Is account takeover taking over the fraud landscape?

In May 2024, more than 500 million Ticketmaster customers were victims of a data breach attributed to hacking group ShinyHunters. Live Nation Entertainment, Ticketmaster’s parent company, confirmed the breach in a filing with the U.S. Securities and Exchange Commission (SEC) and reported that it had identified unauthorized activity within a third-party cloud database that contained company data.

ShinyHunters says it obtained 1.3 terabytes of Ticketmaster’s sensitive customer data, including credit card numbers and ticket sales. The group reportedly breached Ticketmaster’s cloud data because it had compromised the credentials of an employee of Snowflake, Ticketmaster’s cloud account. With the employee’s credentials, the cyberfraudsters created session tokens and accessed customer data. (See “Ticketmaster’s Encore: How ‘ShinyHunters’ Hacked the Show,” by Rodman Ramezanian, Skyhigh Security, July 11, 2024; “Ticketmaster Confirms Data Breach. Here’s What to Know.”, by Sopan Deb, The New York Times, May 31, 2024; and “U.S. SEC Form 8-K, 001-32601,” May 20, 2024.)

The compromise of a person’s passwords and other credentials is indicative of account takeover (ATO) — the appropriation of someone else’s sensitive financial records and their access credentials. ATOs have been on the rise in recent years, and account holders at websites such as Microsoft, AT&T, Home Chef and Chatbooks have all been victims. ATO fraud increased 81% from 2019 to 2022, according to recent TransUnion data. (See “TransUnion 2023 State of Omnichannel Fraud Report,” TransUnion.) IBM’s Cost of a Data Breach report shows that breaches involving stolen credentials cost organizations an average $4.81 million per breach. (See “Cost of a Data Breach Report 2024,” IBM.) Given the growing threat posed by ATOs, organizations and customers must do more to protect the passwords that allow access to sensitive information.

ATO methods and targets

Fraudsters have plenty of ways to breach private access, including:

• Session hijacking: taking control of someone’s online activity by stealing or guessing the information that websites use to recognize and verify active user sessions.
• Phishing: scamming people into giving away sensitive information or installing malware.
• Smishing: using text messages to persuade people to share personal information.
• Vishing: using phone calls or voice messages to convince people to share sensitive information.
• Social engineering: manipulating, influencing or deceiving a victim to gain control over a computer system or to steal personal and financial information.
• SIM card swapping: manipulating a victim’s phone carrier into transferring their phone number to a SIM card in the cyber criminal’s possession.

Weak security and ineffective or inefficient controls can’t withstand tenacious, acute attacks. Along with the methods cited above, criminals use a variety of brute-force attack methods, including credential cracking, which guesses at login information and attempts to enter an account through the sheer power of numerous tries. Credential stuffing is another tactic that entails trying to access an account via any and all user information gained from previous attacks or acquired in other nefarious ways. When bad actors do gain access, they quickly modify controls that should’ve barred their admittance and use them against the account owner.

According to data from Security.org, 53% of ATOs targeted social media. However, 21% of breaches included business accounts, demonstrating that personal accounts aren’t the only objective. Unfortunately, 70% of ATO victims reported using their hacked account’s passwords across multiple sites, resulting in 53% experiencing a takeover of numerous accounts. (See “Account Takeover Incidents are Rising: How to Protect Yourself in 2024,” by Brett Cruz, Security.org, Nov. 14, 2024.)

Unique passwords

Most people relieve the burden of remembering a specialized password for every account by creating a few different combinations of special words or numbers they can use together. However, keeping it simple isn’t safe. The convenience factor of reused passwords compromises users and their accounts. Once breached, the attacker then has access to that one account and all accounts that use the same or similar passwords.

Forbes Advisor found that at least 78% of people reuse the same password across multiple accounts. Additionally, 14% of people will share passwords among their personal and business accounts, endangering their organizations when their personal account is compromised. The same survey found that more than 75% of respondents had their personal information stolen. Repeated passwords make the theft of personal information that much more possible. (See “America’s Password Habits: 46% Report Having their Password Stolen Over the Last Year,” by Katherine Haan, June 3, 2024.)

Password sharing

Sharing passwords with friends or family members can increase the vulnerability of the account, and sharing any parts of that password with other online accounts increases the likelihood of a breach. Relationships change over time, and someone who was once trusted with access to an account can become untrustworthy while continuing to know valuable login information.

Simply stated, don’t share passwords. However, if you must share, allow for as long as needed but discontinue the password as soon as possible — don’t forget about the shared access. Furthermore, a shared password shouldn’t mimic a password for any other account.

Password complexity

Complexity is often overlooked in password creation. It’s easiest to remember various mixtures of keywords, dates and numbers rather than have a complicated, unique identifier for each account. It might even be tempting to use a simple word, prioritizing convenience over safety.

