What is account takeover?
Account takeover is a type of fraud in which a cyber criminal uses a set of compromised credentials (an email address and password) belonging to an individual to take over his or her online identity. In most cases the criminal uses the known credentials to impersonate the individual: purchasing goods from e-commerce stores, wiring money out of banks and online payment gateways, requesting money from friends and family, hijacking cryptocurrency accounts and, in severe cases, obtaining lines of credit in the victim's name.
If you're reading this article, chances are someone hacked your accounts and gave you a very bad day or week, depending on the severity. The truth is, account takeover happens every second of every day on the internet, and you are not alone. I personally dealt with account takeover in May 2017 due to a lack of security at my mobile provider, T-Mobile. T-Mobile had a giant hole in their security which exposed a lot of records about their users, and numerous customers including myself were severely impacted. It is now January 2018, and I am still dealing with the fallout of the breach in my personal life and my own business.
Why is account takeover on the rise?
As more people join new apps, websites, and services online, account takeover is becoming an exponential problem. So much so that several states as well as Congress have recently introduced legislation that fines businesses for waiting long periods of time to disclose known data breaches to the public. It took Uber a full year to disclose a breach affecting 57 million user accounts, and during that time Uber's customers repeatedly saw charges on their credit cards for rides in Europe and Russia.
So what do data breaches have to do with account takeover? Data breaches and the credentials they expose are the primary driver of the growth in account takeover. Cyber criminals play a numbers game. It is far cheaper and faster for a criminal to take a very large list of exposed credentials and feed it into credential-stuffing software that can test 100,000 credentials per hour against a single website than to hack 100,000 computers individually. Because so many people reuse passwords, a meaningful fraction of the email and password pairs from one breach will open accounts at other sites. To boil it down, the lists cost a few hundred dollars to buy and the attack takes only hours to run.
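Seen from the defender's side, the attack described above has a recognisable shape in the login logs: one source tries a long list of different usernames, once each, and most attempts fail. The Python below is an added example (not code from the original article) that runs that detection logic over a constructed sample log, and it also separates credential stuffing from plain brute force (one username, many passwords), since the two call for different responses. The log line format is an assumption made for this example; adapt `parse_line()` to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from the article).  The line
# format is an assumption for this example:
#   <ISO timestamp> ip=<address> user=<login> result=<ok|fail>
# 203.0.113.7 runs a breached list (many users, one try each),
# 192.0.2.55 brute-forces one account, 198.51.100.4 is a normal user.
SAMPLE_LOG = """\
2018-01-10T12:00:00Z ip=198.51.100.4 user=bob@example.com result=fail
2018-01-10T12:00:09Z ip=198.51.100.4 user=bob@example.com result=ok
2018-01-10T12:00:10Z ip=203.0.113.7 user=alice@example.com result=fail
2018-01-10T12:00:10Z ip=203.0.113.7 user=carol@example.com result=fail
2018-01-10T12:00:11Z ip=203.0.113.7 user=dave@example.com result=fail
2018-01-10T12:00:11Z ip=203.0.113.7 user=erin@example.com result=ok
2018-01-10T12:00:12Z ip=203.0.113.7 user=frank@example.com result=fail
2018-01-10T12:00:12Z ip=203.0.113.7 user=grace@example.com result=fail
2018-01-10T12:00:13Z ip=203.0.113.7 user=heidi@example.com result=fail
2018-01-10T12:00:13Z ip=203.0.113.7 user=ivan@example.com result=fail
2018-01-10T12:00:14Z ip=203.0.113.7 user=judy@example.com result=fail
2018-01-10T12:00:14Z ip=203.0.113.7 user=mallory@example.com result=ok
2018-01-10T12:00:20Z ip=192.0.2.55 user=bob@example.com result=fail
2018-01-10T12:00:21Z ip=192.0.2.55 user=bob@example.com result=fail
2018-01-10T12:00:22Z ip=192.0.2.55 user=bob@example.com result=fail
2018-01-10T12:00:23Z ip=192.0.2.55 user=bob@example.com result=fail
2018-01-10T12:00:24Z ip=192.0.2.55 user=bob@example.com result=fail
2018-01-10T12:00:25Z ip=192.0.2.55 user=bob@example.com result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def classify_sources(log_text, min_attempts=5, window_seconds=60,
                     min_fail_ratio=0.6, stuffing_user_ratio=0.7):
    """Classify each source IP as 'stuffing', 'brute-force' or 'ok'.

    Credential stuffing looks like many distinct usernames, one attempt each,
    mostly failing; brute force looks like one username hammered with many
    passwords.  Both are flagged only when the burst reaches min_attempts
    inside window_seconds and mostly fails.  'hits' lists the accounts that
    succeeded inside a flagged burst: those are the takeovers to act on.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[1]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[0])  # stable sort: ties keep file order
        attempts = len(recs)
        span = (recs[-1][0] - recs[0][0]).total_seconds()
        failures = sum(1 for r in recs if r[3] == "fail")
        users = {r[2] for r in recs}
        verdict = "ok"
        if (attempts >= min_attempts and span <= window_seconds
                and failures / attempts >= min_fail_ratio):
            if len(users) / attempts >= stuffing_user_ratio:
                verdict = "stuffing"
            else:
                verdict = "brute-force"
        hits = [r[2] for r in recs if r[3] == "ok"] if verdict != "ok" else []
        report[ip] = {"verdict": verdict, "attempts": attempts,
                      "distinct_users": len(users), "failures": failures,
                      "hits": hits}
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately loose; in production you would key on more than the source IP (stuffing tools rotate through proxies), but the two successful logins inside the flagged burst are exactly the accounts whose sessions should be revoked and whose owners should be forced through a password reset.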
In 2017, exposed credentials from data breaches led to over $16 billion in damages from identity theft and account takeover fraud, and a good majority of those damages fell on working-class people. Over the past five years, hundreds of major US corporations have been breached, with a combined total of over 3 billion records exposed. This cyber security epidemic leaves consumers exposed to fraud and puts long-term business profitability at risk.
What can I do to protect myself against account takeover fraud?
Do not recycle passwords, and use a password manager:
Password reuse and bad password hygiene are another basic reason account takeover is so prevalent. People tend to rotate the same five passwords across every site, and hackers know this: a password taken from one breach gets tried everywhere else. Your best bet is to use a password manager such as 1Password, Dashlane, or LastPass. Generate a new, strong, random password for every account and keep it in the manager. Never reuse passwords.
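A practical check for whether a password you are tempted to reuse is already in the lists attackers buy: hash it with SHA-1, send only the first five hex characters of the hash to a breach-corpus service, and compare the returned suffixes locally, so neither the password nor its full hash ever leaves your machine. The Python below is an added example (not code from the original article) of that k-anonymity scheme, the one the Pwned Passwords range API uses. The corpus here is a constructed local stand-in with made-up counts so the example runs offline; `fake_range_lookup` and `LOCAL_BREACH_CORPUS` are assumptions for this example, and the `SUFFIX:COUNT` response format is taken from the public API.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a breach corpus (not real leaked data and not from
# the article): passwords that appear in practically every credential list,
# with made-up occurrence counts.
LOCAL_BREACH_CORPUS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "password123": 100_000,
    "letmein": 50_000,
}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix):
    """Offline stand-in for the Pwned Passwords range endpoint (assumption).

    The real endpoint takes the first five hex characters of a SHA-1 and
    returns one 'SUFFIX:COUNT' line for every known hash sharing that prefix.
    This builds the same response shape from LOCAL_BREACH_CORPUS.
    """
    lines = []
    for pw, count in LOCAL_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password, range_lookup=fake_range_lookup):
    """How many times the password appears in the corpus; 0 if unseen.

    Only the five-character prefix is handed to range_lookup, so neither the
    password nor its full hash leaves this process.  Pass a function that
    performs the HTTP request to use the real service.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def generate_password(length=20):
    """What a password manager does for you: a fresh random password per account."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("password123", "correct horse battery staple", generate_password()):
        n = breach_count(candidate)
        print(repr(candidate), "seen %d times, do not use" % n if n else "not in corpus")
```

A password that comes back with a non-zero count is already in the lists described above and should be treated as burned even if no account of yours has been hit yet.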
Do not use SMS for two-factor authentication:
SMS codes are only as safe as your phone number, and your number is only as safe as your carrier's account security. Use a pre-paid phone that is not attached to your real name for any service that uses SMS for 2FA by default. This is a surprisingly large number of services, and through them you can be easily targeted.
Protect online accounts where money can be transferred:
Use a pseudonymous email address that does not have your name in the personal info for any financial accounts, including your online banking, PayPal, Stripe, Braintree, Coinbase and other digital exchanges. I use Fastmail for this and it's only $80 for 3 years. That email address should not be used anywhere else on the web when signing up for accounts; it is just for financial accounts. Protect the mailbox itself with MFA, using U2F, since the password-reset emails for every one of those financial accounts land there. Use strong U2F YubiKeys: https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/
Remove connected financial accounts from digital asset exchanges:
Remove your PayPal and bank accounts from any digital asset exchange, or only connect them when you need to transfer assets. If attackers get into your exchange account while a bank account or PayPal is still linked, they can pull in the linked funds and then drain everything. Digital asset exchanges are not FDIC insured and there is no recourse with Bitcoin, ETH, or Litecoin: transfers are irreversible, so you will lose everything.
Use U2F and authenticator apps where possible:
Multi-factor authentication is really your best bet to protect online accounts. Be aware, however, that if attackers gain access to your mobile device they could wipe your authenticator app from it, so keep the backup or recovery codes each service gives you somewhere offline. Also, not every online account provider offers these options. Where a provider supports U2F, prefer it over an authenticator app: the key signs a challenge bound to the site's origin, so a phishing page on a look-alike domain cannot reuse the response.
Remove any personal information from social media:
Do not use your real name on Twitter, Facebook, or any social media. Remove your phone number, personal email, the websites or businesses you're involved with, and vanity URLs from these services. Set your privacy settings on LinkedIn to the highest level and remove yourself from public searches. Remove your "awesome" selfies and anything that could physically identify you on the web (hackers and criminals will photoshop your pictures onto IDs with your name). Replace profile pictures with pictures of mountains, cityscapes, etc. (Your friends still know who you are.)
Remove yourself, your emails, and your phone numbers from business websites (or opt out):
Get your personal info off the internet.
Google yourself and scrub/delete personal info from non-essential accounts:
Seriously, get rid of info about yourself online and delete accounts with personal info attached.