Last month I highlighted the concerning rise in fraudulent log-ins and the huge increase we have seen in credential stuffing. Not good. Today we consider account takeover fraud. Juniper Research estimates the total cost of account takeover will have reached $25.6 billion in 2020. This is over a 50% increase from the $16.9 billion loss of 2019 and a 500% increase from the cost of $5.1 billion in 2017.
Consideration needs to be given both to the direct fraud cost and to the time cost of forensic assessment and lost customers. In relation to the fraud cost, the perpetrators use account takeover not only for the information held in the accounts themselves but also to power other downstream fraud, such as reselling personal data to third-party sites, laundering money or launching phishing scams. Juniper estimates that on average an account takeover has direct costs of $290. In relation to the cost of investigation, typically 9 working hours are spent on forensic investigation.
Will the problem continue?
Online accounts are here to stay. 42% of consumers say they are more inclined to spend money on a site if they have set up an account. At the same time, operators know that account holders visit more regularly, spend more and can be served personalised marketing more effectively, so the benefits of accounts are too great for them to go away, quite apart from regulatory requirements.
The main driver of password-based account takeover is the availability of freshly harvested credentials. For this reason, one of the highest priorities in the development of cybersecurity standards and good practice over the last 10 years has been to eliminate the large troves of users' credential data that attract attackers. To date, this objective has clearly failed: a large proportion of stored credentials remain unsalted, unhashed or otherwise inadequately secured.
Indeed, November marked a new low point when a known site for hacked data (Cit0Day) revealed a file containing 23,618 hacked databases comprising 13 billion fields. It is not yet clear how many of these duplicate the 15 billion records already in circulation, but some of the many smaller databases appear to be new. In the absence of a new solution, the outlook for future credential stuffing attacks and account takeovers looks bleak.
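To make the point about inadequately secured credentials concrete, here is an added example that is not part of the original post or of MIRACL's own code. It contrasts the weak pattern found in many leaked databases (a single fast, unsalted SHA-256 digest per password) with per-user salted PBKDF2-HMAC-SHA256 storage using only the Python standard library. The user records and the common-password list are constructed for the demonstration, and the iteration count is an assumption (the current OWASP-recommended minimum for PBKDF2-HMAC-SHA256) that you should tune to your own hardware.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, Optional

# Assumption: OWASP-recommended minimum for PBKDF2-HMAC-SHA256; raise it if your servers allow.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample data (not a real dump): three accounts, two of which reuse a password.
CONSTRUCTED_PASSWORDS = {
    "alice": "Summer2020",
    "bob": "Summer2020",
    "carol": "c0rrect-h0rse-battery",
}
# Constructed stand-in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "Summer2020", "qwerty"]


def unsalted_sha256(password: str) -> str:
    """The weak scheme seen in many breached databases: fast and unsalted,
    so every account with the same password stores the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_password_accounts(stored_digests: Iterable[str]) -> int:
    """Audit check: with no salt, equal digests mean equal passwords, so the
    number of accounts sharing a digest is visible without reversing anything."""
    counts = Counter(stored_digests)
    return sum(c for c in counts.values() if c > 1)


def precomputed_table_hits(stored_digests: Iterable[str], candidates: Iterable[str]) -> int:
    """Audit check: how many stored unsalted digests match one precomputed
    table of candidate passwords. A single table covers every account at
    once, which is why unsalted storage feeds credential stuffing."""
    table = {unsalted_sha256(p) for p in candidates}
    return sum(1 for d in stored_digests if d in table)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random per-user salt plus a slow key-derivation
    function, encoded as algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def audit_constructed_dump() -> dict:
    """Run both audit checks over the constructed unsalted records."""
    digests = [unsalted_sha256(p) for p in CONSTRUCTED_PASSWORDS.values()]
    return {
        "accounts_sharing_a_password": shared_password_accounts(digests),
        "accounts_hit_by_common_table": precomputed_table_hits(digests, COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    print("Unsalted store audit:", audit_constructed_dump())
    a = hash_password("Summer2020")
    b = hash_password("Summer2020")
    print("Same password, different salted records:", a != b)
    print("Verify correct / wrong:", verify_password("Summer2020", a), verify_password("Summer2021", a))
```

The two audit functions are the checks a defender would run over an existing credential table before a breach makes the answer public: if the same digest appears across accounts, or a small table of common passwords matches a meaningful fraction of records, the store is unsalted and needs migrating. The salted records produced by `hash_password` differ even for identical passwords, so no precomputed table applies across accounts, and `verify_password` carries the iteration count in the record so it can be raised over time without invalidating existing users.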
The good news is that, having spent many millions on research and development, we at MIRACL believe we have the solution to every form of password-based account takeover attack: from credential stuffing, which is the most common, to man-in-the-middle and malware relay attacks, which are more sophisticated, and social engineering attacks, which are harder to scale.
Crucially, we achieve this, while also improving the user experience, by providing a passwordless, single-step login that works on any device. Domino's, Experian and Credit Agricole are implementing this method in some of their processes. Could you too?