Harm: Account Hijacking

Definition: Unauthorized takeover of someone else's account.
Motivation: Financial
Legal Status: Almost always illegal
Platform ToS: Violates Policy
Victim Visibility: Unaware
Classification: Contextually Sensitive
TSPA Abuse Type: Deceptive & Fraudulent Behavior: Impersonation

Hijacking, like its aviation namesake, refers to the unauthorized takeover of someone else's online account. It typically involves gaining unauthorized access to the account by exploiting weak or reused passwords, though more advanced techniques such as social engineering and SIM swapping are also potential vectors. Once the attacker has access, they will often change the password, locking the legitimate user out of their own account. In addition, the attacker may go on to use the account for a wide range of malicious purposes, including identity theft, fraud, spreading malware, account resale, or accessing sensitive information.

Since weak and reused passwords are such a dominant cause of account hijacking, the design of a platform's authentication system has an enormous impact on how often its users get hijacked. The two best strategies are to either:

  • Outsource authentication to a third-party authentication provider (through a system called OAuth), which centralizes the capacity for detection, remediation, and security with a single, heavily trusted and well-resourced organization. Though a slightly different flavor, login-by-emailed-link is another authentication strategy that holds most of the same benefits.
  • Require Two-Factor Authentication in order for people to log in. By requiring two distinct kinds of evidence about a user (something they know, something they have, or something they are), you dramatically increase the challenges an attacker has to surmount in order to obtain access to the account.

What features facilitate Account Hijacking?

Identity
Individuals' ability to represent themselves in a digital space.

How can platform design prevent Account Hijacking?

Two-Factor Authentication
Authenticating users through two types of credentials (something you have, something you know, something you are).
Require unleaked passwords
During signup, don't allow users to use a password that has been included in a leaked dataset.
Use an OAuth Provider
Centralize identity management and its risk with a company that thinks about it full-time.
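As an added example (not code from this page), a Python sketch of the "require unleaked passwords" signup check using the range-lookup scheme popularized by Have I Been Pwned's Pwned Passwords service: the client hashes the candidate password locally, sends only the first five hex characters of its SHA-1 digest, and matches the remaining suffix against the bucket the server returns, so the server never sees the full hash. The leaked corpus, function names and the minimum-length policy below are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-password dataset: password -> times seen in breaches.
# Real deployments load this from a breach corpus or query a range-lookup service.
LEAKED_PASSWORDS = {"password": 9_000_000, "123456": 23_000_000,
                    "qwerty": 3_800_000, "letmein": 250_000}

def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the range-lookup scheme indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: dict[str, int]) -> dict[str, dict[str, int]]:
    """Bucket leaked hashes by their 5-char prefix; values map suffix -> count."""
    index: dict[str, dict[str, int]] = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index[digest[:5]][digest[5:]] = count
    return index

RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)

def range_lookup(prefix: str) -> dict[str, int]:
    """Server side: given only a 5-char prefix, return every suffix:count in that
    bucket. Because many hashes share a prefix, the server cannot tell which one
    the client actually holds (k-anonymity)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))

def leaked_count(password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = sha1_upper(password)
    bucket = range_lookup(digest[:5])
    return bucket.get(digest[5:], 0)

def signup_password_ok(password: str, min_length: int = 8) -> tuple[bool, str]:
    """Signup policy: enforce a minimum length, then reject anything seen in a leak."""
    if len(password) < min_length:
        return False, f"password shorter than {min_length} characters"
    seen = leaked_count(password)
    if seen:
        return False, f"password appears in leaked data ({seen} times)"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("password", "letmein", "Tr0ub4dor&3-unique-xyz"):
        print(candidate, "->", signup_password_ok(candidate))
```

The count returned with a hit is useful for telemetry: a signup stream dominated by high-count leaked passwords is an early signal that attackers are probing the form with credential-stuffing lists.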