What You Absolutely Must Know About Account Takeovers & Your E-Commerce

Think your user data is safe? Think again. High profile attacks have hit companies like Yahoo, eBay, Target, Equifax, Anthem, Home Depot, Sony’s PlayStation Network and even the U.S. Securities and Exchange Commission. Account takeovers and data breaches are simply facts of life in our e-commerce-driven 21st-century economy. But for a business, these security breaches are costly and can erode consumer confidence in both your brand and your processes.

Account takeover (ATO) is a fast-growing problem for businesses, driven largely by an increase in massive data breaches and phishing schemes. With billions of compromised credentials already in the hands of people intent on harm, businesses must protect their users’ accounts, their brand, and their bottom line.

During an account takeover, a bad actor gains access to a user’s account. With that access, the criminal can use the account for any number of opportunistic and malicious activities. What can be done with the information gained in these types of cyber attacks? Criminals can:

  • Change a user’s password, locking them out of their account
  • Change email addresses so the legitimate user doesn’t receive communication about new activity on their account
  • Expend stored credits or reward points to make fraudulent high-value purchases
  • Purchase digital goods
  • Scam other users
  • Send spam
  • Sell user credentials
  • Engage in identity theft

Frighteningly, hackers take the stolen username and password data leaked in third-party data breaches and test them across multiple websites, trying to find a match and gain access to other, potentially more fruitful accounts. For example, a small site that doesn’t even use credit card data is breached. The username/password data that is stolen is then used to try to access other accounts tied to a user’s financial information like Amazon, Uber, Postmates and more.

 
SamePasswordStat_v2.png
 

How often do people use the same passwords across a number of different sites? Too often. These credential stuffing attacks are challenging to protect against because even if a user has a relatively strong password, it doesn’t matter when the criminal has that password in their hands and can use it anywhere.

If a hacker is using stolen credit card information on a fake account or adding a compromised card number to a real user’s account, you and your company are potentially on the hook for chargebacks and lost goods.

The damage done by these attacks is extensive. It includes negative PR, brand damage, legal and compliance issues, financial losses, and more. Stolen credentials are a serious problem and these data breaches potentially compromise both your corporate data and customer data. While no business can completely buttress themselves against cyber-attacks, data breaches, and account takeovers, there are a number of ways you can keep your sensitive data safer.

First, multi-factor authentication provides some protection against credential stuffing and account takeovers, but it isn’t a sure thing and users tend to dislike it. Other practices that offer some protection of sensitive data include an encrypted database for stored passwords, restricting employee access, and ensuring your employees are using strong passwords and changing them often.

The reality is that hackers move in pace with our attempts to subvert them and it becomes a continual process of employing the latest method in protecting data. When you can detect an account takeover campaign as it’s happening, you’re able to protect critical customer data in real time.  Your e-commerce site can be set up to detect signs that an account takeover might be underway. Signs which indicate a potential attack include:

  • Login attempts from new devices/locations
  • Suspicious device configurations, like proxy or VPN setups
  • Buying more than usual or a shift from usual buying patterns
  • Changing settings, passwords, emails, shipping information and more
  • Multiple failed login attempts
  • Unusual logout attempts
  • Unusual interaction with the application

For instance, among the first things bad actors will do once they fraudulently accessed an account, is change the account email address so that a victim does not receive information and updates about their account changes. Your system can be set up to detect new email addresses, shipping changes, unlikely or unfamiliar domains, and other changes that suggest an attack is underway. In applying behavioral analysis on a large scale, you can examine all user activity across the network in order to get an accurate picture of how it usually appears and when it might indicate an attack.


Legacy tools such as web application firewalls (WAFs), which are architected to look at inbound traffic for attacks that take advantage of software defects, can’t prevent damage from account takeover, fraudulent transactions or the scraping of private data off ‘protected’ web pages.
— 451 Research (July 2016) - PATHFINDER REPORT: Web Threat Detection

Along those same lines, many companies are switching to usernames that are different from customer email addresses, making it more difficult to use one set of stolen username/passwords across multiple sites. Some companies have added layers of extra security like 2-factor authentication, email links, SMS codes, and captchas.

These beefed-up security measures offer a powerful tactic to prevent account takeovers but must be implemented in a way that does not disrupt your customer’s experience. You can even implement safeguards dynamically so that higher-risk activity triggers more layers of protection, giving you heightened security only where it is most likely needed.

Where data breaches and account takeover attempts are a concern, it isn’t a matter of if but when. While you can’t protect against every bad actor intent on breaking in, you can implement some smart safeguards that act as deterrents by making it harder and less convenient to access your sensitive data.

How TechSparq Can Help Identify Threats & Opportunities

Technology is changing the apparel industry at record speed. At TechSparq, we work exclusively within the retail industry to help companies just like yours identify threats and maximize opportunities. We understand the bot landscape, the possible implications on your e-commerce business, and your bottom line. 

With our industry knowledge, deep technical skills and agile approach, we can evaluate your current systems and processes to determine what threats are looming, how to continually mitigate them and how your company could be using bots to reduce cost and increase customer satisfaction.

 
 

To find out more about how the TechSparq team can reduce risk and smooth your company’s path to the future, reach out