Preventing Corporate Account Takeover (CATO)

SDO Marketing Staff | January 14, 2019

Businesses of all types and sizes present attractive targets for today’s cybercriminals. This is due to the simple fact that user accounts attached to organizations tend to give access to more assets than private ones.

As the sophistication of cybercriminals has increased, the threat of Corporate Account Takeover (CATO) has grown in tandem. For years, incidents of CATO have, with hundreds of millions of dollars in losses annually.

What is a Corporate Account Takeover?

Corporate Account Takeover is a type of business identity theft where cyber thieves gain control of key company accounts, usually those of senior officials, that grant them special privileges to manipulate company data and/or assets.

CATO attacks are executed by stealing employee passwords and other valid credentials.

Cyber thieves tend to target employees through phishing, impersonation via social media messaging and phone calls, or other forms of social engineering. A successful CATO attack gives thieves the ability to manipulate account details and settings, gather information on the user’s activity, and even initiate fraudulent wire and ACH transactions to accounts controlled by the criminals.

A Growing Trend

Patterns of cyber incidents over the recent period are pretty conclusive: the danger of CATO attacks is an evolving one. Over the past years, major enterprises across several industries have left themselves open to account takeover.

A landmark case of a CATO attack occurred back in 2011, when the Maine-based firm Patco Construction sued Ocean Bank for negligent security practices. According to the claim, Ocean’s lax authentication protocols allowed attackers to obtain login credentials of senior Patco employees. This, in turn, granted them authorization to transfer over half a million dollars from Patco’s accounts.

Almost four years after the Patco – Ocean lawsuit, the case of the BancorpSouth fraud erupted in the news. BancorpSouth’s corporate client Choice Escrow and Land Title (LLC) had $440,000 stolen from their accounts after hackers obtained the login data of Choice’s executives. In this case, a federal court placed the blame on the fraud victim, stating that Choice had not done enough to secure its own authentication details.

Despite years of instances of corporate account hijacking, the world of IT is still largely exposed to the threat of CATO. Last month, Indian researchers discovered a series of vulnerabilities in multiple Microsoft applications, including Office 365 and Outlook. The flaws allowed hackers to trick accounts into forwarding them authentication details. As analysts at TechCrunch put it, “Anyone’s Office account […] could have been easily accessed by a malicious attacker, and it would have been near-impossible to discern from a legitimate user.”

Facing the Root Cause

With the threat of Corporate Account Takeover still looming over businesses, it’s important to identify what the root of this danger is.

CATO attacks are made possible by the industry’s reliance on password-based authentication. This is true due to one simple fact: passwords present a digital ‘key’ that cybercriminals are able to steal. Administrators can demand all the security procedures they want. At the end of the day, when authentication is based on something that users need to remember and store, human error will eventually lead to this information being compromised. As long as passwords are in the game, they will be prone to theft by hackers.

On Prevention

Solving the CATO problem with traditional authentication solutions has proven to be ineffective, not to mention expensive and burdensome for companies.

Security features designed to bolster passwords, such as SMS and a wide range of other multifactor methods, have recently been overcome by cybercriminals.

Perhaps the most detrimental issue with existing solutions to CATO is the user experience (UX) factor. Even if additional security policies worked in a foolproof way, they make it much harder to streamline employee access to company systems. Security tokens, for instance, require users to carry additional devices with them at all times, devices that are very costly to replace if lost or left at home. Even password policies requiring specific lengths and character combinations create a tremendous burden for employees in remembering their login credentials. This leads either to more negligent security practices (users writing passwords on exposed hard-copy notes, for instance) or to a heavier burden on company IT to address password-reset demands and other help desk requests.

Fixing the Lock by Throwing Away the Key

The modern solution for protecting against CATO must have several elements to it.

First, it must be password-free, so there are no credentials hackers can extract from users. The platform should be resistant to man-in-the-middle attack techniques, preventing hackers from intercepting data from users in mid-session. It should be simple to use, granting employees seamless access to company networks without the burdens of additional login procedures. Lastly, the authentication should not require any additional devices.

Introducing Secret Double Octopus, the only authentication platform on the market that offers mathematically unbreakable authentication, that is completely password-free, and operates via users’ personal mobile devices.

Secret Double Octopus delivers the very highest in authentication security, while providing an exceptional user experience and scalability.