The PhishLabs Blog

4 reasons why authentication isn’t enough to stop account takeover

Posted by Lindsey Havens on Nov 12, '14

The prevalence of account takeover (ATO) attacks continues to grow, with losses reported in the billions each year. Recent observations indicate an increase in community banks and credit unions being targeted with account takeover attacks. Cyber criminals have managed to circumvent most authentication tactics - even the more advanced techniques. Once authentication has been circumvented, all the financial institution can hope to do is minimize the number of successful fraudulent transactions.

Why is authentication not enough?

You can’t put too much faith in authentication methods for four main reasons:

  1. Basic authentication is trivial to bypass.
  2. Advanced authentication is too expensive to roll out to the majority of accounts.
  3. Cybercriminals continue to evolve techniques to circumvent security controls.
  4. Ultimately, if your customers can get to their accounts online, so can cybercriminals.

Weakness in authentication techniques

Let’s discuss the vulnerabilities associated with these four reasons. Basic authentication – let’s face it, customers notoriously pick easy passwords, reuse them across sites, and often write them down or divulge them to third parties. Phishing and vishing scams have been effective methods for bypassing basic authentication, primarily because the infrastructure for these scams is easily accessible in the underground market and they are relatively easy to deploy.

Some larger banks have implemented advanced authentication techniques but this requires a significant financial investment in addition to softer costs, such as employee training and customer education. Also, requiring advanced authentication is often negatively viewed by customers because it involves extra steps to gain access to an account. Even when employing multi-factor authentication, criminals are still sometimes able to overtake accounts – for instance, using mobile malware designed to intercept SMS verification codes.

As financial institutions attempt to strengthen security, cybercriminals evolve their tools to get into accounts and steal funds. Some recently observed trending tactics in phishing have better enabled criminals to steal login credentials and the additional information used to take over accounts. Malware continues to evolve with enhancements that allow criminals to collect additional personal information through advanced webinjects while evading detection. Account takeover attacks will only continue to rise as miscreants find new ways to circumvent security controls.

At the end of the day, if your customers or credit union members can get into their accounts, so can the bad guys. Community banks and credit unions must not be naïve in thinking that criminals will not target their bank or credit union just because they are smaller. As larger entities invest more in cyber security, fraudsters will be looking for easier targets. With the increased availability of free, highly effective banking Trojans such as ZeuS, many cybercriminals have increased targeting of smaller institutions rather than leaving money on the table. After all, they never know who will wind up infected with their malware.

Once authentication has failed and criminals have access to accounts, financial institutions must act quickly because the most lucrative time for exploitation is within the first 48 hours of the attack.

Stay tuned for a future blog post discussing strategic initiatives and tactics to help prevent account takeover attacks. Please join us on November 18th for a live webinar on Account Takeover Fraud Prevention.
