Account Takeover Prevention: Bad Habits That Make You More Vulnerable to ATO Fraud

Taking preventative measures against Account Takeover Attacks is a critical step in daily digital life, but we continue to ignore this advice.

No matter the strength and sophistication of your security posture, the “human element” will continue to be the weak point. Whether it is a failure to adhere to password best practices or being tricked into handing over your credentials to a phishing scam, even the most robust security platform cannot remedy human error. When it comes to passwords, the security industry has tried to mitigate the human risk element by introducing tools like Multi-Factor Authentication (MFA), which is considered one of the most effective means of combating cyberthreats; yet a staggering 89% of enterprise cloud users do not have MFA enabled! The need for your organization to have an effective account takeover prevention strategy is ever-present, as evidenced by the fact that this is the leading form of attack used by hackers. According to the 2022 Verizon Data Breach Investigations Report, over 80% of web application attacks are attributed to stolen credentials. Therefore, protecting your organization against exposed credentials and ensuing account takeover (ATO) attacks is critical.

According to a study conducted by Constella Intelligence and Pulse, most employees have had their credentials exposed by threat actors, yet very few are monitoring for breached credentials. This problem is made worse by the fact that the increase in remote work has led to increased attack surfaces, and most organizations put too little focus on monitoring the dark web to mitigate risk to their organization.

Password best practices are the most touted tidbits of cybersecurity advice out there: the password strength meter that boldly judges our choice, security policies that periodically compel us to change our passwords, and even Google Chrome and Apple’s iCloud service that warn us when we’re reusing passwords across different sites. Yet the exploitation of compromised and weak passwords continues to grow as the number one attack vector. Taking preventative measures against account takeover attacks is widely understood to be a critical step in daily digital life, but we continue to ignore this advice. Why does this happen?

According to an online security survey conducted by Google, 65% of respondents reuse the same password for some or all of their online accounts, while the remaining minority use a unique password for each account. This doesn’t matter if you use an adequately strong password, right? Wrong! The prevalence of data breaches means that most seasoned internet users have some of their data, often including passwords, exposed for malicious actors to exploit. A single password exposure leaves the door wide open for attack. Let’s explore the most common bad security habits and the methods hackers use to get into your accounts.

Password Reuse: Credential Stuffing

Hackers not only understand the prevalence of password reuse, but they rely on it. A credential stuffing attack often starts with finding one exposed credential pair (an email/username and password). Unfortunately, today this is “entry level” hacking work––with basic search engine skills and a little patience, you can find a list of previously exposed credentials. Since most website logins use your email address as a “username”, hackers leverage this to see which websites they can gain access to using your email address and exposed password. Using scripts to automate the process, a malicious actor can in a matter of minutes check hundreds of websites and services to see if your credentials enable a successful login.

This highlights the importance of using a different password for every login; doing so would stop a credential stuffing attack dead in its tracks.

Weak Passwords: Password Spraying & Guessing

Making sure you use a different password for every login will prevent the success of a credential stuffing attack, but if your passwords are not sufficiently strong, a password spraying or password guessing attack can be equally damaging. As the names suggest, password spraying and password guessing attacks prey on weak passwords, as weaker passwords are easier to guess using a few common methods. The most rudimentary password guessing technique is brute force: sequentially testing passwords until one works. Think of this like trying to guess a PIN. You know the parameters of the PIN (a four-digit code between 0000 and 9999), so you’d likely start at 0000 and increment by 1 until you find it. Some hackers may accelerate this process in targeted attacks by leveraging personal information about their target, such as birthdays and anniversaries, to front-load their guessing efforts with likely candidates for the password.

While some hackers have success with sequentially guessing passwords, this isn’t exactly the most effective means of password guessing, as it is time consuming, and many sites limit the number of unsuccessful login attempts you can make before locking your account. Other hackers will leverage knowledge of common passwords and known exposed passwords in password spraying attacks. You might be astonished to know that in 2022, the most commonly used password is “123456”––in fact, 5 of the top 10 most common passwords are sequential numbers of varying length. Even if your password is relatively unique and clever, if it has been previously exposed, it is still considered weak since it is a likely candidate to be used in a password spraying or guessing attack.
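The per-account lockout mentioned above counts failures against one account, so an attempt spread across many accounts can stay below it. The following added example (not from the original article) compares that lockout counter with a per-source count of distinct accounts over constructed log lines; the log format, thresholds and function names are assumptions. The same per-source view applies to a credential stuffing run that arrives from a single source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2022-06-01T10:00:00 198.51.100.9 bob FAIL
2022-06-01T10:00:05 198.51.100.9 bob FAIL
2022-06-01T10:00:10 198.51.100.9 bob FAIL
2022-06-01T10:00:15 198.51.100.9 bob FAIL
2022-06-01T10:00:20 198.51.100.9 bob FAIL
2022-06-01T10:01:00 203.0.113.7 alice FAIL
2022-06-01T10:01:30 203.0.113.7 carol FAIL
2022-06-01T10:02:00 203.0.113.7 dave FAIL
2022-06-01T10:02:30 203.0.113.7 erin FAIL
2022-06-01T10:03:00 203.0.113.7 frank FAIL
2022-06-01T10:03:30 203.0.113.7 grace OK
2022-06-01T10:04:00 192.0.2.44 heidi FAIL
2022-06-01T10:04:20 192.0.2.44 heidi OK
"""

def parse(log):
    rows = (line.split() for line in log.splitlines())
    return sorted((datetime.fromisoformat(ts), ip, user, out) for ts, ip, user, out in rows)

def locked_accounts(events, max_failures=5):
    """Per-account lockout: consecutive failures on one account reach the limit."""
    streak, locked = defaultdict(int), set()
    for _, _, user, outcome in events:
        streak[user] = streak[user] + 1 if outcome == "FAIL" else 0
        if streak[user] >= max_failures:
            locked.add(user)
    return locked

def spraying_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Per-source view: distinct accounts with a failure inside a sliding window."""
    recent, flagged = defaultdict(list), {}
    for ts, ip, user, outcome in events:
        if outcome != "FAIL":
            continue
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window] + [(ts, user)]
        accounts = {u for _, u in recent[ip]}
        if len(accounts) >= min_accounts:
            flagged[ip] = max(len(accounts), flagged.get(ip, 0))
    return flagged

def accounts_to_review(events, flagged):
    """A successful login from a flagged source is a candidate takeover."""
    return {user for _, ip, user, outcome in events if outcome == "OK" and ip in flagged}
```

On the sample data the lockout counter only ever sees bob, while the per-source count surfaces 203.0.113.7 and the one account it logged in to.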

Lack of Identity Monitoring: Breach Data, Phishing & Botnet Attacks

Even when using strong passwords that are different for every site as part of your account takeover prevention plan, one ATO tactic remains available to hackers: leveraging breached and stolen credentials. As we discussed earlier, most internet users have suffered a data exposure in multiple breaches, many of which include an exposed password. Furthermore, more sophisticated hackers create phishing sites and botnet malware that captures a user’s password to a specific site. The prevalence of breach data, phishing attacks and botnet malware takes the guesswork out of the picture for hackers. They can use knowledge of an exposed password for a specific site to gain quick access to your personal and corporate accounts.

Enrolling in an identity monitoring service is instrumental in identifying where your credentials have been exposed, allowing you to rectify the exposure before a hacker uses the password against you.

The Next Step in Account Takeover Prevention to Protect Yourself and Business

We all know the importance of commonly promoted password best practices, and here we’ve discussed common methods hackers use to gain unauthorized access to your accounts, despite you following these best practices. The unfortunate reality is that human behavior creates the biggest attack surface hackers can use against you in account takeover attacks. Despite knowing that you shouldn’t reuse a password, for example, many users report they still do. Some users will mostly follow security best practices, but falter on occasion. Even those who practice good password hygiene without fail still fall victim to account takeover; the good news is that tools and services exist to keep you one step ahead of hackers.

An identity monitoring service can be instrumental in protecting your personal and work accounts. Even when we do everything right, third parties can be breached, exposing your credentials and personal information. Knowledge of these exposures can help you stay ahead of hackers. On the business front, an identity intelligence data provider, like Constella Intelligence, can be leveraged to protect a business’s entire employee base. Integrate Constella’s APIs to check for password exposures at time of login, account creation or password reset, and continuously monitor for new exposures to protect your business from account takeover attacks and ransomware.
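An added sketch of an exposure check at login, account creation and password reset (not Constella's API and not code from the original article). The exposure set is constructed, `range_lookup` is a hypothetical stand-in for a provider endpoint that is queried with a five-character hash prefix so the full password hash never leaves the application, and the policy outcomes are assumptions.

```python
import hashlib
import hmac

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for an exposure feed (hashes only, never plaintext).
EXPOSED_SHA1 = {sha1_hex(p) for p in ("123456", "123456789", "password", "Summer2022!")}

def range_lookup(prefix):
    """Hypothetical provider endpoint: hash suffixes sharing a 5-char prefix."""
    return {h[5:] for h in EXPOSED_SHA1 if h.startswith(prefix)}

def is_exposed(password, lookup=range_lookup):
    """Send only the hash prefix to the lookup; compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return any(hmac.compare_digest(suffix, s) for s in lookup(prefix))

def screen_password(password, event, lookup=range_lookup):
    """Decide what to do with a password at signup, reset or login."""
    if event not in {"signup", "reset", "login"}:
        raise ValueError(f"unknown event: {event}")
    if not is_exposed(password, lookup):
        return "allow"
    # A new password that is already exposed is refused outright; an existing
    # account logging in with an exposed password is made to change it.
    return "force_reset" if event == "login" else "reject"
```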



Keon Ramezani

Sales Engineer