‘Account Takeover’ (ATO) refers to any type of fraud where a criminal gains control over a consumer’s established account without their permission. It is a form of identity theft.
Any type of online account – banking, credit, e-commerce, brokerage, reward points, social security, healthcare or social media – can fall victim to account takeover fraud and the damage done can be devastating. On top of the financial losses that can be incurred by the original account holder (estimated to be an average of $12,000 per occurrence) victims are subjected to a highly stressful ordeal trying to reclaim their identity and regain control of their hijacked account.
For businesses, the reputational costs can be severe. If the reason a fraudster was able to seize a customer’s account was a weakness in your fraud prevention strategy, trust is lost.
Account takeover fraud: a multi-billion dollar problem
According to Javelin Research’s annual Identity Fraud Study report, account takeover losses in 2021 increased by 90% on the previous year, to an estimated $11.4 billion.
The study found that 24 million US households have experienced a criminal gaining unauthorized access to their account(s). That means that almost one quarter (22%) of the adult American population has been a victim of ATO.
This figure has skyrocketed since the pandemic. Many businesses, perhaps unprepared for the acceleration in the evolution of shopping habits and online payment options that Covid-19 brought about, inadvertently left vulnerabilities in their fraud prevention systems which fraudsters were able to exploit.
Sadly, despite the high rates of ATO attacks, consumers remain relatively unaware of the very real risk posed by habits such as using repeated passwords across multiple accounts and how open this leaves them to identity fraud. At the same time, many businesses are still not being proactive enough in protecting themselves from the financial and reputational damage that can occur when customers suffer ATO.
The stakes for business are incredibly high with 38% of study respondents saying they would leave a service altogether if they experienced an ATO attack via that platform.
It is vital, therefore, that organizations find the right set of tools to protect themselves and their customers from ATO.
How ATO attacks happen
ATO attacks are typically initiated using credentials obtained from data breaches and which are then sold on the dark web to third parties. A rising number of data breaches has meant criminals have had no shortage of access to personally identifiable information (PII) which gets them through the most common barriers faced at login.
Once a fraudster is into an account, they can make critical changes to a user’s profile, updating contact information and changing the password. This gives the fraudster control of an account, locking out the previously registered user and making it very difficult for them to regain control.
When the fraudster has successfully achieved the takeover, they are free to make unauthorized transactions that appear legitimate such as requesting new payment cards which can be sent to new addresses, adding users to the account, transferring money, or opening new lines of credit.
Multi-Factor Authentication: Enough to prevent ATO?
In other cases of ATO, criminals will steal devices, knowing that if they can seize control of devices linked to accounts, they have the means to bypass additional security measures such as two-factor authentication (2FA) or one-time passwords (OTPs). Earlier this year, a report by Auth0 found that attacks by cybercrime groups targeting multi-factor authentication (MFA) techniques had risen to the highest levels ever recorded, with its network logging roughly 113 million MFA attacks. This rise reflects the fact that MFA has become the secondary security method preferred by many major app and service providers. However, far from being a bar to criminals, they can be a gift. When 2FA codes are delivered to a device via SMS or email, they can be immediately intercepted by the criminal. Once the criminal has that code, they effectively have the keys to the kingdom.
This is exactly what happened to Charlotte Morgan, the victim in this case. By the time she realized her phone had been stolen during a regular workout class at her gym, criminals had already succeeded in resetting her email, online banking, mobile and Apple Pay security details and emptying her savings accounts. This was all possible because they were able to intercept the 2FA methods she had set up on her phone.
This is a growing problem. Over 60% of respondents in a 2021 study had security questions, two or multi-factor authentication, or both set up when their accounts were taken over, implying that these measures do not guarantee identity fraud protection.
Protecting your customers and your business from ATO
So what can you do to protect your users and your organization from ATO risks?
Identity thieves rely on poor fraud detection processes, weak security measures, untrained employees manually inspecting the bogus documents, and/or the hope of simply getting lost in the flow of legitimate customers. Proper security, digital identity verification, and expert manual review help identify suspicious activity.
Preventing account takeover fraud is a balancing act. On the one hand, you need to be able to prevent fraudulent transactions from taking place. On the other hand, you want to ensure that the vast majority of your customers, who have legitimate reasons for wanting to access and manage their accounts without undue friction and inconvenience, are not frustrated by processes that slow them down and place them under unnecessary scrutiny.
So you need to be able to work out who is an authentic customer and who is impersonating an authentic customer. And you need to be able to do this in real-time because fraudsters work fast and consumers will not be forgiving if your lenient security measures are the reason they fell victim to account takeover fraud.
