account takeover prevention (noun)

Rick Howard: The word is: account takeover prevention. 


Rick Howard: Spelled: account as in an identity and list of access authorizations for a computer system, takeover as in gaining unauthorized access and control, and prevention as in stopping unauthorized access to a user account that belongs to someone else. 


Rick Howard: Definition: The prevention of the first part of an intrusion kill chain model exploitation technique, where the hacker steals valid login credentials from a targeted victim.  


Rick Howard: Example sentence: Account takeover prevention is a $15 billion market that is growing significantly year over year.  


Rick Howard: Origin and context: According to the Verizon 2021 Data Breach Investigations Report, 61% of cybercrime starts with compromised credentials. Bad actors capture victim passwords through a variety of techniques like credential stuffing, phishing and spear phishing, watering hole attacks, password spraying, keylogging, brute force attacks, and local discovery. These attacks are so common that according to Aliza Vigderman, senior writer for security.org, one in every five adults on the planet have been victims. Credential stealing is so popular because, compared to developing software exploits to take control of a system, hackers stealing passwords is relatively easier to accomplish. And once hackers have a valid credential, they can log it into the targeted system as a legitimate user and not set off any alarm bells.  


Rick Howard: Most pundits agree that the single most useful countermeasure is some form of multi-factor authentication, or MFA. According to Microsoft, this one step would prevent 99% of all account takeover attempts. Other countermeasures include monitoring for user ID and passwords sold in underground forums, using password managers to prevent simple passwords and password reuse, and perhaps going passwordless.  


Rick Howard: As of 15 September, 2021, you can sign into a Microsoft account with the Microsoft authenticator app, Windows Hello protocol, a security key, or an SMS email verification code instead of a password. According to Melanie Maynes,Senior Product Marketing Manager at Microsoft, " Industry protocols, such as Web Auth n and CTAP 2, ratified in 2018 have made it possible to remove passwords from the equation altogether. These standards, collectively known as the FIDO 2 standard, ensure that user credentials are protected end-to-end and strengthen the entire security chain."  


Rick Howard: Nerd reference: In Mr. Robot Episode 3, Season 1, Elliot, played by Rami Malek, sends his boss, an email that includes a link to a fake website that looks amazingly like Evilcorp's official website.  


Rick Howard: Elliot created it using a software package called the Social Engineers Toolkit and a module within the toolkit called Credential Harvester. Both are real open source tools. Credential harvester automatically copies a website, and then hosts the fake version of it at an attacker's specified location. 


Rick Howard: Once Elliot's boss went to the fake website and entered his login credentials, Elliot collected those credentials and used them to legitimately log in to his boss's account. 


Rick Howard: Word notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.