What is account takeover?
Account takeover (ATO) happens when a malicious threat actor gains control of a legitimate user account and starts leveraging that user’s rights and privileges, typically for nefarious purposes. The target for fraud might be an e-mail, online banking or trading account, or a social media presence—anything the attacker can use to steal or manipulate data, transfer funds, open other accounts, or access intellectual property (IP).
Corporate account takeover (CATO) attacks specifically target businesses (the SolarWinds breach is a case in point), but ATO as a whole is expanding to include high-value consumer accounts, which are often protected by fewer controls. In either case, once an identity is compromised, the attacker can impersonate legitimate customers or partners, IT or HR representatives, and company leaders, and exercise the role-based authorizations granted to them.
The initial access for ATO usually involves leaked or stolen—but still legitimate—working passwords. This often delays detection even by enterprise-class monitoring tools. Because the login itself typically raises no flags, activity goes undetected long enough for the attacker to wreak havoc.
How big a problem is account takeover?
Big. According to research reported by SC Media, ATO ranks among the fastest-growing cyber risks to financial services organizations and among the most concerning forms of fraud. Another report, Javelin Research’s annual “Identity Fraud Study: The Virtual Battleground,” found that account takeover increased by 90%, to an estimated $11.4B in 2021 compared with 2020.
IT’s new number one concern?
Last but not least, the 2022 “Cyberthreat Defense Report” published by the CyberEdge research group showed that account takeover had joined malware as one of the two most pervasive and fastest-expanding threats. Having surveyed 1,200 security professionals worldwide, the firm concludes:
“Among cyberthreats, ransomware and account takeover (ATO) attacks are poised to overtake malware as the #1 concern. Malware is still perceived as the most important threat, but account takeover and credential abuse attacks moved up from fourth place last year to number two.”
Source: SEON
What makes ATO so dangerous?
As noted above, ATO lets attackers do untold damage — and tie the hands of users and defenders — in a very short time. Along with transferring funds via ACH or international wire, their actions might include granting privileges, opening new accounts to fund criminal activity, and approving applications. This can lead to significant losses for institutions that fail to sufficiently vet applicants’ identities and the information they provide.
How account takeover works
Many successful exploits begin with social engineering and phishing campaigns aimed at mobile phones. Attackers also find ways to install malware such as key-logging software on desktop and mobile devices to capture credentials directly.
However it starts, once they gain access, intruders quickly change account information, often resetting passwords and MFA settings, to lock the real owner and legitimate administrators out. This is similar to what happens in modern SIM swapping attacks, another form of identity fraud.
What can be done to stop account takeover?
Stopping the initial access phase of the attack is essential. The first recommendation for preventing any attack that involves social engineering is always to invest in more, better, and continuous user education. Most of us know but don’t always heed warnings about the dangers of opening attachments.
Next, educate your workforce to understand that even opening suspicious emails can expose a computer, and in turn the entire network, to malware threats. Coach employees on ways to validate unexpected calls or emails asking for credentials and privileged information. For example, when requests to enter credentials or rotate or reset passwords don’t feel right, it makes sense to call IT directly and double-check their veracity before complying.
From a cyber hygiene perspective, companies can also block access to unnecessary or high-risk websites based on users’ roles and related needs.
Stop password reuse
While putting a finer point on user education, IT can prevent the persistent, disastrous reuse of passwords. Despite endless warnings about the risks, research shows 70% of users still do this far too often.
Scan for leaked and stolen credentials
Buying and selling working credentials has become a massive pay-to-play industry. Attack surface management (ASM) tools and other techniques can be used to scan dark web channels for data from or about your company. IT can also require credentials to be rotated frequently to ensure stolen credentials don’t stay current for long.
Frequent resets do annoy users, though, along with too many steps to complete authentication, so identity and authorization management (IAM) leaders must strike the delicate balance between user experience (UX) and stronger security.
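The two controls just described, blocking password reuse and checking credentials against known leaks, can be enforced at the moment a user picks a new password. The following is an added example written for this page, not code from SDO or the Octopus product. It assumes a constructed three-entry leak list in place of a real breach corpus or lookup service, and a constructed password history for a hypothetical user `alice`; the leak list is indexed by the first five hex characters of the SHA-1, the same split that k-anonymity range lookups use so a client never has to reveal a full password hash. Stored history entries use salted PBKDF2 so old passwords are never kept in a form that could be leaked themselves.

```python
import hashlib
import hmac
import os

# --- Breached-password lookup ------------------------------------------------
# Constructed sample of passwords that have appeared in leaks (assumption:
# a real deployment would use a breach corpus or a range-lookup API).
_BREACHED_SAMPLE = ["password123", "letmein", "qwerty"]


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Group SHA-1 suffixes by 5-char prefix (stand-in for a range lookup service)."""
    index = {}
    for pw in plaintexts:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACHED_INDEX = build_range_index(_BREACHED_SAMPLE)


def is_breached(password, index=BREACHED_INDEX):
    """Look the candidate up using only its 5-char hash prefix as the key."""
    digest = _sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


# --- Password-history (reuse) check -----------------------------------------
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def reuses_old_password(password, history):
    """True if the candidate matches any previously stored (salt, digest) pair."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


# Constructed history for a hypothetical user (assumption, not real data).
PASSWORD_HISTORY = {
    "alice": [hash_password("Winter2023!"), hash_password("Spring2024!")],
}


def evaluate_new_password(user, password):
    """Return the list of policy violations for a proposed password (empty list = accepted)."""
    problems = []
    if is_breached(password):
        problems.append("breached")
    if reuses_old_password(password, PASSWORD_HISTORY.get(user, [])):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    for pw in ["password123", "Spring2024!", "correct-horse-battery-9!"]:
        print(pw, "->", evaluate_new_password("alice", pw) or ["ok"])
```

In production the `BREACHED_INDEX` lookup would be replaced by a query keyed on the five-character prefix, and the history length and iteration count would be tuned to policy; the decision logic in `evaluate_new_password` stays the same.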
Up-level identity verification – don’t let them get a foothold in the first place!
ATO’s greatest advantage is moving fast. Defenders’ greatest advantage is keeping perpetrators of fraud from gaining access in the first place.
Start by fully leveraging user settings to prevent employees from logging in as admins and subsequently downloading dangerous malware. Then, do everything in your power to prove users are who they say they are—without driving them crazy.
How to adopt strong authentication to stop account takeover
Let’s be clear: any form of multi-factor authentication (MFA) makes for stronger identity verification and ATO prevention than not using MFA at all, which means relying on passwords alone.
That said, removing the user password from the login process makes authentication exponentially stronger. That’s a good thing because criminals keep getting better at circumventing or targeting password-based MFA.
Passwordless MFA takes “what users know” out of the login sequence
The majority of MFA solutions still use passwords as the first factor or mode of verifying identity. Yet with or without MFA, passwords and credentials represent the most common originating point for security breaches.
The problem? All passwords are rooted in something users know.
While it’s implied that no one else should know these secrets, it’s far too easy to guess, steal, or trick users into unwittingly revealing what they know to the wrong people. Despite users and IT wasting endless cycles rotating and making passwords harder for robots to guess, what people know simply isn’t secure.
Passwordless MFA replaces user passwords with some combination of “what users have,” like hardware tokens or authentication apps on the right devices, and “what users are,” verified through biometrics such as voice, fingerprint, iris, or facial recognition readers installed on devices. The result is authentication that’s far stronger and harder to intercept.
The more adaptive the better
Even passwordless MFA solutions can be made stronger and more popular by giving both users and IT flexibility to define “next steps” and parameters. For example, a more adaptive MFA solution allows IT to automatically limit unusual behavior and the number of unsuccessful login attempts before freezing an account.
Giving users control over when and how they get contacted also helps. Most prefer easy one-step push notifications that do not require juggling devices or retyping OTPs. Making MFA less “fatiguing” for users also saves companies money since users log into multiple accounts, applications, and devices all day long.
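The two defender-side signals this page describes, a burst of failed logins that should freeze an account (the adaptive MFA point above) and the post-login password and MFA resets that intruders use to lock the real owner out (the “How account takeover works” section), can be checked with simple detection logic over authentication events. The following is an added example for this page, not SDO’s or any product’s code. The log format, the thresholds (five failures in ten minutes; sensitive changes within thirty minutes of a login from an IP the account has never used) and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (assumption, not real logs).
# Format: <ISO-8601 UTC timestamp> user=<name> ip=<addr> event=<kind>
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice ip=198.51.100.10 event=login_success
2024-05-01T09:10:00Z user=bob ip=203.0.113.7 event=login_fail
2024-05-01T09:10:20Z user=bob ip=203.0.113.7 event=login_fail
2024-05-01T09:10:45Z user=bob ip=203.0.113.7 event=login_fail
2024-05-01T09:11:05Z user=bob ip=203.0.113.7 event=login_fail
2024-05-01T09:11:30Z user=bob ip=203.0.113.7 event=login_fail
2024-05-01T10:00:00Z user=carol ip=203.0.113.9 event=login_success
2024-05-01T10:04:00Z user=carol ip=203.0.113.9 event=password_reset
2024-05-01T10:05:30Z user=carol ip=203.0.113.9 event=mfa_reset
2024-05-01T11:00:00Z user=alice ip=198.51.100.10 event=password_reset
"""

# IPs each account has used before (constructed seed data).
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.30"}, "carol": {"198.51.100.20"}}

FAIL_THRESHOLD = 5                        # failures within FAIL_WINDOW freeze the account
FAIL_WINDOW = timedelta(minutes=10)
POST_LOGIN_WINDOW = timedelta(minutes=30)  # sensitive change this soon after a new-IP login is flagged
SENSITIVE_EVENTS = {"password_reset", "mfa_reset", "recovery_email_change"}


def parse_event(line):
    """Turn one log line into a dict with a parsed 'ts' and the key=value fields."""
    ts_text, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return record


def analyze(log_text, known_ips=KNOWN_IPS):
    failures = defaultdict(deque)   # user -> timestamps of failures inside FAIL_WINDOW
    frozen = []                     # users whose accounts should be frozen
    new_ip_logins = {}              # user -> (ts, ip) of the latest login from an unseen IP
    suspicious = []                 # sensitive changes shortly after such a login
    seen_ips = {u: set(v) for u, v in known_ips.items()}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, ip, kind, ts = ev["user"], ev["ip"], ev["event"], ev["ts"]

        if kind == "login_fail":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and user not in frozen:
                frozen.append(user)

        elif kind == "login_success":
            failures[user].clear()
            if ip not in seen_ips.setdefault(user, set()):
                new_ip_logins[user] = (ts, ip)
                seen_ips[user].add(ip)

        elif kind in SENSITIVE_EVENTS:
            recent = new_ip_logins.get(user)
            if recent and ts - recent[0] <= POST_LOGIN_WINDOW:
                suspicious.append({"user": user, "ip": ip, "event": kind, "ts": ts})

    return {"frozen": frozen, "suspicious_changes": suspicious}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("freeze:", result["frozen"])
    for alert in result["suspicious_changes"]:
        print("suspicious:", alert)
```

On the sample events, `bob` is frozen after the fifth failure and both of `carol`’s resets are flagged because they follow a login from an IP the account had never used, while `alice`’s reset from a known IP raises nothing. In a real deployment the “known IP” set would come from device or session history and the flagged changes would feed a step-up verification or a hold on the change, which is the adaptive behaviour the text describes.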
Phishing-resistant MFA breaks the chain
The right adaptive passwordless MFA approach stops phishing, a growing concern for complying with industry standards and lowering cyber liability insurance premiums. To make the company truly phishing-resistant (because it takes just one set of working credentials for attackers to gain initial access), the MFA solution has to work for every enterprise use case (Windows, Mac, Linux, custom, and legacy apps).
Authentication also shouldn’t overwhelm users with too many steps, nor should it burden IT with having to rearchitect applications and identity directories to work without passwords. SDO’s Octopus solution works with passwords behind the scenes to transfer management of identity secrets to the realm of IT.
Octopus works with but does not require end-to-end support for FIDO or PKI in order to relieve users of the password burden and culpability in phishing, ATO, or CATO.
Browse the SDO Wiki and blog to learn more about how Octopus stops phishing, password, and man-in-the-middle (MITM) attacks.