Many people think that substituting numbers for letters — leetspeak — increases the complexity of a password; however, using the number “1” for a lowercase “l” or an uppercase “I,” “3” for “e,” “5” for “s,” etc. can be guessed by humans and machines. For example, “B1ng0” isn’t more complicated than “Bingo.” Similarly, adding a letter or number at the beginning or end of a password, such as “Bingo1,” doesn’t add difficulty. The conundrum lies in creating a unique and easy-to-remember password that can’t be guessed or broken. Make it memorable, not obvious.

Meaningful phrases with numbers, symbols, lower and uppercase letters can be used in shortcut or coded method. For example, start with a well-known sentence, such as a quote or lyric. Lifted from the Beastie Boys lyrics, “you gotta fight for your right to party” can be coded to “UGF4UrR2P!”.

Next, tailor a password to the account to make it unique. For instance, applying the above example to Amazon, a bank account and a social media account would give you these combinations:

• “UGF4UrR2P@A”— you gotta fight for your right to party at Amazon.
• “UGF4UrR2$wJPMC” — you gotta fight for your right to bank with JPMorgan Chase.
• “UGF4UrR2_X”— you gotta fight for your right to X (Twitter).

Rules might specify that a formation of eight to 15 lowercase and uppercase letters, numbers and symbols should be used but don’t aim for only one of each. Construct a password with all the characters possible, not just to meet the minimum requisite.

Multifactor authentication (MFA)

For organizations, multifactor (MFA) or two-factor authentication (2FA), which requires more than one form of verification for passwords, must be included in any conversation concerning accounts. MFA acquires its name from the different methods used to prove verification: knowledge, possession or inherence. In other words, a user verifies what they know (PIN or password), have (one-time password or token) or are (biometric scan). These are often time-sensitive, allowing the user only a brief period to apply the correct confirmation.

Some users resist MFA because it’s inconvenient. Additionally, if a service is down, it can add delays in verifying a user’s identity. Nonetheless, a study by Microsoft found that MFA reduces the risk of compromise by 99.22% and by 98.56% in cases of leaked credentials. (See “How effective is multifactor authentication at deterring cyberattacks?,” by Lucas Augusto Meyer, Tom Burt, Sergio Romero, Alex Weinert, Gabriele Bertoli and Juan Lavista Ferres, Microsoft.)

Password managers

Many people, 51% to be precise, rely on memory to keep track of passwords. Password managers provide a better option for storing unique passwords than writing down login information and keeping it near the computer. The secure vault that stores the personal information offers protection, while a master password grants access to the vault and can be used with biometric methods, MFA or other supporting factors. (See “Psychology of Passwords,” LastPass.com, Aug. 24, 2021.)

One of the reasons password managers are considered safe is due to encryption, which scrambles the data into a code that can only be read with a particular key to decode it. The zero-knowledge architecture upon which password managers are often built lends additional safety. With zero-knowledge architecture, the password manager has “zero knowledge” of what it protects. No one else can see any passwords without proper authorization. If the host server is attacked or breached, hackers can’t decipher the data.

However, password managers aren’t foolproof, and they can be hacked. For example, in August 2022, password manager LastPass announced that “an unknown threat actor” accessed LastPass’s cloud-based storage. The company informed customers that their information was still protected because of the encryption it uses. When using LastPass’s recommended default settings, the company claims it would take millions of years to break a customer’s master password using password-cracking technology. (See “12-22-2022: Notice of Security Incident,” by Karim Toubba, LastPast.com, Dec. 22, 2022.)

Stay vigilant

Unfortunately, cyber criminals continuously devise novel methods to get the information they need. One new credential-stealing technique relies on malware called StealC to trap Google Chrome users in kiosk mode. Locking the browser in full screen and disabling the escape keys, kiosk mode displays only a Google account login window. As users struggle to exit, they’re coerced into entering their credentials, which the malware then steals.

Further, a variant of the TrickMo banking Trojan has emerged, masquerading as the Chrome browser on Android. This fake app tricks users into granting permissions to intercept text messages and 2FA codes, further jeopardizing account security. To counter these threats, Microsoft has advised users to try various keyboard shortcuts to exit kiosk mode and to avoid downloading apps from unofficial sources. (See “Hackers Force Chrome Users To Hand Over Google Passwords. Here’s How,” by Davey Winder, Forbes, Sept. 17, 2024.)

Accounts aren’t the only way private information is stolen. Research from Broadband Genie provides insight into internet users’ questionable security habits. Results highlight that 86% of broadband users never change their router’s default admin password. Additionally, 52% of users haven’t modified their router settings at all, and 89% have never updated their router firmware. This lack of cybersecurity awareness increases vulnerability to hackers. To enhance security, experts recommend users perform a factory reset, change default passwords and update firmware. (See “New Critical Password Warning—86% Of All Router Users Need To Act Now,” by Davey Winder, Forbes, Oct. 2, 2024.)

Personal accounts and business accounts are increasingly at risk of ATO. Robust IT security, proper cyber hygiene and good password habits can help in the fight against intrusive attacks. Account security means maintaining passwords, not just setting and forgetting. Fight fraud by making good choices and making strong passwords.

Laura Harris, CFE, is the senior research specialist for the ACFE. Contact her at LHarris@ACFE.com.