Know how to spot red flags
Businesses that do well at preventing ATO fraud have systems in place that ensure vigilance and aid early detection. That means knowing what the red flags are and being able to spot them quickly.
Account takeover red flags can include:
- Multiple login attempts
- Notifications being switched off
- Requests for changes to contact details, or email addresses where OTPs are sent
- Requests to set up a new payee or authorized user
- Changes to the address registered to the account followed by requests for new payment cards or checkbooks
While no single red flag will reveal everything needed to determine if an account has been compromised, taking a risk-based approach ATO attacks enables systems to flag transactions that could be fraudulent more effectively and allows agents to then consider the context around that request.
Of course, reminding customers to take measures to protect themselves is also crucial in creating a defensive wall against ATO. Users should be encouraged to practice good password hygiene. That includes changing passwords regularly and making them sufficiently strong and complex, not sharing passwords with others, and not using the same passwords across multiple accounts. Customers should also be encouraged to switch on multi-factor authentication where possible because it might not be impassable, but it does add an additional burden for criminals to overcome.
Have the right tools in place
Minimizing identity theft and recognizing the threat of fraudulent transactions requires advanced algorithms and artificial intelligence.
The most effective approaches deploy customer identity verification journeys at scale, verifying the identity of a user at onboarding and then authenticating them every time they attempt a high-risk transaction. These digital tools recognize malicious and suspicious activity employees simply cannot detect. Fully automated machine learning techniques applied to document capture, biometric facial comparison, liveness detection, document authentication and classification and extraction deliver near-instant digital identity verification with outstanding results and minimum friction for customers.
Mitek’s Verified Identity Platform enables organizations to detect and prevent identity fraud in real-time, providing results businesses can depend on at speed, and help cut the costs associated with fraud. But detecting and preventing fraud must be balanced with user experience, so the right tools should also simplify the customer journey, helping you convert more high-quality customers, increase approval rates and reduce false negatives.
Biometric software uses biometric markers such as face and voice recognition to capture the biological input that a user provides. Sophisticated software then measures the capture to create a baseline data point template or the ‘lock’ that will be the determining data point for future uses.
At a time when ATO rates continue to skyrocket, biometric tools such as MiPass from Mitek are proving themselves to be highly valuable with many benefits over traditional identity verification techniques. They cannot be shared or stolen by fraudsters, are highly accurate, and provide a quick and simple user experience.
Of course, different circumstances and situations call for different account takeover prevention techniques and tools. Mitek software allows customers the option of configuring varying functions and layers of protection – from rapid automation to forensic checks – to match different use cases and risk levels, all while providing an intuitive and smooth customer experience without unnecessary friction.
Legacy Solutions: Examples: PINs, passwords, and KBA
- Strengths: Familiar and easily understood by clients. Most helpful at login or when no other risk signals are present.
- Weaknesses: Easily shared, often exposed in data breaches, or used in multiple accounts.
Tokens: Examples: physical tokens and device tokens such as OTP
- Strengths: Constantly changing information makes it difficult for fraudsters to guess or for consumers to share
- Weaknesses: Physical tokens are easily lost or stolen. In the case of devices, hacking/sim swapping presents a significant vulnerability.
Behavioral Biometrics: Solutions that use passive authentication methods to determine whether a user is genuine. These are typically separated into two categories: how a consumer interacts with a given device or how they behave on that device.
- Strengths: passive authentication provides a great UX for the consumer
- Weaknesses: This method often struggles to identify separate users on a given device or to transfer new behaviors when a device is replaced or purchased.
Morphological Biometrics: measurement of biometric traits including face, voice, palm, eye, veins, etc.
- Strengths: measurable biometrics have several strengths, they are unable to be shared or stolen by fraudsters, are highly accurate, and provide a robust user experience
- Weaknesses: Acceptance and privacy concerns remain the top concerns for collecting and storing measurable biometric qualities
Involve experts to stay ahead
Understanding ATO fraud risk means understanding how fraudsters operate. And that changes over time. What was once sufficient to provide adequate protection may no longer be enough as criminals adopt increasingly sophisticated and novel approaches to overcome barriers to fraud. That means it is vital to have access to up-to-date intelligence and insider-level insight on current and emergent fraud trends.
For more than 20 years, Mitek has employed AI to develop industry-shaping image recognition and digital identity solutions. With backgrounds at Interpol, the FSA, EU border patrol and military intelligence, our in-house document experts and scientists build patented technology that adapts to the ever-changing identity fraud environment.
To have a conversation with the fraud prevention experts at Mitek about how our solutions can help you protect your business and your users, contact us.