Brian Krebs reported today about cybercrime services that help attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. These bot-based services that make it relatively easy for crooks to phish OTPs from targets.
<p>At the core of this issue is phishing – showing yet again how phishing threats are on the rise. Even if your organization is up to date with the latest malware software, it’s impossible to protect your employees from every potential business email compromise like this. That\’s why it\’s important to prioritize security training for all your employees and teach them best practices on how to spot and report phishing. Without employee education, issues like this will continue to impact businesses.</p>
<p>Cybercriminals are finding every means possible to leverage weaknesses in human behavior for financial gain. Stolen credentials, like OTPs, can be used for credential stuffing and ATO attacks, which can steal value, whether that is in the form of gift cards, credit card numbers, loyalty points, or false purchases. ATO attacks are a major threat to any business and all of this just creates more fuel to feed the ATO attack fire.</p>
<p>It is much simpler and lucrative to walk in through the front door of a digital business with valid, stolen credentials than to look for holes in an organization’s cybersecurity defenses.</p>
<p>PerimeterX research found that between 75-85% of all login attempts in the second half of 2020 were account takeover attempts. Organizations need to be aware of signs that they’ve been attacked. These can include surges in help desk calls, spikes in password resets and inhuman user behaviors, such as thousands of login attempts on an account in a short time period and then take the appropriate action to block these attacks. And on the flip-side, consumers need to ensure they are using varied and robust passwords across different websites and applications and lock down their credit reports as well.</p>