Digital accounts are everywhere. The rapid uptake of cloud technologies combined with mobile-driven consumer habits has fundamentally altered the storage and transmission of data online. As noted by analyst firm Juniper Research, 1.2 billion users worldwide already leverage digital bank accounts. By 2020, that number will reach 2 billion. Add e-commerce accounts, social networks, consumer web portals and the evolution of digital-first government services, and it’s no surprise that cybercriminals are very interested in subverting user control and claiming accounts for themselves. It’s called “account takeover” and it’s on the rise. Here’s what you need to know.
Understanding Attacks
Hackers are committed to grabbing user accounts. Consider: According to business and technology website PYMNTS, account takeover increased 45 percent in the second quarter of 2017. Sure, this was bolstered by the massive Equifax hack, but that’s a symptom, not the underlying cause: Account takeovers are gaining speed and sophistication as more users leverage digital accounts, but fewer implement solid security hygiene.
How do end users keep accounts safe? First, learn more about the likely routes favored by hackers to access your information, including:
- Horizontal Hacks — It works like this: Hackers discover the username and password for one of your accounts. Then, they leverage this information to hack other accounts that all use the same login details. In many cases, users don’t know they’ve been compromised until it’s too late.
- Brute Force Break-Ins — Here, hackers spam account login pages with set after set of usernames and passwords. This is especially successful if webpages or apps don’t have a limitation on the number of access attempts within a certain time frame. Hackers are also helped by the fact that many users still pick common, easy-to-guess passwords such as “password” or “123456.”
- Phishing — This attack relies on social engineering. Users receive an email warning them to immediately change their password or download an update. Entering account information into the attacker-controlled site results in credential theft. Clicking on the link or downloading the file leads to malware infection and potential account compromise.
- Security Subversion — Apps and sites that use poor encryption (or none at all) are easy targets for hackers looking to intercept account data, analyze it and then use it to gain access.
- Middle Men — The coffee shop or airport Wi-Fi network may not be what it appears. By setting up dummy networks with familiar names in high-traffic areas, hackers can convince users to connect, then control all web traffic and collect login details.
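The Brute Force item above says such attacks succeed when a login page does not limit attempts within a time frame. The following is an added example (not code from the article or from tCell) of the server-side control that closes that gap: a sliding-window throttle on failed logins per username, in front of a salted PBKDF2 password check. The policy values, the user store and the guess list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Constructed policy: after MAX_FAILURES failed logins for one username within
# WINDOW_SECONDS, further attempts are refused until old failures age out.
MAX_FAILURES = 5
WINDOW_SECONDS = 300

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginThrottle:
    """Sliding-window count of failed logins, keyed per username."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures, self.window = max_failures, window
        self._failures = defaultdict(deque)  # username -> failure timestamps

    def is_blocked(self, username, now):
        q = self._failures[username]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def record(self, username, ok, now):
        if ok:
            self._failures.pop(username, None)  # a genuine login clears the counter
        else:
            self._failures[username].append(now)

def attempt_login(throttle, users, username, password, now):
    """Return 'ok', 'denied' or 'throttled'. `users` maps username -> (salt, digest)."""
    if throttle.is_blocked(username, now):
        return "throttled"  # refuse before the password is even checked
    salt, digest = users.get(username, (b"\x00" * 16, b""))
    computed = hash_password(password, salt)[1]  # hash even for unknown users
    ok = bool(digest) and hmac.compare_digest(computed, digest)
    throttle.record(username, ok, now)
    return "ok" if ok else "denied"

def simulate_guessing(guesses, correct_password, start=1_000_000.0):
    """Replay a constructed guess list one second apart; return each outcome."""
    users = {"alice": hash_password(correct_password)}
    throttle = LoginThrottle()
    return [attempt_login(throttle, users, "alice", g, start + i) for i, g in enumerate(guesses)]
```

Note that the sixth guess is refused even when it is the right password; the attacker has to wait for the window to slide, which is what turns an unbounded guessing rate into a bounded one.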
Safety in Numbers
Sounds scary, right? It can be — hacked accounts can have serious downstream consequences if attackers create new dummy accounts or gain access to personal information such as credit card details, Social Security numbers or tax information. Yet it’s not all bad news: Implementing a combination of solid security measures can help stem the tide of account takeover:
- Two-Factor Authentication — Attackers depend on the username/password combination to gain access. By leveraging two-factor authentication, for instance by requiring users to provide a one-time passcode, it’s possible to improve account security.
- HTTPS — HTTPS connections are encrypted by default, making it that much harder for hackers to steal relevant data and gain access via man-in-the-middle attacks. Wherever possible, opt for HTTPS over HTTP. To help make this easier, you can use EFF’s HTTPS Everywhere extension.
- Wi-Fi Security — Avoid potentially insecure networks and disable “auto join” features on mobile devices. Use a virtual private network (VPN) for any public Wi-Fi connections.
- Threat Intelligence — While good hygiene goes a long way, advanced security solutions are also critical to reduce account takeover. Find a provider that uses advanced threat detection to discover if your account is under attack from botnets or if incoming emails are phishing efforts.
- Hybrid Protection — Applications also need to do their part. Emerging hybrid solutions — which combine the utility of web application firewalls (WAFs) and runtime application self-protection (RASP) — detect suspicious events at runtime, empowering real-time response. If you are subscribing to a service for your business, asking your SaaS provider how they secure your data against account takeover is a necessity.
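The Two-Factor Authentication item above relies on a one-time passcode. As an added example (not code from the article or from tCell), here is that check implemented as RFC 6238 time-based OTP over HMAC-SHA1, with the two server-side details that matter in practice: a small clock-skew tolerance and a record of the last accepted time step so a captured code cannot be replayed. The shared secret and time values used in testing are the RFC's published test values; `OtpVerifier` and its `skew` parameter are this example's own names.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6

def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at_time=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time // step), digits)

class OtpVerifier:
    """Server-side check of a submitted passcode against the user's shared secret.
    Tolerates +/- `skew` steps of clock drift and never accepts the same step twice."""

    def __init__(self, secret, skew=1):
        self.secret, self.skew = secret, skew
        self.last_step = -1  # highest time step already consumed by a login

    def verify(self, code, at_time=None):
        at_time = time.time() if at_time is None else at_time
        current = int(at_time // STEP_SECONDS)
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step:
                continue  # a code for this step was already used: treat as replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False
```

The same secret must be provisioned to the user's authenticator; the server stores it per account and keeps `last_step` alongside it, since replay protection is only as good as that persisted value.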
Account takeover is on the rise. Combat both common and evolving threats with the right combination of solid security hygiene and advanced, intelligent solutions.
Author bio: Boris Chen is Vice President of Engineering and Co-Founder of tCell. He has over 20 years of industry experience building high-performance web infrastructure and data technology. Before co-founding tCell, Chen spent five years at Splunk as VP of Engineering, from startup through IPO, where he helped drive Splunk’s petabyte-scale deployments and integration with Hadoop. Prior to joining Splunk, Chen was Director of Engineering at LucidEra, an early “Business Intelligence as a Service” innovator. At BEA Systems, where he was part of the original WebLogic acquisition, he led engineering teams working on the JRockit Java Virtual Machine, EAI and message bus products. Chen holds a B.S. in EECS from the University of California, Berkeley.