Why are we still talking about Account Takeover fraud?

Wednesday 13 October 2021 09:08 CET | Editor: Mirela Ciobanu | Voice of the industry

As the year’s busiest sales period approaches, Account Takeover fraud is again making the headlines. Callsign’s Ryan Gosling asks why the oldest trick in the book is still a major problem today.

The battle against fraud is something of an arms race – one that’s recently been escalated by the pandemic, driving massive online adoption by businesses and their customers alike in every sector.

That’s hardly news – criminals have always been quick to respond to anti-fraud countermeasures. But recently I’ve noticed that one type of fraud is consistently making headlines, and it’s far from sophisticated.

The fraudsters and scammers are still relying on the tried-and-tested approach of Account Takeover (ATO) fraud – and as it stands, they’re winning.

An unchecked problem

As we all know, cyber criminals use many different approaches to compromise accounts. Bots, scripted attacks, Remote Access Trojans (RATs) and malware are just a few of the tools that they have at their disposal.

Often, they’ll just resort to using credentials exposed in data breaches to try and gain access – and there’s no shortage of those. And with so many accounts relying on nothing more than a username and password for security, all too often they’ll succeed.

With that in mind, it’s perhaps not surprising that I’m seeing a lot of traffic in my news feed regarding ATO. But, given that this is a problem that’s existed for a long time, it got me wondering why it still remains a serious issue at the end of 2021.

Old tricks, new clicks

From the viewpoint of the fraudsters, ATO is a gift that keeps giving. Banks, financial institutions, and the larger retailers have taken steps to prevent ATO; but in many cases, those steps don’t really present much in the way of a challenge to dedicated fraudsters.

I’ve noticed that many businesses rely on second-factor authentication methods such as SMS OTPs – but as well as adding friction to customer journeys, these are actually very easy to circumvent via methods such as SS7 attacks or even just a simple SIM swap.

But there are other targets that potentially require less effort – such as loyalty programmes. These are generally perceived to be of low value, and consequently often have correspondingly low levels of security.

The reality is very different, though. The cash value of unspent loyalty points is in the hundreds of billions of dollars, representing everything from airline tickets to generous discounts at checkout. And as we move into the period of elevated sales that stretches from Black Friday through the festive season to the new year, you can see why fraudsters see those accumulated points as low-hanging fruit.

Reputations and regulations

Of course, money is only one side of the coin. Customers who have been defrauded are far from voiceless, and will be quick to take to social media channels to express their dissatisfaction. The reputational damage that can result from even a single instance of fraud can easily eclipse any immediate financial loss.

And make no mistake, regulators are getting tough on businesses that aren’t doing enough to prevent ATO. In the US, the Securities and Exchange Commission (SEC) is taking a very hard line with businesses that allow cyber security breaches, and it’s a certainty that the likes of the UK’s Financial Conduct Authority (FCA) will follow suit.

The USD 26 billion question

The cost of ATO in 2020 alone was estimated to be in the region of USD 26 billion; a significant amount by anyone’s standards. And that brings me back to my original question: why are we still dealing with ATO fraud and most importantly, what do we need to do about it?

Some of the reasons are immediately obvious. An over-reliance on outdated authentication technologies is a big part of the problem. Protecting valuable assets such as customer accounts with little more than a password – a technology that originated in the 1960s – is unbelievably risky in an era when the password reset has become the new login.

Using SMS OTPs for second-factor authentication doesn’t provide the security that we need. Aside from increasing customer friction and the risk of compromise from SIM swaps, they also increase the likelihood of being scammed, by authenticating in the same channel that fraudsters use – just think about the number of scam messages that you receive every week. It’s not the answer.

The solution is to employ seriously secure authentication technologies, such as a layered intelligence approach to detect genuine users. Combining Callsign’s behavioural biometrics with device and threat information, for example, not only improves security – it reduces the costs associated with step-ups, which in turn improves UX by reducing friction in the customer journey.
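To make the layered idea concrete, here is an added example written for this page; it is not Callsign’s code, product logic or API. It takes a handful of constructed login events, first spots the scripted credential-stuffing pattern the article describes (one source trying many usernames with a high failure rate, which per-account failure counters miss because each account sees only one attempt), then combines that signal with device familiarity, a breached-credential flag and a behavioural mismatch score into a single risk score that only steps up or blocks risky logins. The signal names, weights and thresholds are assumptions chosen for illustration.

```python
"""Layered login risk scoring (added example; not Callsign's code).

Signals, weights and thresholds below are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    user: str
    source_ip: str
    device_id: str
    success: bool
    # Constructed behavioural signal: 0.0 = matches the account's usual
    # keystroke rhythm, 1.0 = nothing like it.
    typing_deviation: float


# Constructed sample events: one source hammers many accounts with a
# breached password list (credential stuffing) alongside ordinary logins.
EVENTS = [
    LoginEvent("alice", "203.0.113.7", "dev-alice-phone", True, 0.05),
    LoginEvent("bob", "198.51.100.4", "dev-bob-laptop", True, 0.10),
    LoginEvent("alice", "192.0.2.50", "dev-unknown-1", False, 0.90),
    LoginEvent("bob", "192.0.2.50", "dev-unknown-1", False, 0.90),
    LoginEvent("carol", "192.0.2.50", "dev-unknown-1", False, 0.90),
    LoginEvent("dave", "192.0.2.50", "dev-unknown-1", False, 0.90),
    LoginEvent("erin", "192.0.2.50", "dev-unknown-1", False, 0.90),
    # A reused password happened to be correct: password alone lets it in.
    LoginEvent("frank", "192.0.2.50", "dev-unknown-1", True, 0.90),
    # Known device, right password, but the typing rhythm is wrong.
    LoginEvent("carol", "203.0.113.9", "dev-carol-tablet", True, 0.80),
]

# Constructed reference data: devices each user has enrolled, and users whose
# password is known to appear in a public breach dump.
KNOWN_DEVICES = {
    "alice": {"dev-alice-phone"},
    "bob": {"dev-bob-laptop"},
    "carol": {"dev-carol-tablet"},
}
BREACHED_USERS = {"frank"}


def stuffing_sources(events, min_users=5, min_fail_rate=0.7):
    """Return source IPs whose attempts span many usernames and mostly fail.

    Aggregating per source rather than per account is what exposes a
    scripted attack: each victim account sees only a single failure.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for e in events:
        users[e.source_ip].add(e.user)
        attempts[e.source_ip] += 1
        if not e.success:
            failures[e.source_ip] += 1
    return {
        ip
        for ip in attempts
        if len(users[ip]) >= min_users
        and failures[ip] / attempts[ip] >= min_fail_rate
    }


def risk_score(e, known_devices, stuffing_ips, breached_users):
    """Sum independent signals; weights are illustrative assumptions."""
    score = 0
    if e.device_id not in known_devices.get(e.user, set()):
        score += 40  # unfamiliar device
    if e.source_ip in stuffing_ips:
        score += 40  # source already behaving like a credential-stuffing bot
    if e.user in breached_users:
        score += 20  # password known to be exposed in a breach
    if e.typing_deviation > 0.5:
        score += 30  # behaviour does not match the account owner
    return score


def decide(score):
    """Step up only when the combined evidence warrants it; block when clear."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up"
    return "allow"


def triage(events, known_devices, breached_users):
    stuffing_ips = stuffing_sources(events)
    return [
        {"user": e.user, "source_ip": e.source_ip,
         "score": (s := risk_score(e, known_devices, stuffing_ips, breached_users)),
         "decision": decide(s)}
        for e in events
    ]


if __name__ == "__main__":
    for row in triage(EVENTS, KNOWN_DEVICES, BREACHED_USERS):
        print(row)
```

Note that frank's attempt is blocked even though the password was correct: the device, source and behavioural signals override a credential that would have passed a password-only check, while alice and bob on their usual devices are allowed through with no step-up at all.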

And of course, it’s of paramount importance that businesses understand the value – to their finances, their customers, and their reputations – of plugging each and every security hole and making all of their accounts completely secure.

It’s achievable; the technology is out there. I really hope that ATO isn’t front page news this time next year.

About Ryan Gosling

Ryan Gosling is the Commercial Director at Callsign, covering the UK market with a particular focus on providing SCA solutions, and helping customers prevent fraud.

Prior to Callsign, Ryan spent 10 years in Banking, including digital fraud & security at Lloyds Bank – delivering initiatives to improve the bank’s authentication strategy for 15 million customers, and reducing fraud losses.

He also spent a number of years in fraud operations, where direct involvement with customers reporting fraud gave him valuable insights into the techniques that fraudsters were using; a very grounding experience that created the career motivation to protect customers from fraud.

About Callsign

Callsign has a simple vision: we want to make digital identification seamless and secure. Our unique positive identification approach balances high security and user experience, allowing customers to interact online safely, with minimal friction, while ensuring that bad actors are blocked to protect customers’ identities and business interests.

Keywords: online authentication, identity verification, account takeover, Callsign, behavioural biometrics
Categories: Fraud & Financial Crime
Countries: World