Fighting the rising threat of payments fraud and ATO in fintech

Monday 8 November 2021 07:35 CET | Editor: Anda Kania | Interview

Jane Lee, Trust and Safety Architect at Sift: We’re seeing a lot more credential stuffing attacks impacting platforms. In this situation, bad actors deploy scripted attacks to test batches of credentials against a platform. This, of course, makes the scale of ATO so much greater.

What are the major fraud risks that fintech companies face today? 

Account Takeovers (ATO) pose a major risk for fintech, especially in the current fast-growing environment. Besides the tech-forward financial services that seem to be springing up everywhere, there's also the digitalization of legacy financial institutions. 

Considering the incredibly high potential for financial gain, user accounts on fintech platforms are heavily targeted. Users expect the platform they are engaging on to protect them against ATO attacks. And in a highly saturated market, platforms that are unable to fulfil this requirement risk losing customers to competitors. 

Identity fraud is also becoming a greater issue, as bad actors have access to a plethora of stolen PII that they then use to create accounts to facilitate illegal activity. 

According to Sift data, most fraud attacks target cryptocurrencies and digital wallets. What could account for this? Are these two payment methods particularly vulnerable?

Cryptocurrencies have exploded recently and are now widely considered mainstream. Similarly, digital wallets have naturally become increasingly popular in the digital era we live in. Payment methods like Apple/Google Pay, Venmo, Cash App are used regularly to facilitate financial transactions, whether it be making a purchase in-store or online, sending money to a friend, or making investment purchases. 

Bad actors are known to take advantage of trends, so it is no surprise that they are fully taking advantage of this opportunity. 

According to the same research, consumers feel most at risk of ATO when using financial services websites. In most cases, ATO is discussed in the ecommerce context, but what can you tell us about this type of fraud in fintech? Are there any new techniques to consider in terms of the way ATO works and its consequences?

Users probably feel most at risk when using financial services, because there is a lot more to lose. Again, due to the fact that accounts are incredibly lucrative. This is not limited to fintech, but ATOs are becoming increasingly complex. Compromises are happening at the email level, making traditional remediation methods – like sending password reset instructions – less effective. Moreover, we’re seeing a lot more credential stuffing attacks impacting platforms. In this situation, bad actors deploy scripted attacks to test batches of credentials against a platform. This, of course, makes the scale of ATO so much greater.

Why do hacked accounts sometimes go unflagged?

Compromised accounts often go unflagged because there is not an immediate downstream event (password update, transaction, transfer, purchase). This is especially the case in credential stuffing attacks. In these cases, bad actors only test the validity of a set of credentials they’ve obtained, so that they can either sell this information on the dark web, or hoard accounts to launch a greater attack in the future.

Account information is one of the most popular ‘items’ on the dark web, but when you consider that this is an underground market void of morals, how do you know the information sold by fraudsters is genuine?

We talk a lot about how the Fraud Economy is an interconnected network of cybercriminals. They rely on each other to survive. What’s surprising to many people is that they also have a ‘code of conduct’ amongst themselves that also includes things like purchase guarantees. We’ve seen this on dark web marketplaces and forums like Telegram. Individuals who don’t follow these ethics codes are often ostracized from the community. 

How can fintech trust and safety teams outsmart fraudsters and become more proactive to protect consumers’ data?

Leveraging the right technology is key. As mentioned, attacks are becoming more sophisticated as bad actors leverage technology, so it only makes sense that teams match this as well. Additionally, I would encourage teams to participate in trust and safety forums where you can connect with others in the industry to discuss what you’re seeing and effective ways of dealing with specific challenges and issues.

For identity fraud, Sift customers utilizing Jumio and Onfido for KYC and ID verification can benefit from a much simpler and more powerful tool. New connectors will allow joint customers to trigger validation experiences directly from Sift with a simple Connector, and send data back to Sift automatically to continue training the model and ensure optimal performance.

About Jane Lee

Jane Lee is a Trust & Safety Architect at Sift, who specializes in spam, account/content abuse, and payments risk. Prior to joining Sift, she was on fraud teams at Facebook and Square, and also spent some time as a Private Investigator. She is passionate about designing and operationalising systems for detection and enforcement of fraud at scale.


About Sift

Sift is the leader in Digital Trust & Safety, empowering companies of every size to unlock new revenue without risk. Our cutting-edge platform dynamically prevents fraud and abuse with real-time machine learning that adapts based on Sift’s unrivaled global data network of 70 billion events per month.

Keywords: fintech, cryptocurrency, financial services, fraud prevention, account takeover
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World