IT professionals list account takeover as one of today's top cybersecurity concerns, a problem some claim is even more alarming than credit card payment fraud.
Account takeovers can lead to many worst-case scenarios for organizations and for the users of their services.
Threat actors can gain levels of access that allow them to steal and leak sensitive data. Stolen credentials and personal data such as social security numbers can then be used for identity fraud.
They can also pivot to deeper levels of access and reach sensitive corporate intelligence.
Once they're in, attackers might lock everyone else out of the system, alter records to their advantage, quietly monitor the victim, or encrypt data and demand a ransom to decrypt it.
Companies that cannot regain access may have to rebuild their entire infrastructure from scratch, at a cost that can run into millions.
How to put a stop to possible misuse of credentials?
The best time to stop an account takeover is to do so before it occurs. What can businesses do about account takeover prevention today?
An attacker might gain access to an account through social engineering such as phishing, by replaying credentials that have already leaked elsewhere (credential stuffing), or by pointing automated bots at the login endpoint to guess passwords at scale.
Account takeover prevention should therefore cover all of these pathways.
Focus on minimizing the chances of human error and exploitation, and on setting up defenses that can detect malicious bots in time.
Introduce Employee Training
Cybersecurity specialist and cryptographer Bruce Schneier said: “Amateurs hack systems, professionals hack people.”
The easiest place to start, then, is making employees aware of the common threats that are likely to result in an account takeover.
Basic cybersecurity training on standard attack techniques can help employees avoid likely scams such as phishing and teach them to choose stronger passwords.
They will be less likely to click a dangerous link in an email, download a malicious attachment, or send money to scammers pretending to be a trusted organization or even a manager in the company.
For example, since the start of the pandemic there has been a growing number of medical-themed fraud cases: victims received emails with "new guidelines" attached that installed malware once opened.
Another common example is a fraudulent email purporting to come from the bank and requesting personal information or a transfer.
Attacks that target people are effective because they exploit the trust people place in authority figures. An employee might not think twice about a request to send their credentials to their boss, especially during very busy working hours.
Not all attacks use the same generic phishing emails, though. Scammers may gather whatever they can about a victim from social media and then use that information against them in a tailored message. This is a very common strategy, and one that often works.
Much of the time, individuals forget how much information they have shared online over the years.
That is why it is important to protect the people an attacker might exploit to get into the organization.
Training should also be seen in the context of developing a cyber culture that creates trust in employees and forms a safe space where they can report suspicious activity or possibly stolen credentials.
Eliminate Weak Passwords (the Weakest Part of the Infrastructure)
Even though most people know they should use strong, unique passwords and avoid reusing them across accounts, many still reuse weak credentials.
Threat actors exploit this because they know that if they get a single password out of an individual, they probably have access to multiple accounts.
Passwords and email addresses from previous breaches circulate on hacking forums and in data dumps. If an employee signs in to multiple applications with the same credentials, an attacker can replay that one leaked pair against every service.
Short or predictable passwords can also be cracked quickly offline once a service's password hashes leak.
According to Statista, a password of up to 9 characters containing only lowercase letters can be cracked in under two minutes, while an 11-character password with an uppercase letter, a number and a symbol would take around 400 years.
Such figures are estimates: the actual time depends on the hash algorithm the service uses and on the attacker's hardware, and they do not apply at all to a password that already sits in a breach list, which falls in the first few guesses regardless of its length.
A strong password is a simple fix on paper, but it can be difficult to enforce in practice.
What can companies do to eliminate weak passwords from their infrastructure?
Some options are to:
- Suggest the use of a password manager, since it requires the user to remember only one password
- Demand strong passwords during registration
- Screen new passwords against known-breached lists, so a password that already circulates in a dump is rejected before it is ever used
- Require a second authentication factor where possible, so a leaked password alone is not enough to sign in
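The registration checks listed above, as an added example that is not code from the original article: it enforces a minimum length, screens the candidate against a breach corpus using the same hash-prefix (k-anonymity) lookup pattern that breach-checking services use, and estimates how long the password's keyspace would take to exhaust. The breached-password set, the 12-character minimum and the guess rate of 10^10 hashes per second are all assumptions chosen for illustration.

```python
import hashlib
import string

# Constructed stand-in for a breached-password corpus (a few entries typed in
# here so the example runs offline). A real deployment would query a breach
# lookup service or load a local copy of a leaked-password list.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "Welcome1!", "Summer2020!",
}

# Assumed attacker guess rate, in hashes per second. It is a placeholder:
# the real figure depends on the hash algorithm and the cracking hardware.
GUESSES_PER_SECOND = 1e10
ONE_YEAR = 365 * 24 * 3600


def build_range_index(passwords):
    """Index a corpus the way a k-anonymity range lookup does: keyed by the
    first five hex characters of each SHA-1 hash. A client sends only that
    prefix, so the lookup side never learns the full password or hash."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def is_breached(password, index=RANGE_INDEX):
    """True if the password's hash suffix appears under its prefix bucket."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], ())


def charset_size(password):
    """Size of the smallest standard character set covering the password.
    Characters outside the four classes (e.g. spaces) are not counted, so
    the result is a lower bound on the true keyspace."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_seconds(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case seconds to exhaust the password's keyspace at the assumed
    guess rate. This says nothing about passwords already in a breach list,
    which fall in the first few guesses regardless of length."""
    return charset_size(password) ** len(password) / guesses_per_second


def check_password(password, min_length=12, index=RANGE_INDEX):
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(password, index):
        problems.append("appears in a known breach")
    if brute_force_seconds(password) < ONE_YEAR:
        problems.append("keyspace exhaustible in under a year")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Summer2020!", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The breach check is the one that matters most: "Summer2020!" satisfies every composition rule and has a keyspace that would take centuries to exhaust, yet it is rejected because it is already in the corpus. The keyspace estimate is only a floor and should never be the sole gate.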
Add Software That Recognizes Unauthorized Access
While advising customers and employees on good practice helps reduce the number of attempts and takeovers, the company carries the greater responsibility for defending its systems from breaches.
Most attacks directed at a company are automated and driven by malicious bots.
Defensive tooling is automated too: it watches for the patterns those bots leave behind, such as many failed logins from one source address, attempts spread across many accounts within seconds, or a successful sign-in from a device or location the user has never used before.
Layered protection against account takeover includes:
- Protection software that identifies malicious login attempts and blocks or challenges them before access is granted
- An overview of the websites and applications that have been impacted by account takeover, including the methods used and the users affected
- Technology that warns the user that someone has attempted to get into their account, so they can change the password and report the incident
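The detection logic behind the list above, as an added example and not code from the original article or any named product: it parses a small constructed authentication log, flags source addresses that try many distinct accounts within a minute (credential stuffing), and raises per-account alerts when a login succeeds after a burst of failures, comes from an address the account has never used, or comes from an address already flagged for stuffing. The log format, the IP addresses (taken from the RFC 5737 documentation ranges), the per-user baseline of known addresses and all thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication log (invented addresses from the
# RFC 5737 documentation ranges, not real traffic). One event per line.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z ip=198.51.100.7 user=alice result=success
2024-05-01T08:01:10Z ip=203.0.113.5 user=alice result=fail
2024-05-01T08:01:11Z ip=203.0.113.5 user=bob result=fail
2024-05-01T08:01:12Z ip=203.0.113.5 user=carol result=fail
2024-05-01T08:01:13Z ip=203.0.113.5 user=dave result=fail
2024-05-01T08:01:14Z ip=203.0.113.5 user=erin result=fail
2024-05-01T08:01:15Z ip=203.0.113.5 user=frank result=success
2024-05-01T09:29:00Z ip=198.51.100.7 user=bob result=fail
2024-05-01T09:29:20Z ip=198.51.100.7 user=bob result=fail
2024-05-01T09:29:40Z ip=198.51.100.7 user=bob result=fail
2024-05-01T09:30:00Z ip=198.51.100.7 user=bob result=success
"""

# Constructed per-user baseline: source IPs from which each account has
# previously signed in successfully (an assumption standing in for a real
# device/location history store).
KNOWN_IPS = {
    "alice": {"198.51.100.7"},
    "bob": {"198.51.100.7"},
    "frank": {"192.0.2.10"},
}


def parse_log(text):
    """Turn the key=value log format above into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": kv["ip"],
            "user": kv["user"],
            "ok": kv["result"] == "success",
        })
    return sorted(events, key=lambda e: e["time"])


def detect_credential_stuffing(events, window=timedelta(seconds=60), min_users=5):
    """Map each source IP that tried at least `min_users` distinct accounts
    inside any `window` to the largest such count. The thresholds are
    assumed starting points; tune them against your own traffic."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):            # sliding window over time
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def detect_account_anomalies(events, known_ips, stuffing_ips,
                             max_failures=3, window=timedelta(minutes=10)):
    """Per-account checks on successful logins. Each alert is a tuple
    (user, ip, reasons) describing what the user should be notified about."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        user = e["user"]
        if not e["ok"]:
            failures[user].append(e["time"])
            continue
        recent = [t for t in failures[user] if e["time"] - t <= window]
        reasons = []
        if len(recent) >= max_failures:
            reasons.append(f"success after {len(recent)} failures")
        if e["ip"] not in known_ips.get(user, set()):
            reasons.append("new source IP")
        if e["ip"] in stuffing_ips:
            reasons.append("source IP flagged for credential stuffing")
        if reasons:
            alerts.append((user, e["ip"], reasons))
        failures[user] = []                     # a success resets the counter
    return alerts


def analyze(text=SAMPLE_LOG, known_ips=KNOWN_IPS):
    """Run both detectors and return (flagged_ips, account_alerts)."""
    events = parse_log(text)
    stuffing = detect_credential_stuffing(events)
    alerts = detect_account_anomalies(events, known_ips, stuffing)
    return stuffing, alerts


if __name__ == "__main__":
    stuffing, alerts = analyze()
    for ip, n in stuffing.items():
        print(f"block/challenge {ip}: {n} distinct accounts tried within a minute")
    for user, ip, reasons in alerts:
        print(f"notify {user}: login from {ip} ({'; '.join(reasons)})")
```

Note that frank's login is flagged even though it succeeded on the first try: one valid credential inside a stuffing burst is exactly the case where the password was leaked elsewhere, so the sensible response is to challenge the session and notify the user rather than treat it as a normal sign-in. Bob's case is the opposite pattern, a known address but three failures right before success, which warrants a notification rather than a block.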
Where to Begin with Fraud Prevention?
Most fraud prevention comes down to addressing the underlying causes: attack techniques such as phishing, and human mistakes such as weak or reused passwords.
Account takeover is prevented by combining software that blocks and mitigates such attempts, strict login procedures, and regular cybersecurity training.
It has to be taken into account that not all users are tech-savvy: many still use the same weak password across multiple services, and without basic training they might not recognize a common phishing attack.
Ultimately, any solution to this growing issue is about protecting people who use the system and trust companies with their sensitive data.