Customer account takeovers (ATOs) rarely make headlines, but we are all familiar with the tactic fraudsters use to invade customer accounts. They simply log in! It’s quick, easy and profitable.
This same method of using guessed or stolen passwords kicked off several large-scale supply chain and critical infrastructure attacks that dominated the news in 2021. JBS, Colonial Pipeline, Solarwinds and two U.S. water treatment plants all used employee credentials to take over accounts and inflict extensive damage. The most infamous password: Solarwinds123.
Point being: every hacker knows it’s easier to walk through the front door than to find holes in your cyber defenses. With the correct username and password, they slip past “security” (a traditional login), appearing to be a legitimate user.
In this article, we’ll take a deep look at customer account takeovers, the types of attacks hackers use to steal credentials and why ATOs are on the rise. Once you have the full picture, I’ll explain how eliminating passwords completely is your best defense. Removing all passwords begins with the FIDO2 protocol, but it doesn’t end there.
What’s a typical account takeover?
Every year there are millions of ATOs that never enter the spotlight because they impact fewer customers. Companies will quietly notify individual account takeover victims with assurances like, “Only a few accounts were compromised.” It might not be comforting, but it may stop customers from running to the press…?
The reality is, a single account takeover can hurt your company and customers financially. If criminals access an account linked to a credit card number, what’s to stop them from an online shopping spree? Afterwards, attackers can try to use the same credentials on other sites or sell them on the dark web. More than 65% of us reuse the same password for many accounts, and hackers know it.
How ATOs hit TurboTax customers
Attackers recently targeted Intuit’s TurboTax platform in a series of account takeovers that reused stolen credentials. Intuit notified customers in June that attackers, “….may have obtained information… such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g., salary and deductions).” The crown jewels.
Within days, Intuit stated the extent of the breach was overblown in the media, and in terms of numbers, it was a fair defense. Companies must play damage control to protect their brand and regain trust. But TurboTax customers expressed alarm that hackers can use that data to steal their identities, open credit cards, run up bills and ruin their credit. It’s important for companies to address customer concerns. If they fumble the ball, they could lose customers for life.
Customer account takeover statistics
According to Aite Group, account takeover attacks, across all industries, cost more than $16 billion in losses — a 300% jump in 2020. A key factor is that most ATOs are fueled by bots. PerimeterX, a bot protection vendor, reports that 75-85% of all login attempts in the second half of 2020 were account takeover attempts.
Security provider Imperva also blames bot-powered attacks, citing its mitigation of an ATO that attempted 700,000 logins per hour. On the flip side, hackers use automation to launch “low and slow” ATO attacks at a typical login pace, spaced weeks apart to avoid detection. VeriClouds, a credential recovery service, claims many companies are victims of account takeovers and have no idea.
Account takeover threats
Before you decide how to prevent account takeovers, it helps to understand the tactics hackers use to steal credentials and invade customer accounts.
- Credential cracking:
A common brute force tactic is called credential cracking. When done online, hackers test thousands of popular passwords and usernames to break into accounts. They develop scripts to churn through credential combinations until they crack a customer login.
Brute force attacks enlist botnets (networks of malware-infected, hijacked PCs) to perform high-volume, rapid attacks. This enables them to take over the maximum number of accounts before being detected. Account lockouts, triggered after too many failed logins, offer some protection, but hackers just move on to the next account.
When performed offline, hackers use stolen credential data that includes password hashes (essentially encrypted passwords). They then use software to “crack the passwords,” that determine the clear-text passwords. For weak passwords, this takes just a few seconds. Stronger passwords take more time, while some complex passwords are virtually uncrackable. Once the passwords are determined, the attacker uses them to log in. The advantage of this approach is that it avoids lockouts and the password cracking itself is undetectable because it’s performed offline.
- Password spraying:
A type of brute force attack, password spraying uses only one set of common credentials against many different customer accounts. Hackers choose this approach to avoid lockouts that occur when hitting each account multiple times. Much like brute force, password spraying uses bots to strike quickly and make it difficult to find the real attacker.
