Boda SMS
  • Home
  • Message service
  • Sms account
  • Sms code
  • Text messaging
  • Message company
Home Sms account Passwordless MFA: The Only Way to Mitigate the Top 5 Threats to...
  • Sms account

Passwordless MFA: The Only Way to Mitigate the Top 5 Threats to Your Customers’ Identity

By Terry L. Ross - April 27, 2022

    Consumers are increasingly targeted by cybercriminals who use various techniques of Account Takeover (ATO) attacks. These attacks threaten the security of their online accounts and personal data.

    Consumers understand this too. According to Experian’s 2021 Global Identity and Fraud Report[1], 55% of consumers say security is the most important aspect of their online experience.

    At the same time, account takeovers pose a major threat to this security. The same report states, “We are already seeing an increase in account takeover attacks, which involve fraudsters using compromised usernames and passwords to commandeer consumer accounts.”

    The 5 methods of ATO attacks

    What do cybercriminals do to compromise consumer accounts, and what can you do to prevent them? Here are five of the most common methods of ATO compromise.

    Brute force attacks

    Brute force attacks are “guess and verify” attacks that exploit weak passwords. These attacks can be performed either online, by attempting to log into an authentication portal, or offline, by testing candidate passwords against password hashes (one-way hashed forms of passwords) exposed in a data breach. Weak passwords can be cracked in seconds, while long, random passwords are virtually unbreakable. After cracking a password, the attacker can log into the user’s account.

    Credential stuffing

    This tactic exploits our bad habit of reusing the same passwords for multiple accounts. In fact, reports indicate that hackers have targeted TurboTax with credential stuffing[2]. In most cases, criminals start with large dumps of credential data that they have stolen from another site or purchased on the dark web. They then use bots to test those credentials on many different sites and apps.
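The two attacks just described leave different footprints in a login log, which is what a defender uses to tell them apart. The following Node.js script is an added example, not code from the original article or from any vendor it mentions: it runs simple detection logic over a few constructed login-log lines. Brute force shows up as many failures concentrated on one account from one source; credential stuffing shows up as one source trying roughly one password per username across many accounts, and any successes from that source are the accounts most likely compromised. The log format, IP addresses, usernames and thresholds are all constructed for the example.

```javascript
// Added example, not from the original article: simple detection logic for the
// two "guess and verify" patterns, run over constructed login-log lines.
// Log format, addresses, usernames and thresholds are all constructed.
const WINDOW_MS = 5 * 60 * 1000; // look at one 5-minute slice of the log

// Constructed sample: one IP sprays many usernames once each (stuffing),
// another hammers a single account (brute force), and a legitimate user
// mistypes a password once.
const SAMPLE_LOG = `
2022-04-27T10:00:01Z ip=203.0.113.7 user=alice result=fail
2022-04-27T10:00:02Z ip=203.0.113.7 user=bob result=fail
2022-04-27T10:00:02Z ip=203.0.113.7 user=carol result=fail
2022-04-27T10:00:03Z ip=203.0.113.7 user=dave result=fail
2022-04-27T10:00:03Z ip=203.0.113.7 user=erin result=ok
2022-04-27T10:00:04Z ip=203.0.113.7 user=frank result=fail
2022-04-27T10:00:10Z ip=198.51.100.9 user=admin result=fail
2022-04-27T10:00:11Z ip=198.51.100.9 user=admin result=fail
2022-04-27T10:00:12Z ip=198.51.100.9 user=admin result=fail
2022-04-27T10:00:13Z ip=198.51.100.9 user=admin result=fail
2022-04-27T10:00:14Z ip=198.51.100.9 user=admin result=fail
2022-04-27T10:00:15Z ip=198.51.100.9 user=admin result=fail
2022-04-27T10:00:16Z ip=198.51.100.9 user=admin result=fail
2022-04-27T10:01:00Z ip=192.0.2.5 user=grace result=fail
2022-04-27T10:01:20Z ip=192.0.2.5 user=grace result=ok
`;

// One log line -> { ts, ip, user, ok }, or null for blank/unparseable lines.
function parseLine(line) {
  const m = line.match(/^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$/);
  return m ? { ts: Date.parse(m[1]), ip: m[2], user: m[3], ok: m[4] === 'ok' } : null;
}

// Returns a list of alerts. Stuffing: one source, many distinct usernames,
// about one attempt each, inside the window. Brute force: many failures
// against one account from one or two sources.
function detect(logText, { stuffingMinUsers = 5, bruteMinFailures = 6 } = {}) {
  const events = logText.split('\n').map(parseLine).filter(Boolean);
  const byIp = new Map();
  const byUser = new Map();
  for (const e of events) {
    const ip = byIp.get(e.ip) || { attempts: 0, fails: 0, users: new Set(), successes: new Set(), first: e.ts, last: e.ts };
    ip.attempts += 1;
    ip.users.add(e.user);
    ip.first = Math.min(ip.first, e.ts);
    ip.last = Math.max(ip.last, e.ts);
    if (e.ok) ip.successes.add(e.user); else ip.fails += 1;
    byIp.set(e.ip, ip);
    const u = byUser.get(e.user) || { fails: 0, ips: new Set() };
    if (!e.ok) { u.fails += 1; u.ips.add(e.ip); }
    byUser.set(e.user, u);
  }
  const alerts = [];
  for (const [ip, s] of byIp) {
    if (s.last - s.first <= WINDOW_MS && s.users.size >= stuffingMinUsers && s.attempts / s.users.size <= 2) {
      // Successful logins from a stuffing source are the accounts to reset first.
      alerts.push({ type: 'credential-stuffing', ip, distinctUsers: s.users.size, failures: s.fails, compromised: [...s.successes] });
    }
  }
  for (const [user, s] of byUser) {
    if (s.fails >= bruteMinFailures && s.ips.size <= 2) {
      alerts.push({ type: 'brute-force', user, failures: s.fails, ips: [...s.ips] });
    }
  }
  return alerts;
}

console.log(detect(SAMPLE_LOG));
```

The attempts-per-username ratio is the distinguishing signal: a stuffing bot already has a specific password for each account and moves on after one try, so per-IP failure counting alone (the classic brute-force lockout) never fires on it. In production the same counts would be kept over a sliding window rather than a fixed slice.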

    Phishing and smishing

    We are all familiar with phishing, and yet many of us are still tricked by deceptive emails that lure us to well-spoofed sites. Once you log in there, the attackers capture your credentials. Spear phishing is very similar but targets specific individuals. Smishing simply replaces the fraudulent phishing email with an SMS.

    Man-in-the-middle attacks (MITM)

    There are many forms of these attacks, but all rely on tricking a user into authenticating to a spoofed site or giving a password to a criminal over the phone or by text message. The criminal then uses this information to log in to the real site as the user. Sophisticated criminals can use MITM to overcome many forms of multi-factor authentication, such as SMS one-time passwords.

    SIM swapping

    Attackers can transfer a target’s phone number to a SIM card they control by convincing the service provider that they own the account. Once they control the phone number, they abuse weak SMS authentication to perform password resets on accounts by intercepting SMS one-time passwords or magic links.

    Indeed, the US Federal Bureau of Investigation recently warned[3] that SIM card swapping attacks are increasing dramatically. This is what happened to Apple engineer Rob Ross who lost nearly a million dollars when hackers took over his number[4] and accessed his cryptocurrency account.

    Passwordless authentication eliminates ATO threats

    ATO attacks have been a threat for years and several solutions have been proposed. In the old days, multi-factor authentication (MFA) using one-time passwords (OTPs) was considered best practice. However, it can be overcome with the MITM and SIM swapping attacks described above. So what should we do?

    The US government recently issued guidelines on the subject. In the January 26 memorandum “Moving the US Government Toward Zero Trust Cybersecurity Principles”[5], Shalanda Young, Acting Director of OMB, says: “MFA will generally protect against certain common methods of unauthorized account access, such as guessing weak passwords or reusing passwords obtained as a result of a data breach. However, many approaches to multi-factor authentication fail to protect against sophisticated phishing attacks… Fortunately, there are phishing-resistant MFA approaches that can defend against these attacks. The federal government’s Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium’s (W3C) open “web authentication” standard, another effective approach, is supported today by nearly all major consumer devices and a growing number of popular cloud services.”

    Consumers face the same types of ATO threats as government agencies. Therefore, the security mechanisms used to protect consumer accounts from these threats must be as strong as those mandated by the government. PIV, which relies on physical smart cards, is not a viable option for consumer accounts.

    On the other hand, the W3C web authentication standard, also known as WebAuthn, is ideal for consumer accounts. WebAuthn enables passwordless biometric authentication that leverages consumer devices such as mobile phones. WebAuthn is part of a set of standard protocols called Fast IDentity Online[6], or FIDO. Most modern mobile phones support FIDO today, as do an increasing number of tablets, laptops and desktop computers. FIDO is mainstream, enabling wide adoption in consumer-centric use cases (i.e. consumer identity and access management, or CIAM).

    More importantly, FIDO-based passwordless authentication, when done correctly, is impervious to all of the threat vectors discussed above. There is no shared secret to phish, and devices only authenticate to the trusted sites where they previously registered. Its strength rests on the public key cryptography on which it is based.

    Moreover, this form of authentication is easier to use than passwords, especially when those passwords are supplemented with additional factors such as one-time passwords, hardware tokens or push authentication. FIDO and WebAuthn represent one of those rare cases where your users benefit from both better security and a smoother customer experience (CX).

    There are challenges with FIDO authentication for consumers. Not everyone uses a FIDO-enabled device. Some users are not comfortable with using biometric authentication for their devices or with using these devices to support authentication to online services. However, these scenarios are easily resolved with the right passwordless CIAM solution.

    We have a large global retail client implementing Transmit Security’s passwordless digital identity solution using FIDO authentication and fallback options that avoid reusable passwords. Fallback options include magic links and one-time SMS passwords. It may be tempting to dismiss such an approach because not all customers will use FIDO and WebAuthn as their primary authentication method. However, given the alternative – reusable passwords with all their insecurities and customer friction – a mixed model of FIDO authentication and non-FIDO fallback options is ideal for better security and user experience.

    The time has come for passwordless customer authentication. Research shows that consumers trust biometric authentication[7]. FIDO-based passwordless authentication is more secure and easier to use, and most consumers already carry a device capable of running it.

    To learn more about passwordless client authentication, read our complete guide.

    [1] Source

    [2] Source

    [3] Source

    [4] Source

    [5] Source

    [6] Source

    [7] Source
