Friction Is Not The Answer To Account Takeover

Credential theft, or account takeover fraud, continues to be a pervasive problem damaging consumers and businesses alike. More friction is not the answer users want!

There are many factors contributing to the persistence of these attacks; among them, poor consumer security hygiene, corporate breaches of credential data, and growing economic incentives for attackers to sell compromised accounts in the black market or abuse them on their own. 

This post will explore the current scope of this longstanding credential theft problem, outline some data which explains why it persists and propose an approach to mitigation that can help people and businesses from facing the fallout.

Credential theft statistics

Credential theft has been around as long as online password usage itself, though in the past few years has seen a substantial rise as attackers evolved their methods to exploit gaps in corporate security programs.

In 2020, over 36 billion global corporate records were exposed in data breaches, and in this year (2022) companies like Microsoft, News Corp, Crypto.com, Red Cross, and Block have all announced security compromises of sensitive records. Troy Hunt’s popular haveibeenpwned site shows a total of ~12B credentials across 606 websites have been exposed in a data breach. 

Credentials in these corporate breaches only make up a fraction of compromised records, as attackers have other means of stealing account & password combinations through social engineering scams, email phishing scams, or more complicated techniques like MitM (Man in the middle) attacks or RAT (remote access tools).

A Javelin report shows identity theft losses exploded in 2021 to $24 billion (USD)—a 79% increase since 2020. It also shows the number of adults in the US impacted by identity fraud grew more than 50%, reaching more than 15 million victims, and that account takeover losses increased by 90%.

Despite the prevalence of attacks and various methods scammers have at their disposal to steal credentials, consumer adoption of good security hygiene continues to leave people exposed.

Consumers won’t protect themselves

The common tendency for people to reuse passwords across all their online identities allows attackers to crack accounts for multiple sites after validating a single set of credentials. And while usage of password managers eliminates the need for password memorization and reuse, a majority of people online don’t use them due to distrust or other reasons.

A 2019 Google study on consumer security practices found that only 15% of Americans use a password manager, and only 37% of Americans use two-factor authentication. 

Another study conducted by security.org in 2021 had similar findings; one in five Americans were found to use a password manager, of one-third of Americans involved in a credentials breach, only 10% were using a password manager at the time, and more than two-thirds of Americans currently do not use password managers. 

Improved security with less friction using behavioral data

Given only 1 in 2 consumers adopts multi-factor to protect their accounts, and nearly 90% of internet users do not use password managers, how can organizations counteract what seems to be a growing problem in credential theft without opposing common online behavior?

As the stats above show, the presence of correct credentials is not a reason to trust that the entity using them is the owner of the account. What is more reliable as an authentication mechanism is utilizing a holistic set of inimitable data types, ie behavioral data, to continuously fingerprint a user, inform policy decisions for that user, and keep attackers out of accounts they have credentials for.

By gathering fine-grained behavioral data flags at the onset of the user experience (account opening), fingerprints can be created and compared through the entire user lifecycle to flag any instances of suspected fraud: at subsequent logins or anywhere in-app.

There is also a fundamental difference between creating user fingerprints with desktop behavioral signals (text input patterns, mouse/ trackpad movements, location data) vs. mobile device signals (touch gestures, device orientation, linear accelerometer readings, magnetometer readings).

Using these differences to build fingerprints for a user across all their devices, risk teams can create granular security escalation flows, and move away from blanket MFA policies that oppose consumer preferences. Most importantly, MFA policies built on fine-grained behavioral data are incredibly difficult for an attacker to spoof.

There is clearly room for improvement when it comes to preventing credential theft. Though by using behavioral data as the foundation for establishing a user’s identity across their devices, risk teams can expand their options to apply security friction across their userbase while being cognizant of the average consumer’s desire for online protection and their refusal toward best practices.