Account takeover risks and mitigation

Season 5 Episode 03

Transcript

Juan José Ríos (Host): Everyone is a potential target for cybercrime, which is ruthless with its victims. The internet, social media, and other means that connect us to the outside world drive the economy and modern life, but they have also become entry points for multiple attacks.

In Mexico, between 55% and 77% of people use social media to search for jobs. This reality has not been ignored by fraudsters, who create fake profiles and post non-existent job offers to obtain personal information. During the supposed hiring process, victims share sensitive data such as card numbers, bank accounts, and other personal information.

The scammers then use this data to impersonate financial institutions, gain the victim's trust, and obtain even more confidential information, which they ultimately use to defraud accounts and cards.

My name is Juan José Ríos, and I welcome you to Mundo Financiero Seguro, the podcast from Plus Technologies & Innovations.

Today we will address the risks of account takeover, an attack that has become increasingly common as digitization gains relevance in our daily lives.

Joining us are:

  • Andrés Gueci, founder and CEO of KarTech, a company specializing in cybersecurity.
  • José Ruiz, Product Manager for Transaction Security and Digital Fraud at Plus Technologies & Innovations.

Juan José Ríos: José, to begin with, what are the methods most commonly used by fraudsters in this type of attack?

José Ruiz: Thank you, Juan José.

Account takeover attacks usually begin with unsolicited contacts, as in the example you mentioned. This initial phase typically involves phishing techniques, or spear phishing when the attack is targeted at a specific person.

The goal is to create urgency, fear, or false authority so that the victim will disclose personal information. Criminals pose as representatives of well-known organizations to gain trust.

There are also methods that do not require direct interaction with the victim, such as:

  • Brute force attacks, using automated software to test password combinations.
  • Credential stuffing, using credentials leaked in other data breaches.
  • Malware or keyloggers that record what the user types.
  • Man-in-the-Middle attacks, which intercept communication.
  • SIM Swapping, where the fraudster convinces the phone operator to transfer the victim's line to a SIM card under their control.

In the latter case, the attacker gains access to calls and messages, including authentication codes.

Juan José Ríos: We observe that the attack begins far from the money: social media, phone calls, messages. This implies that the responsibility for prevention goes beyond financial institutions.

José Ruiz: Exactly. In the case of SIM swapping, for example, telephone operators are focused on customer service, not necessarily on preventing digital fraud.

Furthermore, many social networks are not subject to strict anti-fraud regulations, although countries such as the United Kingdom and Australia are already promoting initiatives to involve technology and telecommunications companies in prevention efforts.

Juan José Ríos: Andrés, what's happening with the stolen data?

Andrés Gueci: Mainly, the data is sold or used to commit fraud.

The data is sold through:

  • Social media
  • Private channels such as Telegram or WhatsApp
  • The Deep Web and the Dark Web

In many cases, a free sample is offered to prove that the information is real before selling the complete package.

There is also a clear segregation of roles within the criminal ecosystem: some steal data, others sell it, and others use it to carry out fraud. It is a truly organized market.

This data can be used for identity theft, unauthorized access, post-login fraud, or attacks such as Man-in-the-Browser and remote access Trojans.

Juan José Ríos: José, what is the impact of this fraud?

José Ruiz: For individuals, the most obvious impact is financial loss. But it can also affect their credit history and cause emotional stress.

Since stolen information is traded, a victim may be attacked on multiple platforms.

For institutions, in addition to economic losses, there is:

  • Reputational damage
  • Risk of regulatory sanctions
  • Operational interruptions
  • Loss of customer confidence

The way in which the complaint is handled is key to preserving the relationship with the customer.

Juan José Ríos: Andrés, how can we prevent these attacks?

Andrés Gueci: A comprehensive approach is required.

First, having cyber intelligence services that monitor:

  • Open web
  • Social media
  • Deep Web

Not only to detect information exposure, but also to take action: request removal from sites or alert the affected organizations.

Second, implement technology that monitors:

  • Real-time transactions
  • Digital sessions
  • Abnormal behaviors

It is not enough to analyze the transaction; you also have to monitor the entire session, as fraud can occur after the login.

And, of course, combine this with internal controls and awareness programs.

Andrés Gueci: Security awareness is essential. Organizations must carry out educational campaigns for both customers and employees, including phishing and vishing simulations.

It is a continuous cycle: measure, train, re-measure, and improve.

Juan José Ríos: José, is it sufficient to authenticate the legitimate user?

José Ruiz: The answer is yes and no.

Authentication is necessary, but it must go beyond an SMS code. Strong authentication validates:

  • Something the user knows
  • Something the user has
  • Something the user is

In addition, it must be continuous throughout the entire session.

It is also important to consider risks such as malware that steals biometric data and enables the creation of deepfakes.

An additional measure is behavioral biometrics analysis, i.e., how the user holds the device, how they navigate, and how they interact with the application. This allows for continuous validation of their identity and detection of deviations.

Andrés Gueci: Organizations must adopt a proactive and comprehensive approach. Not only protecting internal channels, but also monitoring the external exposure of confidential information.

Cyber intelligence is key to anticipating fraud.

José Ruiz: My recommendation is to go beyond what local regulations require. Implementing robust controls not only prevents account takeover, but also other types of fraud.

Understanding the customer profile, applying dynamic authentication, and minimizing friction without compromising security is essential.

Juan José Ríos: Account takeover has a devastating impact on both individuals and institutions. Prevention requires multiple layers of protection: technology, intelligence, robust authentication, and awareness.

Thank you for joining us on this episode of Mundo Financiero Seguro.

Until next time.