute force attack in which hackers will use dictionary lists or common usernames and passwords to guess their way into an account.

ATO Risks by The Numbers

ATO attacks are a major threat to online consumers and the reputation of companies whose consumers suffer from them. To understand why cybercriminals are increasing their efforts on account takeovers, you only have to look at how lucrative they are.

A 2018 NuData Security report found that 40% of all account access attempts online are high risk, meaning they are targeting access to financial data or something of value.
From 2016 to 2017, losses from Account Takeover rose 122%. In 2018, it increased by 164%.
The cost of these attacks tripled from 2016 to 2017, reaching an estimated $5.1 billion in the United States alone.
According to Juniper Research, losses from fraudulent online transactions are expected to reach $25.6 billion by 2020.

Cybercriminals Exploring New ATO Horizons

While cyber fraudsters traditionally targeted bank
accounts, they are broadening their scope to target a range of online accounts
such as e-commerce accounts, social media accounts, shop loyalty schemes,
cryptocurrency wallets, and email accounts.

The e-commerce industry is growing at a rapid rate as online retailers tap into new markets in Asia and South America, and consumers enjoy the convenience of online shopping. According to German online statistics portal, Statista, e-commerce revenue in India is expected to grow to 62.3 billion U.S. Dollars in 2023, and more than double its current volume by 2022. When an online market grows, the attention cybercriminals put into exploiting it also grows. Large retail companies like Walmart and Amazon are also attempting to tap into the growing e-commerce markets in India, South Korea, Turkey, and Brazil and capture a new consumer base. In May 2018 Walmart acquired a 77% stake in Flipkart, India’s largest online retailer, for $16 billion following two years of talks with the company.

These new consumers represent a lucrative new market for
cybercriminals and it is not just the influx of newcomers that is fueling
cybercriminals but also changes in consumer behavior. More consumers are
turning to alternative payment methods such as Venmo, Zelle, and PayPal
shifting the focus away from bank accounts as the sole way of paying for things
online. Retailers are also expanding how consumers can pay for their products
by allowing purchases through mobile payment apps. Losses from ATO and fraud cost businesses
across all industries, and all across the world, billions of dollars per year.

Another way cybercriminals are expanding the threat is by device. Mobile and mobile apps are becoming a prime target for account takeover. In Rippleshot’s State of Card Fraud 2018 report they predicted that mobile phones would become an increasingly vulnerable target and the latest research appears to indicate the same. Javelin’s 2019 Identity Fraud Study also indicated that mobile phone account takeovers are on the rise, accounting for 679,000 incidents in 2018, up around 45% from 2017. One of the reasons for this increase in mobile is technology lag. While there is an increase in tools designed to protect users through a web browser, many of those same tools do not work on mobile apps.

Largest ATO Risk: Exposed Passwords

Having more online accounts means having more usernames
and passwords to remember which will encourage some consumers to repeat their
credentials across different accounts. This is highly risky but surprisingly
common. According to darkreading.com 59% of survey respondents said they reuse
passwords despite 91% of them saying they understand the risks associated. The
main reason cited for reusing passwords was fear of forgetfulness.

As the results from the darkreading.com survey show, users will reuse passwords even understanding the risk, but why? Most likely because they haven’t been stung by this practice since they haven’t noticed their accounts have been compromised. However, they probably have been stung by their own forgetfulness which can be an inconvenience when they have to reset their login details. This leads users to weigh the risks and they often decide it’s easier to reuse passwords despite the cost being so high if their credentials are exposed.

What can be done about ATO Risks?

Concerned users can use websites like https://www.avast.com/hackcheck/ to
see if your password has been leaked online. The Avast website will tell you
what company the data breach was associated with and offer advice on next
steps. When it comes to passwords, they recommend that if your password has
appeared on a list of exposed credentials, you should change your password on
any accounts you have used it and cease using that password. Taking action can
greatly reduce the risk of you falling victim to a credential stuffing attack.

Password screening is the process of testing the strength
of your password. Many cybersecurity companies offer this service, for example,
https://check.passwordping.com to check if their passwords are weak. Sites like this can
also tell you how long it would take to crack your password in a brute force
attack. If your password can be cracked in a matter of hours by a brute force
attack then you should strongly consider changing your password
immediately. A lot of online tools will
now tell you how strong your password is (usually using a scale of easy to
hard) and suggest ways to improve the strength, but password screening services
go a step further for businesses, non-profits and government agencies.

Credential
Screening

For businesses, non-profits and government agencies, the
stakes are a lot higher. They could have
thousands of user accounts vulnerable to account takeover and fraud due to the
password reuse issue listed above.

Credential screening for online accounts can help prevent account takeover. Credential screening is the process of seamlessly screening usernames and passwords to identify if they have been compromised. These systems compare users’ credentials to large databases of leaked credentials in order to find a match and alert the user to their exposed credentials. This adds a strong layer of security to users’ accounts and also highlights the risk in password reuse. The check is performed at login, password reset or account set up.

Unlike other authentication tools, credential screening only impacts they users who have exposed credentials, the rest of your users are completely unencumbered. This solution can also be used on all devices, not just one websites. Any place where an organization collects a user name and password combination, a credential screening solution can be added. For more information about compromised credential screening, visit www.enzoic.com

The post The Costs and Risks of Account Takeover appeared first on Enzoic.