By Brett Johnson, keynote speaker and consultant on cybersecurity, cybercrime and identity theft
Account takeover (ATO) fraud, defined
Account takeover (ATO) fraud is a crime committed using stolen or counterfeited credentials to assume control of (usually) an online account. The primary purpose of this type of fraud is to assist in monetary or credit card theft.
ATO can affect many types of accounts
ATO affects all manner of accounts: Email, merchant, bank, credit card, financial services, credit report, tax documents, social security profiles, entertainment services and more.
Taking over what cybercriminals consider low-level accounts (merchant logins, email accounts, streaming services) rarely involves more than using stolen credentials and signing into the account. Depending on the website, the crook may act immediately or might wait in an attempt for the takeover to be considered legitimate after a certain amount of time passes.
For higher level accounts (financial services, government benefits), a thief needs the complete identity profile, called a “Fullz,” among cybercriminals.
- Fullz: The victim’s name, address, phone number, SSN, DOB, MMN, DL#, background check, credit report and any social media information which might be interesting or helpful.
Once the identity profile of the victim is purchased or built, an identity thief can use the information to defeat a knowledge-based authentication system. Higher level targets often require identity documents.
The thief is usually unable to obtain the real driver’s license of the victim or a snapshot of the real ID. As such, a fraudulent ID must be used. The fraudster can create his own template for the ID, but usually opts to buy one from a criminal marketplace or use a variety of fake ID services which cater to identity thieves. The ID will have the correct DL information of the victim on it, while the picture is of the fraudster if it’s a physical ID or of someone else if it’s a virtual ID.
Here are the types of identity documents criminals can use to commit ATO:
- Physical driver’s license with the victim’s information on it, but the face of the fraudster. A fraudster will use this type of document when a physical appearance is necessary; to pick up items, on certain applications for credit, or to withdraw money, for example.
- Online driver’s license photo, scan and selfie having someone else’s picture on the document with the synthetic identity’s information on it
Identity thieves rely on poor security, manual-only inspection of the documents by untrained humans, and the hope of simply getting lost in the traffic of legitimate customers for their fake ID to pass.
(You can read Brett Johnson's entire whitepaper on different types of fraud here.)
Proper security, digital identity verification and expert manual review deter criminals and reduce fraud
Advanced algorithms and artificial intelligence can accomplish what many in-house employees simply aren’t equipped to catch. Fully automated machine learning techniques applied to document capture, biometric facial comparison, liveness detection, document authentication and classification and data extraction deliver near instant identity verification with outstanding results — with minimum friction for customers and the business. It works. In fact, the technology is so effective that fraudsters have started gravitating towards targets where they know only humans are examining documents, or where they know the verification company at hand isn’t effective enough to recognize the quality of fake identity document in their possession.