SaaS — the Hot New Target for Account Takeovers
Posted May 4, 2017
Cybercriminals monitor the current landscape for industry dynamics and technological trends that they can exploit. And, it seems as if they have set their sights on a new, yet not so new, target — SaaS offerings.
In recent months, Slack, Microsoft 365, Dropbox, Salesforce and other popular software-as-a-service (SaaS) offerings have beefed up security to fend off a disturbing industry trend of account takeover (ATO) attacks. Attacks are up 31 percent, while losses from ATO topped $2.3 billion last year — a 61-percent increase from 2015, according to Javelin Research.
Why the surge? Some believe it is due, in part, to the accelerating adoption of SaaS solutions. These offerings aren’t somehow less secure than their customers’ homegrown systems. In fact, SaaS solutions for the enterprise actually tend to be much safer.
Instead, the rise in attacks on SaaS offerings can be attributed to their proliferating numbers and indisputable practicality — along with new realities that make it shockingly easy to bypass their security without detection.
Current efforts to prevent ATO among SaaS providers — including two-factor authentication (2FA) — are proving futile, just as they have in other industries.
Economic factors, of course, play a key role in this growth. On-demand software can cost 50 percent less than a traditional software deployment, with little or no upfront capital expenditure.
SaaS also delivers product enhancements and updated security features directly from the provider, reducing the burden on IT staff. Nonetheless, for many companies, SaaS can still present a significant security issue.
According to Forbes, the average enterprise has 508 different SaaS-based applications in use — many directly provisioned by employees without oversight from the security department. Many others are officially unsanctioned, but tolerated by IT teams, such as GitHub for source code and Skype for internal communication.
Unfortunately, many of these SaaS-based apps are consumer-grade, meaning they do not come with enterprise-class security. In addition, 88 percent of these apps enable file sharing, and 81 percent of data downloads occur in apps with no encryption of data at rest.
These factors alone make SaaS solutions a prime target for cybercriminals. But, there is another one that is making them easy prey. Even the most robust security mechanisms are defenseless against bad actors logging in with legitimate user credentials.
Unfortunately, sophisticated phishing attacks and an endless number of corporate data breaches mean that everything from login credentials to user IDs to PIN codes is widely accessible to cyberthieves online. More than 6 billion personal records have been compromised during the past few years, and that number grows by the day.
With this information so readily available, crime rings can easily log in to accounts and take them over. Many even engage in credential stuffing, which uses swarms of bots to automate the testing of stolen credentials against many accounts and so accelerates takeovers. According to some estimates, such credential-stuffing attempts can make up as much as 90 percent of all enterprise login traffic.
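Credential stuffing leaves a recognisable trace in authentication logs: a single source cycling through many distinct usernames in a short window, with almost every attempt failing. The detector below is an added example, not code from the original post; the log format and the sample lines are constructed for it, and the window size and thresholds are illustrative assumptions a team would tune against its own login volume. It also lists the accounts that logged in successfully from a flagged source, since those need a credential reset and session revocation, not just a block on the IP.

```python
"""Added example: flag credential-stuffing patterns in authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp key=value ..." format.
# 203.0.113.7 walks through eight usernames in 15 seconds and lands one hit;
# the other two sources are ordinary users.
SAMPLE_LOG = """\
2017-05-04T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2017-05-04T10:00:03Z ip=203.0.113.7 user=bob result=FAIL
2017-05-04T10:00:05Z ip=203.0.113.7 user=carol result=FAIL
2017-05-04T10:00:07Z ip=203.0.113.7 user=dave result=OK
2017-05-04T10:00:09Z ip=203.0.113.7 user=erin result=FAIL
2017-05-04T10:00:11Z ip=203.0.113.7 user=frank result=FAIL
2017-05-04T10:00:13Z ip=203.0.113.7 user=grace result=FAIL
2017-05-04T10:00:15Z ip=203.0.113.7 user=heidi result=FAIL
2017-05-04T10:01:00Z ip=198.51.100.3 user=alice result=FAIL
2017-05-04T10:01:20Z ip=198.51.100.3 user=alice result=OK
2017-05-04T10:02:00Z ip=192.0.2.9 user=carol result=OK
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime, source IP, user and outcome."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": fields["ip"],
        "user": fields["user"],
        "ok": fields["result"] == "OK",
    }


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.2):
    """Return {ip: stats} for sources whose attempts within `window` span at least
    `min_users` distinct usernames with a success ratio of at most `max_success_ratio`.
    A legitimate user retrying one password hits one username, so it never trips this."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so the span never exceeds `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {ev["user"] for ev in win}
            successes = sum(1 for ev in win if ev["ok"])
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                prev = alerts.get(ip)
                # Keep the widest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {"distinct_users": len(users),
                                  "attempts": len(win),
                                  "successes": successes}
    return alerts


def compromised_accounts(lines, alerts):
    """Usernames that authenticated successfully from a flagged source."""
    return {ev["user"] for ev in map(parse_line, filter(str.strip, lines))
            if ev["ip"] in alerts and ev["ok"]}


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    found = detect_stuffing(log_lines)
    print("flagged sources:", found)
    print("accounts needing reset:", compromised_accounts(log_lines, found))
```

On the sample data only 203.0.113.7 is flagged (8 usernames, 8 attempts, 1 success) and dave is the account to reset. The same logic applies per-ASN or per-device fingerprint when the traffic is spread across a proxy pool, which is the usual next step once per-IP blocking starts to bite.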
Once an account is taken over, cybercriminals are treated just like any other trusted customer, employee or partner, and are free to appropriate whatever legitimate users have access to — financial assets, corporate data, intellectual property and more.
Aside from the loss of data, account takeovers can dampen business growth and seriously damage brand reputation if your customers are getting attacked through your product.
2FA is Not Enough
To shut down takeover attacks, many companies are beginning to clamp down on unsanctioned SaaS solutions and are requiring 2FA.
In addition to entering a username and password, 2FA entails a second method of verification, such as entering a one-time passcode (OTP) sent to the user’s mobile phone. Others use USB-based cryptographic security keys.
Unfortunately, everything cybercriminals need to bypass 2FA — from login credentials, to secret questions, to token-generated passwords, to device ID data and more — can easily be obtained on the dark web or simply stolen.
According to industry reports, thieves now have tooling that captures credentials and reports OTPs in real time, so they can log in before the victim does. If biometrics or other mechanisms are added to the mix, crooks can hijack live sessions from a remote location.
So, while 2FA provides an extra layer to help verify user identity, it can’t protect against malware or session hijacking. Plus, it introduces user friction, which slows down users and customers.
Change the Landscape
While enterprise IT teams can put security measures in place in an attempt to keep the bad guys out, they can’t protect against a bad guy whom they think is a good guy. In response, a growing number of companies are transitioning to multi-layered authentication solutions that leverage emerging forms of digital identity intelligence that are virtually invulnerable to fraud.
This new generation of digital identity solutions authenticates users based on as many as 500 different dynamic data elements, and identifies risk by assessing the associations between users and their devices, locations, accounts and behavior, as well as the presence of any known threats.
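The scoring idea behind such solutions can be shown with a handful of those signals rather than 500. The example below is added here and is not the post's or any vendor's code: it scores a login from the association between the user and the device, country, hour of day and a threat list, plus a crude travel check, and maps the score to allow, step-up or deny. The weights, thresholds, two-hour travel rule and all sample profiles and attempts are constructed assumptions; a real deployment derives them from its own login history.

```python
"""Added example: risk-based login scoring from user/device/location/behaviour signals."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class UserProfile:
    known_devices: set                  # device fingerprints seen on past logins
    usual_countries: set                # countries of past successful logins
    usual_hours: range                  # hours of day (UTC) this user normally logs in
    last_login: Optional[Tuple[datetime, str]] = None   # (time, country) of last login


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    ip: str
    country: str
    ts: datetime


# Illustrative weights and thresholds (assumptions for this example).
WEIGHTS = {"new_device": 30, "new_country": 30, "unusual_hour": 10,
           "threat_ip": 40, "impossible_travel": 35}
STEP_UP_AT, DENY_AT = 30, 60


def score_login(attempt, profile, threat_ips=frozenset()):
    """Return (score, decision, signals) for one login attempt.
    Each signal is an association between the user and something about this
    attempt that does not match the user's history, or a known threat indicator."""
    signals = {}
    if attempt.device_id not in profile.known_devices:
        signals["new_device"] = WEIGHTS["new_device"]
    if attempt.country not in profile.usual_countries:
        signals["new_country"] = WEIGHTS["new_country"]
    if attempt.ts.hour not in profile.usual_hours:
        signals["unusual_hour"] = WEIGHTS["unusual_hour"]
    if attempt.ip in threat_ips:
        signals["threat_ip"] = WEIGHTS["threat_ip"]
    if profile.last_login is not None:
        last_ts, last_country = profile.last_login
        # Crude travel check: a different country within two hours of the last
        # login. Real systems use distance and elapsed time, not a flat window.
        if last_country != attempt.country and attempt.ts - last_ts < timedelta(hours=2):
            signals["impossible_travel"] = WEIGHTS["impossible_travel"]

    score = min(100, sum(signals.values()))
    if score < STEP_UP_AT:
        decision = "allow"
    elif score < DENY_AT:
        decision = "step_up"      # ask for a second factor or a re-authentication
    else:
        decision = "deny"         # block and raise an alert for review
    return score, decision, signals


def run_demo():
    """Score four constructed attempts for one constructed user profile."""
    profile = UserProfile(
        known_devices={"dev-1"},
        usual_countries={"US"},
        usual_hours=range(8, 19),
        last_login=(datetime(2017, 5, 4, 9, 0), "US"),
    )
    threat_ips = frozenset({"203.0.113.7"})          # constructed threat-list entry
    cases = {
        "known_device_usual_place":
            LoginAttempt("alice", "dev-1", "192.0.2.10", "US", datetime(2017, 5, 4, 10, 0)),
        "new_device_only":
            LoginAttempt("alice", "dev-9", "192.0.2.10", "US", datetime(2017, 5, 4, 10, 0)),
        "new_country_known_device":
            LoginAttempt("alice", "dev-1", "198.51.100.3", "DE", datetime(2017, 5, 4, 15, 0)),
        "new_device_threat_ip_fast_travel":
            LoginAttempt("alice", "dev-9", "203.0.113.7", "DE", datetime(2017, 5, 4, 10, 0)),
    }
    return {name: score_login(a, profile, threat_ips) for name, a in cases.items()}


if __name__ == "__main__":
    for name, (score, decision, signals) in run_demo().items():
        print(f"{name}: score={score} decision={decision} signals={sorted(signals)}")
```

The point of the layering is visible in the last two cases: a known device from a new country only triggers a step-up, while a new device from a threat-listed address one hour after a login from another country is denied outright, without any of the stolen factors from the 2FA discussion above being consulted at all.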
It’s time to change the landscape again — to one that is no longer favorable to the cybercriminals.