- Phishing and smishing:
We’re all familiar with phishing, and yet we’re still tricked by deceptive emails that lure us to well-spoofed sites. Once you log in, attackers have stolen your credentials. Based on a survey by Ivanti, 74% of companies fell victim to phishing in 2020.
Smishing simply replaces fraudulent phishing emails with SMS texts. Research by Aberdeen shows smishing scams are gaining traction, as attackers are enjoying a higher success rate on mobile devices.
- Social engineering and research:
Professional hackers spend time researching on social media and websites to find information like the target’s address, phone number or names of family members and pets — anything that will help them guess a password. This also helps with knowledge-based questions. Diligent and focused effort is typical of targeted attacks on consumer accounts, especially in the finance and healthcare sectors where the payoff is high.
- Credential stuffing:
This tactic exploits our bad habit of reusing the same passwords for multiple accounts. In fact, reports say hackers targeted TurboTax with credential stuffing. In most cases, criminals start with large data dumps of credentials they stole from another site or purchased on the dark web. They then use bots to test them across every site and app until they succeed.
- Man-in-the-middle (MITM) attacks:
You’ve likely been warned not to use free public WiFi or hotspots. The lack of a password is your first clue that a hacker is sitting a few tables away sipping on a latte. A ‘man in the middle’ can intercept communication by diverting traffic through his own network. This sets them up to eavesdrop or impersonate the receiving party in an online exchange. The attacker gains full visibility to steal login credentials, transfer data, install malware and play spy games.
- SIM swapping:
Attackers can transfer a target’s phone number to a SIM card by convincing the service provider they are the account owner. Once they have control of a phone number, they use weak SMS authentication to take over the account. This is what happened to Apple engineer Rob Ross who lost nearly $1M when hackers took control of his number and accessed his cryptocurrency account.
Customer account takeover prevention
Hands down, the best way to prevent account takeovers is to eliminate customer passwords — completely. No password means there’s no credential to brute force, phish, guess, stuff, intercept or bypass. By getting rid of passwords, we could avoid 80% of all attacks — the percentage of security breaches linked to credentials.
Biometrics: the alternative to passwords
There are several ways to authenticate users without having to use passwords. Most of us are familiar with security keys that IT administrators use to access workstations and privileged accounts. The problem is hardware tokens are costly to provision, lack scalability and can be lost. They were designed for the workforce, not consumers.
We now have better ways to verify customers and employees with biometric authentication. Fingerprint and facial recognition are both highly secure because they confirm the user’s identity based on unique physical attributes. Millions of people already use this to unlock their devices, and they prefer its ease of use. You can solve the problem of weak security and poor experiences with one solution.
How FIDO2 prevents account takeovers
Biometric authentication that’s FIDO2-certified uses public key cryptography (PKI) to prevent account takeovers. For starters, each device that’s registered to an account is assigned a unique set of cryptographic keys (a public key and a private key).
“With FIDO, the biometrics and the private key never leave the end user’s device,” explains Transmit Security VP of Product Niv Goldenberg. “The biometric is used to locally authenticate the user on the device. The private key then signs the challenge and passes it back to the [authentication] server. The only thing that’s passed is the signed challenge.”
This means the biometrics and the private key are never “in flight” and cannot be intercepted by threats like man-in-the-middle attacks. FIDO2 also ensures there’s no central database of biometric identifiers for hackers to target. Goldenberg says, “Even if someone breaks into the server, they cannot impersonate users because the private keys and biometrics are not there. They’re secured on devices.”
Going fully passwordless
Keep in mind, biometric authentication prevents the vast majority of customer account takeover threats by simply getting rid of passwords. This raises a key point. It’s vital to remove customer passwords completely since authentication is only as strong as your weakest link. Passwords cannot be used in your fallback process nor reside in your cache.
This is one of many challenges solved by Transmit Security BindID™️ a cloud-based FIDO2-certified authentication service. You can now secure, simplify and speed customer logins, while providing fluid omnichannel identity experiences. Only BindID eliminates passwords and makes it effortless to integrate passwordless authentication, so you can prevent customer account takeovers and cut related costs sooner than you’d think.