Decoded: Account takeover fraud

Customer accounts are being increasingly targeted thanks to the greater availability of personal data combined with lucrative paydays for cybercriminals

By Tim Ferguson

Wed 31 Oct 2018 @ 14:58

Account takeover fraud sounds a bit ominous…

It could be if you’re a victim or your organisation is targeted.

Account takeover fraud – or ATO – is an increasingly common phenomenon where personal information is used to hijack online accounts. Once they have control, cybercriminals use the registered payment information and other privileges connected to the account to gain access to money and goods.

What’s the scale of the problem?

Globally, account takeover fraud increased 80 per cent between 2016 and 2017, according to the 2018 Ecommerce Fraud Index from online fraud prevention vendor Signifyd.

In the US, research consultancy Javelin Strategy & Research found that account takeover increased significantly in 2017, with total losses through ATO reaching $5.1 billion, more than double the figure for 2016.

The 2018 Identity Fraud: Fraud Enters a New Era of Complexity report also found that victims of ATO in the US paid an average of $290 and spent an average of 16 hours resolving each incident. ATO currently drives the largest fraud losses in North American financial institutions within digital channels, according to another report.

Why is it on the rise?

As cybercriminals gain access by impersonating consumers, they have been assisted by the exposure of personally identifiable information by a number of significant data breaches.

Weak customer authentication methods and the rise of mobile devices used for payments and e-commerce have also had an impact.

The growing acceptance of chip-and-PIN card technology for payment has been a factor in the US. This has made it more difficult for cybercriminals to perpetrate counterfeit card or card-present fraud, and so they have shifted their focus to ATO.

Finally, ATO is lucrative for cybercriminals, as they can hijack multiple accounts in quick succession, meaning they can secure enough cash to make it worth their while.

Why are these attacks such a concern?

A cybercriminal using ATO could potentially empty a bank account, and it can take weeks to recover the money. In addition, unlike a stolen credit card that impacts a single consumer account, once fraudsters gain access to one account, they use it to gain access to others.

Once criminals gain access to an account, there is also the potential for them to add new authorised users to a credit card and make expensive purchases or transfer money from a stolen current account to a new account. In addition, they could take advantage of offers for prequalified customers or apply for a car loan, for example.

ATO attacks are also difficult to detect because fraudsters are pretending to be the account holder and fraudulent transactions take place among genuine payments made by the account holder. In addition, consumers are often unaware that their accounts have been taken over, as cybercriminals change their communications preferences – phone numbers and email addresses – meaning victims can be none the wiser for some time.

Perpetrators are also difficult to catch, with ATO fraud not detected by credit monitoring systems and identities often sold to other criminals, increasing the level of anonymity for fraudsters.

How can we combat ATO?

Clearly consumers can do their bit by being more careful about the information they share online and by being aware of the risks posed by criminals looking to obtain personally identifiable information through phishing scams.

Another approach is for consumers to undergo more steps to prove they are who they say they are. While this would decrease the likelihood of fraud, it would also worsen the experience for customers and potentially drive them away. The emergence of biometric technology to make it harder to impersonate account holders would help in this context.

The use of device-based identification data – phone ownership information, device information (usage, phone type, operator), and offline verification data such as name and address – has also been touted as a way to tackle ATO fraud.

But with cybercriminals often finding a way to overcome defences, the latest security detection and mitigation technology – including machine learning and artificial intelligence – would be a wise investment for banks and e-commerce organisations to make. This type of technology will help surface suspicious account activity and contain it before fraudsters can get away with their crimes.
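The detection problem the article describes above (fraudulent transactions hidden among genuine ones, and contact details changed so the victim is never alerted) can be illustrated with a small rule-based risk scorer. The following is an added example, not code from the article or from any of the vendors it cites: it assumes an application audit log with login, contact-change, payment and add-user events carrying a device-fingerprint id, uses a constructed event stream and enrolment baseline, and uses illustrative signal weights that are not tuned on real data. Risk accumulates per customer inside a sliding window, so the chain "unfamiliar device, then contact change, then payment or new authorised user" trips an alert even though no single step looks decisive; every contact change also produces an out-of-band notification to the previous channel, which is the control that defeats the "none the wiser" effect.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One account event from an (assumed) application audit log."""
    ts: datetime
    user: str
    kind: str       # "login" | "contact_change" | "payment" | "add_user"
    device: str     # hypothetical device-fingerprint id
    detail: str = ""


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample stream (not real data): alice behaves normally,
# bob's account is taken over from an unfamiliar device.
EVENTS = [
    Event(_t("2018-10-01T09:00"), "alice", "login", "dev-A1"),
    Event(_t("2018-10-01T09:05"), "alice", "payment", "dev-A1", "49.99 usual-merchant"),
    Event(_t("2018-10-02T08:30"), "alice", "login", "dev-A1"),
    Event(_t("2018-10-02T08:31"), "alice", "contact_change", "dev-A1", "phone"),
    Event(_t("2018-10-03T10:00"), "bob", "login", "dev-B1"),
    Event(_t("2018-10-03T22:10"), "bob", "login", "dev-X9"),
    Event(_t("2018-10-03T22:12"), "bob", "contact_change", "dev-X9", "email"),
    Event(_t("2018-10-03T22:20"), "bob", "add_user", "dev-X9", "authorised card user"),
    Event(_t("2018-10-03T22:25"), "bob", "payment", "dev-X9", "1899.00 new-merchant"),
]

# Devices registered at enrolment (constructed baseline).
KNOWN_DEVICES = {"alice": {"dev-A1"}, "bob": {"dev-B1"}}

# Signal weights (illustrative assumptions, not tuned on real data).
W_NEW_DEVICE = 2        # login from a device never seen for this user
W_CONTACT_CHANGE = 3    # phone/email changed while a new-device login is recent
W_PRIVILEGED = 4        # payment or new authorised user after a recent contact change
PRIVILEGED = {"payment", "add_user"}


def score_events(events, known_devices, window=timedelta(hours=24), threshold=5):
    """Return (alerts, notifications).

    alerts: events whose accumulated per-user risk inside `window` reaches
            `threshold`, with the signals that contributed.
    notifications: (user, channel) pairs for every contact change, so the
            *previous* phone/email is told about the change out of band.
    """
    known = {u: set(d) for u, d in known_devices.items()}
    recent = {}              # user -> [(ts, weight, reason)] still inside the window
    last_new_login = {}
    last_contact_change = {}
    alerts, notifications = [], []

    for ev in sorted(events, key=lambda e: e.ts):
        signals = []
        devices = known.setdefault(ev.user, set())

        if ev.kind == "login":
            if ev.device not in devices:
                signals.append((W_NEW_DEVICE, f"login from unknown device {ev.device}"))
                last_new_login[ev.user] = ev.ts
            devices.add(ev.device)

        elif ev.kind == "contact_change":
            t = last_new_login.get(ev.user)
            if t is not None and ev.ts - t <= window:
                signals.append((W_CONTACT_CHANGE, f"{ev.detail} changed soon after new-device login"))
            last_contact_change[ev.user] = ev.ts
            # Always notify the old channel: redirecting alerts to a phone or
            # e-mail the fraudster controls is what keeps the victim unaware.
            notifications.append((ev.user, ev.detail))

        elif ev.kind in PRIVILEGED:
            t = last_contact_change.get(ev.user)
            if t is not None and ev.ts - t <= window:
                signals.append((W_PRIVILEGED, f"{ev.kind} within {window} of a contact change"))

        # Accumulate risk per user, dropping signals that fell outside the window.
        hist = [h for h in recent.get(ev.user, []) if ev.ts - h[0] <= window]
        hist.extend((ev.ts, w, r) for w, r in signals)
        recent[ev.user] = hist
        score = sum(w for _, w, _ in hist)

        # Only events that themselves add a signal can raise an alert.
        if signals and score >= threshold:
            alerts.append({"user": ev.user, "ts": ev.ts, "kind": ev.kind,
                           "score": score, "reasons": [r for _, _, r in hist]})
    return alerts, notifications


if __name__ == "__main__":
    found, notify = score_events(EVENTS, KNOWN_DEVICES)
    for a in found:
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['user']:6} {a['kind']:15} risk={a['score']:2} {a['reasons']}")
    print("out-of-band notifications:", notify)
```

On the constructed stream, alice's contact change from her enrolled device scores nothing but still triggers a notification to her old phone, while bob's contact change, new authorised user and payment all alert because each builds on the earlier unfamiliar-device login. The machine-learning systems the article mentions replace the hand-picked weights with learned ones, but the features (device familiarity, recency of contact changes, proximity of privileged actions) are the same kind of signal.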