End users are faced with a barrage of security risks when it comes to protecting their digital services from Account Takeover. The first step to mitigating these risks is understanding what they are. Below is some further insight into a handful of the most common ways accounts are being compromised and what the enterprise can do to address the threats created by these security challenges:
SMS SS7 Hacking
Many banking and secure websites have opted for SMS based two-factor authentication (2FA) in the form of a one-time passcode (OTP). This form of authentication is very convenient for end users as it doesn’t require the download of any third party authenticator app (Ex. Authy, Google Authenticator). Although this technology provides a convenient user experience, it can also pose significant risks.
The protocol responsible for handling communication from one mobile network to another (referred to as SS7) can be hacked. This allows third-party fraudsters to monitor phone calls or text messages. As a result, SMS based OTP’s can be intercepted and used in combination with stolen credentials to provide unauthorized access to customer accounts. Click here to learn more.
Social engineering refers to mapping intimate personal details or behaviours from someones web presence for the purpose of constructing a synthetic digital footprint and fraudulently assuming their identity.
By combing a users Linkedin, Instagram or Facebook feed to determine purchasing habits, recent travel information, or their relationships (personal / business) fraudsters can circumvent security questions for online banking or when calling a customer contact centre to initiate a sim swap attack.
Social Engineering is proving to be a reliable method of fraud for carrying out Business Email Compromise (BEC) Attacks which has seen global losses total 12 billion amidst a 126% increase from December 2016 - May 2018.
Sim Swap Attacks
A sim swap attacks occur when a fraudster uses the information they have gathered about an individual sourced through a data breach or social engineering to scam mobile providers into activating a new SIM card and sending it to the unauthorized party.
Since SMS based authentication is tied to a users mobile number, this allows a fraudster to bypass this form of step-up user authentication. To make matters worse, once in possession of the users' mobile number an impersonator can harvest more information about an individual by tricking their contacts into providing details related to sensitive financial, personal or account information further compromising existing accounts or wreaking havoc on new accounts. In the past couple of months, Sim Swap attacks have been increasing in frequency, in the UK: City of London Police's ActionFraud division has seen a 63% rise in Sim Swap related fraud as of January 2019.
The average user relies on up to 92 password protected accounts to access their digital services across their email, personal banking, social media and even government services. The sheer volume of accounts a user has to manage makes it difficult to maintain credentials that are both secure and unique. As a result, password reuse has become a significant problem. Approximately 52% of users leverage the same password or very similar ones across all of their connected accounts.
With the number of stolen credentials continuing to grow (up to 2.3 billion last year alone) hackers exploit data breaches and use stolen passwords through a systematic approach.
Since most services will lock a single account after a few invalid password attempts, hackers will often look to attack many accounts over a longer period of time. Many web services do not employ sophisticated enough pattern-matching needed to detect an attacker who is slowly trying login attempts across thousands of accounts (with each attempt coming to a unique IP through the use of botnets), it becomes very challenging to detect these sort of attacks.
Policing this becomes difficult: if you enhance security to detect password failed login attempts, you also risk locking out your users who have simply forgotten a complex password you required them to set up in the first place.
If we operate under the assumption that most attackers already have the keys to the kingdom, it becomes critical that the utmost scrutiny is taken when securing customer accounts and preventing against account takeover.
Although these forms of fraud pose challenges to enterprise security personnel, there are many new technologies that can prevent against these sorts of attacks. The most effective way to prevent against fraud is taking a multi-layered approach to security. This means securing inside out: this can involve using monitoring tools to better-understanding user patterns and habits from within their accounts, but also understanding anomalies as they occur on the perimeter. As we have seen from some of the above examples, perimeter security will only be as effective as its ability to stand up against the most sophisticated of attacks.
A Case for Mobile Biometrics
Using a secure biometric platform can allow you to integrate a variety of biometrics to enhance customer security while maintaining an appropriate threshold of convenience.
Since an individual's biometric details can’t be replicated or stolen, securely provisioned on-device biometric authentication provides a worthy opponent for the mentioned fraud vectors. Biometrics cannot be intercepted, cracked, compromised or guessed by observing someone's digital interactions.
The added benefit is that since biometric authentication provides certainty of identity, it can also satisfy compliance-driven requirements across financial services and healthcare related to PSD2, HIPAA and GDPR.