Facebook, Google, loyalty points and Account Take Over (ATO)
A report published by Forter (fraud prevention) raises concerns around how intertwined social and commercial aspects of web usage have become. It also indirectly highlights just how much can be determined about us based on what we do online.
It seems like more and more websites are allowing you to set up an account and thus login later using your Google or Facebook credentials. It sounds convenient but know that this violates a primary rule for internet usage: ONE PASSWORD FOR EACH ACCOUNT. The pros and cons of not following that rule are: PRO – convenience, CON – one breach exposes everything you have online.
If you missed it, Facebook disclosed that 50,000,000 accounts had their access tokens compromised. This is not the password but a string of characters that allows you to stay logged in without having to reenter your password. If someone else has that token, they can connect as you without knowing the password–and that means anywhere you have used your profile to create an account. Supposedly after these tokens were reset, other websites that had properly implemented code would not accept them. Who knows where the code is poorly implemented and these tokens are still good. So now you have a breach that does not involve a password, but allows access not to the breached site, but potentially other sites where you have used your profile.
This problem exists whenever you use one account to create or login to other accounts. Microsoft, Yahoo, Twitter, AOL, LinkedIn, etc. all can create the same issue if you use one of them as your gateway to other accounts.
Part of your security tune up should be to remove access given to other accounts if possible. This website has a nice list of links to help you review the access you have given out over time.
This ‘single sign on’ scenario sets the stage for doing an account take over (ATO). Like all attacks on credentials and accounts the motivation is monetary. Three ways this can be done are:
- The fraudster hacks into the account and uses the payment method attached to the account to make a purchase
- The fraudster hacks into the account and adds new (stolen) financials which are then used to make purchases
- Many loyalty programs allow customers to use their points for purchases, so the fraudster uses the victims points to purchase items. (Think cashing in airline miles for a ticket, or merchandise)
Part of the attack involves setting up a delivery address that gets the goods sent to the attacker and not the victim.
In the most extreme cases, a fraudster (or sometimes a fraud ring) will write code to automate every step they need to take, streamlining and speeding up the process. They can automate everything from logging in, to changing the shipping or email address in an account, to purchasing goods or exploiting a loyalty program. Some highly sophisticated models even build in repeat visits to the account before purchase, acclimatizing the system to their presence
Forter’s research indicates that fraud rings are often responsible for 20-30% of ATO attacks against a site. They’re fast, efficient, and frequently sophisticated. They are finding out that a compromised account may have a very high value due to being linked to many other accounts.
The use of the web for commerce and everyday life is unlikely to diminish. As the electronic way of doing business becomes more pervasive and business looks to make it more convenient, there will be increasing pressure on minimizing the number of logins needed during the day. If at all possible, remember that the more access one login has, the more damage that will be done when it is compromised. These days it is not a matter of if your information will be exposed, but when. Don’t make it any easier for the bad guys to make use of exploited information by giving one login access to multiple accounts. It’s a pain, but compromised security hurts more.