Account takeover tactics vary. A cybercriminal can gain access to the victim’s account via:
- Phishing — where they imitate someone the person trusts to get them to reveal their credentials or make the person visit information-stealing sites
- Brute force attack — where they use trial and error to guess a person’s password
- Malware — where they infect a device with the program that sends credentials right back to them
- Stealing or buying your password and username on hacking forums and data dumps
Once the cybercriminal logs in, they can use the account’s data to steal the victim’s identity, make fraudulent transactions, or use the account as a foothold to get deeper into a business’s network.
What are some account takeover prevention steps you can take as an individual or an organization to prevent illicit access to your accounts?
#1 Practice Basic Cyber Hygiene
What any individual can do straight off the bat is set up a strong password. Weak passwords have been a vulnerable point in security for decades. The majority of successful hacks happen because of easily guessable passwords.
For example, the latest 23andMe breach, in which the threat actor stole the data of 7 million users, occurred because users relied on weak and reused credentials.
Weak, easy-to-guess passwords are those that:
- Are repeated across multiple accounts
- Contain personal information (e.g. birthdays or names)
- Don’t feature long and complex strings of characters
After you set up a strong password, add two-factor authentication to your accounts. The more layers the hacker has to get through, the stronger your account protection is.
On a corporate level, cyber hygiene is all about managing security to strengthen it in the weakest places.
That could mean ensuring that systems are patched, limiting the number of login attempts, and making sure that no one gains illicit access to the system.
Another part of it is educating employees on the best security practices — such as setting up two-factor authentication and changing passwords every six months.
#2 Beware of Social Engineering Schemes
Social engineering methods such as shoulder surfing or phishing can lead to account takeovers.
With shoulder surfing, a hacker watches you log into your account while you use a device in public and writes down your credentials.
Most phishing scams are email-based, however.
Hackers send emails that are seemingly from trusted websites, your bank, or even your boss. They mimic an entity with authority or someone you trust to get you to take urgent action.
In 2022, eight out of ten emails that workers in the public sector received were credential phishing scams.
Bad actors might imitate your boss to make you send your credentials. Other times, they will send you an infected link that leads you to a seemingly trusted site. After you log in via that link, they capture your username and password.
Email filters can identify emails that contain malicious programs (malware) or common phrases that hackers have used in the past.
However, many spam emails will bypass email filters and reach your inbox — leaving you to spot the scam before you hand your credentials over to criminals.
#3 Have Tools to Block Automated Account Fraud Attempts
These days, bad actors rely on bots and information from data dumps to gain unauthorized access to your accounts.
They can use a password leaked in another data breach to try it against unrelated services (known as credential stuffing). That kind of brute force attack often works because users reuse the same password across multiple unrelated accounts.
Therefore, businesses need more advanced solutions to catch such automated attempts early: tools that are capable of:
- Identifying malicious attempts at login on time
- Pinpointing which method the hacker is using
- Letting you know which parts of the system are compromised
Account takeover prevention solutions are usually also automated so they can keep up with criminal activity in real time. They rely on machine learning and AI to provide accurate reports on potential unauthorized access based on the context of your business.
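As an added illustration (not code from the original article) of the first two capabilities above, here is a small detector that reads login audit lines, flags a source address that exceeds a failure threshold, and labels it as brute force (many guesses against one account) or credential stuffing (one source trying many different accounts from a dump), reporting any account that then logged in successfully from that source. The log line format, the addresses and the threshold are all constructed assumptions.

```python
"""Classify suspicious login activity from constructed audit log lines."""
from collections import defaultdict

# Constructed sample log: "<time> <source_ip> <username> <result>"
SAMPLE_LOG = """\
10:00:01 203.0.113.5 alice FAIL
10:00:02 203.0.113.5 alice FAIL
10:00:03 203.0.113.5 alice FAIL
10:00:04 203.0.113.5 alice FAIL
10:00:05 203.0.113.5 alice FAIL
10:00:06 203.0.113.5 alice OK
10:01:00 198.51.100.9 bob FAIL
10:01:01 198.51.100.9 carol FAIL
10:01:02 198.51.100.9 dave FAIL
10:01:03 198.51.100.9 erin FAIL
10:01:04 198.51.100.9 frank OK
10:02:00 192.0.2.77 grace FAIL
10:02:30 192.0.2.77 grace OK
"""

FAIL_THRESHOLD = 4  # assumed policy: failures per source before alerting


def parse(log):
    """Yield (source_ip, username, succeeded) for each audit line."""
    for line in log.splitlines():
        _ts, ip, user, result = line.split()
        yield ip, user, result == "OK"


def classify_sources(log, threshold=FAIL_THRESHOLD):
    """Return {source_ip: (label, accounts_that_later_succeeded)}."""
    fails = defaultdict(list)     # ip -> usernames with a failed login
    successes = defaultdict(set)  # ip -> usernames that logged in OK
    for ip, user, ok in parse(log):
        if ok:
            successes[ip].add(user)
        else:
            fails[ip].append(user)
    report = {}
    for ip, users in fails.items():
        if len(users) < threshold:
            continue  # an ordinary typo or two: below the alert threshold
        distinct = len(set(users))
        # Repeated guesses at a single account is classic brute force;
        # one attempt each against many accounts is credential stuffing.
        if distinct == 1:
            label = "brute_force"
        elif distinct == len(users):
            label = "credential_stuffing"
        else:
            label = "mixed"
        report[ip] = (label, sorted(successes.get(ip, set())))
    return report
```

A real deployment would also key on time windows and feed the flagged accounts into a forced password reset and session revocation, which this snippet leaves out.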
#4 Implement The Zero Trust Framework
But what if an account takeover has already happened? The most you can do then is to spot that activity early and prevent the threat actor from gaining deeper access to your infrastructure.
Zero trust is the methodology that assumes that even someone who has the right credentials might be a cyber-criminal. They could have stolen credentials or guessed them with a brute-force attack.
This might mean having role-based access control that restricts users to the resources they need to do their tasks.
While zero trust isn’t a product you can buy, you can invest in security tools that follow the “trust but verify” principle. They can minimize the hacker’s impact if they already have access to your network, by spotting the anomalies in behavior that reveal the user isn’t genuine.
Who Is Responsible For Account Takeover Prevention?
Most users believe that account protection is the company’s responsibility. Legally speaking, businesses are not as well-protected as individuals.
Organizations do have a greater responsibility to protect their users. They offer them services and when users log in to them or share their personal data, they assume that the company will keep them safe.
However, cybersecurity has always been a shared responsibility.
Poor security practices on the user’s end (such as reusing weak passwords) can form a gap in security even for companies with otherwise robust security.
As a user, you can learn the common signs of phishing, set up strong passwords, and turn on two-factor authentication.
As a company, you need more.
Besides investing in phishing awareness training and educating employees on security basics, you need the right security solutions: ones that can detect and mitigate the increasing number of threats to your infrastructure.
Have account takeover prevention solutions in place. Then, continually manage and improve security posture to prevent major incidents.