For cyber criminals, account takeover (ATO) attacks are a very effective way to attack customer-facing online businesses. These forms of attack are scalable and promise criminals a high financial return. A recent study by the research company Aberdeen on behalf of Nevis Security AG, which specialises in secure login solutions, shows that the consequences of successful account takeovers have reached frightening proportions. The financial damage goes far beyond pure business costs and thus becomes an existential risk for affected companies.
The main causes of successful account takeovers are the sheer number of online accounts people use today and the way they manage the credentials those accounts require. For example, the average user has up to 130 digital accounts, each requiring a password. With this number, it is not surprising that users spend an average of twelve days of their lives searching for the right usernames and passwords.
“The resulting frustration of users leads to further security problems, because they want to make things as easy as possible,” explains Stephan Schweizer, CEO of Nevis: “The most popular passwords are still “abc123”, “password” and the number combination “123456”. In addition, most passwords have less than the recommended minimum length of ten characters and more than half of users use the same password for multiple accounts.”
Cybercriminals benefit from this lax approach to passwords. It makes it easier for them to break into and take over digital customer accounts. Nevis has identified the five most successful attack methods that, in the worst case, lead to account takeover:
1. Phishing and social engineering: At over 17 percent, this is the fourth most common type of attack. The attackers exploit the user’s trust in the supposed sender. They no longer rely solely on e-mails and text messages to obtain account data, but increasingly manipulate users via telephone calls.
2. Brute force attacks: With a frequency of more than 18 percent, this attack method is in third place. The cybercriminals use tools that automatically try out access data. This type of attack is promising for them because users often do not use passwords as complex and varied as security experts recommend.
3. Keylogger attacks: In this method, criminals use hardware or software to record keystrokes. In this way, letter and number combinations can be captured and login data reconstructed.
4. Man-in-the-middle attacks: In this type of attack, the attacker inserts himself into the communication path between two parties and can thus bypass the encryption. The attacker then has access to various data, for example username and password.
5. Credential stuffing: The cybercriminals use access data that has become public after a data breach or was bought on the dark web. They then use bots to launch mass login attempts against other online services. Since users often use the same access data for several accounts, the chances are good that the attackers will succeed in taking over another account. Credential stuffing attacks often go undetected because, from the service’s point of view, a “legitimate” customer logs in during the account takeover.
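The brute force and credential stuffing items above differ in a way a login service can actually see in its own authentication logs: a brute force attack produces many failed attempts against one account, while credential stuffing produces a small number of attempts against many different accounts, some of which succeed with the very first try. The following example, added here and not part of the Nevis study or of any Nevis product, shows detection logic for both patterns run over a few constructed log lines. The log format (`timestamp source_ip username OK|FAIL`) and the thresholds are assumptions chosen for illustration; a real deployment would tune them to its own traffic.

```python
"""Flag brute-force and credential-stuffing patterns in authentication logs.

Added example (not Nevis code). The log format below is an assumed,
constructed format: "<timestamp> <src_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from typing import NamedTuple

# Constructed sample log lines (not real data): one source hammering "alice",
# one source trying six different accounts once each (two succeed), and one
# ordinary user who mistypes a password once and then logs in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 alice FAIL
2024-05-01T10:00:02 203.0.113.5 alice FAIL
2024-05-01T10:00:03 203.0.113.5 alice FAIL
2024-05-01T10:00:04 203.0.113.5 alice FAIL
2024-05-01T10:00:05 203.0.113.5 alice FAIL
2024-05-01T10:00:06 203.0.113.5 alice FAIL
2024-05-01T10:01:00 198.51.100.7 bob FAIL
2024-05-01T10:01:01 198.51.100.7 carol OK
2024-05-01T10:01:02 198.51.100.7 dave FAIL
2024-05-01T10:01:03 198.51.100.7 erin FAIL
2024-05-01T10:01:04 198.51.100.7 frank OK
2024-05-01T10:01:05 198.51.100.7 grace FAIL
2024-05-01T10:05:00 192.0.2.9 heidi FAIL
2024-05-01T10:05:09 192.0.2.9 heidi OK
"""


class AuthEvent(NamedTuple):
    ts: str
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed four-column format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(ts, ip, user, result == "OK"))
    return events


def detect(events, bf_threshold=5, cs_min_accounts=5, cs_max_per_account=2):
    """Return the (source, user) pairs that look like brute force and the
    sources that look like credential stuffing.

    Brute force: at least `bf_threshold` failures for one (source, user) pair.
    Credential stuffing: one source touching at least `cs_min_accounts`
    distinct users with no more than `cs_max_per_account` attempts each,
    regardless of whether the attempts succeed (the successes are the
    takeovers the text describes as looking like legitimate logins).
    """
    fails_per_pair = defaultdict(int)                        # (ip, user) -> failed attempts
    attempts_per_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> attempts
    successes_per_ip = defaultdict(set)                      # ip -> users logged in

    for e in events:
        attempts_per_ip[e.src_ip][e.user] += 1
        if e.success:
            successes_per_ip[e.src_ip].add(e.user)
        else:
            fails_per_pair[(e.src_ip, e.user)] += 1

    brute_force = {pair: n for pair, n in fails_per_pair.items() if n >= bf_threshold}

    stuffing = {}
    for ip, per_user in attempts_per_ip.items():
        if len(per_user) >= cs_min_accounts and max(per_user.values()) <= cs_max_per_account:
            stuffing[ip] = {
                "accounts_tried": len(per_user),
                "accounts_compromised": sorted(successes_per_ip[ip]),
            }

    return {"brute_force": brute_force, "credential_stuffing": stuffing}


if __name__ == "__main__":
    report = detect(parse_log(SAMPLE_LOG))
    for (ip, user), n in report["brute_force"].items():
        print(f"brute force: {n} failures against {user!r} from {ip}")
    for ip, info in report["credential_stuffing"].items():
        print(f"credential stuffing from {ip}: {info['accounts_tried']} accounts tried, "
              f"compromised: {info['accounts_compromised']}")
```

Running the block prints one brute force finding for `alice` and one credential stuffing finding for `198.51.100.7`, with `carol` and `frank` listed as the accounts that were taken over; the ordinary user `heidi` is not flagged by either rule. The per-source grouping is a simplification: real credential stuffing campaigns are usually spread across many source addresses, so a production detector would also group by time window, user agent or device fingerprint, and would treat a sudden rise in the site-wide failure rate as a signal in its own right.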
The consequences of a successful account takeover are far-reaching: fraudulent purchases, the theft of services or even the registration of new accounts by criminal users, for example for credit applications, are among them.
“To reduce the risks during login and thus in terms of account takeover, passwords must be minimised as weak points. Biometric verification methods contribute not only to a secure but also to a frictionless customer experience. Instead of the eternal cat and mouse game with cyber criminals, it is important that companies increasingly rely on passwordless authentication,” Schweizer concludes.