skip to Main Content
account recovery
share

Understanding Account Recovery

Tom Cronkright, Published on April 29, 2019

Let’s paint a familiar picture for you.

Imagine that you’ve recently signed up for a new online service. You’ve filled out your account information, set your username and chosen a strong password. Maybe you’ve even created a few security questions and answers to further improve your account’s security.

A couple of weeks go by, and the next time you try to sign in to your account, for whatever reason, you just can’t remember your password.

You try to reset your password via email, but you can’t access the reset page because you used an old email address and no longer remember the login credentials.

Alternatively, you still remember the password, but you didn’t pay attention to the security answers that you entered and now you have no way to confirm your identity.

Either way, this scenario represents a cybersecurity situation where you would have to go through an account recovery process to prove that you are the owner of the account in question.

In the following article, we’re going to take a look at account recovery to help you learn how to stay safe and avoid becoming a victim of wire fraud.

What’s the difference between a password reset and account recovery?

While it may be easy to confuse a password reset and an account recovery, there are distinct differences between the two.

Below, we’ll define each one to help eliminate any confusion you may have.

Password reset

When you forget your password, you can usually reset it by having a password reset link sent to your email address.

This should be a straightforward process; you receive an email and are asked to click on a link, taking you to a webpage where you can enter and confirm a new password.

After clicking on submit, your new password will be applied, and you’ll be able to login with your new credentials.

Account recovery

Account recovery, on the other hand, involves extra steps, not only resetting your password. A process usually referred to as multi-factor authentication.

This could involve answering a security question, receiving a code via SMS or a phone call, or even speaking to a representative and confirming other details about your identity.

Regardless, these precautions help you prove that you are the legitimate account holder. While these extra steps prove your identity, they also prevent fraudsters from being able to use a password reset to access your account.

What is multi-factor authentication in cybersecurity?

Multi-factor authentication, which is sometimes referred to as “2FA” or two-factor authentication, helps break the cycle of fraudulent password resets.

This type of authentication not only requires the user to create a password but also requires them to confirm their identity using one or more additional forms of verification.

As mentioned, this could be by creating a security question where only you know the answer or sending a multi-digit confirmation code via SMS or phone call. Some sort of biometric measure may even be used, such as a voice or facial scan or even one of your fingerprints.

Today, most major service providers offer some form of multi-factor authentication.

While none are perfect, these extra security checks help prevent attackers from compromising your passwords and accessing your accounts. In the end, multi-factor authentication creates a more secure type of account recovery.

In the event of either a forgotten or compromised password, this can be extremely helpful.

The importance of multi-factor authentication

When it comes to account recovery, the safety level of the process is determined by the number of steps taken to prove your identity.

For years, email has been the most common method to prove your identity when trying to recover an account. But this only represents a single step in personal verification.

The problem with a single form of authentication is if your email address is compromised. Any services or accounts connected to it that allow for a password reset are also at risk.

Image of account recovery screen using two-factor authentication

Suppose you have two accounts that you use as backups for one another.

A fraudster would only need to compromise one of your accounts in order to gain access to the other. Or, if several accounts were linked together, the attacker would be able to “piggyback” across these accounts to reach their target.

For example, a fraudster has access to a victim’s Gmail account, which just happens to be the recovery address for that person’s Outlook account. The attacker could initiate a password recovery for the Outlook account, which would be sent to the Gmail account.

Then, with control of the Outlook account, the crook could access the victim’s social media accounts such as their Facebook page. Should the victim have their Facebook connected to any other services, the attacker would be able to access those as well.

And all of this because of a single compromised Gmail account.

Safe account recovery

Multi-factor authentication is an effective form of cybersecurity and prevents this type of attack cycle from happening. The attacker would not be able to get any further than the initial compromised Gmail account.

That’s why we always recommend using multi-factor authentication on your email–and any other accounts that allow it.

Why should my company care how websites handle account recovery?

In the real estate industry, companies see hundreds of thousands of dollars change hands almost every day. The accounts used in these transactions represent an extremely good-looking target for criminals to attack.

When your company is dealing with a company that doesn’t take steps to perform their account recoveries securely, they’re exposing a weak spot for fraudsters to exploit.

For example, if a criminal gained access to your email account, they could easily reset your password and access any of your other accounts.

These extra, multi-factor steps in account recovery make it more difficult for criminals to infiltrate your organization by pretending to be you.

The damage of a compromised account

When these attacks are successful, fraudsters are able to infiltrate your company. This could lead to hundreds of thousands of dollars being stolen and your company assets compromised.

Not only is this bad for all involved, but it can also lead to lawsuits and even bankruptcy.

When dealing with any type of user account, it’s important to always maintain proper digital hygiene. Always use strong passwords, and never use the same password for more than one account.

Take extra precautions by applying multi-factor authentication wherever possible.

Digital hygiene with CertifID

After I became the victim of wire fraud attack several years ago, I decided to create CertifID as a solution to a widespread and very real threat in the real estate industry.

CertifID is a software platform that creates a safe environment for wire transfers. It ensures that all parties involved are accurately identified before any funds are transferred.

To learn more about additional security methods you can use to reduce your risk of wire fraud, don’t hesitate to Contact Us and request a demo of CertifID.

AUTHOR

Tom Cronkright

CEO and Co-Founder @ CertifID

Back To Top