SaaS: The Next Target for Account Takeover
27 Apr 2017
SaaS: The next target for ATO
When you think of account takeover (ATO), what comes to mind? High-profile data breaches? Embarrassing celebrity Twitter hacks? Although these companies are certainly at risk, they’re not the only ones vulnerable to ATO. Software-as-a-service (SaaS) businesses are equally – if not more – vulnerable to damaging account takeovers.
SaaS companies that offer services to other businesses store a wealth of customer data. That means data breaches can lead to extraordinary damage. For example, fraudsters who steal a customer’s account credentials can then reuse them to commit fraud on a massive scale. So, what is account takeover? Why should SaaS companies worry? And how can you take steps to protect your business?
What is account takeover?
ATO, also known as account compromise, is just what it sounds like: a bad actor getting access to a good user’s account. Once that access is achieved, the fraudster can use the account for all kinds of opportunistic and malicious ends: making high-value purchases, using up stored credits, scamming other users, creating fake listings, spamming, and more. In the case of SaaS companies, fraudsters may be targeting financial information, or they may be wanting to misuse or exploit customer data.
Fraudsters are often able to keep victims in the dark about attacks long after their account is hijacked. In many cases, businesses don’t know that their users’ data have been compromised – and neither do the users themselves – until significant damage is already done.
Why SaaS companies make good targets
Fraudsters love SaaS companies because they’re extremely lucrative. Each holds valuable customer data and financial information. Business-to-business (B2B) services are especially vulnerable, since a single account holder could provide access to private information for entire companies: dozens, hundreds, or even thousands of users’ credit card information and personal data.
Although SaaS companies may be doubling down on cybersecurity defenses, weaknesses still persist. Many SaaS companies comply with ISO 27001, an auditing standard designed to prove that service providers have control over the location and security of their data. But surveys show that even ISO 27001-compliant businesses commit “bad practices with regard to privileged user management.” The same features that make SaaS services so convenient – that data can be accessed anywhere, that storage is boundless – also contribute to an increased risk of ATO.
By attacking one B2B business, scammers can secure access not only to that business’s information but also to its customers’ information. For example, if a hacker takes over a business’s account to access its profile on a customer relationship management (CRM) service, they can wreak serious havoc. Fraudsters could download the business’s client base and use it to hold the business ransom, sell the client base to a competitor, or damage the business’s reputation.
In another common scenario, fraudsters take over accounts to access listings on resume-hosting or real estate database services. Once they’ve accessed a listing, the fraudsters can change contact information. So, someone intending to send their resume to a company that’s hiring or their financial information to a real estate agent instead sends their information to the fraudster’s address. The fraudsters can then steal customers’ personal information.
Because SaaS companies are a recent target, many have yet to implement robust fraud solutions to counter these attacks.
How to prevent ATO
For SaaS companies, success breeds vulnerability. As a SaaS company grows, security takes on an increasingly central role. Customer safety is vital for preserving your reputation, protecting your bottom line, and continuing to scale. But that’s easier said than done! How do you deal with ATO and keep your customers safe?
When seeking to protect users’ accounts, many online businesses introduce security checks like two-factor authentication, email links, SMS codes, captchas, and even phone calls. When used selectively and intelligently, these checks can be a powerful tactic to prevent ATO. But they can also inconvenience honest customers, making it harder or less efficient for them to access their accounts.
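One way to apply such checks selectively is a risk-scoring pass over login attempts that challenges only those whose signals look like account takeover (an unfamiliar device plus a change of country, a burst of failures on one account, or one source address cycling through many accounts). This is an added example in Python, not code from the original post; the users, RFC 5737 test addresses, signal weights, and the 10-minute window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
STEP_UP_THRESHOLD = 3   # assumed cutoff: score >= 3 triggers a 2FA/SMS/email challenge
WEIGHTS = {"new_device": 2, "country_change": 2, "failure_burst": 2, "ip_many_accounts": 3}

# Constructed login attempts (hypothetical users and RFC 5737 test addresses).
EVENTS = [
    {"ts": "2017-04-27T09:00:00", "user": "alice", "ip": "203.0.113.5", "device": "d-alice", "country": "US", "ok": True},
    {"ts": "2017-04-27T09:05:00", "user": "alice", "ip": "203.0.113.5", "device": "d-alice", "country": "US", "ok": True},
    {"ts": "2017-04-27T09:30:00", "user": "alice", "ip": "198.51.100.7", "device": "d-other", "country": "BR", "ok": True},
    {"ts": "2017-04-27T10:00:00", "user": "bob", "ip": "192.0.2.9", "device": "d-x", "country": "US", "ok": False},
    {"ts": "2017-04-27T10:00:10", "user": "carol", "ip": "192.0.2.9", "device": "d-x", "country": "US", "ok": False},
    {"ts": "2017-04-27T10:00:20", "user": "dave", "ip": "192.0.2.9", "device": "d-x", "country": "US", "ok": False},
    {"ts": "2017-04-27T10:01:00", "user": "bob", "ip": "192.0.2.9", "device": "d-x", "country": "US", "ok": True},
]

def assess_logins(events):
    """Score each attempt in time order using only the history seen so far.
    Returns [(user, "allow" | "challenge", [reasons])] in that order."""
    known_devices = defaultdict(set)   # user -> devices seen on successful logins
    last_country = {}                  # user -> country of the last successful login
    failures = defaultdict(list)       # user -> timestamps of failed attempts
    ip_attempts = defaultdict(list)    # ip -> (timestamp, user) of every attempt
    results = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, user, ip = datetime.fromisoformat(ev["ts"]), ev["user"], ev["ip"]
        reasons = []
        if known_devices[user] and ev["device"] not in known_devices[user]:
            reasons.append("new_device")
        if user in last_country and last_country[user] != ev["country"]:
            reasons.append("country_change")
        if sum(1 for f in failures[user] if t - f <= WINDOW) >= 3:
            reasons.append("failure_burst")
        # One source address cycling through accounts looks like credential stuffing.
        recent_users = {u for ts, u in ip_attempts[ip] if t - ts <= WINDOW} | {user}
        if len(recent_users) >= 3:
            reasons.append("ip_many_accounts")
        score = sum(WEIGHTS[r] for r in reasons)
        results.append((user, "challenge" if score >= STEP_UP_THRESHOLD else "allow", reasons))
        # Update history after the decision so an attempt never vouches for itself.
        ip_attempts[ip].append((t, user))
        if ev["ok"]:
            known_devices[user].add(ev["device"])
            last_country[user] = ev["country"]
        else:
            failures[user].append(t)
    return results
```

Only two of alice’s three logins pass without friction; the third (new device and new country) is challenged, and the stuffing address is challenged even on the attempt where the password is correct.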
The cost of an attack is high, but the cost of making it hard for people to log into their accounts is also high. If people find a service too cumbersome, they become less engaged, or stop using it entirely. A better solution is for SaaS businesses to stop ATO before it happens. The first step to earning your customers’ trust is ensuring their safety. Ready to start?