Account takeover occurs anytime someone gains access to a victim’s online account and uses it without the owner’s knowledge. Also known as an ATO, or ATO attack, it’s a common type of online fraud that is often used to steal either money or personal data, and it’s becoming more and more frequent.
Research found that account takeover accounted for 54 percent of all fraudulent transactions in 2020. In a multi-billion dollar cybercrime industry, that’s a significant value being defrauded. It also means that having a good account takeover prevention strategy can dramatically decrease the risk of doing business online.
Bank account takeover represents a huge reputational risk for businesses in the finance industry. Customers need to be able to trust that their money is safe. If they don’t, they’ll simply go to one of your competitors who they feel they can trust.
How does account takeover in banks and fintechs take place?
There are a range of techniques that fraudsters can use to obtain the login credentials of your customers:
- Credential stuffing. Using automated bots to rapidly enter different combinations of usernames and/or passwords until successfully accessing an account.
- Phishing. Contacting customers and deceiving them into revealing their login information.
- Hacking. Accessing networks to obtain usernames and passwords, or purchasing such information from data breaches on the dark web.
- Weak passwords. Customers with passwords that are easily guessed are at greater risk of bank account takeover fraud. This includes those that reuse usernames and passwords on multiple accounts.
- Spyware. Criminals can install programs on victims’ networks that observe and record their activity, such as their login credentials.
What can fraudsters do with a successful bank account takeover?
1. Account draining
This doesn’t take too much imagination - once criminals are inside a victim’s account, they often look to transfer all available funds elsewhere. They may also conduct multiple transfers to make the money harder to trace.
Many banks and financial institutions now require authentication steps for large transfers, but sophisticated criminals can get around these security measures.
For example, fraudsters in the United Kingdom utilized a loophole where there was no authentication required to pay previous payees to steal more than £8,000 from an account holder. Once they’d made the transfers, they contacted the payees asking for a refund to be paid to their own account.
2. Money laundering
Criminals that earn cash from illegal exploits are forever searching for ways to launder their money. When they have access to a victim’s bank account, they can deposit dirty money as part of a series of transfers, or ATO payments, that disguise its criminal origins.
A victim may not be too worried if they notice an unexplained deposit in their account. However, they may not know that a fraudster has access to their account, and they’re using it to launder that money. They may also drain the victim’s account in the process.
3. Money muling
Money muling is a form of money laundering, where criminals use legitimate bank account holders to clean their dirty money. It’s the same concept behind the term ‘drug mule’, except with cash instead of narcotics.
Criminals use these accounts to clean their money by quickly transferring money in and out with ATO online payments. Once they’ve done it, the money appears legitimate.
Money muling often targets young people, and it’s expected that the number of people under 30 will rise dramatically by nearly 80 percent from 2020 - 2021.
4. Credit applications
Bank account takeover allows fraudsters access to more than just money. Online accounts often have a treasure trove of personal information, such as birth date, social security number, and other data that enables identity theft.
Criminals can use this stolen data to make fraudulent credit applications, racking up debt in a victim’s name without them even knowing about it.
They may even hold on to the information for a few months before using it, making the source of the breach harder to find.
What are the consequences to banks and fintechs?
1. Lost revenue
Banks and financial service companies are seen as lucrative targets by fraudsters, because of the potential for a big windfall. It’s not just customers at risk - finance companies are often required to reimburse fraud victims.
Aberdeen research found that companies in the finance sector can lose up to 8.3 percent of annual revenue to one single ATO attack. With many companies reporting tens of millions of dollars in revenue, that represents a significant loss of business.
Significantly, the report stated, “The financial consequences of successful account takeovers have grown to a level that goes beyond a mere ‘cost of doing business,’ to become a material business risk.”
2. Brand reputation damage
As a business that is responsible for holding on to customers' money, not being able to do so is a fundamental problem. Customers who are victims of account takeover fraud naturally talk to people they know, which creates a huge reputational risk.
This means that online security should be at the forefront of business priorities for banking and financial organizations.
EY Global research found that trust can be destroyed by a cyber attack. It also uncovered worrying revelations for the finance sector, which is that only six percent of financial services companies believed their data security was fit for their needs. 65 percent said they were planning improvements in the coming years.
