A Better Way to Prevent Account Takeover and Other Credential-Based Attacks

Beyond Identity Blog

Account takeover is no joke. Between the huge financial burden that incurs, the hours spent trying to diagnose the point of access, or the loss in trust from employees and customers, this kind of attack scenario is a nightmare for organizations. 

Account takeover specifically refers to a tactic where a malicious threat actor obtains access to an online account. These takeovers can happen to any sort of consumer or work account, not just emails; everything from online banking apps and social media accounts to mission-critical business systems can be breached with account takeover. Once that access is obtained, the adversary can use that account for all kinds of devious activities: from stealing intellectual property to conducting fraudulent transactions.

Adversaries use multiple tactics to take over accounts, such as purchasing and reusing leaked usernames and passwords, credential stuffing (trying numerous weak or often used passwords), or even using a touch of social engineering tactics, like a phishing email, to gain access to credentials. Regardless of the tactic, the adversary is using, your organization can suffer greatly from account takeover attacks.

Some costs are hard to calculate, like the cost of  IP theft or the reputational damage and the related revenue or stock price impact. Others are relatively easy to calculate, like the cost of refunding a fraudulent transaction for a customer. But the financial damage also includes other real costs, such as investigating the breach, complying with reporting regulations, supplying customers with credit monitoring services and litigating, or payouts associated with lawsuits. 

The success rate on these types of attacks can be quite high, but that’s not all there is to worry about. Account takeover, also known as ATO, is alarmingly common—in fact, in the last year alone, ATO fraud rates have skyrocketed 282%, and in 2017, ATO fraud losses accounted for $3.3 billion! Even worse, the reputation of your organization or individuals within it can suffer greatly from ATO. 

In 2020, Twitter suffered from an ATO attack where the accounts of dozens of high-profile users were breached and used for cryptocurrency schemes, and the backlash was shown in a 4% fall in their stock almost immediately. Looking at these figures can be scary, but we’re here to help.

The Old Way of Stopping Account Takeover Attacks

Credential stuffing is one of the more common ways to attempt an ATO attack. Credential stuffing occurs when the malicious actor trying to access the account tries a variety of password and email combinations, typically purchased from a dark web forum, or otherwise illegally obtained.

These attacks can be done by hand, but are most often executed via software tools at a very high volume. Traditional ways of stopping credential stuffing attacks might include adjustments to any login pages, limiting the number of login attempts that a user makes, or adding a CAPTCHA test to stop an automated attack in its tracks. But many programs can now bypass this mitigation strategy.

In addition to adding “the human element” to a login page, malicious actors executing an account takeover can now bypass traditional multi-factor or two-factor authentication with relative ease. Traditional MFA/2FA that still relies on passwords and other weak factors does not provide the safety or security required to stop ATO—if adversaries already have access to your information and accounts, verifying your identity with an additional email address or answering a security question means nothing. For high value targets, adversaries can deploy sophisticated phishing schemes that intercept and then reuse one time passwords.

Your employees are your greatest asset, but can also be your greatest liability. Successful phishing attempts and compromised accounts can absolutely wreak havoc on an organization. Employees are often trained to use longer and stronger passwords and to change them frequently, but this conventional wisdom is outdated. For example, the software used in a phishing attack doesn’t care how “secure” your password is. Whether it’s 4 characters or 400 characters and includes special symbols, the phishing software is happy to steal it and deliver it to the attacker. The most recent advice is to use a long “passphrase” so it’s easy to remember—again, the phishing software doesn’t care.

There are also many preventative tools you can install in your systems to help prevent ATO, but many of these tools are inefficient. For example, if you notice credential stuffing behavior from a specific IP address, you can block that listing, but an IP address can easily be manually altered, and the credential stuffing can continue. 

The Best Way of Stopping Account Takeover

Now that we’ve discussed the old, outdated methods of stopping account takeover, let's look at the new ways and how they can better secure your applications and data. 

The most vulnerable element of your entire organization are your login credentials. In fact, according to the 2020 Verizon Data Breach Investigations Report, over 80% of breaches resulting from hacking involve brute force or the use of lost or stolen credentials. If you are still using passwords to verify identity, your entire organization could easily fall prey to an ATO attack. 

As Ant Allan, VP Research at Gartner, recently noted when discussing the myth of strong passwords, “While it is important to highlight the weaknesses of passwords, any message that you can make passwords ‘strong’ is egregiously misleading. Given today’s enhanced threat landscape, relying on passwords alone is imprudent, even reckless. Adding an extra factor, such as a token, to enable multi-factor authentication (MFA) is a minimum good practice, but the top practice is to move to passwordless authentication. In short, the only strong password is no password.”

Moving to passwordless authentication eliminates all password-based attacks

Attackers can’t breach password protected sites and apps, or steal passwords to login, because they simply don’t exist. Passwordless authentication stops account takeover attacks because it protects against login credentials being stolen or leaked and then reused by the bad guys. This eliminates credential stuffing, credential cracking, social engineering, and phishing attacks. It also eliminates ransomware attacks that are a result of RDP brute force tactics

Passwordless solutions that employ multiple secure factors are ideal. These solutions eliminate passwords and provide strong multi-factor authentication. Not only do they not rely on passwords, but the best solutions don’t rely on any weak factors at all (e.g., other knowledge factors and one time passwords/codes). 

Passwordless solutions that employ multiple secure factors are ideal. These solutions eliminate passwords and provide strong multi-factor authentication. Not only do they not rely on passwords, but the best solutions don’t rely on any weak factors at all (e.g., other knowledge factors and one time passwords/codes). 

Users will love no longer having to create or constantly rotate passwords, and they won’t have to deal with lockouts. The best passwordless solutions also make the login experience a breeze—with no second device or temporary code required.

If you want to learn how you can eliminate the root cause of all account takeover attacks, Beyond Identity can help. Book a free demo with us now