Tuesday, July 14, 2020
Technology writer Ionut Ilascu suggested that two-factor authentication alone is insufficient to protect against ATO fraud. In his July 9, 2020, post on bleepingcomputer.com, titled "Over 15 billion credentials in circulation on hacker forums," he proposed implementing multilayered security and other protections that make committing fraud not worth the effort for attackers.
"Protecting against ATO attacks is an easy task for normal users, who can pick strong, unique passwords and enable two-factor authentication (2FA) on services that support it," Ilascu wrote. "This does not eliminate the risk completely but makes it infeasible to attackers as the reward is not worth the resources."
Kevin Gosschalk, founder and CEO at Arkose Labs, agreed that removing economic incentives can disincentivize fraudsters from launching attacks. "Our whole product philosophy is designed around this concept of increasing costs for bad actors," he said. "If we can make it cost more to break into a merchant's website or a bank or wherever they're trying to attack, and remove their return on investment from doing so, they will stop."
Ilascu also warned that businesses are extremely vulnerable to attacks because they may have multiple points of failure due to unpatched systems, repositories of sensitive data and insufficient employee security awareness throughout the enterprise.
Will LaSala, director of security solutions and security evangelist at OneSpan, observed that up to 25 percent of leaked credentials include banking and financial services data, making it easy for hackers to conduct ATO attacks on consumer financial accounts. "We have been watching the number of stolen credentials rise for over 20 years now," he said. "We should not be surprised that we have finally eclipsed the 15 billion credentials number."
LaSala has also seen a spike in consumer fraud during the COVID-19 shutdown, which he noted has presented "a field day for hackers of all types, as digital customers are a prime target for cyberattacks."
Gosschalk stated that by sending everyone out of stores and online, COVID changed the economics for attackers, and Arkose Labs has seen a 30 percent increase in online fraud resulting from the business shutdown due to the coronavirus pandemic. "Having more people online means there are more people to abuse," he said. "Online phishing and SPAM attacks become more profitable for hackers during the current work-from-home environment, because they can target more people at once."
LaSala went on to say that standalone authentication methods such as passwords, SMS texts or knowledge-based security questions can expose users to compromise, because hackers can easily get past single-layered protections by exploiting numerous holes and backdoors on mobile apps and the internet.
Multifactor authentication combined with application shielding technologies can further protect applications from being attacked, LaSala stated, adding that banks can protect customers by keeping risk analytics technologies up to date and continually checking real-time transactions across all applications and channels for anomalies and patterns that are hallmarks of an attack.
"Hackers have all the information they need to attack billions of users today, but consumers and financial institutions can make things more difficult if the correct technologies are applied," LaSala added.