Every Click and Swipe Tells a Story: How Digital Behavior Can Detect Account Takeover

Dec. 14, 2020 | by Heidi Bleau

The role of digital services in our lives has never proven more pivotal than it has this year as a result of the global pandemic. From banking and shopping to how we work and learn, the most routine activities we do every day have been completely upended.

For financial institutions, this has meant putting years of investment in digital transformation to the test by providing a high level of trusted service to address the needs of customers that must be served almost primarily through digital channels today.

For fraudsters, this has meant an incredible opportunity to grow their criminal business in a time where the use of digital tools and channels is at an all-time high. One way in which they are doing this is through account takeover attacks.

Account Takeover Schemes Grow Amid the Pandemic

Account takeover is a form of identity theft in which a fraudster gains access to a victim’s account and uses it to make unauthorized transactions or purchases. It remains an ongoing problem for financial institutions, e-commerce merchants, and virtually any organization that offers products or services that can be monetized. These attacks are growing as the increased reliance on digital services offer fraudsters more potential victims to target. Some types of account takeover attacks include:

Manual account takeover

The most common type of account takeover is a manual act where a fraudster attempts to log in to a bank account using stolen credentials. Fraudsters have been preying on the fear and confusion brought on by the pandemic to harvest fresh banking credentials from victims in a variety of ways. Phishing attacks and fake websites exploiting the news of a COVID vaccine are popping up globally. Interpol recently issued a warning addressing this concern and citing a study that they found more than 1.700 of these websites lead to phishing links or malware downloads designed to steal user credentials.

Malware and Remote Access Tools

Remote Access Tools (RAT) are one type of malware that allow a fraudster to take administrative control over a user’s device. RATs pose significant challenges to fraud teams as they often take over after login, meaning a session is authenticated, and by design circumvent traditional fraud detection tools that look for the presence of malware, bots and blacklisted devices or IP addresses. There have been many reported incidents of mobile apps being exploited as a way to distribute banking malware capable of taking over a user’s device under the guise of contact tracing apps and other COVID-related news.

Social Engineering Voice Scams

The most sophisticated type of account takeover, and perhaps most difficult to detect, is social engineering voice scams such as authorized push payment fraud. These scams start with a phone call from a fraudster posing as a representative from a legitimate organization such as a bank, utility company or government agency. Fraudsters may use a variety of tactics, most often claiming there has been suspicious activity on an account and the victim must take immediate action to protect their funds. The fraudster will then tell victims that a new account has been opened in their name and persuade them to transfer money into the new “safe” account, one that is actually controlled by the fraudster.

The fraudsters that perpetrate these attacks are well-scripted and often knowledgeable about a bank’s security practices and processes. What makes these scams so hard to detect is that the transaction or payment is being conducted by the genuine user who is logging in from their own device from a valid location. In addition, even if required to provide additional authentication credentials, such as a one-time passcode, the legitimate user will be able to provide them.

A Fresh Approach to Detecting Account Takeover Fraud

Behavioral biometrics takes a fresh approach to detecting all types of account takeover fraud. The technology analyzes a user’s real-time physical interactions such as keystrokes, mouse movements, swipes and taps, and profiles both genuine users and fraudsters on the user level and population level to identify patterns associated with genuine and fraudulent activity.

For example, patterns such as high familiarity with data is associated with genuine users, while high computer proficiency is often associated with fraudulent behavior. Another pattern indicative of fraudulent activity is a disruption in hand-eye coordination which is immediately visible when observing scrolling patterns and suggests a session is being conducted by remote access.

In other cases, such as social engineering voice scams, behavioral biometrics provides a deeper level of insight to help determine a user’s intent or emotional state in context of the activity being performed. For example, segmented typing patterns can indicate dictation such as a fraudster reading off an account number that they want a victim to transfer funds to. Another insight spotted by behavioral biometrics is hesitation. The time it takes a user to perform simple intuitive actions, such as clicking on the submit button, shows a statistically significant increase on average during a social engineering attack, indicating they may be operating under duress.

These are only a few examples of thousands of indicators where digital behavior can be used to detect fraud attacks such as account takeover. Behavioral biometrics is introducing an extra layer of visibility into fraud risk where traditional fraud detection tools are leaving blind spots. Solutions that rely solely on location, device, and network attributes to validate a user’s identity or activity have been shown to be spoofed by fraudsters. One thing that cannot be spoofed, stolen, or replicated, however, is digital behavior. Every click, swipe, and scroll tells a story – one of fraudulent activity or genuine user behavior.

Learn more about how to detect RATs, malware and other automated attack methods used in account takeover in a new white paper, “Protect Online Banking from Remote Access Trojan Attacks.”

Topics: Account Takeover