Account Takeover (ATO) attacks are a serious cybersecurity threat to both individual users and businesses. According to Security.org research, 22 percent of U.S. adults, more than 20 million people, have experienced an account takeover at least once.
Online accounts are now an integral part of daily life, and as more people move more of their activity online, more accounts holding confidential and valuable information become targets for cybercriminals.
Below, we discuss how to prevent account takeover by looking at the technologies and methods available, as well as the key challenges of detecting and preventing the various forms of account takeover attack.
What Is an Account Takeover Attack
An Account Takeover (ATO) attack is a cyberattack in which an attacker gains unauthorized access to a user account and seizes control of it. For example, an attacker may log in to your Instagram account, change the password and the recovery email address, and lock you out of your own account.
The attacker can then read the confidential and valuable information stored in the account; accounts on eCommerce websites, for example, commonly hold saved payment card details.
Alternatively, the attacker can use the account, or the information in it, to launch further attacks, including but not limited to:
- Sending phishing emails and messages to the account's contacts, who are more likely to trust a known sender
- Committing financial and payment fraud with the stored payment methods
- Using the account's privileges to pivot into other services (single sign-on, linked accounts, password resets sent to the compromised mailbox)
How Criminals Attempt Account Takeover Attacks
Cybercriminals use a variety of methods to take over accounts, but the credential-based methods all exploit the same two weaknesses:
- Many people use weak or generic passwords
- Even when a password is strong, many people reuse the same password across all their accounts
The five most common methods are:
Credential cracking
Also called a brute-force attack, credential cracking uses automated bots to guess a user's password by trying possible combinations. For a 4-digit numeric PIN, for example, the bot tries "0000", then "0001", "0002", and so on up to "9999", stopping as soon as the right combination is found. In practice attackers rarely enumerate every combination: they start with dictionaries of common passwords, and with "password spraying" they try one common password against many accounts to stay under per-account lockout thresholds. This is why weak passwords fall quickly and why login endpoints need rate limiting on both the account and the source.
Credential stuffing
Credential stuffing is similar in principle to credential cracking, but here the attacker already holds working credentials leaked or stolen from another site. Automated bots replay these username/password pairs against many other websites and online services. The attack works because people tend to reuse the same password across accounts, so a breach at one site compromises every other account where the same credentials were used.
Man-in-the-middle
A man-in-the-middle attack occurs when an attacker intercepts the communication between two devices or systems and can read or alter it. In an account takeover scenario the attacker captures credentials or session tokens in transit, for instance on an unencrypted or attacker-controlled Wi-Fi network or through a malicious proxy. It can affect any form of online communication, from email and text messages to social media conversations and web logins that are not protected end to end by TLS.
Phishing
Another common form of ATO attack is phishing, in which the attacker impersonates a person or organization the victim trusts. For example, an attacker may send an email pretending to be from Instagram with a link to a website that resembles Instagram's login page. If the victim enters their login credentials on the fake page, the attacker now has them and the account is compromised. Modern phishing kits go further and relay whatever the victim types, including a one-time code, to the real site in real time, so SMS or app-based codes alone do not stop this variant.
Social engineering
Another form of account takeover is social engineering, in which the attacker researches the target (which can take a significant amount of time), for instance by monitoring the victim's social media conversations and, in some cases, by physical surveillance. The attacker looks for details such as family members' names, address, and birthday that help guess a password, answer password-reset security questions, or talk a support agent into resetting the account.
How To Prevent Account Takeover: Effective Techniques and Methods
As discussed, cybercriminals use a range of techniques to launch account takeover attacks, so effective prevention requires layered security measures:
Ensuring Strong and Unique Passwords
As discussed, many account takeovers succeed because users choose weak, generic, or reused passwords.
A strong password should:
- Be at least 12 characters long (longer is better; a multi-word passphrase is long yet memorable, and length does more for cracking resistance than any other rule)
- Not include personal information (name, birthday, birth month, family members' or pets' names, etc.)
- Not be a dictionary word or a predictable pattern such as sequential letters (abc), sequential numbers (123), or keyboard walks (qwerty)
- Not appear in any known data breach; attackers try leaked passwords first
- Mix uppercase and lowercase letters and include a symbol if the service requires it, with the caveat that forced composition rules add far less than length and push users toward predictable substitutions such as "P@ssw0rd"
Also, each password should be used for exactly one account. A password manager makes unique, randomly generated passwords practical.
For businesses and website/service owners, it is important to enforce these rules server-side rather than rely on users: set a minimum length, reject passwords that appear in breach corpora, and re-check existing passwords against newly published breaches so reused, compromised passwords are caught at login.
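The server-side check described above, as an added example that is not part of the original article: a minimum-length and username check plus a breached-password lookup using the k-anonymity range protocol popularised by the Pwned Passwords API (only the first five hex characters of the SHA-1 hash are sent; the full hash is compared locally). The breach corpus, the `fake_range_lookup` function that stands in for the HTTP call, and the 12-character minimum are constructed assumptions for this example; a real deployment would replace `fake_range_lookup` with a GET to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (not real breach data):
# password -> number of times it appeared in leaks.
CONSTRUCTED_BREACHED = {
    "password123": 1_200_000,
    "Summer2023!": 4_500,
    "letmein": 900_000,
}

MIN_LENGTH = 12  # assumption for this example; NIST SP 800-63B's floor is 8


def sha1_upper_hex(password: str) -> str:
    """SHA-1 hex digest in upper case, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix5: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix5>.

    The real endpoint answers with one 'SUFFIX:COUNT' line per leaked hash
    that shares the 5-character prefix; here the body is built from the
    constructed corpus so the example runs offline.
    """
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_upper_hex(pw)
        if digest[:5] == prefix5:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """k-anonymity check: only the first 5 hex chars of the hash leave the host.

    The suffix is compared locally against every returned candidate, so the
    lookup service never learns which password (or full hash) was checked.
    """
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, username: str = "", lookup=fake_range_lookup) -> list:
    """Return the list of reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    count = breach_count(password, lookup)
    if count:
        problems.append(f"seen {count} times in breach data")
    return problems


if __name__ == "__main__":
    for pw in ["password123", "alice-loves-long-passphrases", "orbit-velvet-harbor-42"]:
        print(pw, "->", evaluate_password(pw, username="alice") or "accepted")
```

Run the same `breach_count` check at login time as well as at password creation: a password that was fine when chosen may appear in a breach later, and a hit at login is the moment to force a reset and step up authentication.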
2-Factor Authentication
According to Microsoft, two-factor authentication (2FA), or more generally multi-factor authentication (MFA), blocks the overwhelming majority of automated password-based attacks (Microsoft puts the figure above 99.9 percent), yet adoption remains low.
Two-factor authentication asks for a second piece of evidence besides the password, something the user has (an authenticator app or hardware key) or something the user is (a biometric), before granting access. Because a stolen or guessed password is no longer enough on its own, it is very effective against credential stuffing and brute-force attacks. Not all second factors are equal, though: SMS codes can be intercepted through SIM swapping, and both SMS and app-based one-time codes can be relayed by real-time phishing proxies, whereas FIDO2/WebAuthn security keys and passkeys bind the authentication to the site's origin and resist phishing.
Block Bot Traffic
Since many forms of account takeover rely on automated bots, detecting and managing that bot traffic blocks a large share of attacks before a password is ever confirmed. Useful signals include the login failure rate per source IP and per account, the number of distinct usernames tried from one source, impossible travel between logins, and browser or TLS fingerprints that do not match the claimed client. Automated bot-detection solutions, including machine-learning-based ones, can act on these signals in real time (rate limiting, CAPTCHA, step-up MFA, or blocking) without waiting for an analyst, although the thresholds still need tuning to the service's normal traffic to keep false positives down.
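The two per-IP and per-account signals above, turned into a small detector run over a constructed authentication log, as an added example rather than code from the original article or any vendor product. The log format, the thresholds (five distinct accounts from one IP, eight failures on one account, both within five minutes) and the `detect` function are this example's own assumptions; a real service would feed its own log schema in and route the alerts to rate limiting or step-up challenges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed authentication log (not from a real system). One source IP
# fails against five different accounts in seconds (credential stuffing),
# another hammers a single account (brute force), and one user simply
# mistypes a password once before logging in.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z ip=203.0.113.5 user=alice result=fail
2024-03-01T10:00:01Z ip=203.0.113.5 user=bob result=fail
2024-03-01T10:00:02Z ip=203.0.113.5 user=carol result=fail
2024-03-01T10:00:03Z ip=203.0.113.5 user=dave result=fail
2024-03-01T10:00:04Z ip=203.0.113.5 user=erin result=fail
2024-03-01T10:01:00Z ip=198.51.100.7 user=admin result=fail
2024-03-01T10:01:01Z ip=198.51.100.7 user=admin result=fail
2024-03-01T10:01:02Z ip=198.51.100.7 user=admin result=fail
2024-03-01T10:01:03Z ip=198.51.100.7 user=admin result=fail
2024-03-01T10:01:04Z ip=198.51.100.7 user=admin result=fail
2024-03-01T10:01:05Z ip=198.51.100.7 user=admin result=fail
2024-03-01T10:01:06Z ip=198.51.100.7 user=admin result=fail
2024-03-01T10:01:07Z ip=198.51.100.7 user=admin result=fail
2024-03-01T10:02:00Z ip=192.0.2.10 user=frank result=fail
2024-03-01T10:02:05Z ip=192.0.2.10 user=frank result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into (timestamp, ip, user, result) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect(events, window=timedelta(minutes=5), stuffing_users=5, bruteforce_fails=8):
    """Sliding-window detector over login failures.

    credential_stuffing: one source IP fails against >= stuffing_users distinct
                         accounts within `window` (one leaked pair per account)
    brute_force:         one account accumulates >= bruteforce_fails failures
                         within `window`, from any number of IPs
    Each (kind, key) pair is reported once, in the order it first trips.
    """
    fails_by_ip = defaultdict(deque)    # ip   -> deque of (ts, user)
    fails_by_user = defaultdict(deque)  # user -> deque of ts
    alerts, seen = [], set()
    for ts, ip, user, result in sorted(events):
        if result != "fail":
            continue
        q = fails_by_ip[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        if len({u for _, u in q}) >= stuffing_users and ("credential_stuffing", ip) not in seen:
            seen.add(("credential_stuffing", ip))
            alerts.append(("credential_stuffing", ip))
        q = fails_by_user[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= bruteforce_fails and ("brute_force", user) not in seen:
            seen.add(("brute_force", user))
            alerts.append(("brute_force", user))
    return alerts


if __name__ == "__main__":
    for kind, key in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind}: {key}")
```

The per-IP view is what catches credential stuffing, because each account sees only one failure and a per-account lockout never fires; the per-account view is what catches brute force and password spraying that rotate through many source addresses. Distributed stuffing that spreads a few attempts across thousands of proxies defeats the per-IP counter, which is where the fingerprint and reputation signals mentioned above have to take over.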
Conclusion
Preventing account takeover attacks is challenging, but with layered controls, namely unique and breach-checked passwords, phishing-resistant multi-factor authentication, and detection of automated login abuse, we can stop most attempts before cybercriminals get to the confidential data behind the account.