Account Takeover: A Dire Online Crime

Content provided by USAA
"Account takeover" may be a new term to you, but it's a crime that's been around since the dawn of Internet banking, says Gary McAlum, USAA’s chief security officer.
"It's one of the most nefarious and dangerous forms of online fraud — and everyone is vulnerable," McAlum warns.
What is an account takeover?
Account takeover occurs when someone gains unauthorized access to one or more of your online accounts. Originally a tactic to target businesses, account takeover has become a serious problem for consumers.
It's worse than a simple hacking attack, McAlum says, because consumers usually have no idea their accounts have been compromised. An attacker who has your logon information may lurk in the background — sometimes for weeks or even months.
"It's more concerning than other attacks," McAlum says. "Think of it as someone having access to your house without you even knowing about it. That would be a very personal sense of violation."
How could my account get taken over?
Account takeover can happen to any online account: bank, retail, social media and email. Any website where you have a user ID and password is at risk.
The easiest way for a hacker to commandeer an account is through a weak password, McAlum says. Once a password is compromised, savvy hackers usually will try it on other services — if it works on your email account, it might work on your bank account. Just like that, the hacker has accessed two accounts for the price of one. Criminals who use this method to attack your bank account can siphon away money before you realize it or use personal information for identity theft purposes.
Phishing is another common way hackers steal information. Methods typically used for account takeover attacks include:
- Phony websites that look legitimate and emails designed to trick you into divulging your account information.
- Malware that lands on your computer undetected, which can capture your keystrokes or spy on your online activities.
The bottom line: It doesn't really matter how your logon information is obtained, but once a hacker has it, you're vulnerable to an account takeover.
Why is it dangerous?
The damage done in an account takeover can be considerably greater than that of other frauds, such as having your credit card stolen, McAlum warns.
"Credit card fraud can be easy to take care of. Generally, you can quickly see the charges, your bank cancels the card, and you get a new one," he says. "Account takeover is far more difficult to manage, because it can go undetected for so long that the damage done can be extreme."
Unauthorized charges and money transfers are just the beginning. If your email account is compromised, it can be used to access and make changes to your other accounts. Ultimately, a takeover could lead to full-blown identity theft, which can require a lengthy process to resolve.
Finally, if an attacker suspects that you're aware of the account threat, the takeover may end with a "scorched earth" attack. All your email may be deleted, damaging messages could be sent to colleagues, or financial accounts may be quickly drained. The attacker could even change passwords on your financial accounts and email, locking you out altogether.
How can I help protect myself?
Protection against account takeovers requires a team effort between your providers, which supply the security and monitoring on your account, and you as a consumer, McAlum says.
"At USAA, we monitor your credit card transactions for fraud, ensure proper authentication is used when someone calls asking about an account, track who's logging on to your accounts and block hackers every day."
"As good as our security team is, we can't do it all," he adds. "Consumers need to take action to help protect themselves as well."
Your action starts with your passwords, he says. Make them difficult to guess by using a combination of letters, numbers and characters. Don't use obvious words or variants — or any word that appears in a dictionary.
"Hackers are very sophisticated. A simple password is the No. 1 way people get into your accounts," McAlum says.
When you create or change your password at usaa.com, the website provides a visual indicator of the strength of the password. Improve your password by adding characters and complexity until the indicator shows it is "very strong." McAlum also recommends changing passwords every six to 12 months and not sharing them with others. In addition to having strong passwords, always use a PIN on your mobile device, since more and more personal information is being stored on smartphones and tablets.
In addition to a strong password, standard anti-malware software will help cut down on phishing and viruses. Make sure you keep anti-malware software up-to-date on your computers. As an extra layer of protection, USAA offers an anti-malware tool called Trusteer Rapport that alerts you if you attempt to visit a website that is identified as a phony destination.
Even stronger security measures are under development at USAA, including biometric systems that will let you use your fingerprint or other unique personal features to log on to your account, McAlum says. These will make it even tougher for hackers to take over your account.