Ai Editorial: Why consumers are proving to be the weakest link in ATOs?

First Published on 4th May, 2018

Ai Editorial: The level of awareness about hacking and data breaches has gone up, but a feeble approach towards password management is paving way for hackers to steal confidential information, writes Ai’s Ritesh Gupta


Coming to grips with the issue of account takeover (ATO) isn’t a straightforward task, and a major reason behind the same is poor password hygiene.

Consumers are proving to be the weakest link in the fight against ATO fraud. According to the findings of a recent analysis, initiated by password management specialist LogMeIn’s LastPass, nothing much has changed over the last two years when it comes to creating and handling of passwords. This is important as password stealing means all account-based online services are under a threat.

The level of awareness about hacking and data breaches has gone up, but a feeble approach towards password management is paving way for hackers to steal confidential information. In their Psychology of Passwords research, LogMeIn has referred to following traits of individuals representing society at large and explains why people are falling short of taking action:

The issue of same passwords: Majority of 2000 respondents have between one and 20 online accounts for work and personal use. When it comes to password creation, nearly half indicate there is no difference in passwords created for these accounts. This attribute is dangerous and helpful for hackers in doing their job. Let’s say a customer has an account in both Starbucks and Lufthansa. If there is a data breach at Starbucks, and although Lufthansa hasn’t faced any attack and are safe from that perspective, but if a user happens to use the same login credentials for both the companies, then the credentials are vulnerable for illegitimate use at other places. The fear of forgetfulness is the major reason behind using the same password for multiple accounts. Despite being aware of the security risks owing to weak passwords or even breaches, people tend to avoid any action. They stick to the same passwords and don’t change them often. Even the millennials, a group supposedly well-versed with technology, mostly reuse passwords because of fear of forgetting and commonly use a variation of 1-2 passwords they can remember. 

On the positive side, according to the same study, more users are opting for more secure password storage and automated password resets to overcome the anxiety of failing to recall.


Onus on merchants 

The scale and sophistication of breaches is ascending, and this is resulting in more ATOs. These takeovers are increasingly performed at scale by bots, as well as manually. Hackers work on scripts that try out different groupings of stolen usernames plus probable passwords across numerous websites and apps, until they find a way in. Travel e-commerce companies suffer owing to chargebacks, loyalty fraud, resources spent on resolving issues etc. Companies like Google highlight that enterprising hijackers are persistently looking for, and are able to gain access to, a plethora of platforms’ usernames and passwords on black markets.

Specialists such as Sift Science recommend that airlines and other travel companies need to be proactive, especially considering that “every one’s credentials have already been compromised”. The company recommends following measures:

Ø  Work out planned evaluation of models and rules to ensure they are updated once bad signals are uncovered.

Ø  Keep on informing and educating customers about the significance of passwords. There might not be anything new in these instructions but nevertheless the importance of strong passwords can help. For instance, constructing unique passwords that include a sequence of upper and lowercase letters, numbers and special characters. Directing users not re-use same passwords. The database of passwords needs to be secure, too.

Ø  Create awareness about the root cause of ATOs: Fraudsters get access to stolen credentials from a number of sources. These include:

·          From data breaches, sold on the dark web

·          Phishing with fake websites

·          Malware, trojans, spyware

·          Social engineering

·          Hijacking a mobile device

Ø  Stringent verification: Keep a vigil on aspects like IP, cookie, device ID, session history, event velocity, and key-logging. In case there is a sign-in from a device a user hasn’t used or a location that isn’t associated with an account, companies need to seek additional information before allowing access to accounts. Verification is a blocking event: once sent, the respective activity (login or another) cannot proceed until with the verification is successfully completed. Dynamic challenges feature two-factor authentication on all doubtful logins, while allaying the danger of account lockout.

Ø  Looking beyond passwords: Airlines need to look for more protections beyond just passwords. The claim for owning an account needs to be handled carefully. Machine learning comes in to understand the user behavior. Advancements in computing and big data power, as well as the gaining prominence of API-based machine learning solutions, mean that machine learning is emerging a scalable method to grow without increasing risk. It identifies patterns in data that aren’t spotted by humans. So this can result in lesser number of false positives and false negatives.


For Ai’s 2018 Events, check -

Follow Ai on Twitter: @Ai_Connects_Us