
Account Takeovers


What is it?

Since the beginning of 2023 I have seen several of these types of cases cross my desk, as well as the desks of some of my colleagues. An account takeover typically starts with a criminal actor obtaining a victim’s personal information, such as the following:

  • Full Legal Name
  • Date of Birth
  • Social Security Number
  • License Number
  • Full Legal Address
  • Common PIN or passphrase (for example the security PIN on a bank or mobile carrier account)
  • Information about Family Relations

This doesn’t seem like a lot of information, and quite honestly not all of it is needed to take over a victim’s account. But what do we mean when we talk about an “account takeover”?

An account takeover is when a criminal actor uses your personal information to socially engineer a financial institution or other company into believing that they are you. If they succeed, they can have new credit and debit cards issued, or have your mobile number moved to a phone or SIM they control (a SIM swap or port-out). It can also be a criminal actor finding your leaked credentials online and using them to log in and take over your online accounts directly.

The repercussions:

They are huge: the criminal actor now has access to your bank account to make purchases, withdraw funds, or close accounts and run with the money. Additionally, once your mobile number has been moved to a device they control, the criminal actor can reset the password on almost any online account that uses your mobile number for SMS-based two-factor authentication (2FA) or for account recovery.

For example, if a criminal actor successfully takes over your Verizon account and has a replacement device issued with your number, they can go to Facebook.com and request a password reset on your account using that telephone number. If they can do the same with your personal email address, they have free rein over nearly all of your accounts, because almost every other account resets its password through email, and they have effectively stolen both your real identity and your digital identity. I have seen cases where criminal actors use the account takeover to gain access to password vaults and then have free rein over every online account the victim has ever stored in their password manager.

How can I avoid this?

  1. Use a password manager with enhanced features: There are many password managers out there; personally I like Bitwarden. Bitwarden offers a basic free plan, but the paid personal version is less than $20 a year and adds features such as generating your TOTP one-time codes inside the vault rather than in a separate mobile app like Google Authenticator. A good password manager will generate a different random password for every online service you use and can check your stored passwords against known breach data. One caveat: if the vault holds both the password and the one-time-code secret, anyone who gets into the vault has both factors, so for the accounts that matter most (your email address and the password manager itself) use a hardware security key or a separate authenticator instead.
  2. Limit providing sensitive information: You cannot fully control where your information ends up in the digital world we live in. The businesses, institutions, and agencies that hold your personal data are responsible for protecting it, but any of them may be breached: your online health portal, or the information your bank stores online. Giving out as little as possible, and only to reputable parties, helps, but on its own it will not keep your personal information off the internet.
  3. Utilize a hardware security key to access your online accounts: A security key is a small piece of hardware, similar in shape to a USB thumb drive, that holds a private key and proves to a website that you are the person who registered it. If an attacker learns your username and password and tries to log in, they still need physical possession of your key. Because the key only signs a challenge bound to the real website’s domain, a phishing page cannot obtain a usable login from it, so no amount of social engineering of you gets past a properly configured key. Two caveats: keep the key with you (and register a backup key, stored somewhere safe, in case you lose it), and remove weaker fallback methods such as SMS codes from the account, since an attacker who takes over your phone number will simply use the fallback instead of the key.
  4. Educate yourself on what phishing attacks are and how to avoid them: Phishing is what most often leads to leaked credentials and account takeovers. Do not click suspicious links, and confirm unexpected emails, text messages, and attachments with the sender through a channel you already trust (a phone number you know, or in person), never through the contact details given in the message itself.
  5. Update and patch your devices often: Keeping your computer and phone up to date closes the software vulnerabilities that let data be leaked or devices be compromised; install patches and updates as soon as they are available.
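Two things a good password manager does for item 1 above, shown as an added example in Go that is not Bitwarden’s code or anything from this post: generating a password from the operating system’s random source without modulo bias, and checking a password against breach data the way the Have I Been Pwned “Pwned Passwords” range query works, where only the first five hex characters of the password’s SHA-1 hash leave your machine and the matching is done locally. The range response below is constructed for the example: only the suffix for the word “password” is a real SHA-1 value, and every count and the other suffixes are made up.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/big"
	"strconv"
	"strings"
)

// DefaultAlphabet is a typical generator character set.
const DefaultAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+"

// GeneratePassword draws n characters uniformly from alphabet using the OS CSPRNG.
// rand.Int avoids the modulo bias that "randomByte % len(alphabet)" would introduce.
func GeneratePassword(n int, alphabet string) (string, error) {
	if n <= 0 || len(alphabet) < 2 {
		return "", fmt.Errorf("need n > 0 and an alphabet of at least two characters")
	}
	out := make([]byte, n)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// SplitHash hashes the password with SHA-1 (the Pwned Passwords convention) and splits
// the upper-case hex digest: only the 5-character prefix is ever sent to the service;
// the remaining 35 characters stay on the client.
func SplitHash(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// RangeCount scans a range response ("SUFFIX:COUNT" per line, one line for every known
// hash sharing the prefix) for the client's own suffix and returns its breach count,
// or 0 if the suffix is absent or the line is malformed.
func RangeCount(suffix, rangeResponse string) int {
	sc := bufio.NewScanner(strings.NewReader(rangeResponse))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) != 2 || !strings.EqualFold(parts[0], suffix) {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(parts[1]))
		if err != nil {
			return 0
		}
		return n
	}
	return 0
}

// PwnedCount is the whole client-side check; fetchRange is the only network step.
func PwnedCount(password string, fetchRange func(prefix string) string) int {
	prefix, suffix := SplitHash(password)
	return RangeCount(suffix, fetchRange(prefix))
}

// constructedRanges stands in for the HTTPS range endpoint. It was built for this
// example: only the second suffix is a real SHA-1 value (for the word "password");
// the other suffixes and every count are made up.
var constructedRanges = map[string]string{
	"5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n" +
		"1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" +
		"1F2B7C2D3E4F50617283940A5B6C7D8E9F0:1\r\n",
}

// LookupConstructedRange returns the canned body for a prefix, or "" for unknown prefixes.
func LookupConstructedRange(prefix string) string { return constructedRanges[prefix] }

func main() {
	generated, err := GeneratePassword(20, DefaultAlphabet)
	if err != nil {
		fmt.Println("generator error:", err)
		return
	}
	for _, pw := range []string{"password", generated} {
		prefix, _ := SplitHash(pw)
		fmt.Printf("%-22q sends prefix %s, seen %d times in breaches\n", pw, prefix, PwnedCount(pw, LookupConstructedRange))
	}
}
```

The design point is in `PwnedCount`: the service learns a five-character prefix shared by hundreds of hashes, never the password or its full hash, and the comparison against the returned suffixes happens entirely on the client. To run it against the live service, replace `LookupConstructedRange` with an HTTPS GET of the prefix against the range endpoint.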
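Why item 3 holds against phishing, as an added example in Go that models a simplified WebAuthn/FIDO2 assertion; it is not code from this post or from any security key vendor. The `Authenticator`, `BrowserGet`, `VerifyAssertion` and `Scenario` names, the hostnames bank.example and bank-example.evil, and the challenge strings are all invented for the example, and the signature counter that a real key includes is left out. The key signs a hash of the relying party ID together with client data the browser (not the page) fills in, so a lookalike site that relays the bank’s real challenge to the victim gets an assertion the bank rejects, and a captured assertion cannot be replayed against a later challenge.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData: the browser, not the web page, fills in Origin, so a phishing page cannot lie about it.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a security key (structure invented for this example). It signs only
// rpIdHash || flags || sha256(clientDataJSON); a real key also appends a signature counter.
type Authenticator struct {
	priv *ecdsa.PrivateKey // ES256 key, as most security keys use
}

// Assert returns (authenticatorData, signature) for an RP ID and client data blob.
func (a *Authenticator) Assert(rpID string, cdJSON []byte) (authData, sig []byte, err error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(authData, rpHash[:]...)
	authData = append(authData, 0x01) // flags: user present (the touch on the key)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cdJSON))
	return authData, sig, err
}

// signedMessage is sha256(authData || sha256(clientDataJSON)), the ES256 signing input.
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// BrowserGet models navigator.credentials.get() on a page served from https://host. A real browser
// refuses an RP ID that is not the page's own domain, so a page only obtains assertions for itself.
func BrowserGet(auth *Authenticator, host string, challenge []byte) (authData, cdJSON, sig []byte, err error) {
	cdJSON, err = json.Marshal(clientData{Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: "https://" + host})
	if err != nil {
		return nil, nil, nil, err
	}
	authData, sig, err = auth.Assert(host, cdJSON)
	return authData, cdJSON, sig, err
}

// VerifyAssertion is the relying party's check; every field a phishing page could influence is compared.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID string, challenge, authData, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("challenge mismatch: replay or a different session")
	}
	if cd.Origin != "https://"+rpID {
		return fmt.Errorf("origin mismatch: the browser was on %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 33 || string(authData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch: the key signed for a different RP")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenario runs an honest login, a replay of that assertion against the bank's next challenge, and a
// phish that relays the bank's live challenge to a lookalike domain. Correct result: (true, false, false).
func Scenario(challenge []byte) (legitOK, replayOK, phishOK bool, err error) {
	const bank = "bank.example"
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	auth, pub := &Authenticator{priv: key}, &key.PublicKey // pub was registered at enrolment
	ad, cd, sig, err := BrowserGet(auth, bank, challenge)
	if err == nil {
		legitOK = VerifyAssertion(pub, bank, challenge, ad, cd, sig) == nil
		replayOK = VerifyAssertion(pub, bank, []byte("next-login-challenge"), ad, cd, sig) == nil
		// The victim touches the key on bank-example.evil: origin and rpIdHash both fail at the real bank.
		ad, cd, sig, err = BrowserGet(auth, "bank-example.evil", challenge)
	}
	if err != nil {
		return false, false, false, err
	}
	phishOK = VerifyAssertion(pub, bank, challenge, ad, cd, sig) == nil
	return legitOK, replayOK, phishOK, nil
}

func main() {
	// Constructed challenge for the demo; a real RP draws a fresh one from crypto/rand for every login.
	legit, replay, phish, err := Scenario([]byte("constructed-demo-challenge"))
	fmt.Println("honest:", legit, "| replay:", replay, "| relayed phish:", phish, "| error:", err)
}
```

This is the property the social-engineering caveat in item 3 rests on: the attacker can trick the user into touching the key, but the signature the key produces names the lookalike domain, so the bank’s `VerifyAssertion` fails on origin and rpIdHash before it even reaches the signature check. What the model does not cover is the account’s recovery path, which is why weaker fallbacks such as SMS codes need to be removed separately.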

How easy is it for you to become a target?

Very easy, if you don’t know what to look for or what steps to take to protect yourself online. Here is an example that shows just how vulnerable you may be.

Embedded video: https://www.youtube.com/watch?v=7-lDRgxbU1Y

There are many resources online to help you become more secure; education is key. But don’t feel bad if you fall victim to an account takeover: with the right social engineering, your bank or cellular provider may genuinely believe the criminal is you and issue cards or devices without your knowledge at all, especially if your security PIN has been leaked or is easy to guess.