Account Takeover (ATO) attacks are on the rise. The 2019 Forter Fraud Attack Index shows a 45% increase in this type of attack on consumer identities in 2018. ATOs are just what they sound like: cybercriminals gain access to accounts through various illegal means and use these take over accounts to perpetrate fraud. How do they get access to accounts? There are many technical methods that bad actors can use, such as consumers responding to phishing emails; grafting through fake websites; collection of credentials from keyloggers, rootkits, or botnets; harvesting cookie data using spyware; credential stuffing; brute force password guessing, or perusing compromised credential lists on the dark web. However, they don’t even have to use sophisticated means. Sometimes account information can be found on paper, so variations of “dumpster diving” still works.

Once cybercriminals have account information, depending on the type of account, they can use it for many different kinds of fraud. Of course, financial fraud is a top concern. A banking overlay is a type of mobile malware that looks like a legitimate banking site but is designed to capture bank customer credentials. Banking overlays usually pass on user interaction to the underlying banking app, but also pass on the captured credentials to the malicious actors. Some are sophisticated enough to grab SMS OTPs, thereby defeating that form of 2FA. This problem is more acute on Android than iOS. Using mobile anti-malware and ensuring that users get apps from trusted app stores can help prevent this kind of attack.

Consumer banking is not the only kind of financial industry targeted by cybercriminals. B2B banks, mortgage brokers, investment banks, pension fund managers, payment clearing houses, and cryptocurrency exchanges are also under attack. From the cybercriminals’ point of view, it is easier to attack the end user and the often-less-secured apps they use than to attack financial industry infrastructure.

Just about any online site that exchanges anything of value has become a target for fraudsters. Airline frequent flyer programs and other kinds of travel/hospitality loyalty programs made up 13% of all accounts for sale on the dark web as of the end of 2018. Other consumer rewards programs that can be monetized are also being stolen and brokered. Digital goods, such as in-game purchases, can be highly sought-after, so there are black markets for gamer credentials.

ATO fraud has hit the insurance sector in a big way in recent years. Fraudsters use ATO methods to get insurance customer credentials to submit claims and redirect payouts. Some malicious actors go after insurance agent credentials to facilitate claims processing and get even bigger gains.

Though these stories have been circulating for years, real estate and escrow agents are still occasionally getting ATO’d, such that the home buyers are deceived into transferring large sums to fraudsters during real estate closing deals.

Consumer-facing businesses need to take two major steps to help reduce ATO fraud.

  1. Implement MFA, and not just SMS OTP. This is the biggest bang for the buck here. Passwords are ineffective. SMS OTP can be compromised. Use securely designed mobile apps. Use mobile security SDKs to build apps. Push notifications in-app and native biometrics are a better choice than passwords and texted passcodes. FIDO Alliance has standardized 2FA and mobile-based MFA. FIDO 2.0, released this year, greatly improves interoperability with web applications. Use FIDO authentication mechanisms for not only better security, but also enhanced privacy, and a more pleasant consumer experience. For comprehensive reviews of MFA products, see our Leadership Compasses on Cloud-based MFA and Adaptive Authentication (on-premises products). 

  1. Use fraud reduction intelligence services for real-time analysis of many pertinent behavioral and environmental factors to reduce fraud risk. Examples of factors that fraud reduction platforms evaluate include user behavior, behavioral biometrics, device hygiene, device reputation, geo-location, geo-velocity, bot intelligence, and cyber threat intelligence. These solutions employ machine learning (ML) techniques to more efficiently identify potentially malicious behavior.

ATOs and how to mitigate them will be one of the main topics discussed at our upcoming Consumer Identity World event in Seattle from September 25-27,2019. For more information, please see the event page at  KuppingerCole will be publishing additional research on Fraud Reduction Intelligence Technologies in the near future. Stay tuned.

See also