Written By: Swaroop Sham of Okta
As you likely know, 2018 was not a good year for data security. In the first half of the year, there was a 133% increase in compromised company records compared to the first half of 2017, and an average of 291 records stolen every second. Unfortunately, just a few months in, 2019 has already seen a number of big-name corporate data breaches.
Part of the risk posed by data breaches is that they open the door to other threats to customer information, including account takeovers. We’ve seen this before—in the immediate aftermath of the Equifax breach, for instance, account takeovers were reported to increase by 53%. Account takeovers happen when hackers take control of a user’s account, gaining access to personal information, including their address and credit card details. This is problematic for any business that stores users’ credit card information, which hackers can then use to shop for items on the site. The results can be devastating.
The cost of account takeovers
Like data breaches, account takeovers are a growing phenomenon that is costly to businesses and consumers alike. Between Q1 and Q2 of 2018, account takeover attempts on mobile transactions rose 200%. In the same period, incidents on financial services rose 40%.
These types of attacks are particularly costly to the affected individuals. According to Javelin Study & Research, in 2017, compromised individuals paid $290 and spent 16 hours to resolve each account takeover instance—totalling a cost of $5.1 billion to consumers. For e-commerce businesses, account takeovers can also be costly as they may have to reimburse consumers for any fraudulent charges, a practice that can amount up to 8% of a retailer’s annual revenue.
How to mitigate account takeovers
When developing a strategy aimed at blocking account takeovers, prevention is key. Read on to learn three things you can do to protect your company and your customers from account takeovers.
Consider passwordless authentication
It’s an unfortunate fact that many people use the same credentials to log into different accounts. This password practice is a big part of what enables account takeovers, as it increases the likelihood that hackers can use compromised credentials to access sensitive information across accounts. As a prevention method, organizations should consider implementing passwordless practices like fingerprints or facial recognition, as well as modern authentication standards like WebAuthn, which remove passwords from the authentication experience. When organizations opt for these authentication methods, they help to mitigate the risk of stolen credentials, and minimize the chance of account takeovers.
Implement adaptive multi-factor authentication
For organizations where passwordless authentication is not yet possible, the next best option is to use adaptive multi-factor authentication (Adaptive MFA) as a security measure. This approach monitors the user’s login behavior on the basis of location, device, network, and more to determine which authentication methods to use. If the risk factor is high, then the user would be asked to submit an additional identifying factor such as a TOTP code or a one-time password.
In retail or e-commerce settings, this is particularly effective as hackers will often change details, including the shipping or email address, associated with the account. By reacting to that type of change and requesting an additional factor, adaptive MFA can better protect a customer’s sensitive data.
Additionally, companies can design custom rules for when MFA should be used. For instance, some companies require that users answer a security question or provide an SMS code in their first login of the day. Other institutions, like banks or healthcare centers, may ask for multiple factors at every login.
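To make the adaptive MFA behavior described above concrete, here is an added example of a small risk-based policy evaluator; it is constructed for this article and is not Okta's product code. The signal weights, the high-risk threshold, the sensitive profile fields, and the "retail" and "bank" policy names are all assumptions chosen for illustration.

```python
# Constructed example: an adaptive MFA policy evaluator (not Okta's product code).
from dataclasses import dataclass

# Assumed weights and threshold; a real deployment would tune these from its own data.
WEIGHTS = {"new_device": 2, "new_country": 3, "new_network": 1, "sensitive_change": 3}
HIGH_RISK = 3
SENSITIVE_FIELDS = {"shipping_address", "email", "phone"}  # account details attackers tend to edit


@dataclass(frozen=True)
class LoginContext:
    """Signals observed on the current login attempt."""
    country: str
    device_id: str
    network_asn: str
    first_login_today: bool = False
    changed_fields: frozenset = frozenset()  # profile fields edited in this session


@dataclass
class UserHistory:
    """Locations, devices and networks previously seen for this account (constructed sample data)."""
    countries: set
    devices: set
    asns: set


def risk_score(ctx: LoginContext, history: UserHistory):
    """Score the attempt from location, device, network and account-detail changes."""
    score, reasons = 0, []
    if ctx.device_id not in history.devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if ctx.country not in history.countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    if ctx.network_asn not in history.asns:
        score += WEIGHTS["new_network"]
        reasons.append("new_network")
    for name in sorted(ctx.changed_fields & SENSITIVE_FIELDS):
        score += WEIGHTS["sensitive_change"]
        reasons.append(f"changed:{name}")
    return score, reasons


def required_factors(ctx: LoginContext, history: UserHistory, policy: str = "retail"):
    """Return the ordered list of factors to demand for this login."""
    factors = ["password"]
    if policy == "bank":  # custom rule: several factors at every login
        return factors + ["totp", "push"]
    if ctx.first_login_today:  # custom rule: an extra factor on the first login of the day
        factors.append("sms")
    score, _reasons = risk_score(ctx, history)
    if score >= HIGH_RISK:  # high risk: step up with a TOTP code
        factors.append("totp")
    return factors
```

Run `required_factors` with a `LoginContext` whose `changed_fields` includes `"shipping_address"` to see the retail-specific step-up fire even from a known device and location.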
Integrate security and user experience
At a time when user experience is a considerable satisfaction metric for all consumers, organizations should find ways to deliver seamless interactions with their products and services without compromising on security. Thankfully, organizations have access to tools and services that dramatically decrease the chance of an account takeover. Implementing additional authentication factors in a seamless way can give your customers peace of mind while they engage with your product, and ensure that you’re not the next company to make the headlines for all the wrong reasons.