How to Assess & Eliminate Points of Account Takeover Vulnerability in Your Security & Operations
There’s a lot of talk these days about identity theft in the digital market. That doesn’t mean consumers are listening, though.
According to one report, account takeover incidents rose 72% between 2018 and 2019, and grew by another 20% in 2020. But, at the same time, over 85% of consumers admit to having left personal information exposed while accessing bank accounts or other financial data.Learn more about account takeover fraud
What does this mean for businesses, though? Well, corporate entities present a much bigger, more profitable target for fraudsters. The danger to merchants could be growing at an even faster pace than most of us realize.
Corporate account takeover, or CATO, might be one of the leading risk factors facing businesses in coming years. It’s important that you take stock of your exposure by performing a comprehensive account takeover risk assessment.
- Fraud Blacklisting & Whitelisting: The Right Move for You?
- What are Velocity Checks? How Do They Stop Fraud Attacks?
- Fraud Detection: Here's How Merchants Can Stop Fraud in 2023
- Fraud Detection Machine Learning: a “Smart” Move for Retail
- Manual Review: Is it Really Necessary for Fraud Prevention?
- Detecting Credit Card Fraud in 15 Steps
Account Takeover Vulnerability: In Context
Before diving in, let’s take a minute and get a little bit of context regarding CATO.
Account takeover happens when one party (the fraudster) gains unauthorized access to someone else’s online account. Using that access, the criminal attempts to benefit by pretending to be the actual account holder.
Obviously, this would be a problem if it involved a consumer’s personal account. With corporate account takeover, though, scammers focus their attention on business organizations. A bad actor can hijack a corporate account to:
- Make purchases using the target’s corporate card or line of credit.
- Steal corporate data, including sensitive customer information.
- Gain access to other accounts, including those of C-level executives.
The inherent interconnectivity of corporate accounts can create holes in security. These weak points are then exploited by cybercriminals. Finding and fixing these points of account takeover vulnerability is the key to limiting CATO fraud.
Locating those vulnerabilities can be difficult, however. Some can be well hidden, while others are often overlooked because they hide in plain sight. Either way, most vulnerabilities can be traced back to three main areas: computer systems and networks, physical assets, and personnel. We’ll examine each of these sources individually and offer some suggestions on both identifying and mitigating their risk.
Point of Attack | Computer Systems & Networks
One of the main points of vulnerability for corporations is the systems their computers run on, and how those systems are interconnected. Any system that has access to the internet, either directly or indirectly, could be attacked.
This includes everything from corporate storage or processing units, all the way down to individual workstations. Even an organization’s private intranet may be a target.
Weak spots in any network usually stem from one of two sources: opportunistic attacks enabled by human error, or planned and targeted attacks.
Human error refers to things like accidentally sending an email to the wrong address, mistakenly responding to a phishing attempt, or visiting a URL that downloads malware.
In contrast, targeted attacks from an outside source won’t rely on random human mistakes. Rather, they’re built on tricks like account testing (hoping to find a legitimate account through automated sending of emails to potential company addresses) or credential stuffing (large-scale attacks where bots fill in forms with username and password combinations until a match is found).
Assessment & Resolution
Remember: the key thing you’re looking for is accessibility from outside sources. You should evaluate not just whether an outsider can access internal networks, but also how much access each user has to other personnel or system data.
Regularly check for updates and patches to both operating systems and any installed software, and make sure you’re always using the most current version of all software. This includes any user-installed programs (if that is even allowed at your organization).
Go over access points to your network, both internal and external. Are there non-essential openings that could be closed? Do you have strong firewalls in place to limit outside interference? Are employees required to sign in with 2-factor authentication?
Here are some steps you can take to address and eliminate points of account takeover vulnerability in your systems:
- Provide ongoing education and training. Formal, mandatory training sessions should also stress the important role all employees play in reducing risks.
- Implement an ongoing schedule of comprehensive systems checks, making sure systems are up to date, no malware has been installed, and virus detection is active.
- Install advanced, dynamic firewalls to limit outside attacks without impacting intra- and inter-organizational data communication.
- Mandate 2-factor authentication for all employees to log in to the network, and require regular password updates.
- Discourage personal use of company computers and other devices. This would include installing non-approved software, using company email for personal communication, or accessing social media.
Point of Attack | Personnel
No one is perfect. Even your best employees might make occasional mistakes, or overlook one (or several) security best practices. Unfortunately, even a minor oversight might leave you vulnerable to corporate account takeover attacks.
Of course, not all oversights are innocent. In some cases, your team members might be leaving you deliberately exposed.
We spoke of human error earlier, but it is also possible to have personnel who are more explicitly causing issues. This could take multiple forms, but most scenarios come down to one of two issues: employees collaborating with scammers, or simply disregarding rules.
With an intentional attack, one of your employees is leveraging insider information for personal profit, either alone or working with an outside party. In contrast, deliberately opting to ignore digital safety mandates can be just as damaging. For instance, leaving one’s station unlocked while away can make for an easy ATO target.
Personnel risks can come from employees, but contractors and consultants should also be carefully considered. Any vendors or suppliers who may have access to your system would fall into this category.
Assessment & Resolution
While having trust in your people is important, there are levels of trust to consider when assessing personnel for account takeover vulnerability. Some factors that should be considered include:
- Tenure: How long has a worker been with the company? Do they have a track record of taking security protocols for granted?
- Interaction: How does your team interact? Security is often tighter when all employees collaborate closely. However, communication does present some additional vulnerabilities.
- Accountability: Are there mandatory checks and balances in place? Who is responsible — and accountable — for ensuring that security protocols are followed?
