Enzoic Navigation
  • Solutions
    • Enzoic Account Takeover Protection
    • Enzoic for Active Directory
    • Enzoic Exposure Alerts
    • NIST Password Screening
  • FAQ
  • Resources
    • Submit a Support Ticket
    • Security Overview
    • API Documentation
    • Enzoic for Active Directory Documentation
  • Company
    • About Us
    • Careers
  • Blog
  • Contact Us
  • Free Trial
  • Solutions
    • Enzoic Account Takeover Protection
    • Enzoic for Active Directory
    • Enzoic Exposure Alerts
    • NIST Password Screening
  • FAQ
  • Resources
    • Submit a Support Ticket
    • Security Overview
    • API Documentation
    • Enzoic for Active Directory Documentation
  • Company
    • About Us
    • Careers
  • Blog
  • Contact Us
  • Free Trial

The Costs and Risks of Account Takeover

Account takeover (ATO) attacks result in billions of dollars of fraud and damage to brand reputation each year. These are the costs and risks associated with ATO.

Defining ATO

Let’s start by defining ATO. Account takeover is a form of online identity theft in which a cybercriminal illegally gains access to a victims account, such as a bank account or e-commerce account. The victims account will be of value to the hacker because it either holds funds or access to products, services or other stored value of some kind; as is the case with loyalty accounts for specific companies. Once the cybercriminal has gained access to the account, they will drain funds, use loyalty points, or use the credit and debit card information to commit an act of online fraud.

Cybercriminals will use various techniques to gain illegal access to the victim’s account, the most common of which are credential stuffing and credential cracking. Credential stuffing is an automated web injection attack where hackers use credential information sourced from data breaches to gain access to the victim’s other accounts. Credential cracking is another term for a brute force attack in which hackers will use dictionary lists or common usernames and passwords to guess their way into an account.

ATO Risks by The Numbers

ATO attacks are a major threat to online consumers and the reputation of companies whose consumers suffer from them. To understand why cybercriminals are increasing their efforts on account takeovers, you only have to look at how lucrative they are.

  • A 2018 NuData Security report found that 40% of all account access attempts online are high risk, meaning they are targeting access to financial data or something of value.
  • From 2016 to 2017, losses from Account Takeover rose 122%. In 2018, it increased by 164%.
  • The cost of these attacks tripled from 2016 to 2017, reaching an estimated $5.1 billion in the United States alone.   
  • According to Juniper Research, losses from fraudulent online transactions are expected to reach $25.6 billion by 2020. 

Cybercriminals Exploring New ATO Horizons

While cyber fraudsters traditionally targeted bank accounts, they are broadening their scope to target a range of online accounts such as e-commerce accounts, social media accounts, shop loyalty schemes, cryptocurrency wallets, and email accounts.

The e-commerce industry is growing at a rapid rate as online retailers tap into new markets in Asia and South America, and consumers enjoy the convenience of online shopping. According to German online statistics portal, Statista, e-commerce revenue in India is expected to grow to 62.3 billion U.S. Dollars in 2023, and more than double its current volume by 2022. When an online market grows, the attention cybercriminals put into exploiting it also grows.  Large retail companies like Walmart and Amazon are also attempting to tap into the growing e-commerce markets in India, South Korea, Turkey, and Brazil and capture a new consumer base. In May 2018 Walmart acquired a 77% stake in Flipkart, India’s largest online retailer, for $16 billion following two years of talks with the company.

These new consumers represent a lucrative new market for cybercriminals and it is not just the influx of newcomers that is fueling cybercriminals but also changes in consumer behavior. More consumers are turning to alternative payment methods such as Venmo, Zelle, and PayPal shifting the focus away from bank accounts as the sole way of paying for things online. Retailers are also expanding how consumers can pay for their products by allowing purchases through mobile payment apps.  Losses from ATO and fraud cost businesses across all industries, and all across the world, billions of dollars per year.

Another way cybercriminals are expanding the threat is by device. Mobile and mobile apps are becoming a prime target for account takeover.  In Rippleshot’s State of Card Fraud 2018 report they predicted that mobile phones would become an increasingly vulnerable target and the latest research appears to indicate the same. Javelin’s 2019 Identity Fraud Study also indicated that mobile phone account takeovers are on the rise, accounting for 679,000 incidents in 2018, up around 45% from 2017.  One of the reasons for this increase in mobile is technology lag.  While there is an increase in tools designed to protect users through a web browser, many of those same tools do not work on mobile apps.

Largest ATO Risk: Exposed Passwords

Having more online accounts means having more usernames and passwords to remember which will encourage some consumers to repeat their credentials across different accounts. This is highly risky but surprisingly common. According to darkreading.com 59% of survey respondents said they reuse passwords despite 91% of them saying they understand the risks associated. The main reason cited for reusing passwords was fear of forgetfulness.

As the results from the darkreading.com survey show, users will reuse passwords even understanding the risk, but why? Most likely because they haven’t been stung by this practice since they haven’t noticed their accounts have been compromised. However, they probably have been stung by their own forgetfulness which can be an inconvenience when they have to reset their login details. This leads users to weigh the risks and they often decide it’s easier to reuse passwords despite the cost being so high if their credentials are exposed.

