Account takeover is the most serious identity problem the industry is facing when it comes to user security. It has been with us since the early days of online services and is only getting worse. So what exactly happens once an account is hacked? A breached account or set of credentials increases the chance that the attacker will be able to breach more accounts belonging to the user, because of email-based account IDs and reused passwords. Examples of a security breach include unauthorized access to, use of, or changes to systems, software or data. It could also lead to compromised user accounts.
The ways accounts are being hijacked haven’t changed much over recent years, although the technologies and the level of sophistication used by attackers have improved dramatically.
These are the top 5 ways in which user accounts are being compromised:
Phishing is perhaps the oldest way of stealing account credentials and personal information. The technologies around phishing have evolved and allow attackers to create websites that are nearly identical to the real websites users are accustomed to. Another key contributor to these attacks is the volume and frequency of legitimate alerts. Attackers mimic these alerts using email or texts with embedded links to sites that attempt to capture account credentials and other confidential information. Once the user clicks the button or link, they risk becoming the next victim.
Malware is another attack vector that has been with us since the early days of the internet and has become more sophisticated over time. Malware is capable of capturing traffic, including any credentials that the user enters to log into accounts. Malware is also capable of injecting pages into existing sessions between users and websites and asking the user for information that may be used by attackers to reset the account or to open new accounts on behalf of the user. Malware is also capable of injecting “commands” into existing sessions between the user and the website, such as changing contact details for the user and ordering services on behalf of the user.
Another attack vector with increasing popularity is social engineering. While malware is probably the most technically advanced attack vector, social engineering is easy enough that nearly anyone can do it. All you need are good social skills to be really effective in social engineering. An example of social engineering is calling the victim and pretending to be from the bank or a law enforcement agency and then convincing the victim to perform actions in their accounts. A common social engineering attack against banking users is to convince them to transfer money to a different account in order to “protect” their money from attackers. However, we’ve seen very successful social engineering attacks against corporate users as well. One of the most concerning developments in social engineering is deepfake technologies where attackers can fake the voice and even the face of executives to perform high-value, high-risk actions such as sending credentials, sensitive files, and making large money transfers.
Stolen credentials from previous data breaches have created a new opportunity where attackers try to use them with other accounts that belong to the same user. The assumption is that users are using the same password across many accounts and therefore credentials that were stolen from provider A might be used with provider B and C as well. All the attackers need to do is try. This attack vector is gaining popularity because people regularly reuse passwords and there is a never-ending source of stolen credentials from new data breaches nearly every day.
In this type of event, the attacker calls into a contact center and pretends to be the victim. The goal is to gain access to the account by resetting it completely, or to change some element of the account that would allow the attacker to take it over later. They claim they forgot the password or are locked out of the account and use many different techniques to sway the agent to let them gain access. Common techniques include the noises of crying children in the background to evoke empathy, being aggressive and threatening to the agents, and providing personal details gleaned from social networking sites. Once the agent caves, the user’s credentials are breached and the attacker has successfully pulled off the attack.