Account takeovers (ATOs) don’t always make headlines, but a surge in large-scale supply chain and critical infrastructure attacks has grabbed our full attention. Threats targeting JBS, Colonial Pipeline, SolarWinds and two U.S. water treatment plants all started as account takeovers. In each case, hackers used cracked or stolen credentials to take over a valid account.
Granted, not all account takeovers escalate to mass dysfunction and gridlock. But every hacker knows it’s easier to walk through the front door than to find holes in your cyber defenses. With the correct username and password, they slip past “security” (a traditional login), appearing to be a legitimate user.
From the inside, skilled hackers can escalate privileges, probe for vulnerabilities, plant backdoors and encrypt your data. Next thing you know, you get a ransom note. It’s a worst-case scenario that began as a simple ATO.
In this article, we’ll take a deeper look at account takeovers, the tactics hackers use and why ATOs are on the rise. Once you have the full picture, I’ll explain why passwordless authentication based on the FIDO2 protocol is your best defense.
What’s a typical account takeover?
Every year there are millions of ATOs that never enter the spotlight because they impact fewer customers. Companies will quietly notify individual account takeover victims with assurances like, “Only a few accounts were compromised.” It might not be comforting, but it may stop customers from running to the press.
The reality is, a single account takeover can hurt your company and customers financially. If criminals access an account linked to a credit card number, what’s to stop them from an online shopping spree? Afterwards, attackers can try to use the same credentials on other sites or sell them on the dark web. More than 65% of us reuse the same password for many accounts, and hackers know it.
How ATOs hit TurboTax
Attackers recently targeted Intuit’s TurboTax platform in a series of account takeovers that reused stolen credentials. Intuit notified customers in June that attackers, “…may have obtained information… such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g., salary and deductions).” The crown jewels.
Within days, Intuit stated the extent of the breach was overblown in the media, and in terms of numbers, it was a fair defense. Companies must play damage control to protect their brand and regain trust. But TurboTax customers expressed alarm that hackers can use that data to steal their identities, open credit cards, run up bills and ruin their credit. It’s important for companies to address customer concerns. If they fumble the ball, they could lose customers for life.
Account takeover statistics
According to Aite Group, account takeover attacks, across all industries, cost more than $16 billion in losses — a 300% jump in 2020. A key factor is that most ATOs are fueled by bots. PerimeterX, a bot protection vendor, reports that 75-85% of all login attempts in the second half of 2020 were account takeover attempts.
Security provider Imperva also blames bot-powered attacks, citing its mitigation of an ATO that attempted 700,000 logins per hour. On the flip side, hackers use automation to launch “low and slow” ATO attacks at a typical login pace, spaced weeks apart to avoid detection. VeriClouds, a credential recovery service, claims many companies are victims of account takeovers and have no idea.
Account takeover threats
Before you decide how to prevent account takeovers, it helps to understand the tactics hackers use to steal credentials and invade accounts.
- Brute force attacks:
The most common tactic is brute force, also called credential cracking. Hackers test thousands of popular passwords and usernames to break into accounts. They develop scripts to churn through credential combinations until they crack a login.
Brute force attacks enlist botnets (networks of malware-infected, hijacked PCs) to perform high-volume, rapid attacks. This enables them to take over the maximum number of accounts before being detected. Account lockouts, triggered after too many failed logins, offer some protection, but hackers just move on to the next account.
- Password spraying:
A type of brute force attack, password spraying uses one common password (or a small set of them) against many different accounts. Hackers choose this approach to avoid the lockouts triggered by hitting a single account repeatedly. Much like brute force, password spraying uses bots to strike quickly and make it difficult to find the real attacker.
- Phishing, spear phishing & smishing:
We’re all familiar with phishing, and yet we’re still tricked by deceptive emails that lure us to well-spoofed sites. Once you log in, attackers have stolen your credentials. Based on a survey by Ivanti, 74% of companies fell victim to phishing in 2020.
Spear phishing is very similar but targets specific individuals, often C-suite executives. Smishing simply replaces fraudulent phishing emails with SMS texts. Research by Aberdeen shows smishing scams are gaining traction, as attackers are enjoying a higher success rate on mobile devices.
- Social engineering and research:
Professional hackers spend time researching on social media and websites to find information like the target’s address, phone number or names of family members and pets — anything that will help them guess a password. This also helps with knowledge-based questions. Diligent and focused effort is typical of targeted attacks and corporate account takeovers.
- Credential stuffing:
This tactic exploits our bad habit of reusing the same passwords for multiple accounts. In fact, reports say hackers targeted TurboTax with credential stuffing. In most cases, criminals start with large data dumps of credentials they stole from another site or purchased on the dark web. They then use bots to test them across every site and app until they succeed.
- Man-in-the-middle (MITM) attacks:
You’ve likely been warned not to use free public WiFi or hotspots. The lack of a password is your first clue that a hacker may be sitting a few tables away sipping on a latte. A ‘man in the middle’ can intercept communication by diverting traffic through their own network. This sets them up to eavesdrop or impersonate the receiving party in an online exchange. The attacker gains full visibility to steal login credentials, transfer data, install malware and play spy games.
- SIM swapping:
Attackers can transfer a target’s phone number to a SIM card by convincing the service provider they are the account owner. Once they have control of a phone number, they use weak SMS authentication to take over the account. This is what happened to Apple engineer Rob Ross who lost nearly $1M when hackers took control of his number and accessed his cryptocurrency account.
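The brute force, password spraying and credential stuffing tactics above each leave a different footprint in authentication logs, and the “low and slow” variant mentioned earlier is what a too-short analysis window misses. The following Node.js script is an added example, not code from this article or from Transmit Security: it labels each source IP by the shape of its login attempts. The log line format, the thresholds, the function names and the addresses (drawn from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are all constructed for the example.

```javascript
// Added example (not from the original article): heuristic classification of
// login attempts per source IP to tell brute force, password spraying and
// credential stuffing apart. Log format, thresholds and addresses are constructed.
const LINE_RE = /^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$/;

function pad(n) { return String(n).padStart(2, '0'); }

// Constructed sample log: one brute-force source, one sprayer, one stuffer, one normal user.
const SAMPLE_LOG = [
  ...Array.from({ length: 30 }, (_, i) =>
    `2021-06-01T10:00:${pad(i)}Z ip=203.0.113.5 user=alice result=fail`),
  ...Array.from({ length: 25 }, (_, i) =>
    `2021-06-01T10:01:${pad(i)}Z ip=198.51.100.7 user=user${i} result=fail`),
  ...Array.from({ length: 20 }, (_, i) =>
    `2021-06-01T10:02:${pad(i)}Z ip=198.51.100.9 user=acct${i} result=${i % 4 === 0 ? 'ok' : 'fail'}`),
  '2021-06-01T10:03:00Z ip=192.0.2.44 user=bob result=fail',
  '2021-06-01T10:03:05Z ip=192.0.2.44 user=bob result=ok',
];

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;                       // skip lines that do not match the format
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], ok: m[4] === 'ok' };
}

// Thresholds are illustrative; tune them against real traffic.
const MIN_ATTEMPTS = 10;            // below this, a source is not worth classifying
const MANY_USERS = 10;              // distinct accounts that mark a spray/stuff pattern
const STUFFING_SUCCESS_RATE = 0.1;  // leaked pairs succeed far more often than a sprayed guess

function classifySource(s) {
  if (s.attempts < MIN_ATTEMPTS) return 'benign';
  const maxPerUser = Math.max(...s.perUser.values());
  // Brute force: many failures concentrated on one or two accounts.
  if (s.perUser.size <= 2 && s.fails >= MIN_ATTEMPTS) return 'brute-force';
  // Spraying and stuffing both touch many accounts with at most a couple of tries each,
  // which is exactly how they stay under per-account lockout thresholds.
  if (s.perUser.size >= MANY_USERS && maxPerUser <= 2) {
    return s.successes / s.attempts >= STUFFING_SUCCESS_RATE
      ? 'credential-stuffing'
      : 'password-spraying';
  }
  return 'unclassified';
}

// Aggregate events within windowSeconds of the newest event, then label each IP.
function classifyLogins(lines, windowSeconds = 3600) {
  const events = lines.map(parseLine).filter(Boolean);
  if (events.length === 0) return {};
  const newest = Math.max(...events.map(e => e.ts));
  const cutoff = newest - windowSeconds * 1000;
  const bySource = new Map();
  for (const e of events) {
    if (e.ts < cutoff) continue;             // outside the analysis window
    let s = bySource.get(e.ip);
    if (!s) {
      s = { attempts: 0, fails: 0, successes: 0, perUser: new Map() };
      bySource.set(e.ip, s);
    }
    s.attempts += 1;
    if (e.ok) s.successes += 1; else s.fails += 1;
    s.perUser.set(e.user, (s.perUser.get(e.user) || 0) + 1);
  }
  const verdicts = {};
  for (const [ip, s] of bySource) verdicts[ip] = classifySource(s);
  return verdicts;
}

console.log(classifyLogins(SAMPLE_LOG));
```

Run with a one-hour window and the sample produces one verdict per source; run it with a 30-second window and only the normal user is left, which is the blind spot a “low and slow” campaign relies on. Per-IP counting is also only a first cut: a botnet spreads the same pattern across many addresses, so the same aggregation is usually worth repeating per target account and per ASN.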
Account takeover prevention
Hands down, the best way to prevent account takeovers is to eliminate passwords. No password means there’s no credential to brute force, phish, guess, stuff, intercept or bypass. By getting rid of passwords, we could avoid 80% of all attacks — the percentage of security breaches linked to credentials.
Biometrics: the alternative to passwords
There are several ways to authenticate users without having to use passwords. Most of us are familiar with security keys that IT administrators use to access workstations and privileged accounts. The problem is hardware tokens are costly to provision, lack scalability and can be lost. They were designed for the workforce, not consumers.
We now have better ways to verify customers and employees with biometric authentication. Fingerprint and facial recognition are both highly secure because they confirm the user’s identity based on unique physical attributes. Millions of people already use it to unlock their devices, and they prefer its ease of use. You can solve the problem of weak security and poor experiences with one solution.
How FIDO2 prevents account takeovers
Biometric authentication that’s FIDO2-certified uses public key cryptography to prevent account takeovers. For starters, each device that’s registered to an account is assigned a unique set of cryptographic keys (a public key and a private key).
“With FIDO, the biometrics and the private key never leave the end user’s device,” explains Transmit Security VP of Product Niv Goldenberg. “The biometric is used to locally authenticate the user on the device. The private key then signs the challenge and passes it back to the [authentication] server. The only thing that’s passed is the signed challenge.”
This means the biometrics and the private key are never “in flight” and cannot be intercepted by threats like man-in-the-middle attacks. FIDO2 also ensures there’s no central database of biometric identifiers for hackers to target. Goldenberg says, “Even if someone breaks into the server, they cannot impersonate users because the private keys and biometrics are not there. They’re secured on devices.”
Going fully passwordless
Keep in mind, biometric authentication prevents the vast majority of account takeover threats simply by getting rid of passwords. This raises a key point: it’s vital to remove passwords completely, since authentication is only as strong as its weakest link. Passwords must not be used in your fallback process, nor may they remain in your cache.
This is one of many challenges solved by Transmit Security’s BindID™, a FIDO2-certified biometric authentication service. You can now secure, simplify and speed user sign-ins, while providing fluid omnichannel identity experiences. Only BindID makes it effortless to integrate passwordless authentication, so you can prevent account takeovers and cut related costs sooner than you’d think.