What is Account Security?
Consumers need a digital account to access any online service - shopping, banking, entertainment, socializing, and so forth. This means digital accounts are now at the center of all digital interaction. Attackers know this too, and look to abuse these digital accounts to exploit business networks for monetary gains. They use bots to execute credential stuffing attacks in order to match thousands of username-password combinations which then fuel account takeover attacks. Attackers also use stolen consumer details and often combine them with fake elements to create synthetic identities that are then used to create fake new accounts. These compromised and fake digital accounts are used for several types of downstream fraud.
To prevent attackers from abusing users’ digital accounts, it is essential to protect the sanctity of these accounts. Account security is about keeping these digital accounts safe from attacks and from being compromised.
Account Security is Critical to Business Growth
With the scale of cyberattacks rising steadily, it is now a matter of ‘when’ and not ‘if’ a business will be the next target. Attackers are using every tactic to circumvent authentication measures. They leverage bots and automated scripts to scale up their attacks in no time and at the least possible cost. Advanced bots that mimic human behavior fairly accurately are readily available - some even come with support services. For more nuanced human responses, attackers hire human click farms that provide services at low cost. All these activities can disrupt business operations and user experience.
Fraud is costly for businesses. Not only do affected companies incur direct financial losses remediating the attacks, they also lose time, effort, and money restoring user accounts, resetting passwords, and pacifying irate customers. They incur hidden operational costs as well, such as an increased number of calls to contact centers, a heavier burden on compliance and legal teams, more manual reviews, and the implementation of additional security protocols.
Another long-term impact of attacks against accounts is irreparable harm to the brand, as discontented customers switch to competing businesses and voice their complaints on social media. Large enough breaches can even lead to negative PR and news stories. Furthermore, a successful attack makes a business vulnerable to repeat attacks. It is estimated that globally businesses spend nearly $3.86 million in data breaches due to inadequate account security, which is likely to climb to $10.5 trillion annually by 2025.
In such a backdrop, account security becomes critical for business growth because it impacts long-term customer retention and repeat business. A focus on fraud prevention in an account security strategy can help digital businesses ward off attacks where they originate and enable consumers to continue with their digital journeys free from the fear of online abuse.
How do fraudsters target accounts?
Digital accounts are a goldmine for attackers as they can exploit them in multiple ways to make money. Some of the common ways attackers target user accounts are as explained below:
- Credential stuffing: This refers to an attack where attackers use bots to constantly try out different username-password combinations at scale until a match is found. Years of data breaches have made consumer information easily accessible, and attackers leverage this data for automated credential stuffing attacks that play a key role in carrying out account takeover (ATO) attacks. To achieve scale at the least possible cost, they often use automated scripts, or human click farms when more nuanced human interaction is needed. However, for high-value accounts, they may even carry out the attacks themselves.
- Password spraying: In a password spraying attack, fraudsters try to match one password - usually a default password - across multiple usernames before moving on to another password. These attacks are more common where systems allow single sign-on, or on cloud-based applications that use federated authentication protocols.
- Account takeover: Attackers use stolen credentials to break into genuine user accounts. Once a user account is compromised, attackers not only drain it of the assets it contains but also use it as a launchpad for several types of fraud and online abuse. Account takeover attacks are increasing in popularity due to the availability of large volumes of consumer data. Furthermore, the modus operandi for an account takeover attack remains the same across industries - identify valid, stolen credentials, and use them to access an account.
- New account registration: Fraudsters create multiple fake accounts using stolen or synthetic credentials for a number of fraudulent activities. Depending on the target industry, new account registrations can be monetized in several ways. For instance, fake accounts on gaming platforms are used to pocket new-user bonuses, send phishing messages to other users, and collect in-game assets.
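As an added illustration that is not part of the original article, the following Python detector separates the first two patterns above in a constructed authentication log: credential stuffing appears as a burst of failures against many distinct accounts from one source, while password spraying appears as a single failure per account across many accounts, spaced out to stay under lockout thresholds. The log layout, the IP addresses and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not real traffic): timestamp, source IP, username, outcome
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 alice FAIL
2024-05-01T10:00:01 203.0.113.5 bob FAIL
2024-05-01T10:00:01 203.0.113.5 carol FAIL
2024-05-01T10:00:02 203.0.113.5 dave FAIL
2024-05-01T10:05:00 198.51.100.7 alice FAIL
2024-05-01T10:35:00 198.51.100.7 bob FAIL
2024-05-01T11:05:00 198.51.100.7 carol FAIL
2024-05-01T11:35:00 198.51.100.7 dave FAIL
2024-05-01T11:36:00 192.0.2.9 alice FAIL
2024-05-01T11:36:30 192.0.2.9 alice SUCCESS
"""

def failures_by_ip(log_text):
    """Parse the log and return {ip: sorted [(timestamp, username), ...]} for failed logins only."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        if outcome == "FAIL":
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    return {ip: sorted(v) for ip, v in by_ip.items()}

def detect_credential_stuffing(log_text, window_s=60, min_users=4):
    """Flag IPs that fail against >= min_users distinct accounts inside any window_s-second burst."""
    flagged = set()
    for ip, fails in failures_by_ip(log_text).items():
        start = 0
        for end in range(len(fails)):  # sliding window over the time-sorted failures
            while fails[end][0] - fails[start][0] > timedelta(seconds=window_s):
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_users:
                flagged.add(ip)
                break
    return flagged

def detect_password_spraying(log_text, min_users=4, max_per_user=1, min_gap_s=60):
    """Flag IPs that fail at most max_per_user times per account across many accounts, spaced out."""
    flagged = set()
    for ip, fails in failures_by_ip(log_text).items():
        per_user = defaultdict(int)
        for _, u in fails:
            per_user[u] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(fails, fails[1:])]
            if sum(gaps) / len(gaps) >= min_gap_s:  # low-and-slow cadence, unlike a stuffing burst
                flagged.add(ip)
    return flagged
```

The single mistyped-then-correct login from 192.0.2.9 is flagged by neither rule, which is the behaviour a defender wants from per-account lockout alone.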
Common Challenges with Traditional Authentication Measures
Today, many businesses rely on digital identity intelligence to harness insights and distinguish between genuine and fraudulent activity. Using data-driven decision engines, they look for clear signals of ‘trust’ or ‘mistrust’. However, mass manipulation of digital identities and evolving consumer behavior have pushed these signals increasingly into a gray area. Businesses are therefore in a catch-22: heavy-handed authentication degrades the user experience, while leniency lets attackers succeed.
Machine-learning-driven data analysis is great in theory, but it is rife with challenges, as it requires large volumes of data to train the algorithms, which is a tedious and time-consuming activity.