Account takeover fraud continues to be a risk for individuals and businesses, and banks remain a key target. Given how heavily regulated the financial sector is, a full understanding of account takeover fraud, and of how to prevent it, is essential.
In this article, we will explore the impact of ATO fraud on financial accounts, the methods that cybercriminals use to gain unauthorized access, and how banks can prevent account takeover attacks in the first place.
A form of account takeover fraud, a bank account takeover occurs when fraudsters gain access to a user's bank account. A natural target for cybercriminals, bank accounts include enough personal information to cause considerable damage, as well as access to an individual's financial resources.
Once a fraudster gains access to user accounts, they have the power to carry out various malicious activities. These actions can lead to significant damages not only for the genuine account holder but also for others who may unwittingly become entangled in the scam.
Fraudsters can steal funds from compromised accounts for their own profit. This can be achieved through multiple methods, such as making hard-to-trace purchases or transferring the money to other shady accounts.
Account takeover can also become a form of identity theft. Cybercriminals can use the details gathered to act under the assumed identity of the victim. If they obtain the details of a user's credit card accounts, for example, they can make payments in the victim's name. The result is unauthorized transactions attributed to the victim, while the fraudster remains hard to trace.
Aside from the customer, account takeover attacks represent a big risk for financial institutions. The sector had stringent privacy requirements even before GDPR and similar data protection regimes, so data breaches of any kind can result in fines, penalties, and related financial repercussions.
Additionally, compromised bank accounts can lead to a great loss of public trust and a potential drop in new business due to a damaged reputation. Merely having to announce a data breach signals to customers that their accounts may be taken over, which is a serious concern for them.
These two factors combined can greatly impact a bank's operational status, thus heightening the need for account takeover fraud protection. Consequently, it's in the bank's best interests to invest in account takeover prevention rather than adopting reactive measures.
One critical step in preventing account takeover fraud is understanding how access is gained in the first place. There are many ways in which bank account takeover fraud occurs, from singular targeted attacks to large scale operations.
A data breach at the bank, or at any other company that holds its customers' data, opens up a treasure trove of information about those customers. Sometimes this includes all the credentials needed to log in; in other cases it includes key pieces of information, such as email addresses, that can then be combined with the other methods on this list.
Such a data breach doesn't need to be committed by the fraudster directly, either. Data breaches are often orchestrated by individuals who then peddle the compromised information online – often in the seedy corners of the dark web – giving the opportunity for further exploitation by other fraudsters.
In a brute force attack, cybercriminals try many candidate passwords against known email addresses until one works. When the candidates come from lists of common or previously leaked passwords rather than every possible combination, this is called a dictionary attack. Either way, the attempts are usually spread across a large number of bots so that the attack scales and individual IP addresses are not blocked for too many failures.
Social engineering is a major source of banking fraud. When it comes to individual bank accounts, fraudsters can deploy a number of scams to collect passwords and account details from users. Common methods include:
These scams are often combined with "man in the middle" attacks. Here, the fraudster relays communication between the user and the bank, for example through a fake login page that forwards whatever the user enters, including one-time codes, to the real site. Because the user's requests still reach the bank and the expected result comes back, neither the user nor the bank notices the fraud at the time.
As mentioned before, if a customer reuses the same login credentials across services, credentials stolen from one of them can be used to access online banking as well. This is known as credential stuffing: dedicated cybercriminals take stolen credentials that they know work on one platform and try them on as many other platforms as possible to find further vulnerable accounts.
Fraudsters can also gather sensitive information through keylogging malware. One popular method involves mobile banking trojans: apps designed to impersonate a legitimate bank's application. Malware can also be delivered as email attachments or downloads from malicious websites, often in combination with phishing.
Banks can implement measures such as multi-factor authentication (MFA). This blunts some of the more primitive methods, such as brute force attacks and credential stuffing, because a correct password alone is no longer enough: the customer must also provide something else, such as a one-time PIN code or a confirmation in the mobile banking app. Note that a one-time code sent by SMS or generated in an app can still be relayed by a man-in-the-middle phishing page, so MFA reduces the risk rather than removing it.
However, MFA alone is not enough, and banks also have to balance the strength of their MFA against the user experience. It's better for banks to combine MFA with more advanced solutions that detect potential account takeover incidents in real time. After all, with the right data properly assessed and the correct account takeover alerts in place, such measures are truly effective.
Banks can implement continuous monitoring to flag suspicious behavior, assigning it a risk level and acting accordingly. For example, if the risk is high enough, the bank can automatically ask for additional authentication steps, suspend certain services, or otherwise take action as needed.
Such an approach is important for banks, because a check that happens only at login needs to be bypassed only once. With a stolen password, the login itself looks legitimate and raises no alarm on the bank's side. Continuous monitoring makes it much harder for an account takeover attack to succeed, since the bank has many more opportunities to detect ATO fraud during the session.
By fingerprinting the device used to access an account (its hardware, operating system, browser and network characteristics) and logging that fingerprint against the account, banks can detect when a login comes from a device the customer has never used before. This works because the combination of these attributes is much harder for a fraudster to spoof consistently than a password.
Since users need to log in to their online accounts to use banking services, this serves as a viable option for financial institutions to protect against account takeover attempts at the earliest stages.
Similar to device fingerprinting, banks can also implement software that compares the user's real-time behavior with their historical data. This can range from the actions taken in the app to the time between clicks or even the rhythm of their keystrokes.
Banks can likewise set up automated systems that look for signs of suspicious activity. This can include bursts of failed login attempts, logins from IP addresses too far apart geographically for the time elapsed between them (so-called impossible travel), or unusually long sessions. There are countless such alerts that can be considered.
Combined, all of this creates a clear digital image of a user and their expected activity. Since a fraudster cannot see or easily reproduce these signals during an account takeover attempt, they give the bank a significant advantage.
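To make the monitoring signals above concrete, here is an added example (not Mangopay's product code, and not part of the original article) that scores a login attempt against an account's earlier events. It combines three of the signals just described: a device fingerprint never seen on a successful login, impossible travel since the last successful login, and a burst of failed attempts just before this one. The risk weights, thresholds, the `LoginEvent`/`assess_login` names and the sample events are all assumptions constructed for illustration; a real system would read events from its authentication log and resolve coordinates through a GeoIP service.

```python
"""Risk-based login assessment over constructed login events.

Added example for this article; it is not Mangopay's product code. The
signals are the ones the text lists: an unfamiliar device fingerprint,
impossible travel between two logins, and a burst of failed attempts.
Weights and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    at: datetime      # time of the attempt (UTC)
    success: bool     # whether the password was accepted
    device: str       # device fingerprint hash, assumed computed by the login page
    lat: float        # GeoIP latitude of the source address, assumed already resolved
    lon: float        # GeoIP longitude of the source address


@dataclass
class RiskDecision:
    score: int
    reasons: list
    action: str       # "allow", "step_up" (ask for MFA) or "block"


# Assumed policy knobs, not production recommendations.
MAX_PLAUSIBLE_SPEED_KMH = 900   # faster than this between logins counts as impossible travel
MIN_TRAVEL_KM = 50              # ignore GeoIP jitter within a city
FAILED_WINDOW = timedelta(minutes=10)
FAILED_BURST = 5                # failures inside FAILED_WINDOW that count as a guessing burst
STEP_UP_AT, BLOCK_AT = 40, 80


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess_login(history, event):
    """Score one login attempt against the account's earlier events and decide an action."""
    prior = [e for e in history if e.at < event.at]
    successes = [e for e in prior if e.success]
    score, reasons = 0, []

    # 1. Device fingerprint never seen on a successful login for this account.
    known_devices = {e.device for e in successes}
    if known_devices and event.device not in known_devices:
        score += 40
        reasons.append("unknown device fingerprint")

    # 2. Impossible travel relative to the most recent successful login.
    if successes:
        last = max(successes, key=lambda e: e.at)
        km = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = (event.at - last.at).total_seconds() / 3600  # > 0, prior events are strictly earlier
        if km > MIN_TRAVEL_KM and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")

    # 3. Burst of failed attempts just before this one (password guessing / stuffing).
    failures = [e for e in prior if not e.success and event.at - e.at <= FAILED_WINDOW]
    if len(failures) >= FAILED_BURST:
        score += 30
        reasons.append(f"{len(failures)} failed attempts in the last {FAILED_WINDOW}")

    action = "block" if score >= BLOCK_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return RiskDecision(score, reasons, action)


# Constructed sample data: one customer who normally logs in from London.
T = datetime.fromisoformat
LONDON = (51.5074, -0.1278)
LAGOS = (6.5244, 3.3792)

HISTORY = [
    LoginEvent(T("2024-03-01T09:00:00"), True, "fp-laptop-a1", *LONDON),
    LoginEvent(T("2024-03-01T18:10:00"), True, "fp-laptop-a1", *LONDON),
    # five wrong passwords in five minutes from an unfamiliar device abroad
    *[LoginEvent(T("2024-03-01T18:30:00") + timedelta(minutes=i), False, "fp-unknown-z9", *LAGOS)
      for i in range(5)],
]

USUAL = LoginEvent(T("2024-03-02T08:55:00"), True, "fp-laptop-a1", *LONDON)    # expected: allow
NEW_PHONE = LoginEvent(T("2024-03-02T12:00:00"), True, "fp-phone-b2", *LONDON)  # expected: step_up
ATTACKER = LoginEvent(T("2024-03-01T18:36:00"), True, "fp-unknown-z9", *LAGOS)  # expected: block

if __name__ == "__main__":
    for name, ev in [("usual device", USUAL), ("new phone", NEW_PHONE), ("attacker", ATTACKER)]:
        d = assess_login(HISTORY, ev)
        print(f"{name:12} score={d.score:3} action={d.action:8} {d.reasons}")
```

The three sample attempts illustrate the graded response the article describes: the customer's usual laptop from London scores zero and is allowed, a new phone from the same city triggers only the unknown-device signal and is sent to step-up authentication, while the attacker's correct password from an unfamiliar device in Lagos, 26 minutes after a London login and right after five failures, accumulates all three signals and is blocked. In practice the weights would be tuned on the bank's own fraud data and the known-device set would age out old fingerprints.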
When it comes to preventing bank account takeover fraud, it's critical to stay up to date and respond in real time. This includes not only setting up alerts for suspicious behavior, but also keeping up with the techniques and methods used by fraudsters.
For the former, Mangopay provides advanced digital fingerprinting, behavioral analytics, and pattern anomaly detection. This system monitors user activity in real time, flagging suspicious behavior, assigning it a risk level, and responding appropriately. Because it's automated, your bank can respond immediately and resolve the situation before financial losses mount.
Every user shows a unique behavioral pattern. The script embedded on the website extracts information on how clients behave, including how they type, focusing on specifics such as the time between pressing particular keys and the duration of each key press. Each user session is compared with the previous ones to check whether the person at the keyboard is a legitimate, recurring user or a fraudster. Our machine learning models adapt to gradual changes in user behavior to avoid rejecting a legitimate user.
During every session, we create multiple digital fingerprints connected with the user's browser. Each time the user tries to log in, Mangopay uses machine learning and rules models to assess whether the device and its setup have changed. The analysis is based on hardware, software, and browser characteristics, as well as network intelligence. The solution checks, for example, whether the user is trying to anonymize the session or is using a virtual machine or the Tor network.
Beyond detection, we also provide up-to-date information on fraudster tactics and strategies. As defenses become more advanced, cybercriminals look for new ways to acquire sensitive information and gain access. Our experts monitor this activity and respond to new approaches as they develop.
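The keystroke comparison described above (and in the earlier paragraph on behavioral analytics) can be illustrated with a small added example. This is not Mangopay's product code and uses none of its models; it shows the underlying idea only: turn each session's key-down and key-up timestamps into dwell times (how long each key is held) and flight times (the gap between releasing one key and pressing the next), build a per-feature mean and spread from the account's earlier sessions, and measure how far a new session lies from that baseline. The timings, the `MIN_SPREAD_MS` floor, the `REJECT_ABOVE` threshold and all function names are assumptions constructed for illustration.

```python
"""Keystroke-dynamics check: does this session's typing rhythm match the account's baseline?

Added example for this article; it is not Mangopay's product code. A session
is the list of (key, keydown_ms, keyup_ms) tuples a page script would capture
from the login form. All timings below are constructed; the spread floor and
the decision threshold are assumptions chosen for illustration.
"""
from statistics import mean, pstdev

MIN_SPREAD_MS = 5.0    # floor on per-feature spread so a very steady feature is not hypersensitive
REJECT_ABOVE = 2.0     # mean |z| above this means "does not type like the account holder"


def make_session(keys, dwells, flights):
    """Build a keystroke trace from per-key dwell times and inter-key flight times (ms)."""
    t, trace = 0, []
    for i, key in enumerate(keys):
        trace.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return trace


def features(session):
    """Per-key dwell time (press to release) and per-pair flight time (release to next press)."""
    samples = {}
    for i, (key, down, up) in enumerate(session):
        samples.setdefault(f"dwell:{key}", []).append(up - down)
        if i + 1 < len(session):
            next_key, next_down, _ = session[i + 1]
            samples.setdefault(f"flight:{key}>{next_key}", []).append(next_down - up)
    return {name: mean(v) for name, v in samples.items()}


def build_profile(sessions):
    """Mean and spread of each feature over the account's accepted earlier sessions."""
    per_feature = {}
    for s in sessions:
        for name, value in features(s).items():
            per_feature.setdefault(name, []).append(value)
    return {name: (mean(v), max(pstdev(v), MIN_SPREAD_MS))
            for name, v in per_feature.items() if len(v) >= 2}


def anomaly_score(profile, session):
    """Mean absolute z-score over the features the session shares with the profile; None if none."""
    observed = features(session)
    zs = [abs(observed[n] - mu) / sd for n, (mu, sd) in profile.items() if n in observed]
    return mean(zs) if zs else None


def is_legitimate(profile, session):
    """Accept the session only if it is comparable to the profile and close to it."""
    score = anomaly_score(profile, session)
    return score is not None and score <= REJECT_ABOVE


# Constructed data: the account holder typing "bank" in four earlier sessions.
KEYS = list("bank")
BASELINE = [
    make_session(KEYS, [95, 80, 110, 90], [120, 140, 100]),
    make_session(KEYS, [100, 84, 104, 94], [126, 134, 106]),
    make_session(KEYS, [92, 78, 114, 88], [116, 146, 96]),
    make_session(KEYS, [97, 82, 108, 91], [122, 138, 102]),
]
GENUINE = make_session(KEYS, [96, 81, 109, 92], [121, 139, 101])      # same rhythm as before
IMPOSTOR = make_session(KEYS, [140, 150, 130, 160], [300, 280, 350])  # slower, different rhythm
PROFILE = build_profile(BASELINE)

if __name__ == "__main__":
    for label, s in [("genuine", GENUINE), ("impostor", IMPOSTOR)]:
        print(f"{label}: score={anomaly_score(PROFILE, s):.2f} legitimate={is_legitimate(PROFILE, s)}")
```

The genuine session scores close to zero and is accepted, while the impostor, who types the same four characters slowly and with long pauses, lands tens of standard deviations away and is rejected. Two points matter in practice: a session with no feature in common with the profile (an empty or wholly different input) yields `None` rather than a confident verdict, so it should fall back to other signals instead of being accepted; and to tolerate the gradual drift the article mentions, the baseline should be rebuilt from a rolling window that includes each newly accepted session rather than frozen after enrolment.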
Keep up with fraudsters’ tactics while protecting your good users! Get in touch with us to learn how.