I don't give a damn about my reputation.
Joan Jett & the Blackhearts had the luxury of belting out those lyrics before the modern internet age, back when counterculture was subversive, cool, and edgy.
Today, counterculture is mainstream. And our online reputations are everything. Our digital personas are deliberately curated, highly visible, and tightly managed as we wed ourselves ever closer to the devices in our pocket.
So, when accounts are taken over through credential stuffing and bad actors exploit them, the results can be devastating on a very personal level.
Panic, embarrassment, and shame.
These are real feelings resulting from things that occur in our digital world.
This is especially true in the case of social media account takeover, which the Identity Theft Resource Center (ITRC) has dubbed an “Account Takeover Epidemic.”
According to the ITRC, which in 2021 had just short of 15,000 identity crime victims contact it for support services (a record in itself), social media account takeovers increased 1,044% from 2020 to 2021. A stunning statistic.
As a follow up, the ITRC conducted a survey of social media account takeover victims and found that 66% reported experiencing strong emotional reactions to losing control of their social media account: 92% felt violated, 83% worried and anxious, 78% angry, 77% vulnerable, and 7% suicidal.
In the spirit of World Mental Health Day, these are important stats to consider within the cybersecurity space. And while it may be easy for some to view social media identity theft as a mere inconvenience, these figures demonstrate how closely tied one’s online reputation is to their emotional wellbeing.
Take a couple of friends of mine, Trevor and Stacey, both of whom had their social media accounts hijacked, presumably by the same credential stuffing attack, in July 2022. Neither had set up 2-factor authentication.
Both friends are successful professionals who were active on social media, and one happened to be a moderate crypto enthusiast.
The bad actors posted on their Instagram stories a not-so-subtle message about getting involved in a bitcoin mining scheme. It was a screenshot of an iPhone lock screen which included a picture from their profile (in the case of Trevor, a picture of him and his wife) and displayed a bogus text message from BofA, followed by a screenshot of his supposed bank account.
While it doesn't take a cybersecurity expert to recognize this was a scam, it could nonetheless prove to be an effective phishing tactic since it is coming from the trusted source’s actual account within a social ecosystem not known for abuse.
Curious about the sophistication of these attackers—and because I'll never pass up an opportunity to speak directly to our black-hatted counterparts—I responded to the story to see how effective their messaging was:
I know, I know. I'm such a good friend, right?
It was an awful ordeal for both individuals. Trevor was able to use Instagram's facial recognition verification process, which scans your face and compares it against their endless library of tagged photos. He was able to regain access within 27 hours and set up his 2-factor authentication.
Stacey, on the other hand, left social media altogether. The ordeal was just too much of an embarrassment and created so much anxiety for her that she just up and left. Decided the whole persona in a digital realm thing was not for her.
This is not unusual. A study from 2020 suggests 28% of consumers will stop using a website if their account is hacked.
Panic, embarrassment, and shame.
Not the sort of feelings we want customers’ end users to have when they rely on our products. And while this example may be specific to social media, the sentiment is something we can all share.
Whether it’s social media, fintech, ecommerce, or any other organization with an exploitable user base, credential stuffing is a cat-and-mouse game that is here to stay—and with eyebrow-raising impact.
According to Javelin Strategy and Research in their 2021 Identity Fraud Study, account takeover (ATO) fraud resulted in over $6B in total losses in 2020. Companies create new defenses, hackers develop tools to bypass these safeguards, and the cycle continues.
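One of the defenses in that cycle, shown here as an added example that is not from the original post or from any of the companies it mentions: a detector for credential stuffing bursts in a login log. Stuffing looks different from a forgotten password. A single source tries many different usernames in a short window, most attempts fail, and the few that succeed are the accounts that have just been taken over (exactly what happened to Trevor and Stacey, whose names are reused below as made-up usernames). The log lines, IP addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample login events: "<ISO timestamp> <source IP> <username> <outcome>".
# These lines are made up for the example and come from no real system.
# The first source tries eight different accounts in seven seconds and lands two;
# the second is an ordinary user who mistypes her password twice.
SAMPLE_LOG = """\
2022-07-14T02:00:01 203.0.113.7 alice fail
2022-07-14T02:00:02 203.0.113.7 bob fail
2022-07-14T02:00:03 203.0.113.7 carol fail
2022-07-14T02:00:04 203.0.113.7 trevor success
2022-07-14T02:00:05 203.0.113.7 dave fail
2022-07-14T02:00:06 203.0.113.7 erin fail
2022-07-14T02:00:07 203.0.113.7 stacey success
2022-07-14T02:00:08 203.0.113.7 frank fail
2022-07-14T02:01:10 198.51.100.9 grace fail
2022-07-14T02:01:20 198.51.100.9 grace fail
2022-07-14T02:01:35 198.51.100.9 grace success
"""


def parse_log(text):
    """Parse the constructed log format into time-sorted (timestamp, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "success"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.5):
    """Flag source IPs that, within any sliding `window`, attempt at least
    `min_users` distinct usernames with a success rate at or below
    `max_success_rate`. Thresholds are illustrative assumptions; tune them to
    real traffic. Returns {ip: {"attempts", "distinct_users", "compromised"}},
    where "compromised" is the set of accounts that logged in successfully
    inside a flagged burst and should get a forced reset and session revocation.
    """
    by_ip = {}
    for ev in events:
        by_ip.setdefault(ev[1], []).append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        recent = deque()            # events from this IP inside the current window
        for ev in evs:              # evs are already time-sorted
            recent.append(ev)
            while recent[0][0] < ev[0] - window:
                recent.popleft()
            users = {e[2] for e in recent}
            successes = {e[2] for e in recent if e[3]}
            # A real user retrying one account never reaches min_users distinct names;
            # a stuffing run does so quickly and fails on most of them.
            if len(users) >= min_users and len(successes) / len(recent) <= max_success_rate:
                alert = alerts.setdefault(
                    ip, {"attempts": len(evs), "distinct_users": set(), "compromised": set()})
                alert["distinct_users"] |= users
                alert["compromised"] |= successes
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {alert['attempts']} attempts against "
              f"{len(alert['distinct_users'])} accounts; "
              f"likely taken over: {sorted(alert['compromised'])}")
```

The useful output for a responder is not the flagged IP but the set of accounts that succeeded inside the burst: those are the Trevors and Staceys who need a forced password reset, revoked sessions and a nudge to enable 2-factor authentication, ideally before the attacker posts anything from their account. Throttling the source IP alone does little against a stuffing campaign spread across a proxy network, which is why the heuristic keys on distinct usernames and failure rate rather than raw request volume.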
So how can businesses fight back?
In a recent Aite Group report, risk executives from financial institutions, fintech lenders, and ecommerce companies were interviewed to learn how they are protecting themselves from the escalating volume of ATO attacks.
Among the key takeaways:
Looking beyond the obvious bottom-line impacts of ATO attacks, it’s important to remember these crimes have a real human impact.
Stopping fraud isn’t only about saving money. It is just as critical for preventing the kind of human trauma that is surreptitiously corroding the fundamental fibers of a more ideal digital future. As in the physical world, what we want requires safety, security, and trust.