Walking through the exhibit hall this week at Black Hat USA 2023, the number of solutions for “Next Generation Threats” and “AI-Powered Adversaries” might reasonably lead you to believe that this is where a majority of cyber risk lies. Indeed, the fixation on well-resourced adversaries capable of doing novel and clever things is so ubiquitous that it might cause you to think that classic problems have been largely “solved.” This raises the question: With so many security vendors out there, why does Account Takeover (ATO) still occur?
Account takeover (ATO) attacks have recently surged, impacting 1 in 4 adults in the US. The primary culprit is credential stuffing, the rapid testing of username and password pairs harvested from previous breaches. What makes this attack vector particularly vexing is its source – not platform vulnerabilities or cryptographic flaws – but the widespread habit of users reusing credentials across sites.
Password reuse remains prevalent, despite the availability of password managers (with estimates ranging from only 22% to 45% of users using them). Credentials compromised on one site embolden malicious actors to attempt entry on many other platforms with the same username and password. Simple and free tools allow bad actors to perform this operation at remarkable speed and scale.
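The signature that distinguishes credential stuffing from ordinary failed logins is a single source cycling through many distinct accounts with a very low success rate inside a short window. The script below, an added example that is not code from the article or from Kasada, runs that heuristic over a few constructed log lines in an assumed format (`<timestamp> ip=<addr> user=<name> result=<ok|fail>`); the thresholds and the log format are assumptions, and the sample includes a mistyping human and a shared gateway so the success-rate check can be seen doing its job.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added illustrative example (not the article's or any vendor's code). Assumes a
constructed log format: "<iso-timestamp> ip=<addr> user=<name> result=<ok|fail>".
Heuristic: one source that tries many distinct usernames with a low success rate
inside a short window looks like automated credential stuffing; a human retrying
one account's password, or a shared gateway whose users all log in, does not.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample log lines (not real traffic, RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2023-08-09T10:00:00 ip=203.0.113.7 user=alice result=fail
2023-08-09T10:00:01 ip=203.0.113.7 user=bob result=fail
2023-08-09T10:00:02 ip=203.0.113.7 user=carol result=fail
2023-08-09T10:00:03 ip=203.0.113.7 user=dave result=fail
2023-08-09T10:00:04 ip=203.0.113.7 user=erin result=fail
2023-08-09T10:00:05 ip=203.0.113.7 user=frank result=ok
2023-08-09T10:01:00 ip=198.51.100.20 user=grace result=fail
2023-08-09T10:01:20 ip=198.51.100.20 user=grace result=fail
2023-08-09T10:01:45 ip=198.51.100.20 user=grace result=ok
2023-08-09T10:02:00 ip=192.0.2.9 user=heidi result=ok
2023-08-09T10:02:05 ip=192.0.2.9 user=ivan result=ok
2023-08-09T10:02:10 ip=192.0.2.9 user=judy result=ok
2023-08-09T10:02:15 ip=192.0.2.9 user=kim result=ok
2023-08-09T10:02:20 ip=192.0.2.9 user=lee result=ok
"""


def parse(lines):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.2):
    """Return {ip: summary} for sources whose behaviour matches stuffing.

    For each IP a window slides over its attempts in time order; the IP is
    flagged when any window covers at least min_users distinct accounts with a
    success rate at or below max_success_rate. The summary kept is the widest
    qualifying window, so the numbers describe the whole burst.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it fits the time bound.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            rate = sum(1 for _, _, ok in span if ok) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(span) > prev["attempts"]:
                    flagged[ip] = {"attempts": len(span),
                                   "distinct_users": len(users),
                                   "success_rate": round(rate, 2)}
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {summary}")
```

In the constructed sample only 203.0.113.7 is flagged: 198.51.100.20 targets a single account and 192.0.2.9 reaches five accounts but with every attempt succeeding, which is what a NAT gateway in front of real users looks like. In production the same logic would read from the authentication service's logs and feed a rate limiter or bot-mitigation layer rather than print.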
When security teams consider the threat of compromised credentials for internal privileged accounts, their first thoughts may rightly be implementing 2-factor authentication (2FA) as a safeguard against unauthorized logins. After all, this has been a hallmark of identity and access management when it comes to privileged accounts, to say nothing of its inclusion as a requirement in any number of compliance standards. Crucially, however, the best methods for protecting a privileged account aren’t necessarily the best methods for protecting customer accounts.
To be clear, this article doesn’t intend to advocate the abandonment of 2FA. Multi-factor authentication is undeniably an essential tool in the layered protection of privileged accounts. Instead, it critically assesses its applicability and value when countering ATO risks targeting customer accounts.
MFA: An Increasingly Targeted Vector
As multi-factor authentication (MFA) becomes more widespread, attackers increasingly focus on exploiting these added security layers in account takeover campaigns.
Despite the popularity of using text messages for delivering one-time passwords (OTPs), this method exposes these crucial passcodes to various vulnerabilities. Attackers can employ manual techniques, like phone porting and SIM swapping, to redirect SMS messages to devices they control. Additionally, more complex attacks involve SMS interception by exploiting weaknesses in legacy protocols like Signaling System No. 7 (SS7), man-in-the-middle attacks, and stingray-style cell interceptors.
Although OTPs generated through mobile apps (such as Google Authenticator) or hardware tokens offer improved security, they remain susceptible to exploitation. While these are often compromised through phishing and social engineering, security researchers have also documented a rise in OTP-interception-as-a-service providers. These services automate social engineering by sending their targets messages that suggest suspicious account activity and prompting them to enter their OTP. Users are more likely to comply since these messages don’t request victims’ usernames or passwords (which the attacker may already know from prior credential stuffing attempts).
1.5 Factor Authentication
There is a common thread here that OTPs don’t quite satisfy the classic definition of MFA. MFA is commonly defined as requiring a combination of:
- Something a user knows (such as a password)
- Something a user has (such as a keycard)
- Something a user is (biometrics)
OTPs are commonly considered “something you have” because users typically retrieve them from their device, such as an authenticator app or a password-generating fob.
On more detailed examination, however, we can see that one-time passcodes might be better defined as something a user KNOWS because it has been delivered through something the user HAS in their possession. Although the knowledge is short-lived, as is the passcode’s validity, this still leaves the information more susceptible to theft through user manipulation and social engineering than a physical keycard would be.
Mobile apps that use push notifications as a second factor align more closely with our definition of “MFA.” However, even these methods aren’t immune to attacks, like MFA fatiguing. This technique involves repeatedly attempting to log in with compromised credentials, bombarding the legitimate user with push notifications until they finally click “Yes, it’s me” in their authenticator app out of confusion, frustration, or by accident. MFA fatiguing has proven so effective that it has been attributed to breaches at major companies such as Microsoft, Cisco, and Uber.
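Two controls take most of the sting out of the push-bombing pattern described above: cap the number of unanswered prompts an account can receive in a window, and require number matching so a reflexive tap cannot approve a login the user did not start. The class below is an added example, not code from the article or from any authenticator vendor; it assumes an in-memory store and a hypothetical login flow that calls `issue_prompt()` once the password check succeeds and `resolve_prompt()` when the app replies.

```python
"""Throttle push-based MFA prompts and require number matching.

Added illustrative example (not the article's or any vendor's code). Assumes an
in-memory store and a hypothetical login flow: issue_prompt() is called after a
correct password, resolve_prompt() when the authenticator app answers.
Mitigation 1: after max_prompts unanswered prompts inside `window`, further
pushes are suppressed so the user is not bombarded and the flow can fall back
to deny-and-alert. Mitigation 2: the login screen shows a number the user must
type into the app, so "Yes, it's me" alone approves nothing.
"""
import secrets
from collections import deque
from datetime import datetime, timedelta


class PushPromptGuard:
    def __init__(self, max_prompts=3, window=timedelta(minutes=10)):
        self.max_prompts = max_prompts
        self.window = window
        self._recent = {}   # account -> deque of send times of prompts
        self._pending = {}  # account -> (prompt_id, expected_number)

    def issue_prompt(self, account, now):
        """Return ("sent", prompt_id, number) or ("suppressed", None, None)."""
        sent = self._recent.setdefault(account, deque())
        while sent and now - sent[0] > self.window:
            sent.popleft()  # forget prompts older than the window
        if len(sent) >= self.max_prompts:
            # Too many unanswered prompts: stop pushing; caller should deny
            # the login and alert rather than keep ringing the user's phone.
            return ("suppressed", None, None)
        sent.append(now)
        prompt_id = secrets.token_hex(8)
        number = secrets.randbelow(100)  # displayed on the login screen only
        self._pending[account] = (prompt_id, number)
        return ("sent", prompt_id, number)

    def resolve_prompt(self, account, prompt_id, entered_number, approved):
        """Return True only for a fresh prompt approved with the right number."""
        pending = self._pending.get(account)
        if pending is None or pending[0] != prompt_id:
            return False  # stale, unknown or replayed prompt
        del self._pending[account]  # one answer per prompt
        if not approved or entered_number != pending[1]:
            return False
        # A genuine, number-matched approval resets the fatigue counter.
        self._recent[account].clear()
        return True


def demo():
    """Walk through a push-bombing burst and a legitimate approval."""
    guard = PushPromptGuard(max_prompts=3)
    t0 = datetime(2023, 8, 9, 10, 0, 0)
    outcomes = [guard.issue_prompt("alice", t0 + timedelta(seconds=i))[0]
                for i in range(4)]
    status, pid, number = guard.issue_prompt("bob", t0)
    blind_tap = guard.resolve_prompt("bob", pid, (number + 1) % 100, True)
    status, pid, number = guard.issue_prompt("bob", t0)
    matched = guard.resolve_prompt("bob", pid, number, True)
    return outcomes, blind_tap, matched


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the fourth prompt to the bombarded account coming back as `"suppressed"`, a tap with the wrong number being rejected, and a number-matched approval succeeding. The window and cap are tuning knobs; what matters is that an attacker holding only the password cannot keep generating prompts indefinitely, and cannot turn an accidental tap into a session.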
Keep in mind that all of these attacks against multi-factor authentication are built on top of credential stuffing attacks, executed by inexpensive, large-scale botnets.
The Cost of Account Takeover Attacks
The examples in the previous section illustrate that 2FA/MFA is not a perfect solution. Undeniably, it’s of some value, but exactly how much? We know ATO attacks carry a variety of associated costs, such as fraud, chargebacks, and lost customer satisfaction – and it’s essential to weigh those against the value of a dynamic ATO mitigation solution.
Authentication leader Okta has reported that an estimated 34% of all login attempts are linked to credential stuffing attacks. This statistic should lead us to consider the staggering scale of unmitigated ATO attempts and the immense cost of servicing these login attempts – even when the 2FA challenge completely blocks the attack. Apart from the infrastructure expenses needed to handle these countless requests, the costs of 2FA challenges, especially those delivered via SMS, can be staggering.
With a truly effective bot mitigation solution, SMS costs can decrease by millions of dollars. One of our customers saved $6 million per month in SMS costs. While 2FA is surely doing its job in hindering the success of these attacks, the resources required to supply these services and infrastructure hardly paint a compelling picture of security ROI.
Although it’s challenging to quantify, we must also consider the cost of a poor user experience. Requiring users to authenticate their identity through multiple factors inherently adds complexity compared to a standard login. In cases of privileged enterprise accounts, this is generally an acceptable requirement. However, customers often have less patience. While users have learned to tolerate MFA challenges in sectors like insurance, banking, and healthcare, they are far less accommodating in highly targeted sectors like eCommerce, travel, and entertainment. In these industries, the cost of implementing MFA might not be measured in carrier charges for SMS, but in the total loss of a customer to competitors who don’t use MFA.
Automation: The Common Thread
While we’ve discussed a number of authentication-related topics in this article, there is a simple commonality: Account Takeover attacks remain remarkably successful, mainly due to their reliance on inexpensive automation and credential stuffing tools. Additional authentication factors offer some mitigation; however, these factors themselves are susceptible to attacks and carry both tangible and intangible costs.
When weighing mitigations for ATO attacks, it helps to borrow from the now-ubiquitous “shift left” idea. This idea centers on addressing issues as early as possible to minimize costs. Visualized, the further “left” on the timeline of an issue, the earlier and therefore cheaper it will be to mitigate. 2FA/MFA is about as far “right” as it gets on the timeline of an ATO attack: it engages only after the stolen credentials have already been submitted and accepted. The analogy is mitigating a rainstorm with an expensive dryer after getting drenched instead of using an inexpensive umbrella to stay dry.
By reframing ATO attacks as an automation challenge rather than as an authentication problem, we can shift left on the event timeline. In doing so, we can unburden the user experience, reduce costs by addressing the problem earlier in the timeline, and avoid implementing additional measures to compensate for the shortcomings of most 2FA/MFA implementations. While 2FA/MFA undeniably has a place in our layered account protections, it can be relieved of an enormous volume of work by identifying and mitigating these requests as unwanted automation.
Ultimately, ATO attacks are fundamentally bot attacks and must be treated as such.
Effective and Cost-Effective Security
Kasada is on a dedicated mission to combat bots by accurately identifying them as malicious automation that exploits legitimate services meant for genuine users. Rather than doing this through CAPTCHAs that inconvenience users to prove their humanity, Kasada detects the artifacts and indicators of automation invisibly.
Both effective and cost-effective, Kasada defends against Account Takeover attacks and thwarts other bot activity such as fake account creation, retail scalping, promotion abuse, and content scraping.
Request a demo to learn how Kasada can help protect your customers, align with your risk management “shift everywhere” initiatives, and alleviate the costs of your overworked authentication services and infrastructure.