Joan Jett & the Blackhearts had the luxury of belting out those lyrics before the modern internet age, back when counterculture was subversive, cool, and edgy.
Today, counterculture is mainstream, and our online reputations are everything. Our digital personas are deliberately curated, highly visible, and tightly managed as we wed ourselves ever closer to the devices in our pockets.
So, when accounts get taken over because of credential stuffing and bad actors take advantage, the results can be devastating on a very personal level.
Panic, embarrassment, and shame.
These are real feelings resulting from things that happen in our digital world.
This is especially true in the case of social media account takeover, which the Identity Theft Resource Center (ITRC) has dubbed an “Account Takeover Epidemic.”
According to the ITRC, who in 2021 had just short of 15,000 identity crime victims contact them for support services (a record in and of itself), there was a 1044% increase in social media account takeovers from 2020 to 2021.
As a follow up, the ITRC conducted a survey of social media account takeover victims and found that 66% reported experiencing strong emotional reactions to losing control of their social media account: 92% felt violated, 83% were worried and anxious, 78% felt angry, 77% felt vulnerable, and 7% felt suicidal.
These are all important statistics to consider within the cybersecurity space. And while it may be easy for some to view social media identity theft as a mere inconvenience, these figures illustrate how closely tied one’s online reputation is to one’s emotional wellbeing.
A couple of friends of mine, Trevor and Stacey, both had their social media accounts hacked by presumably the same credential stuffing attack in July 2022. Neither had set up their 2-factor authentication.
Both friends are successful professionals who were active on social media, and one happened to be a moderate crypto enthusiast.
The bad actors posted on their Instagram stories a not-so-subtle message about getting involved in a bitcoin mining scheme. It was a screenshot of an iPhone lock screen, which included a picture from their profile (in the case of Trevor, a picture of he and his wife from his profile) and displayed a bogus text message from Bank of America (BofA), followed by a screenshot from his supposed bank account.
While it doesn’t take a cybersecurity expert to recognise this was a scam, it could nonetheless prove to be an effective phishing tactic since it is coming from the trusted source’s actual account within a social ecosystem not known for abuse.
Curious about the sophistication of these attackers—and because I’ll never pass up an opportunity to speak directly to our black-hatted counterparts—I responded to the story to see how effective their messaging was:
I know, I know. I’m such a good friend, right?
It was an awful ordeal for both individuals. Trevor was able to use Instagram’s facial recognition verification process, which scans your face and compares it against their endless library of tagged photos. He was able to regain access within 27 hours and set up his 2-factor authentication.
Stacey, on the other hand, left social media altogether. The ordeal was just too much of an embarrassment and created so much anxiety for her that she just up and left. Decided the whole persona in a digital realm thing was not for her.
This is not unusual. More than ever, consumers will stop using a website if their account is hacked.
Panic, embarrassment, and shame.
Not the sort of feelings we want customers’ end users to have when they rely on our products. And while this example may be specific to social media, the sentiment is something we can all share.
Whether it’s social media, fintech, ecommerce, or any other organisation with an exploitable user base, credential stuffing is a cat-and-mouse game that is here to stay—and with eyebrow-raising impact.
According to Javelin Strategy and Research in their 2021 Identity Fraud Study, account takeover (ATO) fraud resulted in over $6B in total losses in 2020. Companies create new defenses, hackers develop tools to bypass these safeguards, and the cycle continues.
So how can businesses fight back?
In a recent Aite Group report, risk executives from financial institutions, fintech lenders, and ecommerce companies were interviewed to learn how they are protecting themselves from the escalating volume of ATO attacks.
• Most consumers use the same handful of usernames and passwords across websites, creating a vulnerability exploited by organised crime rings.
• The available attack surface continues to expand, making detection and mitigation more complex.
• Organisations need a solution that leverages real-time data analytics to keep pace with automated attacks and block malicious activity before it affects the business.
• Firms with robust defenses will see attack volumes decrease as criminals focus their attacks on easier targets.
Looking beyond the obvious bottom-line impacts of ATO attacks, it’s important to remember that these crimes have a real human impact.
Stopping fraud isn’t only about saving money. It is just as critical for preventing the kind of human trauma that is surreptitiously corroding the fundamental fibers of a more ideal digital future. As in the physical world, what we want is safety, security, and trust.