- Vetting: Is your pre-hiring process thorough enough? Are you researching candidates closely to ensure that they are who they claim to be, and that you aren’t hiring fraudsters in disguise?
A good program would include regular check-ins with staff, general tracking of performance records, and a system that regulates the amount of access any one person has. Also, hiring practices should be reviewed regularly. The more comprehensive your pre-hiring checks, the more likely issues will be identified prior to onboarding.
The only resource you need to become an expert on chargebacks, customer disputes, and friendly fraud.Download the Guide
Point of Attack | Physical Assets
This category is a little more vague than the previous two. That said, it’s very possible for corporate account takeover fraud to be initiated through a company’s physical assets: the presence, absence, or ineffectiveness of tangible objects.
Anything from an unlocked door to a password written down on a notepad could be a point of account takeover vulnerability. For example, if a fraudster can easily slip through an unsecured door, they may gain access to unmonitored devices and manage to take over the workstation.
It sounds like something out of a spy movie, but the reality is a lot more mundane. For instance, a maintenance worker might get access to your facility, notice an unsecured computer, and opportunistically take it over.
Assessment & Resolution
Some physical vulnerabilities can be easily assessed simply by taking note of existing systems:
- Are doors locked and alarms set?
- Are keyed entrances functional?
- Are security cameras well-placed and working?
- Do you have enough surveillance to sufficiently cover the area?
Other potential trouble spots may take ongoing monitoring, as well as education on problematic practices:
- Do employees allow entry by unidentified persons?
- Are papers or files with restricted information left exposed?
- Is sensitive information shredded and disposed of appropriately?
- Are machines ever left unlocked and unattended?
While education is an important factor, resolving on-site vulnerabilities starts with creating the best security policies. Any of the assessment issues above could be corrected, but that’s just the start. A strong policy and ongoing monitoring for security management are necessary for long-term risk mitigation.
Point of Attack | Your Customers
The final point of account takeover vulnerability is the base of loyal customers you’ve built up around your business. More specifically, how you handle the data they entrust to you in order to facilitate a personalized experience.
To enhance the consumer experience, many eCommerce businesses allow customers to create online accounts for shopping or for loyalty programs. This is especially true of recurring billing models that charge subscribers on a regular ongoing schedule.
Providing a personalized experience typically means the business stores the customer’s personal information, including credit card details. While there are regulations and mandates for keeping this information secure, it still presents a potential weak spot for ATO attacks.
If your security is not airtight, you’re opening the door to a potential data breach. Corporate account takeovers are a common fraud technique: the hacker hijacks an account, then uses those permissions to steal sensitive customer data from your secure server.
These attacks are hugely damaging to your reputation and public image. They can also make you liable for any damages that your customers suffer as a result.
Assessment & Resolution
Assessing the takeover risk of customer accounts starts with asking basic questions:
- Are customer account data standards as secure as other systems?
- The point of providing customer accounts is convenience. But, is access too easy?
- Do you offer alternative payment options, such as digital wallets, that rely on an outside provider?
- Are there safeguards in place to limit how much damage a fraudster could do?
Once you have made a complete account takeover risk assessment, you can start implementing a strategy to protect against attacks on your customers’ data. Protections may include requiring multi-factor authentication at sign-in, and deploying velocity checks and other account limitations to restrict what a fraudster can do if they manage to gain access.
Even if your systems are secure, consumer account takeover can still be a threat. Fraudsters use stolen cardholder data to make purchases at your online store. Once the crime is discovered, the cardholder may file a chargeback against you, even if you had nothing to do with the theft.
5 Tips to Limit Account Takeover Vulnerability Overall
We’ve talked about specific ways to address potential security vulnerabilities, but it’s important to have a formalized, written risk management strategy.
These guidelines should plot out how to identify existing vulnerabilities throughout the organization. Protection strategies should be formalized to increase oversight and mitigate risk.
In this exclusive guide, we outline the 50 most effective tools and strategies to reduce the overall number of chargebacks you receive.Get the FREE guide
A few points to ensure that you incorporate into this strategy include:
A Serious Threat… But Not the Only One
Corporate account takeover fraud represents a serious and growing threat to organizations. Remember, though: even consumer account takeover can hurt you.
Swindled account holders will not hesitate to file customer disputes and attempt to get lost money refunded. While you may not be liable for the actual refund, you’ll typically get stuck with fines, lost merchandise, and hit to your chargeback ratio.
Concerned about your organization’s vulnerability to CATO or other cyber threats? Talk to the experts at Chargebacks911®. Our team of risk management professionals are here to help.
What is account takeover vulnerability?
Account takeover vulnerability is a measurement of how exposed an organization may be to having an unauthorized user gain access to one or more accounts. This includes what security measures the company has in place, how easily accessed accounts are, and how much damage could be seen if any account was hacked.
What is the impact of account takeover vulnerability?
The more vulnerable the organization is to a cyber attack, the more likely it is that a hacker will be able to sneak through security measures. Accessing even one account can provide a door to the entire company’s data or finances.
What is corporate account takeover (CAPO)?
Corporate account takeover, or “CATO,” is a type of fraud attack by which the targeted account belongs to a business or other organization. Once an account is compromised, hackers may gain access to sensitive internal data or authorize fraudulent financial transactions.
Fraudsters often obtain access to corporate accounts by targeting employees with phishing attacks, phone scams, or malware. They may also create credentials based on information gleaned from social media sites.
What's the difference between identity theft and account takeover?
Account takeover attempts usually target accounts within an organization, allowing the fraudster to either make unauthorized purchases or transfers, or to leverage the information to gain deeper access to company files. With identity theft, hackers are using stolen personal details and essentially making new accounts by posing as the cardholder.