Imagine if a doppelganger — an exact double of yourself — stole your life. That terrifying idea is the basis for a short story by Anthony Armstrong, “The Strange Case of Mr. Pelham,” in which a man involved in a car crash recovers — only to discover that he is now being stalked by an apparently identical copy of himself. This double is able to forge his signature on checks, enter the places where the victim lives and works, and more. It’s an unnerving story, which is likely why it has been adapted for TV and movies multiple times — including a version directed by Alfred Hitchcock and one starring former James Bond actor Roger Moore.
But what if this wasn’t as far-fetched a threat as it might sound? While a real-life doppelganger is extremely unlikely, in the digital world an impostor who can act as you is not only possible, it happens every single day.
With more of our lives lived online, for everything from managing finances to shopping to keeping track of health data, the takeover of online accounts by bad actors can have serious repercussions. It’s a reminder of why account takeover prevention tools are so important.
Attacks are more common than ever
With our growing reliance on the online world, you might expect online accounts to be guarded like missile launch codes. Worryingly, however, account takeovers are easier than ever. There are several reasons for this.
One is the unfortunate (to put it mildly) trend of continued credential reuse. With more accounts than ever to keep track of, many users recycle the same usernames and passwords across the myriad websites they use, reusing their Amazon password for their online banking, for instance.
Given the challenge of remembering dozens of passwords and usernames, it’s tough to entirely blame users for this, but it nonetheless poses a major security problem. In the event of a data breach, something that is becoming increasingly commonplace, attackers who obtain one set of leaked credentials can simply replay them against every other service that user might hold an account with; wherever the password was reused, the login succeeds. This type of attack, referred to as a credential stuffing attack, is happening in greater numbers all the time. In 2020, there were an alarming 193 billion credential stuffing attacks around the world, a significant increase on the previous year.
Another reason for the increase in account takeovers is also the most obvious (but important) one: there are more digital transactions for attackers to hijack by impersonating the legitimate account holder. In a world where everything from the filing of taxes to banking transactions is carried out over the internet, there’s more opportunity for hackers to cause serious disruption this way. These attacks aren’t just leveled at individuals, either. Companies are frequently the target of attempted account takeover attacks, since this potentially ramps up the amount of damage that can be caused, including the theft of intellectual property. For instance, one recent report claimed that account takeovers in the financial services industry increased an astronomical 850 percent between the second quarter (Q2) of 2020 and the second quarter of 2021.
The third reason has to do with the evolving type of attacks that now take place. Many of these involve automation, such as bots that test millions of leaked username and password pairs against a login page far faster than any human could, which is what makes credential stuffing viable at scale. As attacks get smarter and easier to perform, the chances of successful account takeover incidents increase.
Protect yourself and your users
The impact of compromised accounts can be broad and far-reaching, from financial fraud and data theft to malware delivery that enlists the victim in further attacks such as DDoS (Distributed Denial of Service). The threat is particularly serious because, in many cases, attackers do not immediately make it obvious that an account has been compromised. While there are certain cases where, for example, attackers begin posting spam as soon as they hijack a social media account, in other scenarios they use the access quietly to establish a backdoor and play a long-term malicious game that can ultimately cause far more damage.
Organizations must do their utmost to protect against account takeover attacks. Fortunately, there are solutions available that can help. Some of this is about best practices, such as never reusing passwords and usernames, and making sure that these are changed immediately following any confirmed data breach. Users should also avail themselves of multi-factor authentication, which means that logins require two or more independent factors, such as a password plus a one-time code or a hardware security key, so that a stolen or reused password alone is not enough to get in.
Given the risks involved, though, organizations should go several steps further. Simple automated controls aren’t always adequate for blocking fraudulent behavior. State-of-the-art cyber security solutions, however, are able to see which sites or user accounts are being attacked, the techniques used, and whether the credentials in play are already publicly available in breach dumps. They can alert customers when attempted account takeovers take place, and block them using methods such as behavioral analytics to separate fraudulent activity from legitimate logins. Seeking out experts who can help advise on the availability of these measures is highly recommended.
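To make the two mechanisms above concrete, here is an added example (not code from the original article or from any product it refers to) covering both the credential stuffing pattern described earlier and the detection side described in this section. The first half flags a source IP that tries many different usernames with mostly failures inside a short window, which is the behavioral signature of a bot replaying a breach corpus rather than a user mistyping. The second half checks whether a password is already publicly known using a range lookup modeled on the scheme used by Have I Been Pwned’s Pwned Passwords API (the client sends only the first five hex characters of the SHA-1 hash, the server returns matching suffixes), served here from a small constructed in-memory corpus. The log format, the thresholds, the IP addresses and the breached-password list are all constructed assumptions for illustration.

```python
"""Credential-stuffing detection over constructed auth logs, plus a
k-anonymity style breached-password check. Added example, not from the
original article; all data, formats and thresholds are assumptions."""
import hashlib
from collections import defaultdict

# Constructed sample auth events: (epoch_seconds, src_ip, username, outcome).
# 203.0.113.7 walks through eight different accounts in eight seconds and
# gets one hit; 198.51.100.2 is one user mistyping then succeeding.
EVENTS = [
    (1000, "203.0.113.7", "alice", "fail"),
    (1001, "203.0.113.7", "bob", "fail"),
    (1002, "203.0.113.7", "carol", "fail"),
    (1003, "203.0.113.7", "dave", "fail"),
    (1004, "203.0.113.7", "erin", "success"),  # a reused password worked
    (1005, "203.0.113.7", "frank", "fail"),
    (1006, "203.0.113.7", "grace", "fail"),
    (1007, "203.0.113.7", "heidi", "fail"),
    (1100, "198.51.100.2", "alice", "fail"),
    (1105, "198.51.100.2", "alice", "success"),
]


def detect_stuffing_sources(events, window_s=300, min_distinct_users=5,
                            min_fail_ratio=0.8):
    """Return {src_ip: summary} for sources that, within any sliding window of
    window_s seconds, attempted at least min_distinct_users different
    usernames with a failure ratio of at least min_fail_ratio. The summary
    lists accounts the source logged into, which are the ones to lock and
    notify. Thresholds are assumptions to tune per site."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, o in window if o == "fail")
            if (len(users) >= min_distinct_users
                    and fails / len(window) >= min_fail_ratio
                    and (ip not in flagged
                         or len(users) > flagged[ip]["distinct_users"])):
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "compromised": sorted(
                        u for _, u, o in window if o == "success"),
                }
    return flagged


# Constructed "breached" corpus. A real deployment would hold only hashes
# (or query an external breach-corpus service), never plaintexts.
_BREACHED = {"password", "123456", "qwerty", "letmein", "Summer2020!"}
_BREACH_INDEX = defaultdict(set)
for _pw in _BREACHED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _BREACH_INDEX[_h[:5]].add(_h[5:])


def range_lookup(prefix5):
    """Server side: return every stored SHA-1 suffix whose hash starts with
    the 5-hex-char prefix. The server never sees the full hash, so it
    cannot tell which password the client is checking."""
    return _BREACH_INDEX.get(prefix5.upper(), set())


def is_breached_password(password):
    """Client side: hash locally, send only the prefix, match suffixes locally."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in range_lookup(h[:5])


if __name__ == "__main__":
    for ip, info in detect_stuffing_sources(EVENTS).items():
        print(f"credential stuffing from {ip}: {info}")
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r} in breach corpus: {is_breached_password(pw)}")
```

On the constructed data the detector flags only 203.0.113.7 and names erin as the account that must be locked and re-secured, while the legitimate user on 198.51.100.2 is left alone because one account with a single failure never meets the distinct-user threshold. The breach check is what a signup or password-change form would run to refuse a password that is already circulating in dumps, which is the cheapest way to blunt credential stuffing before it starts.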
The threat of account takeovers is only going to become more pronounced. But by taking the right precautions, businesses can protect both themselves and their customers. It’s essential that they do this — for all involved.