It is relatively easy for hackers to gain access to a user’s account. Many websites and platforms require user login details for account security. Unsurprisingly, many account holders are prone to using the same information across platforms.
Identical login credentials create an opportunity for hackers to get into multiple accounts. A weakness or vulnerability exploited in one account often results in many others being taken over. Account takeovers generate negative attention for the brand; the loss of customers’ trust is a blow that is difficult to recover from.
Customers also need to prove the account takeover and take additional security measures, causing massive disruption to their lives. Consequently, their negative experience will be associated with the merchant’s brand.
Account Takeover Explained
One danger to modern online business is the account takeover. An account takeover occurs when a hacker gains access to a user account. The platforms targeted most often are eCommerce and financial technology companies.
The hacker gains access to accounts for their own financial gain. In some cases, the hacker will order products to be delivered to different addresses. In more severe cases, a hacker will gain access to money directly.
How Does an Account Takeover Happen?
Account takeovers happen when a hacker gains access to a user account. Hackers often obtain the credentials through malware such as spyware. An account takeover is hard to detect because the attacker is using the legitimate user’s own credentials.
The user is often buying products, making account changes, and performing business as usual. The challenge for the platform is separating regular user activity from the abnormal.
Account Takeover Method: The Breach
A standard method for account takeover is a breach of the user’s account. Hackers obtain user account data through malware such as spyware. The stolen login credentials are then used to break into accounts across a wide variety of platforms.
The damage is compounded by the prevalence of identical login details across accounts. These usernames and passwords are then sold to other hackers to commit further fraud against vulnerable accounts.
Account Takeover Method: Cracking
Some account takeovers are the result of brute-force attacks. In this type of account takeover, bots submit commonly used passwords to force their way into an account. This method takes advantage of users who choose simpler passwords for their accounts.
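The two methods described above (stolen credentials replayed across many accounts, and repeated password guesses against one account) leave different footprints in a platform’s login logs, and the text notes that separating this activity from normal use is the merchant’s main challenge. The following detection script is an added example, not code from the article or from IDstrong; the log format, thresholds, user names and addresses are constructed for illustration. It flags an account receiving many failures in a short window (cracking), a single source failing against many different accounts (credential stuffing), and any successful login from a flagged source, which is the account most likely to have been taken over.

```python
"""Added example (not from the original article): flag brute-force and
credential-stuffing login patterns in authentication logs.

The log format, thresholds, addresses and user names below are constructed
for illustration; adapt them to the platform's real logging.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <OK|FAIL> user=<name> ip=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=5)
FAILS_PER_ACCOUNT = 5   # cracking: repeated guesses against one account
ACCOUNTS_PER_IP = 4     # stuffing: one source trying many different accounts

# Constructed sample log (RFC 5737 documentation addresses, made-up users).
SAMPLE_LOG = """\
2024-03-01T10:00:00 FAIL user=carol ip=198.51.100.9
2024-03-01T10:00:20 FAIL user=carol ip=198.51.100.9
2024-03-01T10:00:45 FAIL user=carol ip=198.51.100.9
2024-03-01T10:01:10 FAIL user=carol ip=198.51.100.9
2024-03-01T10:01:40 FAIL user=carol ip=198.51.100.9
2024-03-01T10:02:05 FAIL user=carol ip=198.51.100.9
2024-03-01T10:02:30 OK user=carol ip=198.51.100.9
2024-03-01T10:05:00 FAIL user=alice ip=203.0.113.7
2024-03-01T10:05:10 FAIL user=bob ip=203.0.113.7
2024-03-01T10:05:20 FAIL user=dave ip=203.0.113.7
2024-03-01T10:05:30 FAIL user=erin ip=203.0.113.7
2024-03-01T10:05:40 FAIL user=frank ip=203.0.113.7
2024-03-01T10:05:50 OK user=grace ip=203.0.113.7
2024-03-01T10:10:00 FAIL user=alice ip=192.0.2.5
2024-03-01T10:10:20 OK user=alice ip=192.0.2.5
2024-03-01T10:12:00 OK user=bob ip=192.0.2.44
this line is not a login record and is skipped
"""


def parse_log(text):
    """Parse lines into (timestamp, result, user, ip) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"],
                           m["user"], m["ip"]))
    return sorted(events, key=lambda e: e[0])


def peak_count(timestamps, window):
    """Largest number of events falling inside any span of length `window`."""
    best = left = 0
    for right, ts in enumerate(timestamps):
        while ts - timestamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def peak_distinct(items, window):
    """Largest number of distinct values in any span of length `window`.
    `items` is a time-sorted list of (timestamp, value)."""
    best = left = 0
    seen = Counter()
    for ts, value in items:
        seen[value] += 1
        while ts - items[left][0] > window:
            old = items[left][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            left += 1
        best = max(best, len(seen))
    return best


def detect(events):
    """Return (rule, key, detail) alerts for the patterns described above."""
    fails_by_user = defaultdict(list)     # user -> [timestamp]
    fails_by_ip = defaultdict(list)       # ip -> [(timestamp, user)]
    ips_failing_user = defaultdict(set)   # user -> {ip}
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails_by_user[user].append(ts)
            fails_by_ip[ip].append((ts, user))
            ips_failing_user[user].add(ip)

    alerts, flagged_ips = [], set()
    for user, stamps in fails_by_user.items():
        n = peak_count(stamps, WINDOW)
        if n >= FAILS_PER_ACCOUNT:
            alerts.append(("brute_force", user, n))
            flagged_ips |= ips_failing_user[user]
    for ip, items in fails_by_ip.items():
        n = peak_distinct(items, WINDOW)
        if n >= ACCOUNTS_PER_IP:
            alerts.append(("credential_stuffing", ip, n))
            flagged_ips.add(ip)
    # A success from a flagged source is the account most likely taken over.
    for ip in sorted(flagged_ips):
        users = sorted({u for _, r, u, i in events if r == "OK" and i == ip})
        if users:
            alerts.append(("success_from_flagged_ip", ip, users))
    return sorted(alerts, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single typo by alice from 192.0.2.5 stays under both thresholds, while carol’s account and the source 203.0.113.7 are flagged; the follow-up alerts name carol and grace as the accounts that should be reviewed, reset, or re-challenged.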
How Can Account Takeover Harm Your Brand?
Account takeovers cause damage to brands. Users will often blame the platform for making it easy to hack. Even if the account is compromised through malware such as spyware, the platform is perceived as weak and unreliable. This may result in customers losing confidence in your company or avoiding your platform altogether.
While hackers gain access to accounts by exploiting weaknesses in user habits, customers nevertheless blame the brand for not enforcing stricter password requirements. Customers will also expect platforms to detect suspicious account activity.
Dangers to your Brand in the Long Term
Once a hacker finds a brand that is an easy target, they will continue targeting that platform. Multiple user accounts can be hacked at will. Once news of the vulnerability spreads, other hackers will start targeting the same brand. This results in a negative perception of your business that can last for years after the account takeover scam took hold.
In the long term, irreversible damage happens to the brand, and users will avoid the platform. The compensation that affected users expect becomes a financial burden. If the business does not make users whole for their losses, account takeovers turn into publicity nightmares. The lost revenue from previously loyal customers can be financially devastating to a business, because it costs a lot more to bring in new customers than to retain existing ones.
Profits can also decline because other users do not want to use a platform they now perceive negatively.
Additionally, other companies that you do business with may be too wary to maintain the relationship. If they find out that your platform suffered a malicious infiltration, they may back out of deals with you to avoid any negative association of their own.
Therefore, your long-term risks of account takeover are significant, including:
- The requirement to pay customers financial compensation for their losses
- The loss of existing customers and brand loyalty
- The loss of potential customers who otherwise would have done business with your company had the negative publicity not deterred them
- The loss of valuable business relationships
These potential long-term risks demonstrate the importance of identifying and preventing account takeover risks.
Bad for Customers
It’s hard for customers to prove an account takeover. Account takeovers often proceed through normal account activities. Many users make account changes and place orders. It is hard for a merchant to determine which cases are fraudulent.
Someone needs to pay for the goods or lost money. Customers will sometimes be liable for their own losses. In some cases, merchants may take responsibility if customers provide proof. Proving an account takeover is a complicated and often lengthy process.
In addition to the initial fraudulent charges, customers may also suffer from long-term financial consequences, including identity theft. Once their personal information is compromised, the criminals may use it to open new accounts that the customer is not even aware of. By the time they find out about these accounts, the criminals may have accumulated tens of thousands of dollars of debt or more in the victim’s name. Additionally, it can be a frustrating and time-consuming process for customers to recover their identity. Experian estimates it takes an average of six months and 200 hours for a consumer to recover their identity.
Protection from Account Takeovers
Neither customers nor merchants want account takeovers to happen. There are a few options when it comes to protection.
- As a user, use complex passwords incorporating upper and lower case characters. Browsers like Chrome offer users randomly generated passwords that are stored in the browser’s password manager.
- As a user, ensure that each account has a unique login.
- As a merchant, increase the complexity of password requirements. This means having users incorporate a combination (or all) of:
  - Upper case characters
- As a merchant, there is also two-step authentication. This means having the user provide a password, then having a code emailed or sent as a text message. The user needs to give this code to gain access.
- As a merchant, have the user answer an additional question. This could be their mother’s maiden name, the name of their first pet, or the first street they lived on.
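The merchant-side measures in the list above (a password policy enforced at registration, then a code emailed or texted as a second step) can be combined into one login flow. The following is an added example, not code from the article or from IDstrong: the policy values, the in-memory user and pending-code stores, and the `outbox` list that stands in for a real email or SMS gateway are all constructed for illustration. It goes slightly beyond the list by hashing stored passwords, giving the one-time code an expiry, and capping the number of code guesses, since an unlimited six-digit code would otherwise be a weak second step.

```python
"""Added example (not from the original article): a merchant-side login that
enforces a password policy at registration and requires a one-time code as a
second step. Stores are in memory and code delivery is a recorded outbox;
both are stand-ins constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

PASSWORD_MIN_LENGTH = 12   # constructed policy values
PBKDF2_ITERATIONS = 200_000
CODE_TTL_SECONDS = 300
MAX_CODE_ATTEMPTS = 3


def password_policy_errors(password):
    """Return the list of policy rules a candidate password violates."""
    errors = []
    if len(password) < PASSWORD_MIN_LENGTH:
        errors.append("too short")
    if not any(c.isupper() for c in password):
        errors.append("no upper case")
    if not any(c.islower() for c in password):
        errors.append("no lower case")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        errors.append("no symbol")
    return errors


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class LoginService:
    def __init__(self):
        self.users = {}      # username -> (salt, digest)
        self.pending = {}    # username -> (code_mac, expires_at, attempts_left)
        self.outbox = []     # (username, code): stand-in for email/SMS delivery
        self.clock = time.time
        self._mac_key = secrets.token_bytes(32)   # keys the stored code MACs

    def register(self, username, password):
        """Create the account if the password passes policy; return violations."""
        errors = password_policy_errors(password)
        if not errors:
            salt = secrets.token_bytes(16)
            self.users[username] = (salt, hash_password(password, salt))
        return errors

    def _code_mac(self, code):
        return hmac.new(self._mac_key, code.encode(), "sha256").digest()

    def start_login(self, username, password):
        """Step 1: verify the password; on success issue and 'send' a code."""
        record = self.users.get(username)
        # Hash even for unknown names so timing does not reveal which exist.
        salt, digest = record if record else (b"\x00" * 16, b"\x00" * 32)
        candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, digest):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[username] = (self._code_mac(code),
                                  self.clock() + CODE_TTL_SECONDS,
                                  MAX_CODE_ATTEMPTS)
        self.outbox.append((username, code))
        return True

    def finish_login(self, username, code):
        """Step 2: accept the code once, before expiry, within the guess cap."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        code_mac, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self.pending[username]
            return False
        if hmac.compare_digest(self._code_mac(code), code_mac):
            del self.pending[username]        # single use
            return True
        attempts_left -= 1
        if attempts_left == 0:
            del self.pending[username]        # force a fresh password step
        else:
            self.pending[username] = (code_mac, expires_at, attempts_left)
        return False
```

In use, `register` returns an empty list when the password is acceptable, `start_login` returns `True` and appends the code to `outbox` when the password matches, and `finish_login` returns `True` only once for a correct, unexpired code; three wrong guesses or a timeout discard the code and send the user back to the password step.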
Account takeovers are damaging to a brand and inconvenient for users. Both merchants and their customers can take steps to prevent these attacks. More complex login details and additional authentication steps make it harder for hackers to access accounts. The shift to eCommerce and online finance has created an opportunity for fraudsters to make quick money. The solution to this problem is increasing vigilance for brands and customers alike.
David Lukić is an information privacy, security, and compliance consultant at IDstrong.com. The passion to make cyber security accessible and interesting has led David to share all the knowledge he has.