Account Takeover
Account Takeover Tactics Raise the Stakes for Trusted Identities
Account takeover (ATO) fraud is aimed squarely at gaining access to an account and the value it holds. With easy access to 15 billion stolen log-in credentials on the web, fraudsters have escalated their ATO strategies because it's a cheap, fast and efficient way to make money. Once they hold log-in credentials, adding individuals' names, addresses, email addresses, phone numbers and other data opens a floodgate of fraud opportunities.
Using identity data harvested from phishing, social engineering, phone scams, man-in-the-middle Wi-Fi attacks and credential stuffing, fraudsters have exploited security weaknesses to fool traditional identity verification solutions. The proliferation of fake profiles hasn't helped. Fake new account registration fraud is surging, and trends show these fake accounts are linked to account takeover attempts. Here's how it works: when an attempt to register a fake new account is declined, the rejection itself signals that a real account with those details likely already exists. At this point, the fraudster can switch gears to an account takeover attack.
In response, fraud-prevention technology has upped its game. But it's about to get really weird.
Account Takeover 2.0: The Mechanics
Using advanced technology, sophisticated cybercriminals and organized crime gangs are now expanding their repertoires of account takeover attack methods.
- Deep fakes: New image, video and voice technologies use AI to animate photos and videos and clone voices with extreme precision. Animate a deceased relative? No problem. Make people appear to do or say things they never did? Piece of cake. When fraudsters can outsmart victims' friends and families, identity verification solutions are pushovers. Deep fakes are used to supplement stolen credentials and synthetic identities.
- SIM swapping: If a phone has been lost or stolen, a fraudster can infiltrate the account, cut off phone service and drain a bank account within minutes. A fraudster sends a text message using the stolen phone to the carrier and receives a Porting Authorization Code. Presented with accurate, but stolen, data, the provider is convinced to switch the phone number to a new "phone"—a SIM card that the fraudster holds. Now the fraudster can intercept two-factor authentication and other SMS messages and lock the victim out of their account. Suddenly your phone doesn't work and your bank account is empty.
- One-time passwords (OTPs): Once thought to be an effective security measure, one-time passwords are useless if the fraudster has performed a SIM swap. Malware downloaded to computers and mobile devices also can intercept OTPs and resend them to the attacker. Adding a mobile number for two-factor authentication and OTPs can actually be a convenient back door for bad actors to exploit.
- Remote access Trojans (RATs): These are authentic-looking applications or files that carry malware onto your device. They enable fraudsters to gain administrative control over the targeted device. The malware then tracks keystrokes or other activity to capture login credentials. RAT-in-the-browser (RitB) is a variation that works with a RAT to hijack a session or alert the fraudster when the customer logs on. Mobile banking Trojan malware tries to access confidential information stored or processed through online banking systems.
- Pre-account takeover: A pre-account takeover occurs when an attacker creates a user account on a web application that resembles the victim's account, using the victim's email address. If the app does not verify that the registrant actually controls that email address, it connects the two accounts. Voila—easy access.
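Two of the weaknesses above live in the registration and sign-in code itself: a registration form that says "already taken" confirms that an account exists, and an application that links accounts on the email address alone lets an attacker's unverified placeholder account absorb the victim's later sign-in. The following is an added example written for this page, not code from the article or from any vendor product. It is a constructed in-memory registration and identity-provider (IdP) login flow (names such as `AccountStore`, `idp_login` and the `UNIFORM_REPLY` text are assumptions for the demo) that shows the flawed linking rule beside a hardened one and answers registrations uniformly whether or not the address is taken.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed in-memory store standing in for the user database and the mail sender.


@dataclass
class Account:
    email: str
    password_hash: bytes = b""          # empty when the account was created through an external IdP
    email_verified: bool = False
    external_logins: set = field(default_factory=set)  # e.g. {"idp:123"}


class AccountStore:
    def __init__(self):
        self.accounts = {}        # email -> Account
        self.verify_tokens = {}   # one-time token -> email
        self.outbox = []          # (recipient, message) pairs in place of real email


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt prepended to the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(password, stored):
    """Constant-time comparison; an account with no password never matches."""
    if len(stored) < 16:
        return False
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


UNIFORM_REPLY = "Check your inbox for a message to continue."


def register(store, email, password):
    """Registration that neither reveals whether an address is taken nor trusts the address.

    Both branches return the same text and both send one message, so the reply and
    the visible side effects do not tell the requester whether the account exists.
    """
    email = email.strip().lower()
    if email in store.accounts:
        store.outbox.append((email, "Someone attempted to register with your address."))
    else:
        token = secrets.token_urlsafe(32)
        store.accounts[email] = Account(email, hash_password(password))  # unverified until the token is used
        store.verify_tokens[token] = email
        store.outbox.append((email, "verify:" + token))
    return UNIFORM_REPLY


def verify_email(store, token):
    """Consume a one-time token and mark the account's address as owned by the registrant."""
    email = store.verify_tokens.pop(token, None)
    if email is None:
        return False
    store.accounts[email].email_verified = True
    return True


def idp_login_insecure(store, idp_subject, idp_email):
    """The flaw the article describes: the email address alone is the join key,
    so an unverified placeholder created by someone else captures this sign-in."""
    email = idp_email.lower()
    acct = store.accounts.setdefault(email, Account(email, email_verified=True))
    acct.external_logins.add(idp_subject)
    return "ok", acct


def idp_login(store, idp_subject, idp_email, idp_email_verified):
    """Hardened: link an IdP identity only when both sides have proven control of the address."""
    email = idp_email.lower()
    if not idp_email_verified:
        return "rejected", None                 # an unverified claim cannot serve as a join key
    acct = store.accounts.get(email)
    if acct is None or not acct.email_verified:
        # No account, or an unverified placeholder (possibly a pre-account-takeover
        # registration): discard it and give the proven mailbox owner a clean account.
        acct = Account(email, email_verified=True)
        store.accounts[email] = acct
    elif idp_subject not in acct.external_logins:
        # A verified local account meeting this IdP identity for the first time:
        # require password re-entry or an emailed confirmation before linking.
        return "step_up_required", None
    acct.external_logins.add(idp_subject)
    return "ok", acct
```

In the insecure path, the attacker's earlier registration with the victim's address still carries the attacker's password after the victim signs in through the IdP, so the attacker can log into the now-shared account. The hardened path never links to an account whose address was not verified, refuses IdP assertions that do not vouch for the email, and demands a step-up before attaching a new external login to an established account.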
Stopping Account Takeover with Trusted Identities
Merchants, banks and any organization targeted by fraudsters can't trust basic identity data to detect and stop account takeovers. Instead, they need to take a trust-based approach to verifying transactions and new account openings. They must be able not only to verify individual identity data points but also to see the deep connections between identity elements presented to them by customers—or fraudsters—before they can confidently make decisions.
- See data that would otherwise be unknown: This includes additional phone numbers, email addresses, social media usernames, connections between associates and data from other countries.
- Confirm with statistical confidence: Confirm that the data points are truly related to each other and to the individual when multiple identity data points are verified from multiple sources.
- Insert trust throughout the customer lifecycle: ATO attempts can occur at many points of the customer lifecycle. Automated trust-based verification can adapt to your specific needs and processes—adapting as the threat landscape changes.
Focusing on Digital Trust
A solution that protects your customers across the customer lifecycle can help you detect abnormal and unexpected activity on an account and prevent account takeover. Comprehensive identity information combined with advanced analytics and machine learning provides a strong defense against identity fraud. Establishing trusted identities helps organizations stop account takeover fraud while ensuring a seamless experience for trusted customers.