Bad guys want your data – a short introduction to Account Takeover fraud

But, equally important for users is the security these app provide; any app that handles sensitive financial data of customers must provide greater security assurances. This not only helps businesses to fight bad actors, but also enables them to draw a more loyal and trusting user base.

No matter whether you are a bank or an ecommerce website, a possible flaw in your app, such as insecure random-number generation, client-side injection of malicious code, private key exposure, or readable and writable permissions, leaves the door open to account takeovers, synthetic identity fraud, credit application fraud or identity theft, among other risks. Similarly, when a business experiences a data leak or a data breach, personal and financial data is exposed inviting criminals to use it for two main purposes: opening new accounts (which can lay dormant for periods of time and then used to make payments using stolen card details) and taking over existing accounts (to purchase goods and services, steal credentials and payment details).

These problems are real, costing businesses their reputation and money. For instance, in 2018, account takeover stood at USD 4 billion in losses, with overall fraud incidents and fraud losses hitting USD 14.7 billion. In addition, according to Aite, almost three quarters of financial institutions (74% of FIs) that took part in an internal survey said that digital channel fraud losses have increased over the past two years. Among the top two leading causes of these fraud losses, the research group found account takeover fraud and application fraud.

Account takeover is a form of identity theft. This type of fraud doesn’t necessarily have to start with what is traditionally considered highly sensitive information, such as a social security number or PIN. Account takeover can potentially be started from nearly any piece of personal data: an email address, a full name, a date of birth – any identifier entered during the validation process can work.

DataVisor has analysed over 50K compromised accounts and approximately 100 detected fraud campaigns across multiple global online services aiming to portray the anatomy of account takeover attacks, to discover how accounts are compromised, the financial motivation behind these, and to share some account takeover prevention and remediation strategies.

The findings and stats have been compiled in DataVisor Fraud Index Report: Q2 2019 to help DataVisor’s business partners prevent this type of fraud. They found out two general types of ATOs: one that is fully automated and the other one only partially automated. The first type of attack is based on scripts or tools that enable the fraudster to launch a massive number of login attempts to access victim accounts, at any time of the day (with approximately 80%-90% of the fraudulent ATO logins falling into this category). For the other type of ATO attack, the fraudulent accesses are concentrated around specific periods of the day (e.g., from 10am until 3pm) and attack activities (e.g., fraudulent transactions or spam), taking place sporadically (e.g., mostly at 5pm, then 9pm).

Yet, most account takeover attacks go unnoticed, with 65% of dormant accounts belonging to users that have not logged in for more than 90 days. Another important finding of the report was the fact that criminals that compromise financial accounts take additional steps to stay under the radar. As such, 20% of compromised accounts were accessed within 300 miles of the account owner’s location.

Overall, ATO attacks are conducted at scale, with the majority of successful ATOs coming from credential stuffing attacks where hundreds of thousands of unique IP addresses are used for logging into user accounts via bots and automated scripts.

One of the best way to prevent account takeover is to follow best practices for account security like enabling multi-factor authentication whenever possible and leveraging password managers to avoid password reuse. Also, as consumers shift to a mobile-first mentality, many fraud executives believe fraud prevention technology investments should focus mostly on the mobile channel. This strategy could pay off very well for businesses acknowledging this shift in consumer behaviour.

Nevertheless, the ultimate goal of any fraud management strategy is, besides detection, prevention. Achieving this goal requires action from all stakeholders—businesses, individuals, and fraud management solution providers. Companies need to work with fraud management solution providers to adopt future-facing solutions powered by AI and machine learning, which can proactively detect brewing attacks before they launch and can cause damage.

I hope that DataVisor’s Fraud Index Report: Q2 2019 has not only raised awareness of the fact that account takeover is a big threat for your business and brad reputation, but also some ideas and strategies for you to apply within your own fraud management strategy.

Enjoy your reading and don’t forget to share your feedback with us at info@datavisor.com .

About DataVisor

DataVisor is the leading fraud detection company powered by transformational AI technology. Using proprietary unsupervised machine learning algorithms, DataVisor restores trust in digital commerce by enabling organizations to proactively detect and act on fast-evolving fraud patterns, and prevent future attacks before they happen. Combining advanced analytics and an intelligence network of more than 4B global user accounts, DataVisor protects against financial and reputational damage across a variety of industries, including financial services, marketplaces, ecommerce, and social platforms.

About Mirela Ciobanu

Mirela Ciobanu is a Senior Editor at The Paypers and has been actively involved in covering digital payments and related topics, especially in the cryptocurrency, online security and fraud prevention space. She is passionate about finding the latest news on data breaches, machine learning, digital identity, blockchain, and she is an active advocate of the need to keep our online data/presence protected. Mirela has a bachelor degree in English language and holds a Master’s degree in Marketing.