The Fraud Blog with Tracy Kitten

Account Takeovers Get More Sophisticated Why Advanced Authentication Is Essential

Account takeover techniques are getting more sophisticated. Now, attackers no longer need to use phishing, vishing and smishing attacks to get users to cough up their account logins and passwords.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

Instead, attackers known as carder gangs are using what are commonly known as "account checkers" to grab usernames and passwords directly from online merchants' e-commerce sites. These gangs are then stealing accountholders' names, addresses and credit and debit card information.

Logins and passwords have clearly become inadequate forms of authentication. 

It's a big and growing business.

Automated Testing

A once-contained Vietnamese rootkit, designed to run script that automates username and password testing on e-commerce sites, is now spreading through underground forums and message boards. Within recent months, several online merchants have reported account takeovers and fraud linked to compromised credentials. Those compromises are believed to be linked to the use of the Vietnamese rootkit.

Akamai Technologies, the web security firm that discovered the rootkit in the fall of 2012, says these account-checker or automated credential-testing attacks exploit the inherent vulnerability of logins and passwords.

Logins and passwords have clearly become inadequate forms of authentication.

Insecure User Behavior

Too many consumers use the same usernames and passwords for account access across multiple e-commerce sites as well as online-banking sites. So when attackers find a login and a password that works for account access on one site, they often discover those same credentials work for account access on other sites as well.

Until e-commerce sites, online banking sites and others drop the archaic username and password method of authentication, we can expect account-checker attacks to become more common and more successful. It's time to require more sophisticated forms of authentication, such as fingerprint scanners or a verification code sent via SMS/text to a mobile device, before transactions are confirmed.

Technical Controls Available

The script for the Vietnamese rootkit is well-written, Mike Kun, a security response engineer with Akamai, tells me. The authors behind it have made it easy to use.

The good news is that there are some technical controls that can help an e-commerce sites slow the account-checking attack.

Rate controls, for instance, track login requests from an individual IP address. A threshold can be set for login requests made during a certain window of time. If too many requests are made, login to the account can be automatically blocked while the customer is notified of a potential takeover attempt.

Also, geo-blocking of certain IP addresses may be effective if the majority of the e-commerce site's users are based in a specific country or region. Geo-blocking is just what it sounds like - blocking traffic coming from IP addresses based in certain suspect countries.

"If it takes too long for the script to run through, then the attackers will stop and try to hit another target," Kun says.

Online merchants who notice that an address has been changed on an account need to promptly notify the customer because that could be a sign that the account has been compromised.

Most of the time, however, it's the customer who's notifying the merchant when they notice something in their account has been changed, or fraudulent charges to the account have been made, Kun notes.

"If the hacker accesses your account, and if you have a credit card stored there, then they can just use your card for purchases," Kun says.

So far, Kun says fraudsters seem to favor compromising accounts on sites, such as Amazon, where they can purchase gift cards, typically within the $50 to $100 range.

E-commerce sites also need to be on the lookout for numerous login attempts coming from the same IP address.

Account-checker attacks are straightforward and effective, and they eliminate the need for phishing. So we shouldn't expect to see these attacks stop anytime soon. That's why e-commerce sites need to come up with ways to enhance authentication, following the example of online-banking sites.



About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network