By Boris Chen, tCell
Account takeover (ATO) is quickly becoming a go-to vector for malicious actors. Recent data indicates that 44 percent of companies have been victimized by account takeover attacks, and targeted attacks originating from hacked accounts outpaced all other email vectors in 2017.
The result? Companies must both detect and remediate this threat ASAP to keep user and corporate data safe. Let’s break down the most common types of ATO and the best ways to prevent hackers from gaining account access.
Typical takeovers
Malicious actors are looking for the easiest way to compromise email, bank or credit card accounts. Once they’ve gained control, priorities shift to maximizing profit — this runs the gamut from stealing and selling personal data to making fraudulent purchases on credit cards, transferring funds out of bank accounts or using accounts as part of a large “botnet” to infect other devices.
Popular account takeover methods include:
- Credit card theft: If attackers can compromise credit card data, they can make fraudulent purchases both in-store and online, since few retail locations ask for identification and many e-commerce shops support “card not present” transactions that allow hackers to simply enter credit card data without providing any other proof of identity. Card fraud can happen either online or at the point of sale (POS).
In POS thefts, criminals compromise card readers (or their software) to grab customer credit data, while online attacks look for vendors who don’t properly encrypt or handle credit data, leaving it open for compromise.
- Credential stuffing: Cybercriminals recognize that many users reuse the same username and password across multiple accounts, and often rely on common passwords (such as “123456”) or logins (such as “Admin”) to gain access. Credential stuffing attacks use automation to try combination after combination of usernames and passwords as quickly as possible to discover which ones work.
- Dictionary attacks: As noted above, users often repeat old passwords or pick passwords that are easy to guess and therefore have minimal security value. By running through a “dictionary” of common passwords, hackers can quickly discover whether account owners have ignored the advice to update and strengthen their passwords in the wake of recent data breaches.
- Phishing: Social engineering remains a reliable way for attackers to gain account control. By sending users what appear to be legitimate emails from banks, credit card companies or the federal government — and including dire warnings that users must “ACT NOW” — it’s possible for hackers to trick account holders into clicking on malicious links or downloading malware.
- Session hijacking: If social media, email and financial services don’t properly encrypt the transmission of data, it’s possible for attackers to hijack “sessions” (the authenticated interactions between a user and a website or service) and take full control of user accounts. This lets hackers assume user identities, remove users from the session and change passwords to gain complete control.
Staying safe
There are two broad categories of defense when it comes to defeating ATO attacks: solid security hygiene and advanced security tools.
First up, critical hygiene tips.
Start by skipping public WiFi — hotspots such as those in coffee shops and airports are ideal for hackers to launch “man in the middle” attacks or convince users to access seemingly legitimate networks that are nothing more than dummy connections designed to steal data.
Another good idea: Don’t reuse passwords across multiple accounts, and opt for two-factor authentication. This requires users to supply something they have (such as a one-time SMS code or USB key) along with something they know (such as their password and username) to gain access. Virtual private networks (VPNs) provide additional protection by obfuscating the origin IP address along with any browsing behavior or data transmission.
Despite best efforts by employees and the implementation of solid security hygiene practices, hackers recognize the value in compromised accounts and attempt to find other access points. As a result, companies must also employ advanced protection strategies to maximize defense. Consider:
- Per-user and per-IP login counts: Implementing security solutions that collect this data lets companies drill down and discover the telltale signs of ATO such as “geo-hopping” login attempts, session tokens used in another browser shortly after the first session is closed and sudden ramp-ups in the number of login attempts, especially from the same IP address.
- Application-level analysis: As credit card issuers roll out EMV chip cards and companies get better at detecting typical attack vectors, attackers are now targeting the applications themselves to compromise accounts. As a result, you need tools that can detect popular threat vectors such as cross-site scripting, actively block suspicious IPs, quickly identify compromised users and alert IT staff that accounts are under attack.
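As an added example (not code from the article or from tCell), here is a Python sketch of the per-user and per-IP analysis described above, run over a constructed login log: it flags a burst of failed logins from one IP, “geo-hopping” logins by one user, and a session token reappearing from a different browser or IP shortly after first use. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the article; tune them to real traffic.
FAIL_BURST, FAIL_WINDOW = 3, timedelta(minutes=5)                    # failures from one IP
GEO_HOP, TOKEN_REUSE = timedelta(minutes=30), timedelta(minutes=10)  # geo-hop / token-reuse windows
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log (not real traffic): ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2018-03-01T10:00:01 event=login user=alice ip=203.0.113.5 country=US ua=Firefox result=ok session=tokA
2018-03-01T10:05:00 event=request user=alice ip=198.51.100.9 country=RU ua=Chrome session=tokA
2018-03-01T10:20:00 event=login user=alice ip=198.51.100.9 country=RU ua=Chrome result=ok session=tokB
2018-03-01T10:30:00 event=login user=bob ip=192.0.2.10 country=US ua=curl result=fail
2018-03-01T10:30:05 event=login user=carol ip=192.0.2.10 country=US ua=curl result=fail
2018-03-01T10:30:10 event=login user=dave ip=192.0.2.10 country=US ua=curl result=fail
"""

def parse(log_text):
    # One dict per line, timestamp parsed into ev["ts"], oldest first.
    events = []
    for line in log_text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        ev = dict(KV_RE.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(log_text):
    # Returns sorted (rule, subject) pairs for the three signals named in the article.
    alerts = set()
    fails_by_ip, logins_by_user, first_seen = defaultdict(list), defaultdict(list), {}
    for ev in parse(log_text):
        if ev["event"] == "login" and ev["result"] == "fail":
            # Rule 1: a burst of failed logins from one IP (stuffing / dictionary attack).
            fails_by_ip[ev["ip"]] = window = [t for t in fails_by_ip[ev["ip"]] if ev["ts"] - t <= FAIL_WINDOW] + [ev["ts"]]
            if len(window) >= FAIL_BURST:
                alerts.add(("ip_burst", ev["ip"]))
            continue
        if ev["event"] == "login":
            # Rule 2: geo-hopping, successful logins for one user from two countries in quick succession.
            for prev in logins_by_user[ev["user"]]:
                if prev["country"] != ev["country"] and ev["ts"] - prev["ts"] <= GEO_HOP:
                    alerts.add(("geo_hop", ev["user"]))
            logins_by_user[ev["user"]].append(ev)
        # Rule 3: a session token reappearing from a different browser or IP shortly after first use.
        tok = ev["session"]
        first = first_seen.setdefault(tok, ev)
        if (first["ua"], first["ip"]) != (ev["ua"], ev["ip"]) and ev["ts"] - first["ts"] <= TOKEN_REUSE:
            alerts.add(("token_reuse", tok))
    return sorted(alerts)
```

In production the same three rules would run over a streaming log with per-account baselines rather than fixed thresholds, but the structure of the checks is the same.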
Account takeover is frustrating for organizations and lucrative for hackers, especially since users may not recognize or report the signs of ATO. With attacks on the rise, companies can improve their defensive position by implementing basic security hygiene paired with app-connected solutions that help automatically detect and remediate account takeover attempts.
Boris Chen is Vice President of Engineering and co-founder of tCell. He has more than 20 years of industry experience building high-performance web infrastructure and data technology. Before co-founding tCell, Chen spent five years at Splunk as VP of Engineering, from startup through IPO, where he helped drive Splunk’s petabyte-scale deployments and integration with Hadoop. Prior to joining Splunk, Chen was Director of Engineering at LucidEra, an early “Business Intelligence as a Service” innovator. At BEA Systems, where he was part of the original WebLogic acquisition, he led engineering teams working on the JRockit Java Virtual Machine, EAI and message bus products. Chen holds a B.S. in EECS from the University of California, Berkeley.