Protecting organizations against account takeovers (ATOs) is challenging – and seems to be becoming more demanding with time as cyber threats continue to evolve. In this article, Tom Wesselman, CTO at TeleSign, provides businesses with the knowledge they need to ensure they are better armored.
Today’s unfortunate reality is that all systems are hackable, and account takeovers (ATOs) are an ever-present risk for web and mobile app customers and businesses. An ATO may take many forms, but simply stated, it’s when information about a customer is used to circumvent identity checks to take over – or steal – an account. Besides the immediate damages of fraud, identity theft, and monetary loss, reputational damage to your product and company is also a risk. Once a customer loses confidence in your ability to protect them, they may leave and never return.
Combating ATOs is challenging – and only becoming more onerous as time goes on. Fueling these challenges is an increase in what seems like daily data breaches, social engineering, phishing, and brute-force attacks. ATOs don’t even require technical knowledge or ability – just personal information to help the attackers answer security questions and access vulnerable accounts. When that happens, you and your customers can fall victim to fake reviews, fake charges, lost account balances, spam, and worse.
Ensuring Account Integrity
Organizations often use one-time passcodes (OTPs) to help prevent ATO, but fraudsters have quickly adapted – as they always do – and use SIM swaps or email takeovers to intercept OTPs. Adding additional factors beyond a single OTP can improve security. However, that also adds extra steps and friction to the customer experience.
The best defense against relentless attacks ensures and maintains account integrity with a layered security posture tailored to your ecosystem.
When you require users to enter log-in or registration credentials to enter your ecosystems, it is the beginning of a trusted relationship. That comes with the responsibility to protect those accounts and earn – and maintain – your customers’ trust.
Ultimately, you want to make life easy for real accounts so you can focus your security efforts on the bad actors. For example, you may require a one-time password to sign into a bank account. But to withdraw $20,000, you need additional steps to verify identity – perhaps a face scan or a better risk score based on data you’ve collected on that user. By implementing a layered trust model that monitors changes, assesses risk, and challenges high-risk and high-value interactions, you can help make ATOs more challenging and less profitable.
You can’t protect against knowledge-based attacks with credentials alone, but here is where risk scoring based on a variety of user attributes can help identify bad actors. With a digital identity risk score, you’ll know when to challenge even a correct username/password or a correct “What was the name of your first pet?” answer. In the case of SMS OTPs, you can mitigate the risk of a passcode intercepted through a SIM swap by checking the phone number’s porting history and rejecting recently ported numbers.
The Need for Balanced, Layered Solutions
Fraudsters try various tactics to commit their crimes, which means your defense must be layered, adaptive, and scalable while simultaneously providing a low-friction experience for your customers.
You can drive customers away by relentlessly challenging them with one-size-fits-all verification methods. At the same time, challenging high-value transactions or interactions like password resets or bank or account balance transfers both protects your customers and reassures them of your security. To balance these needs, invisible risk scoring can help you identify when to challenge, when to accept the authentication, and when to require further checks.
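The risk-based step-up logic described here and in the Ensuring Account Integrity section above, expressed as an added example (this is illustrative code written for this article, not TeleSign’s product logic). It combines a toy additive risk score from login signals with a policy that allows low-risk routine actions, asks for an SMS OTP at moderate risk, escalates to a stronger factor for high-risk or high-value actions, and refuses to rely on an SMS OTP when the phone number was ported recently. All thresholds, signal names, weights, the 7-day porting cooldown, and the $10,000 high-value cutoff are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional

# Illustrative policy constants (assumptions for this example, not values from the article).
PORT_COOLDOWN = timedelta(days=7)   # do not trust SMS OTP to a number ported within this window
HIGH_VALUE_USD = 10_000             # transactions at/above this always get a step-up check
DENY_SCORE = 90
STEP_UP_SCORE = 70
OTP_SCORE = 30
SENSITIVE_ACTIONS = {"password_reset", "transfer", "change_contact"}

# Constructed signal weights for the toy additive risk score (assumption).
SIGNAL_WEIGHTS = {
    "new_device": 30,
    "new_country": 25,
    "anonymizing_proxy": 20,
    "known_bad_ip": 40,
}
FAILED_ATTEMPT_WEIGHT = 10
FAILED_ATTEMPT_CAP = 3

# Fixed clock so the demo and its checks are reproducible (constructed value).
FIXED_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


class Decision(Enum):
    ALLOW = "allow"        # low risk, routine action: no extra friction
    SMS_OTP = "sms_otp"    # moderate risk: a one-time passcode is enough
    STEP_UP = "step_up"    # high risk or high value: stronger factor (e.g. face scan)
    DENY = "deny"          # very high risk: block and alert


@dataclass
class AuthContext:
    user_id: str
    action: str                                   # "login", "transfer", "password_reset", ...
    amount_usd: float = 0.0
    signals: Dict[str, bool] = field(default_factory=dict)
    failed_attempts: int = 0
    phone_ported_at: Optional[datetime] = None    # last carrier port date; None if never/unknown
    now: datetime = FIXED_NOW


def ported_days_ago(days: int, now: datetime = FIXED_NOW) -> datetime:
    """Helper to build a constructed porting timestamp relative to `now`."""
    return now - timedelta(days=days)


def risk_score(ctx: AuthContext) -> int:
    """Additive 0-100 score from binary signals plus capped recent failed attempts."""
    score = sum(w for name, w in SIGNAL_WEIGHTS.items() if ctx.signals.get(name))
    score += FAILED_ATTEMPT_WEIGHT * min(ctx.failed_attempts, FAILED_ATTEMPT_CAP)
    return min(score, 100)


def recently_ported(ctx: AuthContext) -> bool:
    """True when the phone number changed carrier inside the cooldown window."""
    if ctx.phone_ported_at is None:
        return False
    return ctx.now - ctx.phone_ported_at < PORT_COOLDOWN


def decide(ctx: AuthContext) -> Decision:
    """Layered policy: score first, then value of the action, then channel trust."""
    score = risk_score(ctx)
    if score >= DENY_SCORE:
        return Decision.DENY
    high_value = ctx.amount_usd >= HIGH_VALUE_USD or ctx.action in SENSITIVE_ACTIONS
    if score >= STEP_UP_SCORE or high_value:
        return Decision.STEP_UP
    if score >= OTP_SCORE:
        # An SMS OTP is only trustworthy if the number was not just ported (SIM-swap risk).
        return Decision.STEP_UP if recently_ported(ctx) else Decision.SMS_OTP
    return Decision.ALLOW


if __name__ == "__main__":
    cases = {
        "known device login": AuthContext("u1", "login"),
        "new device login": AuthContext("u1", "login", signals={"new_device": True}),
        "new device, number ported 2d ago": AuthContext(
            "u1", "login", signals={"new_device": True}, phone_ported_at=ported_days_ago(2)),
        "$20,000 transfer, clean session": AuthContext("u1", "transfer", amount_usd=20_000),
        "new device + country + proxy": AuthContext(
            "u1", "login", signals={"new_device": True, "new_country": True, "anonymizing_proxy": True}),
        "bad IP, new device, 5 failures": AuthContext(
            "u1", "login", signals={"new_device": True, "known_bad_ip": True}, failed_attempts=5),
    }
    for name, ctx in cases.items():
        print(f"{name:36} score={risk_score(ctx):3}  -> {decide(ctx).value}")
```

The order of checks is the point: a correct password on a clean session sails through, the same password from a new device earns an OTP, and the OTP itself is withheld when porting history says the number may have just been swapped. The $20,000 transfer gets a step-up regardless of score, matching the sign-in-versus-withdrawal distinction drawn above.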
Trust Matters
Establishing and maintaining a trusted relationship with your customers is dependent on protecting and defending them throughout the customer journey. When determining your defense, it’s essential to remember that there is no silver bullet to prevent fraud. The solutions must be tailored to your ecosystem in a layered approach that provides threat protection across all levels, processes and systems.
Trust is also crucial for customers, and 85 percent have reported that they would avoid using a brand if they lost confidence in it. As cybercriminals adapt their attack methods, you need to be prepared and equipped to provide a secure experience constantly.
Companies need to find the right tools to support their in-house or outsourced cybersecurity analysis. Cyberattack vectors are constantly evolving, and ATO has been and will continue to be an issue. Businesses need to focus on helping strangers become trusted customers and preventing bad actors from breaking that trust.