Jon Debonis

Account Takeover

AKA Hijacking, Stolen Credentials, Account Verification Attacks

Google / UCB Study

Google worked with UC Berkeley on a study (and paper). Two sets of significant results:

First, the three types of attacks studied are listed by their efficacy at full account takeover:
  1. 25% of credentials obtained via phishing
  2. 12% of keylogger victims
  3. 7% of victims in third-party data breaches

However, phishing also collects phone numbers, geolocation, and device profiles. This, combined with historical password enumeration, makes phishing even more successful.

Second, the risk signals