3. Increased number of chargebacks
Chargebacks are a form of fraud prevention afforded to debit and credit card holders. It often applies in ecommerce, where cardholders can seek a refund if items they purchase don’t arrive in working condition, never arrive at all, or if the purchase wasn’t authorized by the cardholder in the first place.
Chargeback fraud is increasingly common, where customers take advantage of the protection this system gives them to buy items, claim they never arrived, and enlist the help of their card issuer to force a refund from the merchant.
This impacts financial organizations because of the sheer time spent investigating chargebacks. It takes time to process disputes between customers and merchants, and implementing systems that prevent these transactions in the first place is a much more efficient approach.
How can banks and fintech safeguard against account takeover frauds
1. Limit login attempts
Limiting the number of times a user can attempt to log in helps to stop account takeover from automated attack bots. These bots rapidly test different usernames and passwords, and inevitably have several failed logins before they eventually succeed.
By having a stand-down period of 12 or 24 hours, or requiring further verification when a user exceeds a certain limit, financial organizations can prevent these types of frauds from happening.
Plainly, these limits shouldn’t be so strict as to lock out users after the first failed attempt - people can forget passwords, or enter typos, so there needs to be an allowance for that. Having a limit of 3-5 failed logins in a row is relatively common.
2. Device tracking
Knowing where your online users are can really help to prevent fraud. Banks and fintech companies tend to know where customers live, so detecting a login attempt from another state or country could be suspicious.
Banks are beginning to use cellphone tracking technology to monitor where transactions are originating and using that data to successfully reduce fraud. IP addresses in particular have been used by sites for years to estimate the geolocation of a visitor. The site can then cross-reference the IP address location with the billing address associated with a credit card or account.
It doesn’t mean you have to automatically block logins or transactions from new locations, but it can warrant closer investigation, such as multi-factor authentication.
For example, you might detect a cell phone transaction originated in another country. You could send an SMS or email to the account holder to verify the transaction before processing it.
3. Creating a list of blocked IP addresses
Many fraudsters are repeat offenders, so it helps to permanently disable the people behind fraud attempts. If your organization is the victim of fraud or attempted fraud, there’s a good chance the person behind it will try again.
With that knowledge in mind, it makes sense to block the IP addresses of known bad actors. You can even share data with a third party to collaborate with other businesses and block other fraudsters before they target your financial organization.
Fraudsters often use techniques to hide their IP addresses using a VPN. Legitimate customers can do this also, so it’s not a smoking gun for fraud, but it may warrant further investigation if a customer’s location is constantly changing.
Sandboxing refers to separating different business applications so that if one is compromised, the others remain safe.
This technique is like the security equivalent of the Titanic, which was designed so that if water flooded one section of the ship, it could be shut off from the rest and the boat would remain afloat. Plainly, that didn’t work as intended, but it’s a very effective online security measure.
For banking and finance, sequestering areas for programs that run online help to protect the rest of your business. It minimizes the security risk by compartmentalizing vulnerable, valuable, or high-risk business networks so they are completely separate.
5. Level up your account takeover prevention workflows
The best way to limit the damage of account takeover fraud is to prevent it from happening in the first place. Most banks and fintechs will already have account takeover prevention systems in place that attempt to identify patterns of fraud and take action as needed. However, it is all too easy for fraudsters to slip between the cracks if they cannot be tracked over time.
Fingerprint Pro is an API that provides a unique visitorID for every visitor to a website or mobile application. As most fraudsters are repeat offenders, Fingerprint Pro makes it easy to associate any future activity with past suspicious behavior, even when they attempt to conceal their identity or location. The VisitorID remains the same even if the user clears cookies, uses a VPN, or uses incognito mode in the browser.
Customers are becoming increasingly aware of the threat of bank account takeover and other online security risks. There is also a growing risk of security breaches being picked up in the media, which means even greater reputational damage if it does happen to you.
This means that financial organizations need to protect themselves. Not only that, there is a genuine business opportunity for banks and fintech companies to distinguish themselves from their competition by illustrating their dedication to online security.