Cybercriminals have a new favorite weapon in their quest to allude regulators, law enforcement and corporate security departments: account takeovers.
Recent research reveals account takeovers have risen by 300 percent over the past year, with losses topping $5 billion. What’s more, these attacks can often have far-reaching and long-term implications for those affected. Victims paid an average of $290 out of pocket in 2017, and spent approximately 15 hours resolving takeover-related fraud.
There’s good reason why cybercriminals are turning to the technique, according to Dave Endler, co-founder and president of security and fraud prevention solutions provider SpyCloud. In a recent interview with PYMNTS, he noted that account takeovers are often easier to pull off compared to other cyberattacks, causing more fraudsters to use the technique. These attacks are also more difficult for security forces to detect and stop.
“It’s much more straightforward for a criminal to compromise someone’s payment account that could be linked to a credit card than for them to try to steal or gain access to use that credit card,” Endler said, adding that the tools that make these attacks possible are “accessible to people who don’t necessarily have a lot of technical acumen.”
The Rise Of Account Takeovers
One of the main reasons cybercriminals have embraced account takeovers is the wide array of information the attacks provide, usually including all the data and credentials they would need to misrepresent a consumer.
Making matters easier for fraudsters — and more complex for those fighting to stop them — is the fact that cybercriminals can purchase account credentials via the black market, Endler explained. That means anyone can use account takeovers to commit fraud. After all, companies often verify their users through data like home addresses, IP addresses or answers to security verification questions.
Recent breaches at big name companies have only made the problem worse, he added. Even if a payment service hasn’t experienced a breach that exposed users’ personal information, those at social networking or online shopping platforms can reveal usernames, email addresses and passwords consumers use with more than one platform.
“The level of sophistication required to compromise someone’s online account is very low, especially in the wake of all these mega-breaches coming out,” Endler said. “It creates and exacerbates this collateral damage. Even if PayPal has not experienced these types of breaches, a breach — say, to LinkedIn— could cause the security of PayPal’s users to be compromised if they’re using those same passwords. That’s account takeover 101.”
Of course, that same black market also drives the value of these stolen accounts.
“Many times, criminals will, at scale, be able to compromise a multitude of accounts in different verticals,” he added. “Not just payments, but banking accounts and technology accounts that might have some sort of virtual points associated with them. So, [that includes] the hospitality industry or anything like Starbucks or Netflix or Hulu — anything where an account offers some sort of value to someone, whether financial value to criminals or resell value of the account on some other market.”
Keeping Consumer Accounts Secure
A cyberattack that exploits a low barrier of entry could seem like an unstoppable enemy, but Endler said there are steps consumers and companies can take to better protect themselves against account takeovers. Companies can decrease or eliminate passwords for user authentication, for example, because passwords are one of the biggest ways criminals are breaking into organizations today. Consumers can take steps to better guard themselves, too, like following the rule of one account per password to protect their accounts.
“If everyone used a separate password on every single site, and used password managers and two-factor authentication, that would set a very high bar,” Endler said. “But, the reality is not [many] people are doing that. I’d gather it’s in the 10 percent range, if that.”
The same is true of security questions and answers, which consumers often reuse time and time again. SpyCloud recently partnered with Credit Karma to offer a solution that can eliminate security questions with answers that have been exposed in a security breach.
Endler recommends that banks, FinTech companies and other platform providers work to determine which users’ accounts have been exposed elsewhere on the web. This can help companies proactively reset users’ account details and prompt them to step up their security settings going forward. It’s important for companies to act quickly once a breach of either their own systems or of those used by their customers is discovered. After all, account details remain vulnerable forever once they’re exposed.
“Being able to take proactive action against these accounts and prevent a criminal from even getting access in the first place is key,” Endler said. “The LinkedIn breach form 2012? Those passwords are freely available for download and have all been unencrypted — and [they] are still relevant to this day. People’s cat’s names, their significant others’ [names], their children’s names — [those] don’t change very often. All those continue, to this day, to lead to compromises of online accounts.”
Those long-term impacts mean that stopping account takeover is a tall order, but it’s a task that’s crucial to tackle, he added. After all, the allure will only become more lucrative to fraudsters as consumers spend more time and money online.
About the Tracker™
The Smarter Payments Tracker™, powered by FIS, is a bimonthly report that looks at how payment systems are evolving to become faster, transmit data, offer interoperability between systems, and improve the payer and payee experience.