Account takeover attacks hijack users
Retail under attack
A 2020 report from Akamai, the content delivery network and cybersecurity provider, claims that Account Take Over (ATO) attacks in the retail industry have increased by more than 40 percent. They say 60 percent of login data attacks in the past 24 months have targeted retail, hospitality and travel companies. By a huge margin – an astonishing 90 percent of these attacks – the retail industry is hardest hit by this cyber offensive.
These numbers are in line with findings from Ravelin, a fraud prediction and detection company with strong retail interests. Ravelin released a report in 2020 focusing on online merchants and ecommerce. The report found that 45 percent of online retailers are more likely to see ATO attacks and that this type of fraud is now their biggest fraud risk.
The COVID-19 pandemic has played a role in this unwanted attention from cyber criminals. The periods of staying at home and working from home led to an increase in online purchases. It was the only way you could buy most items, especially anything categorized as non-critical. For some consumers it was their first foray into online shopping. Established online shoppers made a higher number of purchases, often from suppliers they had not previously used. 2020 even saw record levels of online trading.
Victims of their own success
More than 50 percent of respondents in Ravelin’s report experienced a positive or very positive impact on sales because of the pandemic. More customers and more users are of course a good thing, but they bring some additional baggage. First-time users dipping a toe into ecommerce, and long-standing users with lots of accounts to juggle, tend to use weak passwords.
Weak passwords are easily cracked by increasingly intelligent brute-force attack software. These packages are no longer limited to going through a long list of dictionary words and trying them out as passwords one by one. They can combine words with numbers and dates, and they understand all common number and letter substitutions.
They can also use the breached password lists from other sites. If a password you use is in such a list – whether it comes from one of your own accounts or from someone else who happened to use the same password – the credential stuffing software can log in as if it were you.
Credentials can also be collected through phishing attacks or other social engineering methods, which new users are more likely to accept as genuine and fall for. So the more users you have, the more likely it is that some of them will fall victim to a phishing attack.
How compromised accounts monetize
Cyber criminals rarely do what they do for fun. Like all criminals, they try to profit from their activities, so they have to find a way to make money from each attack. A compromised account offers them many options. A compromised business account can be used to initiate phishing campaigns, find out private or sensitive business information, or use the associated business email account to commit various types of fraud.
A compromised user account on a shopping platform is very different, but there are still many ways the threat actor can generate a profit.
- Sales of login data: They can sell the details of the leaked account on the Dark Web. They will sell it as a verified account. This means that they have proof, usually a screenshot, showing that they were able to log into that account with the credentials they are selling.
- Place fraudulent orders: They can place orders for goods using stored credit card information, loyalty points, or using lines of credit that may have been extended to that account.
- Sell personal data: They can extract all the information from the user profile – address, contact details, and payment card details – and sell that pack of information on the Dark Web.
- Use stolen card information: By linking stolen credit card information to a compromised account, the cyber criminal can use the card for purchases under the disguise of the real user’s account.
- Clone the account: A threat actor can delete the compromised account and create a new account using the data extracted from the original. This gives them full control over the new account. The new account will have a different User ID and Account ID, making it difficult for the real user and retailer technical support to find and block the cloned account.
If the threat actor is going to make fraudulent purchases, he will likely change the password to lock out the real user. This prevents them from seeing exactly what’s going on in their account and requires an often lengthy verification process with the retailer’s tech support to reset the password.
If the threat actors are going to sell the account credentials or the user’s personal information, they will not place orders or make changes to the account information. They don’t want to warn the user that their account has been hacked.
Sometimes the criminals only change the delivery address and the contact telephone number. This is because they don’t want the goods to go to the real account owner’s address, and because the cell phone number is often given to the delivery person. The driver will use it to ask for directions if he cannot find the address, and the shop system will send text messages to the phone while the order progresses through the system.
What Retailers Can Do
These steps will help protect you from ATO attacks.
- List account types: Always start by quantifying what you need to protect. All of the account types you provide must be identified and categorized. The risks associated with the different account types can vary from account to account. Plans and responses that can reduce the risk must be made. Record the departments, teams and other stakeholders invested in the different account types.
- Identify possible indicators of an attack: This requires collaborative thinking on the part of stakeholders and may require additional training for technical personnel. For example, many login attempts on an account can indicate that the account is being targeted. The user may simply have forgotten their password, but it could be a real attack. Depending on the type of account and the identified risk associated with a compromised account of that type, the appropriate response must be taken. That can be as simple as locking the account and contacting the account owner.
- Set limits for login attempts: Limit the number of failed login attempts that can be made before the account is locked and a warning is issued.
- Use technical solutions: Consider systems such as Intrusion Detection Systems that can automate attack indicator detection, take corrective action, and send alerts to your security or fraud team.
- Two-factor authentication: Two-factor authentication (2FA) is a robust way to secure accounts. It requires the user to know their ID and password and to have another item in their possession, usually an authentication app on their smartphone. Two-factor authentication should be used where possible.
- Educate users: Create and send informational emails to users. Cover topics such as current threats, the latest fraud trends, and what action to take if they believe their account has been compromised or is under attack. You can also use these service emails to try to avoid cyber friction: the pushback you get when a security enhancement changes a workflow or introduces an extra step, two-factor authentication being a typical example. You need to plan how you will promote the new security requirement so that it is understood and adopted by your user base. If the users don’t embrace and use it, you might as well not provide it.
- Install fraud prevention software: Software protections are available that can identify suspicious behavioral patterns and lock accounts before an attacker can inflict damage.
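The "identify indicators" and "set limits for login attempts" steps above can be turned into a small detector. The following is an added example, not code from the article or any product it mentions: it replays constructed authentication log lines, locks an account after a threshold of failed logins, and flags a source IP that fails against several distinct accounts (the credential stuffing pattern described earlier). The log format, the thresholds and the event names are assumptions.

```python
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 3        # lockout threshold per account (assumed value)
STUFFING_ACCOUNTS_PER_IP = 3   # distinct accounts failing from one IP (assumed)

# Constructed sample log lines: "<timestamp> <event> <account> <source_ip>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 LOGIN_FAIL alice 203.0.113.5
2024-03-01T10:00:02 LOGIN_FAIL bob 203.0.113.5
2024-03-01T10:00:03 LOGIN_FAIL carol 203.0.113.5
2024-03-01T10:00:04 LOGIN_OK alice 198.51.100.7
2024-03-01T10:01:00 LOGIN_FAIL dave 192.0.2.9
2024-03-01T10:01:05 LOGIN_FAIL dave 192.0.2.9
2024-03-01T10:01:10 LOGIN_FAIL dave 192.0.2.9
2024-03-01T10:01:25 LOGIN_OK dave 192.0.2.9
this line is malformed and must be skipped
"""

def parse_log(text):
    """Parse lines into (ts, event, account, ip) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append(tuple(parts))
    return events

def analyze(events):
    """Return (locked accounts, flagged IPs, alerts) for a list of events."""
    failures = defaultdict(int)     # account -> consecutive failed logins
    targeted = defaultdict(set)     # ip -> accounts that ip failed against
    locked, flagged_ips, alerts = set(), set(), []
    for ts, event, account, ip in events:
        if account in locked:
            # Lockout holds even for a correct password until support resets it
            alerts.append(f"{ts} {event} on locked account {account} from {ip}")
            continue
        if event == "LOGIN_FAIL":
            failures[account] += 1
            targeted[ip].add(account)
            if failures[account] >= MAX_FAILED_ATTEMPTS:
                locked.add(account)
                alerts.append(f"{ts} locked {account} after {failures[account]} failures")
            if len(targeted[ip]) >= STUFFING_ACCOUNTS_PER_IP and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(f"{ts} {ip} failed against {len(targeted[ip])} accounts")
        elif event == "LOGIN_OK":
            failures[account] = 0   # a genuine login clears the counter
    return locked, flagged_ips, alerts
```

In the sample, dave is locked on the third failure and the later correct login is alerted rather than admitted, while 203.0.113.5 is flagged after one failure each against three different accounts, which a per-account counter alone would never catch.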
Don’t forget the basics. Annual security audits, policy reviews and walk-throughs, incident plan rehearsals, penetration testing and staff training should continue.