What can be done about ATO Risks?

Concerned users can use websites like https://www.avast.com/hackcheck/ to see if your password has been leaked online. The Avast website will tell you what company the data breach was associated with and offer advice on next steps. When it comes to passwords, they recommend that if your password has appeared on a list of exposed credentials, you should change your password on any accounts you have used it and cease using that password. Taking action can greatly reduce the risk of you falling victim to a credential stuffing attack.

Password screening is the process of testing the strength of your password. Many cybersecurity companies offer this service, for example, https://check.enzoic.com/ to check if their passwords are weak. Sites like this can also tell you how long it would take to crack your password in a brute force attack. If your password can be cracked in a matter of hours by a brute force attack then you should strongly consider changing your password immediately.  A lot of online tools will now tell you how strong your password is (usually using a scale of easy to hard) and suggest ways to improve the strength, but password screening services go a step further for businesses, non-profits and government agencies.

Credential Screening

For businesses, non-profits and government agencies, the stakes are a lot higher.  They could have thousands of user accounts vulnerable to account takeover and fraud due to the password reuse issue listed above.

Credential screening for online accounts can help prevent account takeover. Credential screening is the process of seamlessly screening usernames and passwords to identify if they have been compromised. These systems compare users’ credentials to large databases of leaked credentials in order to find a match and alert the user to their exposed credentials. This adds a strong layer of security to users’ accounts and also highlights the risk in password reuse.  The check is performed at login, password reset or account set up. 

Unlike other authentication tools, credential screening only impacts they users who have exposed credentials, the rest of your users are completely unencumbered.  This solution can also be used on all devices, not just one websites.  Any place where an organization collects a user name and password combination, a credential screening solution can be added. For more information about compromised credential screening, visit www.enzoic.com

Share this Post

Account TakeoverAccount Takeover CostsAccount Takeover RisksATOcredential screening

Search

Browse blog categories

  • Account Takeover (2)
  • Active Directory (1)
  • all posts (25)
  • breach (3)
  • Continuous Password Protection (1)
  • Credential Screening (2)
  • cybersecurity (12)
  • Edtech (1)
  • Law Firms (1)
  • NIST 800-63b (1)
  • press release (3)
  • Recognition and Awards (1)
  • tips (7)

Recent tweets

Enzoic
19m
Enzoic
@EnzoicSecurity

Eliminating the Periodic Password Reset. NIST 800-63b password guidelines include the guideline to stop forcing periodic password resets for users. Why? Click the link to learn more: zurl.co/bslj #ActiveDirectory #NIST800-63b #PasswordPolicy #PasswordScreening pic.twitter.com/DGIiOhxC4w

Expand reply reply retweet retweet favorite favorite
Enzoic
2h
Enzoic
@EnzoicSecurity

QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack — Krebs on Security krebsonsecurity.com/2019/07/q…

Expand reply reply retweet retweet favorite favorite
Enzoic
19 Jul
Enzoic
@EnzoicSecurity

Instagram Account Takeover Vulnerability Earns Hacker $30,000 | SecurityWeek.Com securityweek.com/instagram-ac…

Expand reply reply retweet retweet favorite favorite
Enzoic
19 Jul
Enzoic
@EnzoicSecurity

What Is Credential Dumping? Modern network intrusions thrive on a counterintuitive trick: stealing passwords from computers that hackers have already compromised. zurl.co/YnKp #CredentialDumping #InfoSec

Expand reply reply retweet retweet favorite favorite
Enzoic
18 Jul
Enzoic
@EnzoicSecurity

Slack resets passwords for 1% of its users because of 2015 hack: zurl.co/xxpZ #DetectCompromisedCredentials #PasswordScreening

Expand reply reply retweet retweet favorite favorite

Stay up to date

Research, news, and more right to your inbox

More

  • Learning about strong, but unsafe passwords
  • What is a credential stuffing attack?
  • What is account takeover (ATO) fraud?
  • Eliminating password reuse to prevent ATO fraud
  • Password Strength Meter (Free)
  • Developer Documentation (APIs)

Recent blog posts

  • Introducing Continuous Password Protection for Active Directory
  • 5 Industries at Risk for Credential Stuffing and ATO
  • Questions To Ask When Considering A Credential Screening Solution
  • Enzoic Identified as a Leading Cyber Security Solution Provider
  • [ Free Trial ]
  • Contact Us
  • 1-720-773-4515

Enzoic ©2019 | Privacy Policy | Acceptable Use

More Information
This site is for EDUCATIONAL PURPOSES ONLY.
Your password will be sent securely to the Enzoic servers to check if it is compromised. We do not store your password or use it for any other purpose. If you are not comfortable with this, do not enter your real password.
What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed by hackers on the web and dark web over the years and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on this list of compromised passwords. This is what the Password Check tool was designed to tell you and why it is superior to traditional password strength estimators you may find elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater. Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups. We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.

More…
  • Visit our FAQ to learn more
  • Contact us for press or sales inquiries
  • Add a free password strength meter to your website

Pop

test

test

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater.

Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose – SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups. We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.