To put it bluntly, 2018 was a bad year for data security. Major consumer-facing corporations like Marriott and Facebook experienced some of the largest data breaches in history, exposing the data of millions of consumers. In total, 2018 saw an overall increase in compromised company records of 133% YoY, with an average of 291 records stolen every second.
But as bad as this all sounds, things could get much worse in the coming years if organizations fail to take steps to protect their customers from up-and-coming threat vectors, such as account takeover fraud. In this post, I will break down how account takeovers occur, why you should take action to prevent them, and three levels of security you can employ to prevent them—without bogging down your users’ experience.
What is account takeover fraud?
Account takeover fraud is a form of identity theft wherein a malicious third party accesses a victim’s account. By posing as the real account owner, fraudsters can change account details, make purchases, withdraw funds, and even leverage the stolen information to access other accounts.
How do account takeovers happen?
Account takeovers can be executed in a number of ways.
One of the chief concerns stemming from massive corporate data breaches like the ones mentioned above is the downstream impact they can have upon users. It’s not uncommon for account credentials to be leaked in these breaches, and to then become available for purchase on the dark web. Malicious actors are able to buy this data, then use sophisticated botnets or credential stuffing to test the stolen credentials at scale across every website and mobile app imaginable.
All of that said, it’s important to note that major breaches like those of Marriott or Facebook don’t have to occur in order for your customers to be vulnerable to account takeovers. Phishing attacks, password spray attacks, and session hijacking attacks are alternative techniques that hackers can use to gain illegal access to a victim’s account.
What is the impact of account takeovers?
After gaining access, criminals are free to commit all manner of fraud to drain user accounts of value, from unauthorized bank transfers to illicit purchases. Obviously not good.
According to a recent study from Javelin Study & Research, the number of account takeover incidents that took place in 2017 was 3X that of 2016. Victims paid an average of $290 out-of-pocket, and spent an average of 16 hours to resolve each instance. In total, this accumulated in a cost of $5.1 billion to consumers (a 120% increase from 2016), and more than 62.2 million hours of lost productivity in 2017.
Who is at risk of account takeovers?
In short, everyone.
Historically, financial organizations have been the most common targets for fraudsters looking to steal banking and credit card information. But as increased security measures like credit card chips and dynamic CVV have been put in place to protect financial organizations, attacks have expanded to adjacent industries like retail and e-commerce.
The reality is that every company that has a user account or membership system is at risk. All it takes for bad actors to wreak havoc is to tie personally identifiable information (PII) to account information.
So what can be done about it?
Defense against the Dark Arts
Here are 3 levels of security you can employ to protect your customers without inhibiting their user experience.
Level 1: Passwordless Authentication
Let’s start at the extreme end of usability. The first security practice to explore is eliminating passwords completely, and sticking to alternative authentication methods. Solutions like Apple Touch ID, Face ID, Windows Hello, or card readers allow users to access their app accounts password-free. Admins have the ability to make this the de-facto authentication method for their users through custom policies, drastically mitigating the risk of threats like password spray attacks and credential stuffing and actually making the login experience more user-friendly.
As an added bonus, eliminating passwords means cutting back on password resets — a chore that all users (especially those on mobile) will be glad to be rid of.
Level 2: Adaptive MFA
Going passwordless sounds great, but we understand that sometimes it just isn’t an option. In those cases, the next level of security you can implement with minimal impact on usability is Adaptive MFA.
Adaptive MFA monitors a wide range of login behavior variables such as device, geography, time of day, IP address, and more in order to assign a risk score to each individual login attempt. If the risk score of a login attempt is low (for example, if a familiar device tries to log in at a normal time from a previously established location), then the user can gain access without being prompted for additional factors. Painless.
But if the risk score is high, such as when an unrecognized device attempts to login from an unusual location at 4:00 AM, the account is prompted with a secondary factor like a one-time password (OTP).
The beauty of this method is that it strikes a great balance between security and usability. In everyday instances, users can access their apps with minimal friction. But in the event that a user’s credentials are stolen, those login details are no longer enough for a bad actor to execute an account takeover.
Level 3: Robust Multi-Factor Authentication Policies
If you aren’t satisfied with Adaptive MFA’s ability to calculate risk based on login factors, you can take things a step further by implementing your own custom requirements for when MFA is necessary.
For example, you may want users to authenticate via a specific method, at specific times. One common practice is to require users to authenticate via an OTP for their first login of the day, or after a certain duration of app inactivity. For applications that contain financial data (or similarly sensitive data), you may want to go so far as to require MFA for every login attempt.
These robust MFA policies may add a bit more friction for the user, but in many instances, they’re well worth it. Layer this method on top of Adaptive MFA for extra-strong protection against all sorts of malicious activity—including account takeovers.
As the impact of threats like account takeovers expand, striking the right balance between security and usability is critical. For further details around how you can keep your customers’ data secure from these types of threats without bogging down their user experience, check out our Adaptive MFA page.