5 Ways to Defeat Account Takeover
In our previous post, “5 Top Ways User Accounts are Breached”, we outlined the top ways user accounts are being breached. In this week’s post we’ll discuss 5 ways to combat these tactics.
The easiest way of taking over an account is by stealing the victim’s password using phishing, malware, or social engineering techniques. Many services will still allow you to get into the user’s account simply with just a password. Some may apply basic multi-factor authentication using one-time codes sent over SMS or email. However, attackers have proven that using SIM-swaps or man-in-the-middle attacks they’re capable of easily stealing SMS and email one-time passcodes (OTPs). Even through social engineering attackers have been able to convince victims to forward an OTP code under the right circumstances. Getting rid of passwords requires a set of readily-available solutions working together to register, authenticate, and service users across various types of devices and passwordless technologies.
If an attacker is able to get hold of a user’s credentials, one of the first things they attempt to do is log into a victim’s account from a new device. A new device such as a mobile phone or a laptop is one that the real user hasn’t used before. Any login attempts from new devices need to be carefully monitored for account takeover indicators. In order to do this you need to track all devices at the user level and be able to flag unrecognized ones. New device registration should follow strict authentication and validation controls using a combination of detailed device characteristics and strong user authentication before any device is bound to a user and trusted.
Detect Anomalies in User Behaviors
Most users follow typical behavioral patterns with their accounts. This includes the activities they perform, the times in which they log in, the way they browse, and more. By keeping track of these behaviors you can identify events and anomalies that might require stronger controls and stronger authentication. Behavioral threat detection is also very important when users register new devices as attackers will attempt to quickly take anomalous actions like resetting email addresses and mobile phone numbers once they are in the account.
A mobile phone is an easy-to-use, readily-available device that many users now prefer to use to access their online accounts instead of a desktop or laptop. Mobile devices can provide better security and use the latest in authentication technologies like fingerprint and facial recognition, closing many of the gaps that attackers can exploit. However, traditional web-based applications aren’t going away as there are many applications that require larger screens, keyboards and mice. Additionally, many organizations haven’t completely migrated applications, offering only partial or limited functionality on mobile devices. In these situations the mobile can be used alongside the web application for security and authentication using technologies such as push notifications, Bluetooth, and near-field communication (NFC). The mobile device can even be used to provide near-instantaneous authentication when a user calls into the contact center.
Deploy Agile Policies
Attackers typically look for the weakest points in your IT infrastructure. They will learn every one of your services and then thoroughly inspect them for any weakness. Registration, authentication, and authorization processes are usually an easy target given the patchwork of solutions deployed in most organizations. If they find even the smallest of entry points attackers will use off-the-shelf or custom tools to automate attacks at scale. Should this happen, you need systems that can quickly repair the gaps in your processes then deploy them instantly instead of remaining vulnerable until the development team addresses then releases a patch.