The Damage to Your Brand Through an Account Takeover
Brick-and-mortar stores no longer dominate the shopping landscape; technology has made it easier to shop online, and most shoppers do so through a dedicated account. That convenience comes at a price. The credentials a shopper chose at sign-up are now the doorway to an account takeover, also referred to as account theft, account hacking, or an account breach. Thieves no longer need your checkbook or credit card. They simply need your credentials.
Meaning of Account Hacking
Account takeover is the fraudulent takeover of someone else's account, typically on an eCommerce or financial services platform. An unauthorized third party obtains the login details needed to access that account.
From there, the fraudster can change the delivery address on orders or place new orders charged to the victim's stored payment method. The work is carried out either by human operators or by software bots.
There are a number of ways this account hacking can happen.
- Credential Cracking
This is when an attacker, usually with bots, tries to guess the password for a known account: lists of common passwords, variations on them, or outright brute force. It is characterized by a spike in failed login attempts against a single account.
Of the methods here, it is the easiest for a merchant to notice, because the failed attempts pile up in the authentication logs of the targeted account.
- The Breach, Credential Stuffing, and the Financial Transaction
This is a three-part account theft that exploits users who reuse the same password on multiple platforms. The attacker breaches one website and steals its usernames and passwords: "The Breach".
The stolen pairs are then replayed, usually by bots, against other websites to find which logins still work: "Credential Stuffing". Because each stolen pair is tried only once or twice per site, and the attempts are spread across many IP addresses, no single account shows a spike in failures; what stands out is many different accounts being tried from the same source with a low success rate. The working logins are often sold to other criminals rather than used by the attacker directly. That sale is the "financial transaction".
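Telling the two patterns apart in a log is simpler than it sounds. The script below is an added example, not code from the original article: it parses a constructed authentication log (the line format, thresholds and RFC 5737 sample addresses are assumptions for illustration) and flags accounts under credential cracking (many failures against one account) separately from sources doing credential stuffing (one source trying many distinct accounts with a low success rate).

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real traffic). The line format is an
# assumption for this example: "<timestamp> ip=<addr> user=<name> result=<ok|fail>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:03 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:04 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:05 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:06 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:07 ip=203.0.113.7 user=alice result=ok
2024-05-01T10:01:00 ip=198.51.100.9 user=bob result=fail
2024-05-01T10:01:01 ip=198.51.100.9 user=carol result=fail
2024-05-01T10:01:02 ip=198.51.100.9 user=dave result=ok
2024-05-01T10:01:03 ip=198.51.100.9 user=erin result=fail
2024-05-01T10:01:04 ip=198.51.100.9 user=frank result=fail
2024-05-01T10:01:05 ip=198.51.100.9 user=grace result=fail
2024-05-01T10:05:00 ip=192.0.2.44 user=heidi result=fail
2024-05-01T10:05:09 ip=192.0.2.44 user=heidi result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events: list, fail_threshold: int = 5, min_distinct_users: int = 5,
             max_success_ratio: float = 0.3) -> dict:
    """Flag accounts under credential cracking and sources doing credential stuffing.

    Cracking: one account accumulates at least fail_threshold failures.
    Stuffing: one source tries at least min_distinct_users different accounts and
    succeeds on at most max_success_ratio of its attempts (most stolen pairs do not
    work on a given site). Thresholds are example values.
    """
    fails_per_user = defaultdict(int)
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for e in events:
        if e["result"] == "fail":
            fails_per_user[e["user"]] += 1
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["result"] == "ok":
            stats["ok"] += 1

    cracking = sorted(u for u, n in fails_per_user.items() if n >= fail_threshold)
    stuffing = sorted(
        ip for ip, s in per_ip.items()
        if len(s["users"]) >= min_distinct_users
        and s["ok"] / s["attempts"] <= max_success_ratio
    )
    return {"credential_cracking_accounts": cracking,
            "credential_stuffing_sources": stuffing}


if __name__ == "__main__":
    print(classify(parse_log(SAMPLE_LOG)))
```

The per-source view catches a stuffing run from one address; a campaign spread across thousands of residential proxies shows up only as a site-wide rise in failed logins across distinct accounts, so the same failure-rate check should also be run against the whole login endpoint with a baseline from normal days.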
How Account Fraud can Harm Your Brand
Merchants are at particular risk in an account takeover. The attacker is faceless, so the customer tends to blame the merchant site instead, and that loss of trust is very damaging to a brand's reputation.
Stolen business credentials, as opposed to customer ones, can also be sold to competitors. That is a nightmare for any owner who has worked hard to build a brand: compromised trade secrets can cause irreparable damage.
The two-fold problem faced by merchants
Account breaches allow others to run up bills in a customer's name. This is the fault of neither the customer nor the merchant, yet it is still difficult for a merchant to investigate a fraud event, and there are cases where the "fraud" is actually a customer trying to get a freebie.
This produces a two-fold problem for the merchant.
- The frustrating process of ‘investigating’ their customer, at risk of annoying them. The worst result is that the customer leaves a scathing review.
- By not investigating fraud claims, customers could get something for nothing. The merchant is left with paying the bill.
In either of these scenarios, the merchant’s bottom line is at risk. The merchant either increases prices or makes security painfully cumbersome to deal with.
Brand Identity for Financial Services
With financial services, the security of the platform is vital: the industry prides itself on handling money securely. Account hacking can wreak havoc on an online financial services platform, and compared to other industries the public relations fallout can be devastating. Consumers expect a higher standard of protection from account takeover at their bank than at a shop.
The Long Run
The issue of account hacking extends into the future; it is not a short-term problem. Once your business has been targeted successfully, it is more likely to be targeted again. Fraudsters know which platforms are easy pickings and share that knowledge, so you may face persistent attacks.
- As an eCommerce or financial services brand, if an account breach is suspected you must raise the security of the whole platform, not just of the one account.
- Customers affected by this fraud should change the password on every site where they reused it, not only on the breached one.
How To Protect Against Account Theft
Simple passwords are easily guessed, which introduces an exploitable weakness. Unfortunately, many users also reuse the same password across multiple platforms, and industry breach reports consistently find that the majority of account takeovers start with compromised passwords. However, the blame for the takeover will almost always fall at the merchant's feet. Because so much account theft comes down to account holder habits the merchant cannot control, the platform must be designed to absorb them.
Here are just a few ways to achieve this.
1. Two-Factor Authentication
Passwords have been around since the birth of internet security, and on their own they are a single point of failure. Two-factor authentication requires a second proof of identity from a different category than the password: something the user has (a phone running an authenticator app, a hardware key) or something the user is (a fingerprint). Note that the security questions many sites still offer, such as:
- What is your mother's maiden name?
- What was the name of your first pet?
- What was the first street you lived on?
are not a true second factor. They are another "something you know", and the answers are frequently public on social media or exposed in the same breaches that leak passwords. Letting users set their own questions helps only a little; a possession factor, such as the authenticator apps described below, is the real fix.
2. Password Strength Settings
You can configure the password policy to reject weak choices at sign-up and at every password change. The traditional rule is to require letters, numbers, capitals and symbols; that makes blind guessing harder, but it also produces predictable patterns ("Password1!") that attackers' wordlists already contain. Current guidance (NIST SP 800-63B) puts more weight on a minimum length of at least eight characters, longer being better, and on rejecting any password that appears in breached-password lists, than on forced symbol mixing. Either way, the policy can surface as a soft recommendation or as an absolute requirement, and it should reject passwords built from the user's name, pet, country of birth and so on, however cute or sentimental they sound. The focus is to pre-empt the worst thing happening.
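As an added example (not code from the original article), the following Python shows why composition rules alone are not enough: "P@ssw0rd!" satisfies every character-class rule yet sits in every breach corpus. The breached-hash set here is constructed locally for illustration; the comment about the Have I Been Pwned range API describes an assumed deployment, not something the article specifies.

```python
import hashlib
import re

# Constructed local blocklist for this example: SHA-1 of a few passwords that appear in
# every breach corpus. In production, check against a real breached-password set, e.g.
# the Have I Been Pwned range API, which is queried with only the first five hex
# characters of the SHA-1 so the password itself never leaves your server (assumption
# about deployment, not part of the article).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "P@ssw0rd!", "Summer2024!", "qwerty123", "letmein")
}


def composition_only(pw: str) -> bool:
    """The classic rule on its own: lowercase, uppercase, digit and symbol all present."""
    return all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def check_password(pw: str, username: str = "", personal_terms=(), min_len: int = 12) -> list:
    """Return the reasons to reject pw; an empty list means it is acceptable.

    Length and breach status carry the most weight, so they are checked first. Personal
    terms (username, pet name, and so on, supplied by the caller) are rejected because
    they are the first guesses an attacker who knows the victim will try.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    lowered = pw.lower()
    for term in (username, *personal_terms):
        if term and len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    if len(set(lowered)) < 5:
        problems.append("too repetitive")  # e.g. "aaaaaaaaaaaa" or "abababababab"
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "correct horse battery staple 42"):
        print(candidate, composition_only(candidate), check_password(candidate))
```

Run at sign-up and at every password change; if the policy is enforced only at sign-up, users who were allowed a weak password years ago keep it indefinitely.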
3. Authenticator Apps
Both Microsoft and Google publish authenticator apps, and any app implementing the open TOTP standard (RFC 6238) works the same way. At enrolment the app and the server share a secret, usually via a QR code; from then on the app derives a short code from that secret and the current time, and the user must enter the current code, alongside their password, before they can log in. Codes change every 30 seconds and are useless to an attacker who only holds the password. They are not impossible to get around, though: a phishing page that captures the code and relays it to the real site within its validity window still gets in, which is why phishing-resistant factors such as FIDO2 security keys or passkeys are the stronger choice for high-value accounts.
4. Sandboxing dubious accounts
If an account shows signs of compromise (a login from a new device and country, a changed delivery address followed by a large order), do not simply block it. Put it into a restricted state: allow browsing but hold orders, freeze address and payment changes, and require re-verification before anything ships. Sandboxing fishy accounts this way lets you track and trace the activity and prevent further malicious use without locking out a customer who turns out to be legitimate.
5. The Use of Robust WAF configurations
A web application firewall (WAF) cannot tell a stolen password from a legitimate one, because the login itself succeeds. What it can do is recognise the traffic around credential attacks: bursts of POSTs to the login endpoint, requests from known botnet or proxy ranges, automated-looking clients, and other signs of brute force or botnet probing. Targeted policies on those signals let you block or challenge the traffic before it reaches the authentication code.
6. Placing login attempt limits
You can limit the number of login attempts allowed against an account, and from a single source address, within a time window. This curtails an attacker's chances of guessing the password, and it works well against a single bot hammering one endpoint. Its weakness is that bot traffic typically originates from many different IP addresses, so a per-IP limit alone is easily sidestepped. Limit per account as well, and prefer a step-up check or backoff over a hard lockout, because a hard lockout lets an attacker lock legitimate customers out on purpose.
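The following Python is an added example, not code from the original article, of a throttle that keeps both counters and shows the difference in practice: six bots on six different addresses, one guess each against the same account, never trip a per-IP limit but do trip the per-account one. Thresholds, window sizes and the RFC 5737 addresses are example values chosen here.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Decide whether a login attempt may proceed, before the password is checked.

    Two sliding-window counters of failed attempts are kept: one per source IP and one
    per account. The per-account limit does not hard-lock the account (that would let an
    attacker lock real users out on purpose); it escalates to a step-up check instead,
    with exponential backoff between attempts. Thresholds are example values.
    """

    def __init__(self, window_s=900, ip_limit=20, account_limit=5,
                 base_delay_s=2, max_delay_s=60):
        self.window_s = window_s
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.base_delay_s = base_delay_s
        self.max_delay_s = max_delay_s
        self.ip_failures = defaultdict(deque)       # ip -> timestamps of failures
        self.account_failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, q, now):
        # Drop failures that have aged out of the sliding window.
        while q and q[0] <= now - self.window_s:
            q.popleft()

    def decide(self, ip: str, account: str, now: float) -> str:
        ip_q, acct_q = self.ip_failures[ip], self.account_failures[account]
        self._prune(ip_q, now)
        self._prune(acct_q, now)
        if len(ip_q) >= self.ip_limit:
            return "block_ip"          # one source hammering the login endpoint
        n = len(acct_q)
        if n >= self.account_limit:
            return "step_up"           # require a second factor / email verification
        if n:
            wait = min(self.base_delay_s * 2 ** (n - 1), self.max_delay_s)
            if now - acct_q[-1] < wait:
                return "retry_later"   # exponential backoff between attempts
        return "allow"

    def record_failure(self, ip: str, account: str, now: float) -> None:
        self.ip_failures[ip].append(now)
        self.account_failures[account].append(now)

    def record_success(self, account: str) -> None:
        self.account_failures[account].clear()


def simulate_distributed_attack() -> list:
    """Six bots, each from its own IP, try one password each against 'alice', two
    minutes apart. Per-IP counting never trips (one failure per IP); the per-account
    counter does. Returns the decision for each attempt."""
    t = LoginThrottle()
    decisions = []
    for i in range(6):
        now = i * 120
        ip = f"203.0.113.{i + 1}"  # RFC 5737 documentation addresses
        d = t.decide(ip, "alice", now)
        decisions.append(d)
        if d == "allow":
            t.record_failure(ip, "alice", now)
    return decisions


def simulate_rapid_retries() -> tuple:
    """One source retrying the same account a second after a failure hits the backoff."""
    t = LoginThrottle()
    t.record_failure("198.51.100.9", "bob", 1000)
    return t.decide("198.51.100.9", "bob", 1001), t.decide("198.51.100.9", "bob", 1010)


if __name__ == "__main__":
    print(simulate_distributed_attack())
    print(simulate_rapid_retries())
```

In production the counters live in a shared store such as Redis rather than in process memory, so that every login server sees the same counts; the decision logic is unchanged.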
7. Using AI detection
Static WAF rules are not great at identifying slow, distributed, low-volume attacks that stay under every threshold. Behavioural models that score each login on device, location, time of day, velocity and the account's own history can flag the anomalies that fixed rules miss and feed them into step-up or sandboxing decisions.
Concluding Remarks
Internet security is not a new concept; it began with a simple password, which meant the password was also the first line of defense to be attacked. This presents a problem for users and merchants alike, and it has given rise to finger-pointing in both directions.
Thankfully, the technology now exists to curtail account hacking, although it may require security measures that are slightly inconvenient for the brand and for the user. In either event, the sacrifice is worthwhile to protect both finances and reputation.