Get Stuffed: A Lesson in Account Takeover and What to Do Next

GlobalDots

The threat of having your accounts taken over is no longer something we all read about – it’s a major issue facing us all.

So, we all know the scenario by now. You’re sitting at home and you get a call from a friend, “Hey buddy. There’s some strange emails coming from your account – I think you’ve been hacked”. It happened to my own sister just last week. The usual panic ensued as the mind tried to work out how it happened – what else is compromised and who is to blame?

And it’s not just emails; Facebook, Instagram and a plethora of other logins are compromised too. In fact, nearly everywhere you log in is a target. So, why is it happening? And what can you do to prevent becoming another statistic? Let’s start from the beginning so we understand what steps to take.

ATO: why is my account being attacked?

There’s a simple answer to this: money. The less malicious attacks will use your email address book to send spam emails to your contacts or to send viral marketing posts on Instagram or Facebook. The more malicious attacks are digging around for your address, credit card numbers and any other PII (personally identifiable information). Once they have this information it’s easy to imagine how credit card fraud can occur. There are other reasons for attacks too. For example, if you collect supermarket loyalty points that can be spent or transferred online, hackers take over your account and steal the points (these are heavily targeted by the way).

Account takeover (ATO), as this process is officially known, is effectively an online version of identity theft. Perpetrators illegitimately gain access to your online e-commerce or financial accounts commonly through the use of bots. Successful ATOs often result in multiple fraudulent e-commerce transactions and unapproved shopping orders carried out from the breached accounts of the victim(s).

How am I being targeted?

Try to think of any user leak story you have heard or read about on the web. The biggest to date being Facebook leaking nearly half a billion phone numbers and the Marriott Hotel’s guest list. If you want to scare yourself you can see an infographic of leaks to date – if you really want to scare yourself you can check if your email address was involved in these leaks.

Every time one of these leaks happens, the stolen data goes on sale across the dark web, where the bad guys combine it into enormous databases of email addresses and known passwords. These lists are then replayed against every login box, for every site, everywhere. So if you re-use a password on multiple sites that are all tied to the same email address (i.e. everyone), then you’re in serious trouble.
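The replay described above has a recognisable shape in a site’s own authentication logs: one source trying many different accounts, roughly once each, with most attempts failing. The following detection logic is an added example, not code from the original article or from GlobalDots; the log format, the threshold values and the sample log lines are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log (no real system or users); the line format is an
# assumption for this example: "<timestamp> <source-ip> <username> <result>".
SAMPLE_AUTH_LOG = """\
2020-03-25T10:00:01Z 203.0.113.7 alice@example.com LOGIN_FAIL
2020-03-25T10:00:02Z 203.0.113.7 bob@example.com LOGIN_FAIL
2020-03-25T10:00:02Z 203.0.113.7 carol@example.com LOGIN_FAIL
2020-03-25T10:00:03Z 203.0.113.7 dave@example.com LOGIN_OK
2020-03-25T10:00:03Z 203.0.113.7 erin@example.com LOGIN_FAIL
2020-03-25T10:00:04Z 203.0.113.7 frank@example.com LOGIN_FAIL
2020-03-25T10:00:05Z 203.0.113.7 grace@example.com LOGIN_FAIL
2020-03-25T10:00:05Z 203.0.113.7 heidi@example.com LOGIN_FAIL
2020-03-25T10:01:00Z 198.51.100.9 alice@example.com LOGIN_FAIL
2020-03-25T10:01:05Z 198.51.100.9 alice@example.com LOGIN_FAIL
2020-03-25T10:01:20Z 198.51.100.9 alice@example.com LOGIN_OK
2020-03-25T10:02:00Z 192.0.2.44 ivan@example.com LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source-IP login behaviour accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in OK


def profile_sources(log_text: str) -> dict:
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, ip, username, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(username)
        if result == "LOGIN_FAIL":
            s.failures += 1
        elif result == "LOGIN_OK":
            s.successes.add(username)
    return dict(stats)


def find_stuffing_sources(log_text: str, min_attempts: int = 5,
                          min_distinct_users: int = 5,
                          min_failure_ratio: float = 0.5) -> dict:
    """Return {source_ip: [accounts that succeeded]} for sources whose pattern
    matches credential stuffing: many attempts spread over many distinct
    accounts, mostly failing. Thresholds are illustrative, not tuned values.

    A source hammering one account many times (classic brute force) does not
    match here, because it touches too few distinct usernames.
    """
    flagged = {}
    for ip, s in profile_sources(log_text).items():
        failure_ratio = s.failures / s.attempts
        if (s.attempts >= min_attempts
                and len(s.usernames) >= min_distinct_users
                and failure_ratio >= min_failure_ratio):
            # Successful logins from a stuffing source are the probable
            # takeovers: those accounts need a forced reset and a review.
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for ip, hits in find_stuffing_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: credential stuffing pattern; likely compromised: {hits}")
```

On the sample log the first source is flagged and the one account it logged into successfully is reported; the second source, which repeatedly tries a single account, is left for a separate brute-force rule. In production the same aggregation would be keyed on a sliding time window and on more than the raw IP (ASN, device fingerprint), since stuffing traffic is routinely spread across proxy pools.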

How do I not become a statistic?

A reporter once said, “Passwords are like underwear. You should change them often (okay, maybe not every day). Don’t share them. Don’t leave them out for others to see (no sticky notes!). Oh, and they should be sexy. Wait, sorry, I mean they should be mysterious. In other words, make your password a total mystery to others.” If you take one step towards better security, follow that advice. It means you’ll only get hacked in one place if there is a breach.

Worryingly, people are using their simple passwords across multiple accounts (some reports say up to 92 per cent of online users do so). I highly recommend a browser add-on to help you remember all of your passwords – it’s called LastPass and it’s free to use (no more sticky notes!).
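The article suggests checking whether your email address appears in known leaks; the same idea applied to passwords is the check a site should run at sign-up or password change, so that a password already circulating in those dark-web lists is refused before it can be stuffed. The code below is an added example, not the article’s or GlobalDots’ code. It models the k-anonymity range query used by breach-lookup services (only the first five hex characters of the SHA-1 are ever sent; the match is made locally) but runs entirely offline against a constructed response; the suffixes and counts in that response are made up.

```python
import hashlib


def password_sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-case as breach-corpus lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Split the hash into the 5-hex-char prefix that would be sent to the
    lookup service and the 35-char suffix that stays on the client."""
    digest = password_sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse a range response of 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus, matched locally
    against the returned suffixes so the full hash never leaves the client."""
    _prefix, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def is_acceptable_password(password: str, range_body: str,
                           min_length: int = 12) -> bool:
    """Sign-up / change-password policy: long enough and not known-breached."""
    return len(password) >= min_length and breach_count(password, range_body) == 0


# Constructed stand-in for the service's response to the prefix of "password".
# The other two suffixes and every count are invented for this example.
_, _PASSWORD_SUFFIX = split_for_range_query("password")
CONSTRUCTED_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:2\n"
    f"{_PASSWORD_SUFFIX}:3730471\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
)

if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-2020"):
        verdict = "ok" if is_acceptable_password(candidate, CONSTRUCTED_RANGE_BODY) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

In a real deployment the range body would come from an HTTPS request for the prefix, the lookup would be cached, and a failure to reach the service should fail open on the length rule rather than block sign-ups. The point is that the server can refuse a known-leaked password without ever learning or transmitting the full hash.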

What additional steps can I take?

The next VERY BIG step you can take is to activate Multi Factor Authentication (MFA) on your accounts. What is MFA? Well, you’ve already used it lots of times, I guarantee it. MFA is that extra step as part of a login or interaction with a website. It is now routinely used, most notably, by online banking platforms.

Think of that extra PIN you enter or the text message that gets sent to you with a confirmation code – this is MFA. It’s little known, but a lot of websites (Amazon, eBay, Gmail etc.) have this feature and you can activate it today. If you activate MFA you will reduce your chance of an account takeover to nearly zero – this is a must.

Why aren’t companies doing more to protect us?

You might be thinking ‘if ATO attempts can be brought to nearly zero with MFA, then why aren’t all companies enforcing this?’ MFA is fast becoming a requirement for customer applications, but it can add friction to the customer experience. Some customers see it as an unnecessary headache and others see it as a welcome security protocol.

Ultimately though, the short answer (once again) as to why companies choose to swerve MFA is money. Amazon et al. are very aware that if they add additional steps to login it creates purchasing ‘friction’. One-click purchasing will be impacted and customers might not go through with that impulse buy, which in turn affects profits. Unfortunately, no company will put your safety first when they have their focus on your bank account – as bad as that sounds, it’s true.

Is there a solution to this?

This is where governments need to step in and mandate MFA logins on any website that stores any Personally Identifiable Information (PII) or Payment Card Information (PCI). With a mandate from the government, MFA could be easily and effectively rolled out across the internet, and account takeovers would dramatically decrease overnight. Interestingly, the U.S. government, as part of its Cybersecurity National Action Plan, mandated the use of Multi-Factor Authentication (MFA) for all its Federal government websites in September of last year.

What next?

The threat of having your accounts taken over is no longer something we all read about – it’s a major issue and one we need to all take individual responsibility for. It’s time to change all those passwords, make them unique and activate MFA on your main accounts. In time I believe – and hope – the government will lead from the front and take action to ensure we’re all better protected.

If you have any questions, contact us today to help you out with your performance and security needs.

*This article originally appeared in ITProPortal on March 25, 2020.
