Effective Safeguards Against Account Takeover

The use of digital online services shapes our everyday lives. The spectrum ranges from e-mail, social networks, and online stores to utilities, insurers, health insurance companies, and professional services. Access data (credentials) is correspondingly attractive to criminal attackers, who use it to take over existing user accounts (account takeover).

Attackers are constantly developing new ways of obtaining confidential access data for online services. These can be divided into two categories: on the one hand, access data can be stolen directly from the online service itself; on the other hand, attackers use methods to capture access data from the users.

If access data is stolen from the online service, the attackers have usually first identified and exploited existing security vulnerabilities in the technical infrastructure of the online service in order to gain access to sensitive system areas and subsequently copy parts of the user database. In parallel, attackers try to steal access data from the users themselves.

Specialized malware is used for this purpose: it records the access data entered on an infected device, i.e. e-mail addresses and passwords, and sends them to the attackers. Alternatively, attackers use social engineering methods such as phishing e-mails to capture access data. For example, e-mails are regularly sent that impersonate a different sender, ideally one the recipient of the phishing e-mail knows well. The aim of such an e-mail is to persuade the recipient to visit a specially prepared website mentioned in the e-mail and enter his or her access data for this service there.

Dimension of the account takeover threat

Once access data has been stolen, it is published, exchanged or sold in relevant forums on the Internet and thus ends up in the hands of many attackers. This creates a significant risk of misuse of user accounts at online services, often resulting in extensive financial damage for users and for service operators or companies.

This risk is significantly increased by the typical way users handle their access data, especially the reuse of the same password for different online services. Once such a password is in the hands of criminals, access to several services is directly affected. Studies show that on average 51 percent of service users use the same passwords for multiple online services. And in fact, stolen credentials of company employees have also played a role in almost all major IT security incidents that have become known in recent years, such as the attack on the American Colonial Pipeline in 2021.

For the eCommerce sector, surveys show that 97 percent of online businesses have already fallen victim to fraud, that the average financial loss from a single account takeover attack is between €500 and €950, that around one in four online orders in the “trending products” sector is fraudulent, and that German online retailers lose €2.5 billion every year to online fraud.

How can effective protection be achieved simply?

Against the backdrop of the threat of account takeover by means of stolen credentials, an interdisciplinary team of IT security researchers, data protection experts, lawyers, psychologists, and online service providers has been developing concepts for protection against these threats in the EIDI research project, which has been running for several years.

As a first step, intelligent procedures were developed that continuously and largely automatically detect and analyze forums in which stolen access data is criminally exchanged and traded. This gives researchers access to the data, which can then be analyzed in downstream processing steps in line with data protection requirements and further processed to protect against account takeovers.

These techniques have already captured more than 25 billion stolen access records. The protection and warning mechanisms against these threats have been examined and further developed, among other things, with regard to their effectiveness. They can be differentiated according to whether the affected users on the one hand, or the online service providers involved on the other, need to take action.

The first category includes so-called leak checker services such as haveibeenpwned or the HPI Leak Checker, as well as the Leak Checker developed by the University of Bonn in the EIDI project. These allow each user to check individually whether the respective leak checker service knows of any access data attributable to that user.

However, these checking services only achieve effective protection for a small proportion of the users concerned, namely only for those who use them as a precaution and on a regular basis. Comprehensive protection can be achieved if online service providers perform appropriate checks for their users, usually both customers and employees. These privacy-compliant protections were designed and tested by the EIDI project team.
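One way to implement the privacy-preserving check that such leak checkers and provider-side services perform, shown here as an added example (not code from the EIDI project, Identeco, or any of the services named above): a k-anonymity range query in the style of the Pwned Passwords API, where the client reveals only a short hash prefix and the matching is done locally. The `LeakCheckerServer` class, the constructed leak corpus, and the 5-character prefix length are assumptions made for this illustration.

```python
import hashlib

# Constructed sample corpus (not real leak data): passwords seen in leaks
# together with how often they occurred. A real checker stores only hashes.
LEAKED_PASSWORDS = {"password123": 3, "letmein": 1, "correct horse": 2}


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the range-query format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class LeakCheckerServer:
    """Hypothetical leak checker back end: indexes hash suffixes by 5-char prefix."""

    def __init__(self, leaked: dict):
        self._index = {}
        for pw, count in leaked.items():
            h = sha1_hex(pw)
            self._index.setdefault(h[:5], []).append((h[5:], count))

    def range_query(self, prefix: str) -> list:
        """Return every (suffix, count) whose hash starts with `prefix`.

        The server learns only 20 bits of the hash, never the password or
        the full hash, so it cannot tell which password the client is checking."""
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 upper-case hex characters")
        return list(self._index.get(prefix, []))


def check_password(server: LeakCheckerServer, password: str) -> int:
    """Client side: send only the hash prefix, compare suffixes locally.

    Returns how often the password appeared in the leak corpus (0 = unknown).
    A provider can run the same check against its own user database, e.g.
    at login or password change, and force a reset when the count is non-zero."""
    h = sha1_hex(password)
    for suffix, count in server.range_query(h[:5]):
        if suffix == h[5:]:
            return count
    return 0


# Module-level instance so the check can be exercised directly.
SERVER = LeakCheckerServer(LEAKED_PASSWORDS)

if __name__ == "__main__":
    for candidate in ("password123", "a-long-unique-passphrase"):
        print(candidate, "->", check_password(SERVER, candidate))
```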

The spin-off startup Identeco provides these easy-to-integrate services for protecting employee and customer accounts to enterprise customers. The immediate benefit has already been impressively demonstrated with several million protected user accounts.

With an eCommerce partner with more than 10 million customers, a test was conducted using one million stolen access records; it revealed approximately 40,000 matching e-mail addresses and approximately 4,500 complete, valid access records. Misuse of these accounts can thus be prevented with little effort. Another test was conducted with a social network with more than 15 million users: checking 5 billion stolen access records yielded valid access data for 1.4 million user accounts. The introduction of protective measures for the affected user accounts was accompanied by a drastic drop in the volume of spam messages within the social network and in complaints about them.