Five Things Fueling Account Takeover

May. 6, 2020 | by Heidi Bleau

The role of digital services in our lives has never proven more pivotal than it has in recent months. From banking and shopping to how we work and how our children learn, the most routine activities we do every day have been completely upended.

For financial institutions in particular, this means putting years of investment in digital transformation to the test. For example, it is estimated that the biggest global banks have saved $15 billion through cloud adoption and cut technology infrastructure costs by 25 percent in recent years. Have those investments also paid off in their ability to offer a high level of service to customers who must now be served almost entirely through digital channels? In addition, financial institutions have had to adjust to entirely new ways of working in order to serve and protect those customers.

Fraudsters go where the money is, and in current times that means the digital world. They are seizing the opportunity to grow their criminal business at a time when the use of digital tools and channels may be at an all-time high. One way they are doing this is through account takeover attacks.

Account Takeover Grows Amid Pandemic

Account takeover is a form of identity theft in which a fraudster gains access to a victim’s account and uses it to make unauthorized transactions or purchases. It remains an ongoing problem for financial institutions, e-commerce merchants, and virtually any organization that offers products or services that can be monetized. 

There is a sense that these attacks are growing, as the increased reliance on digital services offers fraudsters more potential victims to target and more opportunity to fly under the radar while some businesses temporarily lower their security barriers in order to provide an optimal customer experience.

Advanced malware is just one of many ways fraudsters are harvesting fresh credentials for use in account takeover attacks. One recently discovered malware family, called EventBot, disguises itself as a legitimate Android app and, once installed, is capable of taking over the user's mobile device to steal banking passwords and the 2FA codes delivered to it.

Remote Access Trojans (RATs) are another type of malware, one that gives a fraudster interactive, administrative control over the victim's device. RATs pose a particular challenge to fraud teams because they act after the victim has logged in: the session is already authenticated, and every request originates from the victim's own device and IP address. That is precisely why they circumvent traditional fraud controls that look for bots, unknown or blacklisted devices, and bad IP addresses; to those controls, a RAT session looks like the trusted customer on the trusted device.

Five Factors Fueling Account Takeover

Regardless of the means, there are five drivers that continue to fuel the growth in account takeover attacks.

1. Data Breaches

A data breach to a fraudster is like a treasure chest to a pirate, full of gold. More than 9.5 billion account credentials, mostly email addresses and username-password combinations, have been compromised in the last few years. Breaches are fueling the underground economy and providing fraudsters with a ready supply of credentials to commit account takeover fraud.

2. Fraud Automation

Fraudsters are continuously working to innovate and develop the tools, technology, and methods they use in cybercrime attacks. One example is the use of fraud automation tools like SNIPR and Sentry MBA in automated attacks such as credential stuffing. These tools take a list of breached username-password pairs and replay them against a target site's login endpoint at high volume, typically through rotating proxies, so that the validity of millions of credentials can be checked in minutes and the "hits" sorted for resale or immediate cash-out. According to a study by the Ponemon Institute, each account takeover attack involving credential stuffing targets an average of 1,041 user accounts and costs an average of $4 million in losses.
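The pattern that credential-stuffing tools leave in authentication logs is a burst of attempts against many different usernames from one source, with a high failure rate and a scattering of successes. The following is an added example, not BioCatch code, of detection logic run over a small constructed log. The log format (`timestamp ip username ok|fail`), the thresholds (10 distinct usernames inside 60 seconds with at least 75 percent failures) and the sample lines are all assumptions for illustration; real logs and real baselines differ.

```python
"""Flag credential-stuffing bursts in authentication logs (added example).

Assumed log format, one event per line: <ISO timestamp>Z <source ip> <username> <ok|fail>
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 cycles through twelve usernames in seven
# seconds (stuffing, two hits); 198.51.100.20 is one user mistyping a password.
SAMPLE_LOG = """\
2020-05-06T10:00:01Z 203.0.113.7 alice fail
2020-05-06T10:00:02Z 203.0.113.7 bob fail
2020-05-06T10:00:02Z 203.0.113.7 carol fail
2020-05-06T10:00:03Z 203.0.113.7 dave ok
2020-05-06T10:00:03Z 203.0.113.7 erin fail
2020-05-06T10:00:04Z 203.0.113.7 frank fail
2020-05-06T10:00:05Z 203.0.113.7 grace fail
2020-05-06T10:00:05Z 203.0.113.7 heidi fail
2020-05-06T10:00:06Z 203.0.113.7 ivan fail
2020-05-06T10:00:06Z 203.0.113.7 judy ok
2020-05-06T10:00:07Z 203.0.113.7 mallory fail
2020-05-06T10:00:08Z 203.0.113.7 oscar fail
2020-05-06T10:00:10Z 198.51.100.20 peggy fail
2020-05-06T10:00:25Z 198.51.100.20 peggy fail
2020-05-06T10:00:40Z 198.51.100.20 peggy ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (ok|fail)$")


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the assumed log format; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m.group(2), m.group(3), m.group(4) == "ok"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_users=10, min_fail_ratio=0.75) -> list:
    """Return one alert per source IP whose attempts inside a sliding `window`
    cover at least `min_users` distinct usernames with a failure ratio of at
    least `min_fail_ratio`. Thresholds are assumptions; tune to your traffic.
    The alert lists the accounts that succeeded, i.e. the ones now compromised."""
    per_ip = defaultdict(deque)
    alerts = {}
    for ev in events:
        q = per_ip[ev.ip]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:   # drop events older than the window
            q.popleft()
        users = {e.user for e in q}
        fails = sum(1 for e in q if not e.ok)
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            alerts[ev.ip] = {
                "ip": ev.ip,
                "attempts": len(q),
                "distinct_users": len(users),
                "failures": fails,
                "compromised": sorted({e.user for e in q if e.ok}),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two caveats a fraud team would add immediately: the accounts in `compromised` need action (forced password reset or step-up on next login), not just the source IP, because the attacker already has valid credentials; and a per-IP rule like this is only the first layer, since stuffing tools spread attempts across proxy pools to stay under per-IP thresholds, so the same counting should also be done per ASN, per device fingerprint, and for the site as a whole (a sudden rise in the global login failure rate is often the earliest signal).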

3. Social Engineering

Humans are the weakest link. Whether it is clicking a link in a phishing email, downloading a rogue mobile app containing malware, or unknowingly authorizing a fraudulent transaction, every successful fraud attack relies on exploiting human vulnerabilities. Advanced social engineering scams, such as authorized push payment (APP) scams in which the victim is talked into sending the money themselves, are the most difficult type of attack to detect and nearly impossible to recognize with traditional fraud prevention methods, because the genuine customer performs every step.

4. Expansion of Digital Banking Services

The financial services industry is undergoing a rapid digital transformation to simplify banking and optimize the user experience. Pressure on traditional banks from emerging challenger banks and FinTechs has created an innovation race. From mobile and cloud to instant payments and P2P platforms, financial institutions must balance the benefits of innovation against the new risks of an expanding attack surface: every new channel is a new place to log in, and instant payments leave no settlement window in which a fraudulent transfer can be recalled.

5. Existing Security Controls

With a near-universal reliance on passwords, most fraud prevention tools are designed to add a layer of strong authentication at login based on parameters such as device identification, IP address, geolocation, and one-time passcodes. However, fraudsters have learned to circumvent many of these controls: a RAT operates from the victim's own device and IP, and a social engineering victim will enter the one-time passcode themselves. Account takeover fraud is, by definition, committed inside a session that has already passed authentication, so visibility beyond login, based on how the user actually behaves during the session, is critical to minimizing fraud risk.
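To make the login-versus-session distinction concrete, here is an added example (not BioCatch code, and not its behavioral biometrics product) contrasting a login-time check with an in-session check. The user baseline, the two behavioral features (inter-keystroke interval and seconds from login to first payment), the three-sigma threshold and both constructed sessions are assumptions for illustration. The point it demonstrates is the one in the paragraph above: a RAT session passes every login-time control because it comes from the trusted device and IP, and only a comparison against the user's own behavior flags it.

```python
"""Login-time controls versus in-session behavioral scoring (added example).

All feature names, thresholds and baselines below are assumptions.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Session:
    user: str
    device_id: str
    ip: str
    otp_passed: bool
    key_interval_ms: list = field(default_factory=list)  # inter-keystroke gaps seen this session
    seconds_to_payment: float = 0.0                      # login to first payment submission
    new_payee: bool = False


# Constructed per-user baseline: trusted devices/IPs plus behavioral history.
BASELINE = {
    "alice": {
        "devices": {"dev-1234"},
        "ips": {"198.51.100.20"},
        "key_interval_ms": [140, 155, 132, 150, 160, 145, 138, 152],
        "seconds_to_payment": [85, 120, 96, 140, 110, 102],
    }
}


def login_time_check(s: Session) -> bool:
    """What a traditional login-time control sees: known device, known IP, OTP passed."""
    b = BASELINE[s.user]
    return s.device_id in b["devices"] and s.ip in b["ips"] and s.otp_passed


def zscore(value: float, history: list) -> float:
    """Standard score of `value` against the user's own history (assumed normal-ish)."""
    sd = pstdev(history) or 1.0          # guard against a flat history
    return (value - mean(history)) / sd


def session_risk(s: Session, z_limit: float = 3.0) -> list:
    """Score the already-authenticated session against the user's baseline.
    Returns a list of human-readable reasons; empty means nothing anomalous."""
    b = BASELINE[s.user]
    reasons = []
    if s.key_interval_ms:
        z_keys = zscore(mean(s.key_interval_ms), b["key_interval_ms"])
        if abs(z_keys) > z_limit:        # cadence unlike this user's own typing
            reasons.append(f"typing cadence z={z_keys:.1f}")
    z_time = zscore(s.seconds_to_payment, b["seconds_to_payment"])
    if z_time < -z_limit:                # straight to a payment, far faster than usual
        reasons.append(f"payment initiated unusually fast z={z_time:.1f}")
    if s.new_payee:
        reasons.append("new payee")
    return reasons


# Constructed sessions. The RAT session is the victim's own device and IP,
# with the OTP approved by the victim, but the input comes from the attacker.
LEGIT_SESSION = Session("alice", "dev-1234", "198.51.100.20", True,
                        key_interval_ms=[148, 139, 160, 150],
                        seconds_to_payment=115, new_payee=False)
RAT_SESSION = Session("alice", "dev-1234", "198.51.100.20", True,
                      key_interval_ms=[40, 45, 38, 42],
                      seconds_to_payment=9, new_payee=True)


if __name__ == "__main__":
    for name, s in (("legit", LEGIT_SESSION), ("rat", RAT_SESSION)):
        print(name, "login check:", login_time_check(s), "reasons:", session_risk(s))
```

Both sessions pass `login_time_check`; only `session_risk` separates them. In practice the features are richer (mouse dynamics, navigation paths, remote-desktop lag), the thresholds are learned per user rather than fixed, and a non-empty reason list should drive a step-up or a hold on the transaction rather than an outright block, since a genuinely rushed customer can also trip a single rule.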

What else do you think is fueling account takeover attacks? Share your response with us on Twitter at @BioCatch. 

Learn more about how to detect RATs, malware, and other automated attack methods used in account takeover with behavioral biometrics in our new white paper, “Protect Online Banking from Remote Access Trojan Attacks.”

Topics: Account Takeover