Account takeover (ATO) is the ultimate goal of most fraud attacks, and already accounts for an estimated $6.5 billion to $7 billion USD in annual losses across multiple verticals. Clearly, stealing user credentials is a lucrative strategy for cybercriminals, but what else is there to know?
Javelin Strategy and Research reports that the number of fraud victims is ever increasing; between 2013 and 2016, there was a 16% increase in fraud victims just in the US, hitting 15 million victims in their most recent report. These victims come in all shapes and sizes, from individuals to giant companies.
One of the biggest data breaches of 2017 also created a huge number of potential ATO victims: the Equifax data breach. Equifax made headlines around the world because of the millions of users whose sensitive data was exposed, putting those users at an incredibly high risk of falling victim to ATO. As a result, Equifax lost the trust of its customers and continues to deal with reputational and financial damage. Gmail, Uber, Deloitte, and many others faced similar repercussions after their own data breaches in 2017.
Why do attacks like these keep happening? A study by IDAgent showed that 63% of all data breaches occurred due to weak passwords, or to access credentials stolen through social engineering schemes or financially motivated malware. In the case of Deloitte, for example, user accounts were protected by a single factor: a username and password. Without a second authentication factor, users were left highly vulnerable once their login credentials were compromised. The Uber data breach occurred in a similar way: attackers gained access to sensitive information using nothing more than stolen username and password combinations.
What can organizations do? In order to effectively protect themselves against attacks that lead to ATO, organizations must implement solutions that provide visibility into the entire fraud cycle and encompass the four pillars of next-generation security:
- Information sharing
Let’s break down a typical ATO attack:
- Victims are identified through social networks and social engineering.
- Malware is installed by directing users to download infected files or to navigate to fraudulent websites.
- The user attempts to log in to their bank's transactional website from the infected device.
- The previously installed malware captures the user's login credentials and transmits them to the cybercriminals.
- The criminals use the credentials to steal funds or information, or simply sell them on a black market.
Institutions must proactively deploy automated monitoring systems based on artificial intelligence and machine learning technology in order to stop attacks before they can be completed. Monitoring of social networks, phishing campaigns, rogue apps, and malware, complemented by an agile takedown strategy, can prevent an attack from even being launched. Further, institutions should implement strong multi-factor authentication that requires an additional authentication factor for high-risk or sensitive transactions, so that a stolen password alone is not enough to move money or data through a transactional channel.
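The risk-based step-up authentication described above, as an added example that is not part of the original post: a hypothetical risk score built from the signals the attack chain produces (an unknown device, an unusual country, a new payee, a large amount) decides whether a password alone is enough, and a TOTP second factor (RFC 6238, HMAC-SHA1) is demanded when it is not. The weights, the threshold, the `UserProfile` and `Transaction` records, and the demo data are all constructed for this illustration; the TOTP secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

# Hypothetical scoring weights and threshold; a real deployment would tune these.
STEP_UP_THRESHOLD = 50
TOTP_STEP = 30
TOTP_DIGITS = 6


@dataclass
class UserProfile:
    """Devices and countries seen on earlier successful logins, plus the enrolled TOTP secret."""
    known_devices: frozenset
    known_countries: frozenset
    totp_secret: bytes


@dataclass
class Transaction:
    user: str
    device_id: str
    country: str
    amount: float
    new_payee: bool


def risk_score(profile, tx):
    """Add up the signals that a stolen credential is being replayed from somewhere new."""
    score, reasons = 0, []
    if tx.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if tx.country not in profile.known_countries:
        score += 30
        reasons.append("unusual country")
    if tx.new_payee:
        score += 20
        reasons.append("new payee")
    if tx.amount >= 1000:
        score += 20
        reasons.append("high amount")
    return score, reasons


def totp(secret, at_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over a 30-second time counter."""
    counter = int(at_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret, code, now, window=1):
    """Accept the current code or one step either side to absorb clock drift."""
    if len(code) != TOTP_DIGITS or not code.isdigit():
        return False
    for k in range(-window, window + 1):
        # Constant-time comparison so a wrong guess does not leak how many digits matched.
        if hmac.compare_digest(totp(secret, now + k * TOTP_STEP), code):
            return True
    return False


def authorize(profile, tx, second_factor=None, now=None):
    """The password has already been checked; decide whether this transaction needs a second factor."""
    now = time.time() if now is None else now
    score, reasons = risk_score(profile, tx)
    if score < STEP_UP_THRESHOLD:
        return "allow", score, reasons
    if second_factor is None:
        return "step_up_required", score, reasons
    if verify_totp(profile.totp_secret, second_factor, now):
        return "allow", score, reasons
    return "deny", score, reasons


# Constructed data: the RFC 6238 test secret and a profile with one known device and country.
DEMO_SECRET = b"12345678901234567890"
DEMO_PROFILE = UserProfile(frozenset({"dev-home-laptop"}), frozenset({"US"}), DEMO_SECRET)
ROUTINE_TX = Transaction("alice", "dev-home-laptop", "US", 45.0, new_payee=False)
# What a criminal replaying alice's captured password typically looks like.
SUSPICIOUS_TX = Transaction("alice", "dev-unknown-1", "RO", 2500.0, new_payee=True)

if __name__ == "__main__":
    t = 1111111109  # fixed clock so the run is reproducible
    print(authorize(DEMO_PROFILE, ROUTINE_TX, now=t))                              # allow
    print(authorize(DEMO_PROFILE, SUSPICIOUS_TX, now=t))                           # step_up_required
    print(authorize(DEMO_PROFILE, SUSPICIOUS_TX, totp(DEMO_SECRET, t), now=t))     # allow
    print(authorize(DEMO_PROFILE, SUSPICIOUS_TX, "287082", now=t))                 # deny
```

The point of the design is that the routine transaction from a known device never sees a second prompt, while the replayed credential from a new device in a new country cannot complete the transfer without the code from the victim's enrolled authenticator. Two things a production version must add beyond this snippet: a rate limit or lockout on failed second-factor attempts, since a six-digit code can be brute-forced in a few hundred thousand tries, and a record of which counters were already accepted so a code intercepted by the same malware cannot be replayed inside the drift window.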
Attacks that end in ATO are, and will continue to be, an all-time favorite for attackers as long as end users remain vulnerable to social engineering and password reuse. This is why the responsibility for fraud protection does not belong to the user; it belongs to the organizations that handle sensitive user information. Institutions must use solutions that proactively monitor for attacks and that can take them down as soon as they are detected, without interfering with the user experience. By implementing all of the above strategies, organizations don't just protect their end users: they protect themselves from the financial and reputational damage of fraud attacks.
To learn more about how you can protect your organization from ATO and other attacks, take a look at our page on Total Fraud Protection.