The Green Sheet

Tuesday, July 14, 2020

Stolen data flood dark web, ATO attacks soar

Security analysts are warning consumers and business owners to strengthen their anti-fraud defenses against a new wave of aggressive account takeover (ATO) attacks. A record-high trove of stolen credentials for sale on criminal forums underscores the need for multilayered security, experts say.

Technology writer Ionut Ilascu suggested that two-factor authentication alone is insufficient to protect against ATO fraud. In his July 9, 2020, post on bleepingcomputer.com, titled "Over 15 billion credentials in circulation on hacker forums," he proposed implementing multilayered security and other protections that make committing fraud not worth the effort for attackers.

"Protecting against ATO attacks is an easy task for normal users, who can pick strong, unique passwords and enable two-factor authentication (2FA) on services that support it," Ilascu wrote. "This does not eliminate the risk completely but makes it infeasible to attackers as the reward is not worth the resources."

Kevin Gosschalk, founder and CEO at Arkose Labs, agreed that removing the economic incentive deters fraudsters from launching attacks. "Our whole product philosophy is designed around this concept of increasing costs for bad actors," he said. "If we can make it cost more to break into a merchant's website or a bank or wherever they're trying to attack, and remove their return on investment from doing so, they will stop."

Merchants, consumers vulnerable

Ilascu also warned that businesses are far more exposed than individuals, because an enterprise has multiple points of failure: unpatched systems, repositories of sensitive data and employees with insufficient security awareness.

Will LaSala, director of security solutions and security evangelist at OneSpan, observed that up to 25 percent of the leaked credentials belong to banking and financial services accounts, making it easy for hackers to conduct ATO attacks on consumer financial accounts. "We have been watching the number of stolen credentials rise for over 20 years now," he said. "We should not be surprised that we have finally eclipsed the 15 billion credentials number."

WFH environments targeted

LaSala has also seen a spike in consumer fraud during the COVID-19 shutdown, which he noted has presented "a field day for hackers of all types, as digital customers are a prime target for cyberattacks."

Gosschalk stated that by pushing everyone out of stores and online, COVID-19 changed the economics for attackers; Arkose Labs has seen a 30 percent increase in online fraud since the pandemic shutdown began. "Having more people online means there are more people to abuse," he said. "Online phishing and spam attacks become more profitable for hackers during the current work-from-home environment, because they can target more people at once."

MFA, application shielding

LaSala went on to say that standalone authentication methods such as passwords, SMS codes or knowledge-based security questions leave users exposed, because attackers routinely get past a single layer of protection by exploiting the many weaknesses in mobile apps and web services.

Multifactor authentication combined with application shielding technologies makes applications harder to attack, LaSala stated. He added that banks can further protect customers by keeping their risk analytics up to date and continuously checking real-time transactions across all applications and channels for the anomalies and patterns that are hallmarks of an attack.
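The layering LaSala describes, a correct password is not the end of the decision, is easiest to see in code. The following is an added example, not code from the article, OneSpan or Arkose Labs: it runs two ATO checks over a handful of constructed login events. The first looks for credential stuffing (one source IP working through many accounts with a high failure rate, the pattern a 15-billion-credential dump produces when replayed), and the second questions logins that passed authentication but came from a device the account has never used or from an IP already flagged by the first check. The log format, the thresholds and the per-account device baseline are assumptions for the example.

```python
"""Account-takeover (ATO) pattern detection over login events.

Added example, not code from the article or from any vendor named in it.
Two checks layered over plain authentication results:
  1. credential stuffing: one source IP tries many distinct accounts in a
     short window, mostly failing, but occasionally succeeding;
  2. suspicious success: a login that passed authentication but came from a
     device the account has never used, or from an IP already flagged in (1).
Thresholds, log format and the device baseline are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real data):
# timestamp src_ip username result country device_id
SAMPLE_LOG = """\
2020-07-09T10:00:01Z 203.0.113.7 alice FAIL US dev-a1
2020-07-09T10:00:02Z 203.0.113.7 bob FAIL US dev-a1
2020-07-09T10:00:03Z 203.0.113.7 carol FAIL US dev-a1
2020-07-09T10:00:04Z 203.0.113.7 dave FAIL US dev-a1
2020-07-09T10:00:05Z 203.0.113.7 erin FAIL US dev-a1
2020-07-09T10:00:06Z 203.0.113.7 frank SUCCESS US dev-a1
2020-07-09T10:00:07Z 203.0.113.7 grace FAIL US dev-a1
2020-07-09T10:00:08Z 203.0.113.7 heidi FAIL US dev-a1
2020-07-09T10:00:09Z 203.0.113.7 ivan FAIL US dev-a1
2020-07-09T10:00:10Z 203.0.113.7 judy FAIL US dev-a1
2020-07-09T10:05:00Z 198.51.100.20 alice SUCCESS US dev-alice
2020-07-09T10:30:00Z 192.0.2.44 frank SUCCESS RO dev-zz9
2020-07-09T11:00:00Z 198.51.100.21 bob SUCCESS US dev-bob
"""

# Constructed per-account baseline of devices seen before (assumption).
KNOWN_DEVICES = {"alice": {"dev-alice"}, "bob": {"dev-bob"}, "frank": {"dev-frank"}}


def parse_events(text):
    """Parse whitespace-separated log lines into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result, country, device = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "user": user, "ok": result == "SUCCESS",
            "country": country, "device": device,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, window_s=600, min_users=8, min_fail_ratio=0.7):
    """Flag source IPs that hit >= min_users distinct accounts inside a sliding
    window of window_s seconds with a failure ratio >= min_fail_ratio.
    Returns {ip: {"distinct_users", "fail_ratio", "successes"}}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits window_s.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            ratio = sum(not e["ok"] for e in window) / len(window)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                f = findings.setdefault(ip, {"distinct_users": 0, "fail_ratio": 0.0, "successes": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["fail_ratio"] = max(f["fail_ratio"], ratio)
                # Accounts the burst actually got into: the ATO candidates.
                f["successes"] |= {e["user"] for e in window if e["ok"]}
    return findings


def detect_suspicious_successes(events, known_devices, stuffing_ips):
    """Successful logins that a password check alone accepts but that risk
    analytics should question: unknown device, or an already flagged source IP."""
    alerts = []
    for e in events:
        if not e["ok"]:
            continue
        reasons = []
        if e["device"] not in known_devices.get(e["user"], set()):
            reasons.append("new_device")
        if e["ip"] in stuffing_ips:
            reasons.append("stuffing_source")
        if reasons:
            alerts.append((e["user"], e["ip"], e["country"], tuple(reasons)))
    return alerts


def analyze(log_text=SAMPLE_LOG, known_devices=KNOWN_DEVICES):
    events = parse_events(log_text)
    stuffing = detect_credential_stuffing(events)
    alerts = detect_suspicious_successes(events, known_devices, set(stuffing))
    # Highest-confidence ATO: an account the stuffing burst got into that is
    # then used from a new device by a source other than the burst itself.
    stuffed_users = set().union(*[f["successes"] for f in stuffing.values()])
    likely_ato = {u for u, ip, _, reasons in alerts
                  if u in stuffed_users and "new_device" in reasons and ip not in stuffing}
    return {"stuffing": stuffing, "alerts": alerts, "likely_ato": likely_ato}


if __name__ == "__main__":
    result = analyze()
    for ip, f in result["stuffing"].items():
        print(f"credential stuffing from {ip}: {f['distinct_users']} accounts, "
              f"{f['fail_ratio']:.0%} failures, got into {sorted(f['successes'])}")
    for user, ip, country, reasons in result["alerts"]:
        print(f"suspicious success: {user} from {ip} ({country}) {reasons}")
    print("likely ATO:", sorted(result["likely_ato"]))
```

On the constructed input the stuffing check flags 203.0.113.7 (ten accounts, 90 percent failures, one hit on frank), and the second check flags frank's later login from an unknown device in another country. Neither the burst's one successful password nor the later login would be stopped by the password check alone; the correlation across events is what turns them into an ATO alert, which is the point of running risk analytics alongside authentication rather than relying on a single layer.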

"Hackers have all the information they need to attack billions of users today, but consumers and financial institutions can make things more difficult if the correct technologies are applied," LaSala added.
