Account takeover via hacking bots

Friday 1 March 2019 08:27 CET | Voice of the industry

Neira Jones, Ambassador of EPA, addresses the rise of hacking bots and the way they are used for account takeover fraud

An increasingly mobile & digital landscape

With mobile now accounting for 58% of all transactions, it fuels each stage of the customer journey and has become the preferred method of interaction. Across industries, almost two-thirds of all account creations now come from a mobile device, whilst in financial services, mobile makes up 61% of all account creations and 66% of all account logins.

With the global push for digitisation, online transaction volumes keep rising, mirrored by a corresponding surge in cybercrime and automated attacks. Compounded by the regulatory push for breach disclosure, this has left individuals resigned to a steady stream of dramatic headlines and alarming statistics.

Technology as an enabler: opportunity knocks...

The more consumer behaviours change and adoption of new technologies increases - machine learning (e.g. AI-driven financial apps, chatbots), the IoT (e.g. payment wearables, home assistants) - the more opportunities criminals find to exploit vulnerabilities. Indeed, the 21st century has given fraudsters an ideal playground: digital interactions everywhere; the systemic failure of organisations to keep pace with the security measures that new technologies need; readily available personal data harvested from the many data breaches that have, or have not, made the news; and the willingness of many merchants to relax their risk controls during peak transaction periods (such as world sporting events or holiday seasons) in order to approve more orders. Moreover, as criminals also capitalise on new technologies and automated tools, this melting pot of opportunity has enabled them to find new ways to hide behind large transaction volumes, leading to spikes in bot activity (ThreatMetrix Q2 2018 Cybercrime Report).

A complex regulatory landscape

As payment industry reforms (e.g. 3DS 2.0 and Open Banking worldwide, or PSD2 in Europe) try to promote innovation and reduce friction whilst providing secure payment interactions, data protection regulations (such as the GDPR in Europe or the CCPA in California) apply even more pressure on businesses that handle personal data.

To meet the regulatory challenge and manage risk effectively, organisations must get as close as possible to a single end-to-end view of the customer, regardless of service/product, channel or device. And they must do this as seamlessly as possible. In other words, businesses must be able to distinguish between genuine customers (who turn up on ever more channels and devices) and fraudsters (who are increasingly able to mimic genuine customers).

The automation era

Indeed, stolen data (and identities) are used by criminals for two main purposes: opening new accounts (which may lie dormant for a time and then be used to make payments with stolen card details) and taking over existing accounts (to buy goods and services, or to steal further credentials and payment details). Large ecommerce retailers are a target of choice for automated bot traffic, which makes use of readily available stolen identities and capitalises on the fact that individuals often reuse passwords across many sites (aka "credential stuffing").

Automated bots let criminals replay breached username/password pairs, with very little effort, until one matches an existing account.

Source: ThreatMetrix Q2 2018 Cybercrime Report
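What that replay looks like from the defender's side is worth making concrete. The following is an added example (not code from the article or from ThreatMetrix) that runs two simple credential-stuffing heuristics over a constructed authentication log: one source IP cycling through many usernames with mostly failures (a spray from a single bot), and one username hit from many source IPs (a distributed, proxy-rotating attack). A successful login from a flagged source, or against a targeted account, is then reported as the takeover itself. The log format, the field names and every threshold are assumptions for this toy; a legitimate user who mistypes once (`alice` below) is deliberately included to show she is not flagged.

```python
"""Credential-stuffing detection over a constructed auth log (added example)."""
from collections import defaultdict

# Constructed sample log, not real data: "<unix_ts> <client_ip> <username> <result>"
SAMPLE_LOG = """\
1551427600 198.51.100.2 alice FAIL
1551427605 198.51.100.2 alice OK
1551427610 203.0.113.7 bob FAIL
1551427611 203.0.113.7 carol FAIL
1551427612 203.0.113.7 dave FAIL
1551427613 203.0.113.7 erin FAIL
1551427614 203.0.113.7 frank OK
1551427615 203.0.113.7 grace FAIL
1551427700 192.0.2.10 heidi FAIL
1551427702 192.0.2.11 heidi FAIL
1551427704 192.0.2.12 heidi FAIL
1551427706 192.0.2.13 heidi OK
"""

# Thresholds are assumptions for this example; tune them against real traffic.
WINDOW_SECONDS = 300       # events are grouped into fixed buckets of this width
MIN_USERS_PER_IP = 5       # one source trying many different accounts
MIN_IPS_PER_USER = 3       # one account tried from many sources (proxy rotation)
MIN_FAIL_RATIO = 0.6       # stuffing mostly fails, because most pairs don't match


def parse_log(text):
    """Turn the raw log into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "OK"))
    return events


def _fail_ratio(attempts):
    fails = sum(1 for _, ok in attempts if not ok)
    return fails / len(attempts)


def detect_stuffing(events, window=WINDOW_SECONDS):
    """Return (suspect_ips, targeted_users, takeovers) for the given events.

    takeovers is a set of (ip, username) pairs: successful logins that came
    from a flagged source or landed on a targeted account.
    """
    by_ip = defaultdict(list)     # (bucket, ip)   -> [(user, ok), ...]
    by_user = defaultdict(list)   # (bucket, user) -> [(ip, ok), ...]
    for ts, ip, user, ok in events:
        bucket = ts // window
        by_ip[(bucket, ip)].append((user, ok))
        by_user[(bucket, user)].append((ip, ok))

    # Heuristic 1: one IP, many usernames, mostly failures.
    suspect_ips = set()
    for (_, ip), attempts in by_ip.items():
        users = {u for u, _ in attempts}
        if len(users) >= MIN_USERS_PER_IP and _fail_ratio(attempts) >= MIN_FAIL_RATIO:
            suspect_ips.add(ip)

    # Heuristic 2: one username, many IPs, mostly failures.
    targeted_users = set()
    for (_, user), attempts in by_user.items():
        ips = {ip for ip, _ in attempts}
        if len(ips) >= MIN_IPS_PER_USER and _fail_ratio(attempts) >= MIN_FAIL_RATIO:
            targeted_users.add(user)

    # A single legitimate typo (one IP, one user) never trips either heuristic.
    takeovers = {
        (ip, user)
        for _, ip, user, ok in events
        if ok and (ip in suspect_ips or user in targeted_users)
    }
    return suspect_ips, targeted_users, takeovers


if __name__ == "__main__":
    ips, users, taken = detect_stuffing(parse_log(SAMPLE_LOG))
    print("suspect source IPs:", sorted(ips))
    print("targeted accounts:", sorted(users))
    print("successful logins to treat as takeovers:", sorted(taken))
```

The successful logins are the important output: a stuffing run that is only blocked after the fact has already handed the attacker `frank` and `heidi`, so the practical response is to force a step-up or password reset on those accounts, not just to rate-limit the IP. Fixed time buckets keep the code short; a production detector would use a sliding window and add the device and behavioural signals discussed later in the article.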

By contrast, the financial services industry has always been heavily regulated, and its security and fraud prevention mechanisms are generally stronger than those of other industries. It is no surprise, therefore, that the preferred attack method there is social engineering (e.g. tricking customers into transferring funds to a mule account, or into giving away credentials). The notable exception is fintech: fraudsters see fintech providers as easier targets than traditional financial services companies, because new and emerging platforms still have gaps in process and infrastructure to exploit, and so they target account logins and payment transactions directly. One example is "loan stacking", where new loans are applied for from an infiltrated account, each loan being used to pay off the previous one until the borrowed amount is inflated to the maximum available, at which point the criminal defaults.

Challenges and opportunities

As consumers continue to adopt new and emerging technologies, the challenge is to balance customer experience with security. Businesses will have to deploy dynamic approaches to counter the proliferation of stolen identity credentials and the advanced device and identity spoofing techniques that allow fraudsters to bypass even the most complex online application procedures. Recognising legitimate customers across industries and channels will, in turn, fuel growth and opportunity.

This means that businesses must use a variety of fraud detection and prevention methods, stop relying on passwords as their primary form of authentication, and look beyond retrospective transaction analysis towards real-time and predictive analysis of consumer behaviour, moving from static rules to context and attributes. Moreover, failing to integrate digital identity with wider customer engagement strategies will lead to fragmented customer experiences and customer attrition, to an inability to capitalise on customer data to inform decision-making and enhance the overall customer experience, and to data privacy challenges.

Real-time solutions combining multiple data points (e.g. device information, biometrics, and contextual, predictive and behavioural signals) will help businesses recognise their customers rather than challenge them, and will also help identify anomalies such as account takeover and automated bot traffic.

About Neira Jones

Neira advises organisations on payments, fintech, regtech, information security, regulations and digital innovation. She holds a number of Non-Executive Directorships and Advisory Board positions and is on the Thomson Reuters UK’s top 30 social influencers in risk, compliance and regtech 2017 and the Planet Compliance Top 50 RegTech Influencers 2017.


About Emerging Payments Association

The Emerging Payments Association (EPA) has over 130 members from across the payments value chain. We connect the payments ecosystem, encourage innovation and drive business growth, strengthening the payments industry to benefit all stakeholders. Get in touch at info@emergingpayments.org or +44 20 7378 9890.

Keywords: account takeover, Neira Jones, Emerging Payments Association, automation, risk, security
Countries: World