As more of our financial and personal lives happen online, the incentives for fraud and theft continue to grow. While inelegant, brute force attacks to take over accounts continue to be effective and popular. In the last quarter of 2021 alone, brute force attacks increased a staggering 274%. These hacks are frustrating, time-consuming, costly—and often the first indication of an account takeover (ATO)—but they are preventable.
This article examines the types of brute force attacks and how to recognize and defend your users from falling victim.
A brute force attack is a digital intrusion where hackers employ software to systematically ‘guess’ passwords to gain access to accounts. A form of account takeover, it’s unsophisticated in nature, as it involves casting the widest net possible to succeed. A brute force attack is almost always automated.
Because it’s simple, brute force is the most common form of hacking. In recent years, it has exploded in usage, due mostly to an increase in digital accounts created and used by remote workers.
Let’s look at why fraudsters implement this attack and the damage that often occurs.
Brute force attacks are often used either to steal money (or steal an identity to conduct fraud) or to cause digital disruption to a website. Knowing why attackers strike and what they stand to gain can help you defend your customers and ecosystem against them.
Here are the ways hackers conduct brute force attacks to steal money:
Here are the ways brute force attacks can disrupt your product or website:
There are four main types of brute force attacks, all with their own unique ways to take ownership of an account.
The simple brute force attack is the most basic, as it entails guessing password combinations until successful.
In a dictionary brute force attack, hackers use automated software to try passwords drawn from a prepared list (the "dictionary") until they find one that works.
The hybrid method combines dictionary and simple brute force tactics to guess passwords containing common words and random characters.
A reverse brute force attack takes a single password and attempts to access accounts by applying it to many username logins.
Now that you’re aware of the ways fraudsters are penetrating accounts, let’s see how to keep them out.
Preventing brute force attacks requires a proactive, creative approach that you periodically evaluate as part of your overall fraud prevention processes.
It’s a common misconception that a mixture of letters, numbers, and special characters makes the best password. Instead, you should encourage your customers to create passwords that are built from lengthy sentences.
To a human, a password such as HagksyeHbB12@#4651 might seem tough to crack, but not to a machine: it’s simply 18 characters, and a machine can cycle through combinations of that length quickly until it succeeds. A much longer password such as thedogisbluewithgreenstripesandlikestoeattomatoeswithpasta will take far more time for a computer to crack, if it can at all.
There’s a fine line between cracking down on brute force attacks and providing a frictionless experience for your customers. One way to strike the right balance is to limit login attempts. That way, legitimate logins aren’t disrupted, while brute force attacks are shut down.
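One way to implement the attempt limit described above, as an added Python example that is not TeleSign's code: a per-account limiter with escalating, time-limited lockouts, plus a small replay that shows a legitimate login getting through while a guessing run against another account is cut off after a few tries. All thresholds and the sample credentials are assumed values.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Per-account failed-login limiter. Thresholds are assumptions for this example:
    `max_failures` failures within `window` s lock the account for `base_lockout` s,
    doubling on each repeat lockout up to `max_lockout`."""

    def __init__(self, max_failures=5, window=300.0, base_lockout=60.0,
                 max_lockout=3600.0, clock=time.monotonic):
        self.max_failures, self.window = max_failures, window
        self.base_lockout, self.max_lockout = base_lockout, max_lockout
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(list)    # username -> recent failure times
        self._locked_until, self._lockout_count = {}, defaultdict(int)

    def seconds_locked(self, username):
        """Remaining lockout for `username`; 0.0 means attempts are allowed."""
        return max(0.0, self._locked_until.get(username, 0.0) - self.clock())

    def record_failure(self, username):
        """Record a failed attempt; return the lockout applied (0.0 if none)."""
        now = self.clock()
        recent = [t for t in self._failures[username] if now - t < self.window] + [now]
        self._failures[username] = recent
        if len(recent) < self.max_failures:
            return 0.0
        n = self._lockout_count[username]
        duration = min(self.base_lockout * 2 ** n, self.max_lockout)
        self._locked_until[username] = now + duration
        self._lockout_count[username] = n + 1
        self._failures[username] = []         # fresh window once the lock expires
        return duration

    def record_success(self, username):
        self._failures.pop(username, None)    # correct login clears the failure window

def simulate(throttle, credentials, attempts):
    """Replay (username, password) attempts; return (accepted, rejected, blocked)."""
    accepted = rejected = blocked = 0
    for user, pw in attempts:
        if throttle.seconds_locked(user) > 0:
            blocked += 1                      # refused without checking the password
        elif credentials.get(user) == pw:
            throttle.record_success(user)
            accepted += 1
        else:
            throttle.record_failure(user)
            rejected += 1
    return accepted, rejected, blocked
```

Because a purely per-account lock can itself be used to keep a legitimate customer out, production deployments normally pair it with per-source rate limits and keep locks temporary, as here, rather than permanent.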
One of the problems companies encounter in their fraud prevention strategy is inadvertently leaving accounts open to hackers, who in turn use them to infiltrate more lucrative accounts within the ecosystem.
It’s critical to check for accounts that are dormant within your system to ensure hackers don’t use them to commit fraud.
Companies that embrace multifactor authentication (MFA) find that user logins are much more secure, and their customers end up with safer, better experiences. Brute force attacks target companies whose websites let customers in on a single factor, such as a username and password. By implementing MFA, the chances of a brute force attack working are slim, especially when it is used in combination with other security efforts. Google recently implemented MFA for accounts and, in the last year alone, saw a 50% reduction in compromised accounts.
Ultimately, a brute force attack is only as effective as a company allows it to be. By being proactive and consistently evaluating your security stack to ensure you have the right mix of layered solutions, you can stop the attacks before they start.
TeleSign is committed to helping you keep your customers safe. If you’re interested in learning more about securing accounts from fraudsters, contact us today.