Account takeover (ATO) attacks result in billions of dollars of fraud and damage to brand reputation each year. These are the costs and risks associated with ATO.
Let’s start by defining ATO. Account takeover is a form of online identity theft in which a cybercriminal illegally gains access to a victim’s account, such as a bank account or e-commerce account. The victims account will be of value to the hacker because it either holds funds or access to products, services or other stored value of some kind; as is the case with loyalty accounts for specific companies. Once the cybercriminal has gained access to the account, they will drain funds, use loyalty points, or use the credit and debit card information to commit an act of online fraud.
Cybercriminals will use various techniques to gain illegal access to the victim’s account, the most common of which are credential stuffing and credential cracking. Credential stuffing is an automated web injection attack where hackers use credential information sourced from data breaches to gain access to the victim’s other accounts. Credential cracking is another term for a brute force attack in which hackers will use dictionary lists or common usernames and passwords to guess their way into an account.
ATO attacks have emerged as a substantial threat to online users and pose a significant risk to the reputation of companies affected by them. Motivated by the potential for profit, cybercriminals have intensified ATO attacks, resulting in a marked increase in associated risks. A revealing report by NuData Security corroborates this growing trend, showing a substantial rise in the utilization of valid credentials for attacks—escalating from 1.9% in 2020 to 9.9% in 2021.
During the first half of 2022, the occurrence of ATOs experienced a dramatic surge of 131% compared to the same timeframe the previous year. This spike led to significant financial repercussions, with consumers incurring $8.8 billion in fraud costs in 2022—a 44% increase from the preceding year, according to the Federal Trade Commission. This erodes the trust of customers, and frequently, it is the companies holding those accounts that bear the responsibility of covering the costs. Looking forward, Juniper Research anticipates global losses from online payment fraud to surpass $362 billion between 2023 and 2028, including a staggering projected loss of $91 billion in 2028 alone.
Data from Sift further illustrates the gravity of the situation, revealing a substantial increase in ATO attacks in Q2 2023, marked by an 800% rise against Fintech and nearly 500% against the Food & Beverage sectors. This equates to a 354% year-over-year increase across Sift’s global network. Moreover, the ForgeRock 2023 Identity Breach Report disclosed a 233% increase in U.S. breaches exposing credentials compared to 2021. It also highlighted the increased cost of exposed healthcare records to $675 per record, demonstrating that the cost of ATO is increasing alongside its frequency
While cyber fraudsters traditionally targeted bank accounts, they are broadening their scope to target a range of online accounts such as e-commerce accounts, social media accounts, shop loyalty schemes, cryptocurrency wallets, and email accounts.
The e-commerce industry is witnessing substantial growth, with online retailers exploring and penetrating new markets. According to Insider Intelligence, 20.8% of retail purchases are expected to be online in 2023, and this figure is anticipated to rise to 24% by 2026. The global e-commerce growth rate for 2023 is forecast at 8.9%, with global e-commerce sales worldwide reaching a staggering $5.8 trillion. Experts predict a sustained growth trajectory, projecting a 9.4% growth rate in global e-commerce sales in 2024, according to Oberlo.
These new consumers represent a lucrative new market for cybercriminals and it is not just the influx of newcomers that is fueling cybercriminals but also changes in consumer behavior. More consumers are turning to alternative payment methods such as Venmo, Zelle, Apple Pay, Google Pay and PayPal shifting the focus away from bank accounts as the sole way of paying for things online. Retailers are also expanding how consumers can pay for their products by allowing purchases through mobile payment apps. Losses from ATO and fraud cost businesses across all industries, and all across the world, billions of dollars per year.
While cybercriminals traditionally target bank accounts, they are broadening their scope to target a range of online accounts such as e-commerce accounts, social media accounts, shop loyalty schemes, cryptocurrency wallets, and email accounts. E-commerce, in particular, is witnessing a significant surge in fraudulent activities, with $48 billion expected to be lost to fraud in 2023, according to Forbes.
Another way cybercriminals are expanding the threat is by the device. Mobile phones and their applications have become prime targets for account takeover. The number of reported mobile phone account takeover incidents, including SIM swap attacks, saw a significant increase of 78% between 2019 and 2020, according to a 2021 report by the Federal Trade Commission. This surge can be attributed to the fact that a staggering 91% of people make online purchases using their smartphones. Consequently, mobile commerce sales are projected to reach $710 billion by 2025, making this platform even more appealing to cybercriminals. The technological lag in security tools that protect users through web browsers but do not function as effectively on mobile apps further exacerbates this vulnerability.”
Having more online accounts means having more usernames and passwords to remember which will encourage some consumers to repeat their credentials across different accounts. This is highly risky but surprisingly common. Despite the evident risks, password security remains a significant challenge. The LastPass 2021 Password Security Report and the 2022 Psychology of Passwords report indicate a disconnect between user awareness and action. While 92% of users recognize the risks of reusing passwords, the majority continue to do so. Gen Z, although confident in password management, exhibits poor password hygiene, often using a single password or its variations. The reports also revealed a general overconfidence, with 89% acknowledging the risk of using similar passwords, but only 12% using different passwords for various accounts.
As the results from these reports show, users will reuse passwords even without understanding the risk, but why? Most likely because they haven’t been stung by this practice since they haven’t noticed their accounts have been compromised. However, they probably have been stung by their own forgetfulness which can be an inconvenience when they have to reset their login details. This leads users to weigh the risks and they often decide it’s easier to reuse passwords despite the cost being so high if their credentials are exposed.
When it comes to passwords, organizations such as NIST recommend that if your password has appeared on a list of exposed credentials, you should change your password on any accounts you have used it on and cease using that password. Taking action can greatly reduce the risk of you falling victim to a credential stuffing attack.
Password screening is the process of testing the strength of your password. Many cybersecurity companies offer this service, for example, https://www.enzoic.com/password-check/ checks if passwords are weak. Sites like this can also tell you how long it would take to crack your password in a brute force attack. If your password can be cracked in a matter of hours by a brute force attack then you should strongly consider changing your password immediately. A lot of online tools will now tell you how strong your password is (usually using a scale of easy to hard) and suggest ways to improve the strength, but password screening services go a step further for businesses, non-profits, and government agencies.
For businesses, non-profits and government agencies, the stakes are a lot higher. They could have thousands of user accounts vulnerable to account takeover and fraud due to the password reuse issue listed above.
Credential screening for online accounts can help prevent account takeover. Credential screening is the process of seamlessly screening usernames and passwords to identify if they have been compromised. These systems compare users’ credentials to large databases of leaked credentials in order to find a match and alert the user to their exposed credentials. This adds a strong layer of security to users’ accounts and also highlights the risk of password reuse. The check is performed at login, password reset, and account setup.
Unlike other authentication tools, credential screening only impacts the users who have exposed credentials, the rest of your users are completely unencumbered. This solution can also be used on all devices, not just websites. In any place where an organization collects a username and password combination, a credential screening solution can be added. For more information about compromised credential screening, visit www.enzoic.com.