Numerous reports online indicate that Account Takeover Attacks (ATOs) skyrocketed 300% during the pandemic, with no sign of this trend abating. ATO attacks are on the rise because they require a low level of sophistication, and they remain a profitable tool in the cybercriminal’s arsenal. CISOs and business leaders need to think differently about how to protect their organizations and assets in this increasingly dynamic cyber threat environment.
A recent Aberdeen Group report found that 84% of financial institutions experienced ATO-type attacks in the past year, and that such attacks can cost up to 8.3% of annual revenue. In a report by Juniper Research, online payment fraud will cost eCommerce merchants over $52 billion by 2025. This trend tracks with Microsoft’s recent report that MFA adoption remains low, with the increase in ‘Zelle Fraud’, and ultimately with the prevalence of weak and compromised credentials.
ATO attacks are a huge reputational risk for businesses in the finance industry, but that pales in comparison when customers lose their entire life savings.
Why ATO Attacks Are Successful
ATO attacks depend on credentials recovered from the dark web and public breach data to be successful, and often their use goes unnoticed by businesses. The Identity Theft Resource Center’s 2021 Data Breach Report indicates that 2021 was a record year, with breaches up 68% from the previous year. Such breaches result in vast amounts of personally identifiable information (PII), payment card numbers, and usernames and passwords being available on the internet.
In addition, cybercriminals know that consumers reuse the same password for multiple accounts on the internet. According to one Google survey, upwards of 52% of respondents indicated that they reuse the same passwords. From a hacker’s standpoint, reused credentials mean that passwords that work on one website have a likelihood of working on others, leading to a successful account takeover.
Another reason that ATO attacks are so effective is that hackers launch them in stealth mode. Like the Beastie Boys song of the same name, fraudsters use bots to carry out their attacks ‘slow and low’, often flying under the radar and going undetected. These attacks are frequently routed through proxy services distributed across the globe that obscure the attacker’s location. Because they are automated, they are easy to scale yet difficult to detect.
Even when the success rate of ATO attacks is in the low single digits, they are conducted on a global scale, which makes them pervasive and dangerous to businesses. A single-digit success rate applied to a very large number of attempts is still a very large number, which means that ATO attacks are profitable and will not disappear anytime soon.
Automated Credential Verification Mitigates Automated ATO Attacks
Stopping such attacks requires the ability to distinguish real users from cybercriminals. The ability to detect and block the use of leaked and reused credentials can be transformational for most organizations.
There is no shortage of solutions on the market that can help protect organizations from ATO attacks, but we at VeriClouds believe that effective solutions must include the following:
Credential threat intelligence: free breach notification services (like haveibeenpwned) are an inadequate and outdated model for credential security. It is a problem that they are ill-equipped to try to solve. The ability to not only detect—but verify—whether passwords are stolen or compromised is the killer feature of any service in this space today.
Integrated with IAM systems: threat intelligence is only useful when it is used. IAM systems must have the ability to check against credential threat intelligence during the password reset process to align with NIST’s 2021 password guidelines. When Steve Jobs said “creativity is just connecting things” he wasn’t thinking about credential threat intelligence or stopping preventable breaches, but we believe that connecting intelligence to authentication and password management systems is no longer optional.
Automated detection and mitigation: automation is table stakes when it comes to detective and corrective controls for any organization that takes privacy and cyber security risk seriously. Business and security leaders have a moral and fiduciary responsibility to protect their business interests; automating identity threat intelligence enables organizations to be proactive with cyber protections during the normal course of business.
To increase the efficiency and effectiveness of protective measures, organizations are maturing their cybersecurity and IAM programs by implementing Zero Trust-based controls. Breach notification happens after a data breach and harm has occurred. By integrating credential-centric threat intelligence during the runtime of IAM controls, organizations can be proactive by automating the detection and remediation of credential-based attacks.
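As an added illustration of the integration described above (example code written for this article, not VeriClouds’ CredVerify or any other product’s API), the following Python sketches a password-reset hook that checks a candidate password against a compromised-credential repository. The repository, the hash-prefix lookup protocol and the breach counts are all constructed assumptions; only the first five hex characters of the password hash leave the client, so the service never sees the full hash or the password.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample corpus standing in for a credential-intelligence repository:
# passwords that appeared in (fictional) breach dumps with fictional counts.
_BREACHED_PLAINTEXTS = {
    "password": 3_861_493,
    "123456": 23_597_311,
    "qwerty": 3_946_737,
    "letmein": 236_000,
}
# Assumption: the service indexes records by the uppercase SHA-1 of the password.
BREACH_INDEX: Dict[str, int] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in _BREACHED_PLAINTEXTS.items()
}

PREFIX_LEN = 5  # k-anonymity: only the first 5 hex chars of the hash leave the client

def range_query(prefix: str) -> List[Tuple[str, int]]:
    """Server side (simulated): return (suffix, count) for every indexed hash
    that begins with `prefix`. The server never learns the full hash."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return [(h[PREFIX_LEN:], n) for h, n in BREACH_INDEX.items() if h.startswith(prefix)]

def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for cand_suffix, count in range_query(prefix):
        if cand_suffix == suffix:
            return count
    return 0

def reset_password(new_password: str, min_length: int = 8) -> Tuple[bool, str]:
    """IAM hook for the password-reset flow: reject passwords that are too short
    or present in the breach corpus, as NIST SP 800-63B recommends."""
    if len(new_password) < min_length:
        return False, "password too short"
    n = breach_count(new_password)
    if n:
        return False, f"password found in {n} breached records; choose another"
    return True, "password accepted"

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", reset_password(pw))
```

In a real deployment the same check would run against the organization’s chosen intelligence feed at every password set, reset and login, not only once at reset time.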
The Bottom Line
Traditional security techniques like MFA and firewalls are not working. Hackers have well-funded operations, are innovative, and use whatever tools they need to be profitable. Hackers were not discouraged or deterred by COVID. In fact, the trends toward remote working have turned into an opportunity for cybercriminals, leaving businesses more vulnerable to cyber security risks.
CISOs in general—and financial services firms in particular—need to adopt solutions that can detect and mitigate the use of leaked and reused credentials used by the hackers and bots out there. Organizations may not have the credential security model they would like, but that should not stop them from trying to improve on what they have.
That’s why VeriClouds created CredVerify, our API backed by a repository of more than 24 billion records with privacy baked into the design to make it the safest way on the planet to check if your users’ credentials are pwned or not.
Schedule a call with VeriClouds today!