Account takeover (ATO) is a type of fraud that has seen a significant increase in recent years. It occurs when a cyber attacker takes control of a legitimate account to impersonate the owner, with the intention of stealing data, sending malware, or exploiting access for other malicious activities.
Data from Sift, an internet security company, indicates that ATO attacks across its global network increased 354% year-over-year in the second quarter of 2023. Additionally, forecasts suggest that fraud losses could reach several billion dollars by the end of 2023, with more than $635 billion attributed to these attacks.
To understand and counter account takeovers, researchers have delved into the mindset of hackers, who construct complex series of small tactical steps to gain access. They have also developed a new method to detect security vulnerabilities that make people susceptible to this type of fraud.
“The trick of looking over someone’s shoulder to find out their PIN is well known. However, the end game for the attacker is to gain access to the apps, which store a large amount of personal information and can provide access to accounts such as Amazon, Google, X, Apple Pay, and even bank accounts.”
– Dr Luca Arnaboldi, Associate Professor of Cybersecurity at the University of Birmingham, UK
The research highlights that most of today’s mobile phones support a complex ecosystem of interconnected operating systems and applications. As connections between online services have increased, so has the potential for hackers to exploit security vulnerabilities, often with serious consequences for the owner.
Traditionally, security vulnerabilities have been analyzed using “account access graphs,” which represent the phone, SIM card, applications and the security features that limit access at each stage.
However, these graphs do not adequately model account takeovers in which an attacker separates a device or application from the account ecosystem, for example by transferring the SIM card to a different phone. With the SIM card in a new phone, the attacker receives the victim’s SMS messages and can use SMS-based password recovery to take over accounts without ever learning the phone’s PIN.
Researchers have overcome this limitation by introducing a new approach to modeling how account access changes when devices, SIM cards, or apps are removed from the account ecosystem. Their technique, based on the formal logic traditionally used by mathematicians and philosophers, accurately represents the decisions a hacker faces when having access to a mobile phone and its PIN.
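To make the graph-and-removal idea concrete, here is a small model written for this page. It is an added illustration, not the Birmingham researchers’ formalism or code: every asset name (phone, pin, sim, second_handset, the app PINs, the account names) is an assumption, and the access rules are a constructed example ecosystem. Each target asset is granted by any one of several prerequisite sets; computing the closure of what an attacker holds shows which accounts fall, and subtracting an asset such as the SIM shows what the owner loses. A scripted “tactic” (an ordered list of acquisitions) replays the attacker’s steps in the way the interview below describes.

```python
"""
Toy account-access graph with asset removal. Added example for this page;
not the researchers' code. All asset names below are assumptions.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Target asset -> alternative prerequisite sets. Holding every asset in ANY one
# set grants the target (sets are OR-ed together, members of a set are AND-ed).
AccessGraph = Dict[str, List[FrozenSet[str]]]

# Constructed example ecosystem (hypothetical names).
GRAPH: AccessGraph = {
    "phone_unlocked": [frozenset({"phone", "pin"})],
    "sms_inbox": [
        frozenset({"phone_unlocked", "sim"}),   # normal path on the owner's handset
        frozenset({"sim", "second_handset"}),   # SIM moved into another phone
    ],
    "email_app": [frozenset({"phone_unlocked"})],
    "email_account": [
        frozenset({"email_app"}),               # already signed in on the device
        frozenset({"sms_inbox"}),               # SMS-based password recovery
    ],
    "shop_account": [
        frozenset({"email_account"}),           # e-mail password reset
        frozenset({"phone_unlocked", "shop_app_pin"}),
    ],
    # Banking app locked behind its own PIN, separate from the device PIN.
    "bank_account": [frozenset({"phone_unlocked", "bank_app_pin"})],
}


def reachable(graph: AccessGraph, start: Iterable[str]) -> Set[str]:
    """Least fixed point: keep adding any target whose prerequisites are all held."""
    have = set(start)
    changed = True
    while changed:
        changed = False
        for target, methods in graph.items():
            if target not in have and any(req <= have for req in methods):
                have.add(target)
                changed = True
    return have


def accounts_reached(graph: AccessGraph, start: Iterable[str]) -> Set[str]:
    """Only the account nodes of the closure (names ending in '_account')."""
    return {n for n in reachable(graph, start) if n.endswith("_account")}


def loss_from_removal(graph: AccessGraph, owner_holds: Iterable[str], asset: str) -> Set[str]:
    """What the legitimate owner can no longer reach once `asset` (e.g. the SIM) is taken."""
    before = reachable(graph, owner_holds)
    after = reachable(graph, set(owner_holds) - {asset})
    return before - after


def run_tactic(graph: AccessGraph, steps: List[str]) -> List[Tuple[str, List[str]]]:
    """Replay an attacker tactic (ordered asset acquisitions); record accounts gained after each step."""
    held: Set[str] = set()
    trace: List[Tuple[str, List[str]]] = []
    for step in steps:
        held.add(step)
        trace.append((step, sorted(accounts_reached(graph, held))))
    return trace


if __name__ == "__main__":
    shoulder_surf = ["phone", "pin"]        # watches the PIN, then takes the phone
    sim_swap = ["sim", "second_handset"]    # never learns the PIN at all
    for name, tactic in (("shoulder-surf", shoulder_surf), ("sim-swap", sim_swap)):
        print(name, run_tactic(GRAPH, tactic))
    print("owner loses after SIM removal:",
          loss_from_removal(GRAPH, {"phone", "pin", "sim"}, "sim"))
```

In this model the SIM-swap tactic reaches the same two accounts as the shoulder-surf tactic, which is exactly the case a plain access graph misses: nothing about the phone or its PIN was touched. The bank account stays out of reach in both runs because its app PIN is a separate prerequisite, the practice recommended at the end of the interview.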
Metro spoke to Dr. Luca Arnaboldi, Associate Professor of Cybersecurity at the University of Birmingham, UK, to find out more.
How does the takeover of an account occur?
Attackers can use several techniques to try to gain control of an account. According to DataDome, these are some of the most common:
Phishing
The attacker tricks potential victims into voluntarily revealing their information using a fake login page, emails posing as someone the victim knows, etc.
Credential stuffing
Using stolen or leaked credentials from one website or platform to attempt logins on many other websites, in the hope that the victim has reused the same password, is known as credential stuffing and is one of the most common techniques.
Brute-force bot attacks
The attacker deploys malicious bots to conduct a fast, high-volume brute-force attack against a website or application. Sophisticated bots can take over a significant number of accounts before being discovered, and can rotate through thousands or millions of IP addresses to evade per-address blocking.
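The two bot-driven techniques above leave different footprints in an authentication log, and the takeover itself usually shows as a success following failures from other addresses. The following detector is an added example for this page (not DataDome’s product or any vendor code): the log line format, the field names and the thresholds are assumptions, and the log lines are constructed sample data.

```python
"""
Minimal ATO signal detection over authentication log lines.
Added example; log format, field names and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log (not real data). alice: one account, many addresses.
# 198.51.100.9: one address, many accounts. harry: ordinary login.
SAMPLE_LOG = """\
2023-07-01T10:00:01Z login user=alice ip=203.0.113.1 result=fail
2023-07-01T10:00:02Z login user=alice ip=203.0.113.2 result=fail
2023-07-01T10:00:03Z login user=alice ip=203.0.113.3 result=fail
2023-07-01T10:00:04Z login user=alice ip=203.0.113.4 result=fail
2023-07-01T10:00:05Z login user=alice ip=203.0.113.5 result=fail
2023-07-01T10:00:06Z login user=alice ip=203.0.113.6 result=fail
2023-07-01T10:00:09Z login user=alice ip=203.0.113.7 result=ok
2023-07-01T10:01:00Z login user=bob ip=198.51.100.9 result=fail
2023-07-01T10:01:01Z login user=carol ip=198.51.100.9 result=fail
2023-07-01T10:01:02Z login user=dave ip=198.51.100.9 result=fail
2023-07-01T10:01:03Z login user=erin ip=198.51.100.9 result=fail
2023-07-01T10:01:04Z login user=frank ip=198.51.100.9 result=fail
2023-07-01T10:01:05Z login user=grace ip=198.51.100.9 result=ok
2023-07-01T10:02:00Z login user=harry ip=192.0.2.10 result=ok
"""

# Assumed line layout; adapt to the real IdP/WAF format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

Event = Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse matching lines into dicts; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events: List[Event], fail_threshold: int = 5, min_ips: int = 3,
           min_users_per_ip: int = 5) -> List[Tuple[str, str]]:
    """Return sorted (signal, subject) pairs. Events are assumed to be in time order."""
    fails: Counter = Counter()                       # failed attempts per user
    fail_ips: Dict[str, Set[str]] = defaultdict(set)  # addresses that failed per user
    users_per_ip: Dict[str, Set[str]] = defaultdict(set)  # accounts tried per address
    alerts: Set[Tuple[str, str]] = set()

    for e in events:
        user, ip = e["user"], e["ip"]
        if e["result"] == "fail":
            fails[user] += 1
            fail_ips[user].add(ip)
            users_per_ip[ip].add(user)
        elif fails[user] >= 1 and ip not in fail_ips[user]:
            # Success from an address that was not among the failing ones,
            # after failures: the classic takeover-completed signal.
            alerts.add(("possible_takeover", user))

    for user, n in fails.items():
        # Many failures on one account spread over several addresses:
        # brute force with IP rotation (brute-force bots above).
        if n >= fail_threshold and len(fail_ips[user]) >= min_ips:
            alerts.add(("distributed_bruteforce", user))

    for ip, users in users_per_ip.items():
        # One address touching many different accounts: a credential-stuffing
        # source (each account tried once or twice with a leaked password).
        if len(users) >= min_users_per_ip:
            alerts.add(("credential_stuffing_source", ip))

    return sorted(alerts)


def alerts_for(text: str) -> List[Tuple[str, str]]:
    return detect(parse_log(text))


if __name__ == "__main__":
    for signal, subject in alerts_for(SAMPLE_LOG):
        print(f"{signal}: {subject}")
```

The per-address counter is the one a rotating botnet defeats: at one attempt per IP the stuffing source never reaches `min_users_per_ip`, so in practice the per-user counters, the success-after-failure rule and device or session fingerprinting carry more weight than IP reputation alone. Thresholds here are deliberately low to keep the sample short.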
67% of ATO victims’ exposed data were used for unauthorized purchases.
Interview
Dr. Luca Arnaboldi, Associate Professor of Cybersecurity at the University of Birmingham
Q: How have you managed to “get into the minds” of hackers to counteract account takeover attacks?
– In cybersecurity, a common practice is to use attacker models to reason about threats. You create a capabilities model for what an attacker can and cannot do, and then reason about potential threats to a system using these capabilities. For example, an attacker can read any of your text messages if they have unlocked your phone, but they cannot break the end-to-end encryption; this way you can explore all the possible outcomes of certain scenarios given these options.
Q: Tell us more about the attackers’ behaviors.
– In this work we present the use of “attack tactics” that can be used to create programmatic examples of attacker behaviors to systematically test the security of users against a specific attacker. This allows us to evaluate the security of a user’s accounts or identify potential points of failure systematically and comprehensively.
Q: Which devices are the most and least vulnerable?
– I cannot comment on this, since we have not yet carried out an exhaustive study. It should be noted that security often depends on the user’s security options, and not always on the type of device. This is especially true because these accounts can often be accessed from different devices, such as phones and laptops.
Q: What advice can you give to mobile phone users to avoid becoming victims?
– Much of user security comes down to good security practices. For example, do not duplicate passwords, always look to see if someone is watching you while you type your PIN, etc. Some options that Android phones offer for securing certain apps behind password-protected folders (other than your PIN!) are great practices. But the most important thing is that you keep a record of access to your device.