
Major Security Breaches

  • Account takeovers can result in massive losses
  • The attacks aren’t always that sophisticated, but they still succeed
  • Attackers impersonate privileged users through common methods and easily-acquired information
  • Biometric verification can lock out bad actors and prevent fraud while providing a friction-free path for legitimate users

With Digital Crime, It’s the Same-Old Same-Old

Cyber-crimes are like certain other terrible events: they happen so often that we have become almost numb to them, and so we rarely absorb the enormity of the consequences. Perhaps it has dawned on many of us, even the majority of us, that after so many data breaches, all the personal information we have striven to protect is already out there. It's on the dark web, it's on the servers of foreign adversaries, it's in the hands of very bad people. So it might sound reasonable to ask, what's one more breach? Our Social Security numbers and other PII have been stolen enough times that it no longer matters.

But now we’ve gone well beyond mere breaches. Certain state-sanctioned hackers steal information in order to commit fraud. Other foreign-based organizations have stolen huge stores of PII and have yet to use it, which makes us wonder, what is their plan? Still, unless we’ve personally received a notification from our carrier, our credit card company, our car dealer, that our PII has been exposed and we’ve been gifted a year’s worth of free credit checking, we hear the news of yet another intrusion of a data aggregator and we yawn.

The Evil Evolution of Account Takeovers

So what captures our attention now? We hear more and more about deepfakes, those AI-generated avatars that seem so very frightening. Innocent parents are fooled by deepfaked, hysterical voices of their children claiming to have been kidnapped and needing to be ransomed. Deepfake faces and voices of colleagues on a Zoom call convince a poor employee to wire tens of millions to what turns out to be a sinister destination. Deepfake politicians and celebrities spread harmful disinformation.

But most deepfake crimes are still one-offs. A more targeted kind of attack is wreaking havoc on companies and their customers in new and quite destructive ways: account takeover.

Compromising individual consumer identities allows fraudsters to steal, one bank account at a time. But compromising privileged users’ identities allows criminals to steal and disrupt on an industrial scale. Privileged users have the power to affect large numbers of employees and consumers, and when their accounts are taken over, huge volumes of data can be stolen, intellectual property can disappear, and ransomware can cripple entire infrastructures.

Account takeovers have always been a problem, although at the corporate level most solutions have been geared toward limiting the damage once an account is in the wrong hands (segmentation of access, time-bound or just-in-time access, strict role-based access) rather than preventing the takeover in the first place.

What has put account takeover in the news, and back in front of those for whom data breaches were no longer of interest, is their combination with ransomware and other ancillary attacks. These double-whammy assaults have resulted in widespread disruption of consumer and public services.

Account Takeovers – Nothing New But the Scope

In past years, untold numbers of individual users have been victimized by ransomware. Even visiting a seemingly innocuous site could result in one's personal computer being locked up. Clicking a URL where hackers had planted a trojan could bring up the dreaded message that "your files are being encrypted. Send money to this address to get the key." Sites that provided virtual pets, appliance documentation, weather reports and many other common destinations became unwitting delivery points for this kind of software.

But these don’t get in the news. What does are those incidents where entire facilities are taken hostage by ransomware and other intrusions. Companies with sensitive data are robbed, with the cyber-thieves threatening to release that data. The theft of intellectual property has been responsible for destroying companies.

The public’s view of “hackers” is often that of a scary-looking guy in a hoodie, huddled in a dark room in front of a computer and typing away until he is able to invade someone’s company system. And this still happens (maybe without the hoodie). But an even easier way through corporate defenses is posing as a trusted individual who has all the access needed to get at data, uncover IP, and even install ransomware at a level deep enough to do real damage.

How Account Takeovers Are Accomplished

So how do bad actors appear to be good ones? How do they take over those over-empowered accounts?
There are several methods, and they are often layered together to accomplish the task. None of them is cutting edge (although the defenses have definitely become more sophisticated); they rely on traditional approaches. Once the bad guys are inside, they follow up with equally traditional attacks. What has changed is the frequency and depth of these attacks.

So again … how does account takeover happen?

  • Phishing. If it ain't broke, why fix it? It's a numbers game: send out enough emails with malicious links or attachments and somebody will eventually click. The payload installs malware, and the account can then be driven from the victim's own machine; a keystroke logger or a look-alike login page captures the password and lets the fraudster take over the account directly.
  • Phishing, once more. Instead of taking the account outright through malware, the intruder learns enough to attempt a takeover through other channels. That information feeds those other attempts: usernames, colleagues' names and roles, and personal details that can be used for impersonation.
  • Spear phishing. Here the criminals have specific targets in mind: executives with access to high-level or sensitive data, or IT professionals with access to backend systems and identity infrastructure.
  • Password resets. Fraudsters frequently assume privileged users' identities through the very processes meant to thwart them. Forgotten-password flows are common attack points: they may rely on security questions whose answers were gleaned through phishing or are simply public. In several high-profile incidents, the personal data gathered this way was detailed enough for fraudsters to impersonate the compromised users to other IT staff, who then "helped" the fraudster gain total control of the target account.
  • Help desk. In smaller organizations where everybody knows each other, help desk staff may take a call and reset a password by hand. Deepfaked voices have made this riskier still. If the help desk verifies callers only through security questions, and the answers have been acquired through phishing, the fraudster earns enough trust to have the password reset for them, and now they own the account. A help desk that never resets a privileged account on a caller's say-so alone, and instead calls back a number on file or requires a supervisor or in-person step, closes this path.
  • Device takeover. If access is tied to a particular device or phone number, this can be an even easier route. In a SIM swap, the criminal gets the carrier to move the privileged user's phone number onto a SIM the criminal controls; SMS one-time codes and reset links then arrive at the criminal's handset, which is used to get into systems that trust that number. SIM swaps are pulled off through insiders at the telco, or through an over-friendly carrier help desk that falls for a crook's port request. Malware on a desktop can likewise let a criminal send requests or push further malware, such as worms or ransomware, into the corporate network through a trusted device, all in the background, without the desktop's owner knowing a thing.
  • Public Wi-Fi. There's a reason security professionals preach against using that free router, which may itself have been compromised. It's also common for criminals to set up their own access point and name it after your hotel or coffee shop. Once you're on it, its owner sits between you and the internet and can read anything sent in the clear, redirect you to look-alike login pages, or capture credentials if you click through a bogus certificate warning. Encrypted connections (HTTPS with a valid certificate, or a VPN) are what keep your login credentials out of their hands; the Wi-Fi itself offers no such protection.

So now you see how multiple techniques can be orchestrated to accomplish account takeover.
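Every path above except public Wi-Fi funnels into the same visible choke point in an organization's own logs: an account-recovery action (a help-desk or self-service password reset, an MFA factor change driven by a swapped SIM) followed shortly by a login from a device the account has never used. The script below is an added example, not authID's code or a real product's telemetry: it correlates those two events over a constructed log format and flags the login, rating privileged accounts higher. The event names, the 24-hour window and the sample lines are all assumptions made for the example.

```python
"""Added example: flag logins that follow an account-recovery action from a device
the account has never used. Log format, event names and sample lines are constructed
for this example and are not any vendor's real telemetry."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Recovery actions that the phishing, help-desk and SIM-swap paths all funnel into.
RECOVERY_EVENTS = {"helpdesk_password_reset", "self_service_password_reset", "mfa_factor_changed"}
WINDOW = timedelta(hours=24)  # how long a recovery action stays "hot" (assumed value)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str
    device: str       # device fingerprint; "helpdesk" marks operator-initiated actions
    privileged: bool  # account holds admin/backend rights


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO-8601 UTC> user=.. kind=.. device=.. priv=0|1'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"],
        kind=fields["kind"],
        device=fields.get("device", "-"),
        privileged=fields.get("priv", "0") == "1",
    )


def find_suspicious_takeovers(events: list[Event]) -> list[dict]:
    """Correlate recovery actions with the next login and compare the login device with
    devices seen in prior, unflagged logins. A flagged login is never added to the
    baseline; otherwise the attacker's first login would whitelist their device."""
    known: dict[str, set[str]] = {}       # user -> devices from trusted logins
    pending: dict[str, list[Event]] = {}  # user -> recovery actions awaiting a login
    alerts: list[dict] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind in RECOVERY_EVENTS:
            pending.setdefault(e.user, []).append(e)
            continue
        if e.kind != "login_success":
            continue
        seen = known.setdefault(e.user, set())
        # Drop recovery actions older than WINDOW relative to this login.
        recent = [r for r in pending.get(e.user, []) if e.ts - r.ts <= WINDOW]
        pending[e.user] = recent
        if recent and e.device not in seen:
            alerts.append({
                "user": e.user,
                "login_ts": e.ts.isoformat(),
                "device": e.device,
                "recovery": [r.kind for r in recent],
                "minutes_after_recovery": int((e.ts - recent[-1].ts).total_seconds() // 60),
                "severity": "high" if e.privileged else "medium",
            })
            continue  # do not baseline a suspicious device
        seen.add(e.device)
    return alerts


# Constructed sample log (not real data). jdoe is a privileged user hit via a help-desk
# reset; asmith does a legitimate self-service reset from a known phone; bwong's MFA
# change is two days before a new-device login; cwells' MFA factor is changed from an
# unseen device, the pattern a SIM swap enables.
SAMPLE_LOG = [
    "2024-03-01T08:00:00Z user=jdoe kind=login_success device=d-laptop priv=1",
    "2024-03-01T09:00:00Z user=asmith kind=login_success device=d-phone priv=0",
    "2024-03-01T09:30:00Z user=bwong kind=login_success device=d-desk priv=0",
    "2024-03-01T10:00:00Z user=cwells kind=login_success device=d-cw priv=0",
    "2024-03-02T08:05:00Z user=jdoe kind=login_success device=d-laptop priv=1",
    "2024-03-03T12:00:00Z user=bwong kind=mfa_factor_changed device=d-desk priv=0",
    "2024-03-04T09:15:00Z user=jdoe kind=helpdesk_password_reset device=helpdesk priv=1",
    "2024-03-04T09:22:00Z user=jdoe kind=login_success device=d-unknown-91 priv=1",
    "2024-03-04T10:00:00Z user=asmith kind=self_service_password_reset device=d-phone priv=0",
    "2024-03-04T10:03:00Z user=asmith kind=login_success device=d-phone priv=0",
    "2024-03-04T14:00:00Z user=cwells kind=mfa_factor_changed device=d-x priv=0",
    "2024-03-04T14:02:00Z user=cwells kind=login_success device=d-x priv=0",
    "2024-03-05T13:00:00Z user=bwong kind=login_success device=d-new priv=0",
]


def analyze(lines: list[str]) -> list[dict]:
    return find_suspicious_takeovers([parse_line(ln) for ln in lines])


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script raises two alerts (jdoe, high, seven minutes after a help-desk reset; cwells, medium, two minutes after an MFA change from an unseen device) and stays quiet for the legitimate self-service reset and the login that falls outside the window. The SIM swap itself happens at the carrier and leaves nothing in your logs; the recovery flow it enables is the signal you can act on.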

The Damage

In one notable incident, a large children's hospital in the American Midwest was attacked, shutting down admitting, billing, diagnostic and other systems and impairing its ability to deliver treatments and procedures; the criminals also obtained data which they claimed to have sold on the dark web for millions. The attacker was a known threat actor who regularly employs phishing to accomplish account takeover.
There have been many other notable intrusions, resulting in hundreds of millions in losses. It's one thing when your personal data may have been affected, but it's another thing entirely when an entire organization is suddenly unable to deliver its goods and services.

The Solution

Through phishing and breaches, criminals can know what you know, more than enough to impersonate you. Through SIM swaps and simple theft, criminals can have what you have, and use that vector to gain access.

But criminals can’t actually be you. And that is the weakness in their attack. By forcing users to irrefutably assert their identities, you ensure that legit users achieve their access, and even those bad actors who have acquired personal information won’t be able to get inside.

Credentials, passwords and devices can all be stolen or copied. A biometric bound to a live person cannot be handed over. Fingerprint sensors are missing from many common devices, and voice is now too easily spoofed through deepfakes, so facial biometrics is the optimal route. A platform that verifies a user's face is live and present, not a deepfake, a printout or a screen, can provide assurance that only the legitimate individual gains access.

Powerful accounts in the wrong hands can only bring disaster. Strong identity assurance keeps those accounts under the control of the right people, so they can do the right things for their employers, employees, and users.

authID has created useful summaries of just a small number of these kinds of attacks, as cautionary tales. These represent our perspective on some of the largest and most damaging account takeover incidents of the last year. We outline how they were accomplished, the extent of the losses, and how they could have been prevented with strong biometric identity verification.

You’ll also learn how authID protects the enterprise from fraud, while easing the path to access for legitimate users.

Some of the Top Financial, Medical and Hospitality Brands Trust authID

Beem, Hamilton Reserve Bank, ABM, ABR American Board of Radiology, PickleJar, Syntrove, Intellicheck, Kompliant, KaiaSoft, IDMWORKS, EinStrong Foundation, ShotPro

According to the IBM Cost of a Data Breach Report 2023

The average data breach in 2023 cost $4.45M globally, and $9.48M in the US. Strong biometric verification helps stop the account takeovers behind many of them.

Set up a free 30-day trial today to help prevent a data breach!

We will contact you within 24 hours to set up your demo.