Digital life in Indonesia is evolving rapidly. Every day, thousands of people open bank accounts, make online transactions, and apply for loans. But behind this progress a dark reality looms: account takeover attacks are on the rise. Unfortunately, traditional authentication methods are failing to protect users.
Fraudsters manipulate customers through a simple phone call, a fake message, or a misleading email that tricks people into revealing their passwords, OTPs, and personal information. These account takeover attacks can happen to anyone at any moment, draining a bank account before the victim realizes it.
What does the account takeover landscape look like globally, and especially in Indonesia? What are the risks behind it, and how can we prevent it? Let’s take a look in this article!
In recent years, the frequency and sophistication of Account Takeover (ATO) attacks have escalated. For instance, Indonesia’s shift to online transactions brings security risks. In 2023, Indonesian banks reported losses amounting to Rp2.5 trillion (approximately USD 150 million) due to fraudulent activities. Similarly, UK banks faced losses of GBP 580 million from social engineering scams, while Singapore witnessed a doubling of scam cases within a year, with 90% involving stolen One-Time Password (OTP) codes. These statistics underscore the global nature of the threat and its profound impact on victims.
An account takeover attack occurs when cybercriminals gain unauthorized access to someone’s online accounts. They use various techniques to steal login credentials and bypass security measures. Below are the most common methods used in ATO attacks, explained in simple terms.
Phishing is one of the most common tactics used by hackers. Attackers send fake emails, text messages, or social media alerts that look like they’re from a trusted source (such as your bank, an e-commerce site, or even your employer). These messages often contain urgent warnings that make you panic.
The link provided will direct you to a counterfeit website designed to steal your login credentials. Once you enter your username and password, hackers immediately gain access to your account.
How to protect yourself from phishing: Never click on suspicious links, check the sender’s email address for inconsistencies, and use multi-factor authentication to protect your accounts.
Many people reuse the same password across multiple websites. As a result, 80% of breaches are due to weak or stolen passwords. Hackers take advantage by using login details stolen in previous data breaches to access other accounts. For example, if your email-password combination was leaked in a breach, hackers will try the same credentials on banking, e-commerce, and social media sites.
You can prevent these attempts by avoiding the reuse of the same passwords for many accounts. Use a password manager to generate unique passwords for each account.
Brute force attacks involve hackers using automated software to try thousands (or even millions) of password combinations in a short period. If your password is something weak like "123456" or "password123", it won’t take long for attackers to guess it.
The Rockyou2024 breach, which exposed 10 billion passwords globally, left businesses reeling, with fraud rates still remaining at historically high levels. Hackers use lists of commonly used passwords and systematically enter different variations until they find a match.
How to stay safe: Create long and complex passwords with a mix of letters, numbers, and symbols, and implement account lockout after multiple failed login attempts.
In Indonesia, 97% of businesses have been targeted by social engineering. Despite its name, social engineering involves no engineering at all. Instead, it is when hackers manipulate people into revealing sensitive information: they "hack" human behavior.
Fraudsters often pretend to be an authoritative person from a financial institution and ask you to follow their instructions. They convince you to give up personal information, verify your identity, and make transactions, when in fact they are manipulating you.
How to stay safe: Always verify identities before sharing sensitive information, be cautious of urgent or unexpected requests for login details, and ensure that the numbers contacting you are from official company communication channels.
Malware is a type of malicious software that silently runs on your device and steals login credentials. The most common forms of malware used in ATO attacks include:
Hackers can infect your computer with malware through phishing emails, malicious downloads, or unsecured websites.
How to stay safe: Avoid downloading attachments from unknown sources, install reputable antivirus and anti-malware software, and keep your operating system and apps updated to patch security flaws.
SIM swapping is when hackers manipulate your mobile carrier into transferring your phone number to a new SIM card they control. Once they have your phone number, they can intercept your OTPs and gain unauthorized access to your accounts.
How to stay safe: Use app-based authentication (like Google Authenticator or Microsoft Authenticator) instead of SMS-based 2FA and monitor suspicious account activity related to your phone number.
In MITM attacks, hackers position themselves between you and a legitimate service to intercept sensitive information. This often happens when users connect to public Wi-Fi networks that are not encrypted.
For example, you log into your bank account using an unsecured Wi-Fi network at a coffee shop. Hackers intercept your login details before they reach the bank's server, and now they have full access to your account.
Avoid logging into sensitive accounts like banking or e-commerce on public Wi-Fi. Also use a VPN to encrypt your internet connection.
Account takeover attacks can have severe consequences, affecting both individuals and businesses in multiple ways.
ATO attacks can lead to unauthorized withdrawals, fraudulent transactions, and drained savings. In Indonesia alone, 44% of businesses have suffered significant financial losses due to social engineering attacks, which often serve as entry points for account takeovers.
Once an account is compromised, fraudsters can extract personal information and use it to open new accounts or commit crimes under the victim's name. This is particularly alarming as 84% of Indonesian businesses have encountered identity fraud, with 56% of them reporting synthetic identity fraud cases, where stolen data is used to create entirely new fraudulent identities.
A business that falls victim to ATO attacks risks losing customer trust and damaging its brand reputation. With 48% of businesses reporting financial losses, data breaches, and reputational damage due to fraud, the impact extends beyond direct financial harm. It affects customer confidence and long-term business sustainability.
For example, a couple in Padang lost Rp1.1 billion after clicking an unknown WhatsApp link, while an individual in Malang saw Rp500 million vanish within minutes due to a phishing attack. These incidents illustrate the devastating personal and financial impacts of ATO attacks.
Unlike traditional methods such as passwords or PINs, Silent Authentication allows users to verify their identity without any manual input like typing a password or entering an OTP. Instead, users simply authenticate themselves through biometric verification, such as a selfie.
But how can security be ensured when authentication is done with just a selfie? While this method seems simple from the user’s perspective, the technology behind it is highly sophisticated, involving multiple layers of security.
A user’s device plays a crucial role in authentication. Using Public Key Infrastructure (PKI), the device ensures that only the rightful owner can access their account. This eliminates the need for passwords or OTPs, which are vulnerable to phishing and SIM swap attacks. By binding authentication to the user’s registered device, unauthorized access attempts are automatically blocked.
VIDA Phone Token eliminates the need for passwords and OTPs by leveraging device-based authentication. It binds the user’s identity to their phone using PKI encryption and device biometrics, ensuring that only the authorized user can access their account. This makes it highly resistant to phishing, credential theft, and SIM swap fraud.
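A minimal illustration of the device-bound, challenge-response authentication that the two paragraphs above describe, written for this article rather than taken from VIDA's product: the server stores only the public key enrolled from the user's phone, and every login needs a fresh challenge signed on that phone, so a phished password, an intercepted OTP, or a swapped SIM gives an attacker nothing to present. The user name, the `bank.example` origin, and the assumption that the phone's local biometric check has already passed are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Server keeps, per user, the enrolled phone's public key and the outstanding login challenge.
type Server struct {
	devices map[string]ed25519.PublicKey // the private key never leaves the phone
	pending map[string][]byte
}

func NewServer() *Server { return &Server{devices: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}} }

// Enroll binds a user identity to the device key; done once, at registration.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.devices[user] = pub }

// Challenge issues a fresh random nonce that may be consumed exactly once.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read never returns an error on current Go releases
	s.pending[user] = nonce
	return nonce
}

// message ties the nonce to the user and the service origin, so a signature harvested by a look-alike site is worthless at the genuine one.
func message(user, origin string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(user+"|"+origin+"|"), nonce...))
	return h[:]
}

// DeviceSign is the phone's side: after its local biometric check (assumed to have passed) it signs with the device-bound private key.
func DeviceSign(priv ed25519.PrivateKey, user, origin string, nonce []byte) []byte {
	return ed25519.Sign(priv, message(user, origin, nonce))
}

// Verify consumes the outstanding challenge and checks the signature against the enrolled key.
func (s *Server) Verify(user, origin string, nonce, sig []byte) bool {
	pub, enrolled := s.devices[user]
	pending, issued := s.pending[user]
	if !enrolled || !issued || !bytes.Equal(pending, nonce) {
		return false // unknown user, no challenge outstanding, or a stale nonce
	}
	delete(s.pending, user) // single use: a replayed signature stops here
	return ed25519.Verify(pub, message(user, origin, nonce), sig)
}
```

A replayed signature, a signature produced for a look-alike origin, and a signature from a device that was never enrolled all fail at `Verify`, which is the property that makes the stolen password or OTP useless on its own.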
This is the only step the user needs to take: a simple selfie. The system matches the user’s facial biometrics with their registered profile and verifies that the authentication is being performed on a trusted device. This ensures that even if a fraudster obtains a user’s credentials, they still won’t be able to access the account.
VIDA Face Token combines facial biometrics, liveness detection, and device authentication in a single step. Unlike traditional face recognition, which can be tricked by deepfake or static images, VIDA Face Token ensures that authentication is live and tied to a trusted device. This makes it an ideal replacement for OTPs, providing a seamless yet ultra-secure way to verify users.
Account takeover attacks present a serious challenge in today's digital landscape. Understanding the methods employed by attackers and adopting advanced prevention measures are essential steps in safeguarding accounts from this kind of fraud.