
Get stuffed: a lesson in account takeover and what to do next


So, we all know the scenario by now. You’re sitting at home and you get a call from a friend, “Hey buddy. There are some strange emails coming from your account - I think you’ve been hacked”. It happened to my own sister just last week. The usual panic ensued as the mind tried to work out how it happened - what else is compromised and who is to blame? And it’s not just emails; Facebook, Instagram and a plethora of other logins are compromised too. In fact, nearly everywhere you login is a target. So, why is it happening? And what can you do to prevent becoming another statistic? Let’s start from the beginning, shall we, so we understand what steps to take.

ATO: why is my account being attacked?

There’s a simple answer to this: money. The less malicious attacks will use your email address book to send spam emails to your contacts or to send viral marketing posts on Instagram or Facebook. The more malicious attacks are digging around for your address, credit card numbers and any other PII (personally identifiable information). Once they have this information it's easy to imagine how credit card fraud can occur. There are other reasons for attacks too. For example, if you collect supermarket loyalty points that can be spent or transferred online, hackers take over your account and steal the points (these are heavily targeted by the way).

Account takeover (ATO), as this process is officially known, is effectively an online version of identity theft. Perpetrators illegitimately gain access to your online e-commerce or financial accounts commonly through the use of bots. Successful ATOs often result in multiple fraudulent e-commerce transactions and unapproved shopping orders carried out from the breached accounts of the victim(s).

How am I being targeted?

Try to think of any user-data leak story you have heard or read about on the web. The biggest to date were Facebook leaking nearly half a billion phone numbers and the Marriott Hotel’s guest list. If you want to scare yourself you can see an infographic of leaks to date - if you really want to scare yourself you can check whether your email address was involved in these leaks. Every time one of these leaks happens, the data goes on sale across the dark web, where the bad guys merge it into enormous databases of email addresses and known passwords. These lists are then replayed against every login box, for every site, everywhere. So if you re-use a password on multiple sites that are connected to the same email address (i.e. everyone), then you’re in serious trouble.
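The replay described above is called credential stuffing, and its footprint in a site’s authentication logs is distinctive: one client trying many different usernames once each, almost all of them failing, with the occasional success where a re-used password matched. The following is an added example (not code from the article or from GlobalDots) of the detection logic a site operator can run over such logs. The log line format and the sample lines are constructed for this example; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed auth-log format for this example (not any real product's format):
# <ISO timestamp> ip=<client ip> user=<login name> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one client walks through a leaked list and gets one hit,
# one legitimate user mistypes their password twice, one logs in cleanly.
SAMPLE_LOG = """
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave@example.com result=OK
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2024-05-01T10:00:10Z ip=198.51.100.20 user=bob@example.com result=FAIL
2024-05-01T10:00:25Z ip=198.51.100.20 user=bob@example.com result=FAIL
2024-05-01T10:00:40Z ip=198.51.100.20 user=bob@example.com result=OK
2024-05-01T10:01:00Z ip=198.51.100.21 user=carol@example.com result=OK
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_by_ip(lines):
    """Per client IP: attempt count, failure count, distinct users tried,
    and the users that logged in successfully from that IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "hits": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ignore lines in an unexpected format
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["hits"].append(rec["user"])
    return stats


def flag_stuffing(lines, min_users=5, min_fail_rate=0.8):
    """Flag IPs that tried many distinct accounts with a high failure rate.
    A legitimate user retrying their own password is one user, so not flagged.
    Returns one record per flagged IP, including accounts that were actually
    opened from it (these need a forced password reset and an MFA step-up)."""
    flagged = []
    for ip, s in summarize_by_ip(lines).items():
        fail_rate = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged.append({
                "ip": ip,
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_rate": round(fail_rate, 3),
                "compromised": sorted(s["hits"]),
            })
    return sorted(flagged, key=lambda f: f["ip"])


if __name__ == "__main__":
    for rec in flag_stuffing(SAMPLE_LOG):
        print(rec)
```

The single-IP view is the baseline signal; real campaigns spread attempts across many addresses, so production detectors also key on user agent, ASN and sliding time windows. The important output is the "compromised" list: a success in the middle of a run of failures is exactly the account takeover the article describes, and that account should be locked and its owner notified, not just the source IP blocked.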

How do I not become a statistic?

A reporter once said, “Passwords are like underwear. You should change them often (okay, maybe not every day). Don’t share them. Don’t leave them out for others to see (no sticky notes!). Oh, and they should be sexy. Wait, sorry, I mean they should be mysterious. In other words, make your password a total mystery to others.” If you make one step towards better security, follow that advice. It means you’ll only get hacked in one place if there is a breach. Worryingly, people are using their simple passwords across multiple accounts (with some reports saying up to 92 per cent of online users do so). I highly recommend a browser add-on to help you remember all of your passwords - it’s called LastPass and it’s free to use (no more sticky notes!).

What additional steps can I take?

The next VERY BIG step you can take is to activate Multi Factor Authentication (MFA) on your accounts. What is MFA? Well, you’ve already used it lots of times, I guarantee it. MFA is that extra step as part of a login or interaction with a website. It’s now routinely used by online banking platforms. Think of that extra PIN you enter or the text message that gets sent to you with a confirmation code - this is MFA. It’s little known, but a lot of websites (Amazon, eBay, Gmail etc.) have this feature and you can activate it today. If you activate MFA you will reduce your chance of an account takeover to nearly zero - this is a must.

Why aren’t companies doing more to protect us?

You might be thinking ‘if ATO attempts can be brought to nearly zero with MFA, then why aren’t all companies enforcing this?’ MFA is fast becoming a requirement for customer applications, but it can add friction to the customer experience. Some customers see it as an unnecessary headache and others will see it as a welcome security protocol. Ultimately though, the short answer (once again) as to why companies choose to swerve MFA, is money. Amazon et al are very aware that if they add additional steps to login it creates purchasing ‘friction’. One-click purchasing will be impacted and customers might not go through with that impulse buy, which in turn affects profits. Unfortunately, no company will put your safety first when they have their focus on your bank account - as bad as that sounds, it’s true.

Is there a solution to this?

This is where governments need to step in and mandate MFA logins on any website that stores any Personally Identifiable Information (PII) or Payment Card Information (PCI). With a mandate from the government, MFA could be easily and effectively rolled out across the internet, and account takeovers would dramatically decrease overnight. Interestingly, the U.S. government, as part of their CyberSecurity National Action Plan, mandated the use of MultiFactor Authentication (MFA) for all their Federal government websites in September of last year.

What next?

The threat of having your accounts taken over is no longer something we all read about - it’s a major issue and one we need to all take individual responsibility for. It’s time to change all those passwords, make them unique and activate MFA on your main accounts. In time I believe - and hope - the government will lead from the front and take action to ensure we’re all better protected.

Steven Puddephatt, Technical Architect, GlobalDots