Taking over someone else's online accounts has become one of the most common forms of online fraud. This article explains how it is done and how to avoid it.
What is Account Takeover?
Account takeover is a fraudster using a legitimate user's credentials to log in to and misuse that person's online accounts. The fraudsters obtain passwords in several ways: capturing them with keyloggers or phishing emails, or buying them from other criminals, often as lists harvested from earlier data breaches.
Once they have a username and password, they either sell the pair on underground forums or try to log in directly, and because people reuse passwords they commonly test the same pair against many different sites. They may also take over an account without the password at all by answering its security questions, which is easy when the answers can be found on social media or with a quick search.
Kinds of Account Takeovers
There are many forms of account takeovers, but I am going to explain some of the most common ones below:
Email Takeover
Passwords are guessed or stolen with malware and used to log in to another person's email account. Because that email address is the recovery contact for almost every other service the person has registered with, such as Facebook, PayPal or a bank, the attacker can then request password resets for those accounts and take them over as well.
Social Media Takeover
When a person's social media account is compromised, the attacker gains access to a large amount of private information. Friends and family trust messages that come from that account, so the attacker can also use it to phish them or to collect further details about the victim's personal life.
SMS Takeover
A phone number is not a secure identifier. An attacker who gains control of yours, for example by persuading your carrier to move it to a SIM they hold (a SIM swap), receives the one-time passcodes that services send by SMS. With your number, they can reset or log in to your email, bank or Facebook accounts and take them over.
Mobile App Takeover
Many applications, Angry Birds and WhatsApp among them, request permission to read your contacts. Some also request permission to read and write SMS messages; a malicious or compromised app with that permission can read the one-time codes sent to your number and pass them to an attacker, who then needs only your phone number and password to get in (these functions are not available on WhatsApp).
How Do People Normally Take Over Accounts?
There are many ways people can gain unauthorized access to your account. The key is to understand how you could lose control of them.
Guess
Sometimes it really is guesswork, and sometimes the guess is informed by other techniques, such as a phishing campaign or a software vulnerability that exposes the password.
Guessing succeeds most often when the owner chose a weak password: a dictionary word, a common word followed by a few digits, or a pattern that has already appeared in earlier breaches.
Steal
If a person's password has been stolen, it can be used directly to log in to their account. Theft typically happens through malware on the victim's computer or through an emailed link that leads to a fake website asking for their username and password.
Sniff
Sniffing is eavesdropping on network traffic to read what is being transmitted between two parties. On a public Wi-Fi network with no encryption, for example, an attacker can capture the usernames and passwords of anyone who logs in to a site over plain HTTP; a site served over HTTPS protects the credentials even on an open network.
Social Engineering
Websites often use security questions to verify that you are who you say you are, but an attacker who has collected private details about the victim, such as date of birth, mother's maiden name or favourite pet, can answer them and reset the password without ever knowing it.
This is why you should not answer these questions truthfully: the real answers can be used against you. Where a site insists on security questions, give a random answer to each and store it in your password manager so it cannot be looked up or guessed.
Takeovers can take place anytime and anywhere. They could happen when online at home or in a public WiFi environment (e.g. coffee shop). Therefore, it is essential to be aware of the risks while surfing the internet wherever you are.
Preventing Account Takeover
Here are some simple steps that can help prevent your accounts from being taken over by someone else:
2-Step Verification
When possible, enable this feature. It adds a second step to login: after your password, you must enter a one-time code, usually sent to your mobile phone. Codes delivered by SMS are better than nothing, but they can be intercepted by the SIM-swap and SMS-reading attacks described above, so prefer an authenticator app or a hardware key where the service offers one.
Passwords
Use complex and unique passwords that cannot be easily guessed or discovered by others. Do not write them down where they can be found (under your keyboard, for example), make them long (treat eight characters as a minimum; longer is better) and include upper and lowercase letters, numbers and symbols. Do not use dictionary words for your passwords!
Change a password immediately whenever you learn it may have been compromised, for example because the website suffered a data breach, and if you used that same password on any other website, change it there too: attackers try leaked credentials on other sites first. Changing passwords on a fixed schedule (every three months, say) matters far less than making every password unique.
Password Managers
These are great tools for keeping track of your passwords, and they add a layer of security: they generate a long random password (one you never need to know) for each site you use them on and fill it in for you.
They also keep all of those strong passwords unique, warning you when a new password matches one already saved in their 'vault'.
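The password rules above (length, character classes, no dictionary words, no reuse across sites) and the two jobs a password manager does (generate random passwords, flag reuse) can be written down as code. The following is an added example, not code from the original article or from any password-manager product; the word list and the vault are constructed for illustration, and the 12-character minimum is an assumption that is stricter than the eight characters the text gives as a floor.

```python
import secrets
import string

# Constructed stand-in for a real wordlist: a production checker would load a
# full dictionary and a breached-password list (assumption, not from the page).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "football", "dragon", "monkey", "summer"}
# Substitutions people use to "disguise" a dictionary word; undone before checking.
LEET = str.maketrans("@$013!", "asolei")


def contains_dictionary_word(password: str, words=COMMON_WORDS) -> bool:
    """'P@ssw0rd!' normalises to 'passwordi' and is still a dictionary word."""
    normalised = password.lower().translate(LEET)
    return any(word in normalised for word in words)


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return the problems found; an empty list means the password passes the policy."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return problems


def generate_password(length: int = 20) -> str:
    """What a password manager does: draw from a CSPRNG (secrets), never random.random()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, min_length=length):
            return candidate


def find_reused(vault: dict[str, str]) -> list[list[str]]:
    """Groups of sites sharing one password: one breach away from takeover of all of them."""
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def sites_to_reset(vault: dict[str, str], breached_site: str) -> list[str]:
    """After a breach at one site, every site that shares its password needs a new one."""
    leaked = vault[breached_site]
    return sorted(site for site, password in vault.items() if password == leaked)


if __name__ == "__main__":
    # Constructed vault for illustration; the passwords are deliberately bad.
    vault = {"bank": "Tr0ub4dor&3", "email": "Tr0ub4dor&3", "forum": "P@ssw0rd!", "shop": "Tr0ub4dor&3"}
    for site, pw in vault.items():
        print(site, check_password(pw) or "ok")
    print("reused:", find_reused(vault))
    print("reset after shop breach:", sites_to_reset(vault, "shop"))
    print("replacement:", generate_password())
```

The reuse check is the part people skip: a password that passes every complexity rule is still a single point of failure if it unlocks three accounts, and sites_to_reset is exactly the list you have to work through when one of them is breached.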
2-Factor Authentication (2FA)
Some websites offer this feature, which requires two forms of authentication instead of one: someone would need your username and password and a second piece of evidence before gaining access to your account.
That second factor can be a code sent to your mobile phone, a code from an authenticator app, or something you physically possess (a key fob or hardware token generator). A one-time code is valid only for a short window and is different for every login, so a stolen password on its own is not enough.
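The "token generator" and authenticator-app codes mentioned in the 2-Step Verification and 2FA sections are almost always TOTP (RFC 6238): a shared secret set up at enrolment and an HMAC over the current 30-second time step. The block below is an added example of the whole exchange, written for this page and not taken from the article or any particular service; the issuer name, account name and the plaintext password comparison are assumptions to keep the example short (a real service compares against a salted password hash).

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30 s steps since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side for clock
    drift, compare in constant time, and reject anything else (replayed or guessed codes)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, at // step + drift, digits), code):
            return True
    return False


def enrol(issuer: str, account: str) -> tuple[bytes, str]:
    """Enrolment: the service makes a random shared secret and hands it to the user's
    authenticator app, usually as a QR code of this otpauth:// URI."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"
    return secret, uri


def login(stored_password: str, secret: bytes, password: str, code: str, now: int) -> str:
    """Both factors must pass: a stolen password without the current code is refused.
    Assumption: plaintext comparison for brevity; a real service checks a salted hash."""
    if not hmac.compare_digest(stored_password, password):
        return "denied: bad password"
    if not verify_totp(secret, code, now):
        return "denied: bad or expired code"
    return "granted"


if __name__ == "__main__":
    secret, uri = enrol("ExampleBank", "alice")   # constructed issuer and account
    print("show this to the user once at enrolment:", uri)
    now = int(time.time())
    code = totp(secret, now)                       # what the authenticator app displays
    print(login("hunter2", secret, "hunter2", code, now))         # granted
    print(login("hunter2", secret, "hunter2", code, now + 120))   # expired code
    print(login("hunter2", secret, "hunter2", "000000", now))     # guessed code
```

The window of one step either side is the usual trade-off between tolerating a phone whose clock is a few seconds off and limiting how long a code that was phished or shoulder-surfed stays usable; a real service should also refuse to accept the same code twice.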
Browser Add-Ons
Many browsers support 'security extensions' that protect you while you surf. For example, the LastPass extension stores all of your passwords and logs you in to websites automatically when you click a button on its toolbar, so you never have to remember or type them.
It can also generate a random password for each site, so every account gets a unique one, and a manager that only fills in a password on the exact domain it was saved for doubles as a phishing check, since it will stay silent on a look-alike site. It offers other features too, such as secure notes and a form filler, so you need not type your address details again every time you submit a form online.
Anti-Virus/Anti-Malware Software
Ensure you have reputable anti-malware software installed and kept up to date on your mobile phone, tablet and desktop devices; keyloggers and SMS-reading apps are how passwords and one-time codes get stolen in the first place.
Cookies
Cookies are where websites keep your logged-in session as well as your tracking profile: anyone who copies a session cookie from your browser can use your account without your password, so log out of sites on shared computers and delete cookies you do not need, including the tracking cookies that exist only to send targeted advertisements back at you. You can view and remove stored cookies from the privacy or history settings of most web browsers.
Phishing
Before submitting any personal details online, check the page for spelling mistakes and check the address bar carefully. Phishers imitate genuine websites on look-alike domains that differ by a single character or that put the real name in front of a domain they control, so the test is whether the domain is exactly the one you expect (www.website.com and nothing else). The letter case of hTTps:// makes no difference, and HTTPS:// on its own proves nothing, because phishing sites obtain certificates too; it only means the connection to whoever owns that domain is encrypted.
Also, do not click on links sent in emails from senders you do not recognise, and be cautious about clicking on advertisements, as they can redirect you to fake websites. Reach the site by typing its address or using a bookmark instead.
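The address-bar checks in the Phishing section can be automated, and doing so makes it clear which parts of a URL matter. The block below is an added example written for this page, not code from the article; www.website.com is the placeholder the text itself uses, and the other hosts (evil.example, the punycode and Cyrillic look-alikes) are constructed to show the tricks being caught.

```python
from urllib.parse import urlsplit


def check_login_url(url: str, expected_host: str) -> list[str]:
    """Reasons not to type credentials meant for expected_host into this URL.
    An empty list means the address really is the expected site over HTTPS."""
    problems = []
    parts = urlsplit(url)
    # The scheme is case-insensitive, so hTTps and HTTPS are the same thing;
    # the only question is whether it is https at all.
    if parts.scheme.lower() != "https":
        problems.append("not https: credentials would travel in clear text")
    # 'https://www.website.com@evil.example/' logs in to evil.example: everything
    # before the @ is a username, not the host.
    if "@" in parts.netloc:
        problems.append("user@ prefix in the address hides the real host")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host.isascii():
        problems.append("host contains non-ASCII characters (possible look-alike letters)")
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode host label (internationalised look-alike)")
    # The test that matters: the whole host must match exactly. A subdomain of an
    # unrelated domain ('www.website.com.evil.example') or a one-letter change fails here.
    if host != expected_host.lower():
        problems.append(f"host is {host!r}, not {expected_host!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample addresses, as they might arrive in phishing emails.
    samples = [
        "https://www.website.com/login",
        "HTTPS://WWW.WEBSITE.COM/login",
        "http://www.website.com/login",
        "https://www.website.com@evil.example/login",
        "https://www.website.com.evil.example/login",
        "https://xn--wbsite-example.com/login",
        "https://www.w\u0435bsite.com/login",   # Cyrillic 'е' in place of Latin 'e'
    ]
    for url in samples:
        print(url, "->", check_login_url(url, "www.website.com") or "looks right")
```

Note that the last three samples would all show a padlock and HTTPS:// in the browser; only the host comparison tells them apart from the real site, which is why the padlock alone is not a phishing check.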