Consumers understand this, too. According to Experian’s 2021 Global Identity and Fraud Report, 55% of consumers say security is the most important aspect of their online experience.
At the same time, account takeovers (ATOs) are a major threat to that security. The same report states, “We’re already seeing an increase in account takeover attacks, which entail fraudsters using compromised usernames and passwords to commandeer consumer accounts.”
The 5 methods of ATO attacks
What are cybercriminals doing to compromise consumer accounts, and what can you do to prevent it? The following are five of the most common methods behind ATO.
Brute force attacks
Brute force attacks are “guess and check” attacks that exploit weak passwords. They can be performed online, by submitting guesses to a login endpoint, or offline, by testing candidate passwords against password hashes (one-way digests of passwords) exposed in a data breach; the offline form is not slowed by server-side rate limits and runs at whatever speed the attacker’s hardware allows. Short or common passwords fall in seconds, while long, random ones remain out of reach. Once a password is recovered, the attacker simply logs in as the user.
Credential stuffing
This tactic exploits our bad habit of reusing the same password across multiple accounts. In most cases, criminals start with large dumps of username and password pairs stolen from another site or purchased on the dark web. They then use bots to try those pairs across many different sites and apps, typically one attempt per account, so the traffic looks nothing like a classic brute force attack on a single login. In fact, reports say hackers targeted TurboTax with credential stuffing.
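The two patterns above leave different fingerprints in an authentication log, and telling them apart matters because the response differs: throttle or lock one hammered account, versus block a source and force resets on every account it succeeded against. Below is an added example, not code from the original post, that runs that distinction over a small constructed log; the line format, the IP addresses, the usernames and the thresholds are assumptions for illustration.

```javascript
// Added example, not code from the original post. It runs simple detection
// logic over a constructed authentication log (the "ip=... user=... result=..."
// format and the thresholds are assumptions) and separates the two shapes the
// text describes:
//   brute force          one source, ONE account, many guesses
//   credential stuffing  one source, MANY accounts, about one guess each
const SAMPLE_LOG = [
  // constructed: online brute force against "alice" from 203.0.113.5
  ...Array.from({ length: 12 }, (_, i) =>
    `2024-03-01T10:00:${String(i).padStart(2, "0")}Z ip=203.0.113.5 user=alice result=fail`),
  "2024-03-01T10:00:12Z ip=203.0.113.5 user=alice result=success",
  // constructed: credential stuffing from 198.51.100.7, one leaked pair per account
  ...["bob", "carol", "dave", "frank", "grace", "heidi", "ivan"].map((u, i) =>
    `2024-03-01T10:05:${String(i).padStart(2, "0")}Z ip=198.51.100.7 user=${u} result=fail`),
  "2024-03-01T10:05:07Z ip=198.51.100.7 user=erin result=success",
  // constructed: an ordinary user mistyping once, then succeeding
  "2024-03-01T10:09:00Z ip=192.0.2.10 user=judy result=fail",
  "2024-03-01T10:09:05Z ip=192.0.2.10 user=judy result=success",
].join("\n");

// Parse one event per line into { ts, ip, user, ok }.
function parseLog(text) {
  const re = /^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$/;
  return text.split("\n").filter((l) => l.trim()).map((line) => {
    const m = re.exec(line.trim());
    if (!m) throw new Error(`unparseable line: ${line}`);
    return { ts: m[1], ip: m[2], user: m[3], ok: m[4] === "success" };
  });
}

// Group by source IP and apply the two heuristics. Thresholds are assumptions.
function classifySources(events, opts = {}) {
  const { bruteMinFails = 10, stuffMinUsers = 5, stuffMaxAttemptsPerUser = 2, stuffMinFailRate = 0.8 } = opts;
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const findings = [];
  for (const [ip, evs] of byIp) {
    const attempts = new Map(), fails = new Map();
    for (const e of evs) {
      attempts.set(e.user, (attempts.get(e.user) || 0) + 1);
      if (!e.ok) fails.set(e.user, (fails.get(e.user) || 0) + 1);
    }
    // Any success from a flagged source is an ATO candidate for the responder.
    const compromised = evs.filter((e) => e.ok).map((e) => e.user);
    // Brute force: one account with many failures from this source.
    for (const [user, n] of fails) {
      if (n >= bruteMinFails) {
        findings.push({ ip, kind: "brute_force", users: [user], failures: n,
                        compromised: compromised.filter((u) => u === user) });
      }
    }
    // Credential stuffing: many distinct accounts, ~1 attempt each, mostly failing.
    const totalFails = [...fails.values()].reduce((a, b) => a + b, 0);
    const users = [...attempts.keys()];
    if (users.length >= stuffMinUsers &&
        evs.length / users.length <= stuffMaxAttemptsPerUser &&
        totalFails / evs.length >= stuffMinFailRate) {
      findings.push({ ip, kind: "credential_stuffing", users, failures: totalFails, compromised });
    }
  }
  return findings;
}

function analyzeSample() {
  return classifySources(parseLog(SAMPLE_LOG));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of analyzeSample()) {
    console.log(`${f.ip}: ${f.kind}, ${f.failures} failures, compromised=${f.compromised.join(",") || "none"}`);
  }
}
```

Run it with node. On the sample it flags 203.0.113.5 as brute force (12 failures, then a success on alice) and 198.51.100.7 as credential stuffing (8 accounts, 7 failures, erin compromised), and leaves the benign typo from 192.0.2.10 alone. In production the same logic runs over a sliding window, and stuffing detection benefits from distributing the counts across many source IPs, since botnets spread the load.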
Phishing and smishing
We’re all familiar with phishing, and yet many of us are still tricked by deceptive emails that lure us to well-spoofed sites. Once you enter your credentials there, the attacker has them. Spear phishing is the same technique aimed at specific individuals. Smishing simply swaps the fraudulent email for an SMS text.
Man-in-the-middle (MITM) attacks
There are many forms of these attacks, but all place the criminal between the user and the real site: the user is deceived into authenticating to a spoofed site, or into reading a password or code to the criminal over the phone or by text. The criminal then uses that information to log in as the user on the real site, often in real time. Because the relay happens live, a well-built MITM kit defeats many forms of multifactor authentication, such as SMS one-time passwords: the victim types the code into the fake page, and the attacker forwards it to the real one before it expires.
SIM swapping
Attackers persuade a mobile carrier to move a target’s phone number to a SIM card they control by posing as the account owner. Once they hold the number, they exploit weak SMS-based authentication to reset passwords on the victim’s accounts, receiving the SMS one-time passwords or magic links that were meant for the victim.
Indeed, the US Federal Bureau of Investigation recently warned that SIM swapping attacks are rising. This is what happened to Apple engineer Rob Ross, who lost nearly $1M when hackers took control of his number and accessed his cryptocurrency account.
Passwordless authentication eliminates ATO threats
ATO attacks have been a threat for years, and multiple solutions have been proposed. In the past, multi-factor authentication (MFA) using one-time passwords (OTPs) was considered best practice. However, as described above, OTPs can be relayed by MITM kits or redirected by SIM swapping. What are we to do?
The US Government recently issued guidance on the subject. In the January 26 memorandum on “Moving the US Government Toward Zero Trust Cybersecurity Principles,” OMB’s acting director Shalanda Young states, “MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach. However, many approaches to multi-factor authentication will not protect against sophisticated phishing attacks… Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government’s Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium (W3C)’s open ‘Web Authentication’ standard, another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services.”
Consumers face the same types of ATO threats as government agencies. Therefore, the security mechanisms used to protect consumer accounts against those threats must be at least as strong as those the government is mandating for itself. PIV, which relies on physical smart cards, is not a viable option for consumer accounts.
On the other hand, W3C’s Web Authentication standard, otherwise known as WebAuthn, is well suited for consumer accounts. WebAuthn enables passwordless authentication built on public key cryptography, with the user unlocking the key on a consumer device such as a mobile phone, typically with the device’s biometric or PIN. WebAuthn is the W3C half of FIDO2, the current set of specifications from the FIDO (Fast Identity Online) Alliance. Most modern mobile phones support FIDO today, along with an increasing number of tablets, laptops, and desktops. FIDO is mainstream, allowing for broad adoption in consumer-oriented use cases (i.e., Consumer Identity & Access Management, or CIAM).
Most importantly, FIDO-based passwordless authentication, when done right, resists every threat vector described above. There is no shared secret to phish, guess or replay: the private key never leaves the device, it is bound to the relying party ID of the site it was registered with, and the browser will only present it to that origin, so a look-alike domain cannot trigger it. Each login signs a fresh server challenge, so a captured response cannot be reused, and because nothing travels over SMS, a SIM swap has nothing to intercept. The scheme is as solid as the public key cryptography on which it is based.
Furthermore, this form of authentication is easier to use than passwords, especially passwords augmented by additional factors such as one-time passwords, hardware tokens, or push-to-authenticate prompts. FIDO and WebAuthn are one of those rare cases where users get better security and a smoother customer experience (CX) at the same time.
There are challenges with FIDO authentication for consumers. Not everyone uses a FIDO-compliant device. Some users are uncomfortable with biometric authentication on their devices, or with using those devices to sign in to online services, even though the biometric match happens locally and the biometric itself is never sent to the service. These scenarios can be addressed with the right passwordless CIAM solution.
We have a large, global retail customer that is implementing Transmit Security’s passwordless digital identity solution using FIDO authentication and fallback options that avoid reusable passwords. The fallback options include magic links and SMS one-time passwords. Those fallbacks do reintroduce some of the phishing and SIM-swap exposure described above, so they should be treated as the weaker path, rate-limited and monitored accordingly. It may be tempting to discard such an approach because not every customer will use FIDO and WebAuthn as their primary authentication method. However, given the alternative, reusable passwords with all of their insecurities and customer friction, a mixed model of FIDO authentication and non-FIDO fallback options is the practical route to better security and a better user experience.
The time is right for passwordless customer authentication. Research shows that consumers trust biometric authentication. Passwordless, FIDO-based authentication is more secure and easier to use, and most consumers carry a device that’s capable of making it work.