The balance between consumer convenience and security is delicate, especially in a competitive, high-value market. For example, when banks and credit card companies provide online loan applications, they make it convenient for potential customers to get a loan. But they also make it convenient for identity thieves and hackers.
The National Mortgage Application Fraud Risk Index increased by 15% between the first quarter of 2021 and the first quarter of 2022. Credit card fraud also skyrocketed by the last quarter of 2021. Fraud affects everyone, from consumers to the banks that approve applications. The amount of money lost varies, but it raises costs for consumers and leads to hefty monetary losses for financial institutions. The biggest channel for fraudsters is the mobile market, as more financial institutions continue to provide services through apps.
How Does Loan Fraud Work?
Loan fraud starts with the consumer. Attackers obtain personal information through many vectors. Some use phishing emails and malicious websites. Others use a variety of ways to install malware on a targeted user's local device, and some local thieves steal unshredded paperwork from garbage cans to collect private information.
In most cases, an identity thief targets a large number of consumers to collect as much information as possible. Their goal is to sell the data, not use it themselves. With enough personal data, an attacker can make a seven-figure return on their investment. Experian estimates that a social security number is worth $1, but online banking credentials are worth $20-$200 each. As you can probably guess, tricking a few thousand consumers will provide a nice payout on darknet markets.
After a nefarious buyer obtains personally identifiable information (PII) on darknet markets, the actual loan application fraud begins. Using a combination of bots, VPNs (virtual private networks), and proxies, the attacker submits loan applications using a victim's information. The fraudster is often outside the victim's country, so they get an unsuspecting co-conspirator with a local address to receive the credit cards, or they use the cards themselves and have the purchased products shipped to that address. The co-conspirator then forwards the cards or the stolen goods to the fraudster.
Credit card fraud isn't the only version of loan fraud. Fraudsters also target mortgages, bank accounts, payday lenders, car notes, and other "buy now pay later" agreements. Because loans often work with larger amounts of money and expensive products, it's a high-risk issue for lenders and a long-term credit report issue for consumers.
Bot Attacks and Account Takeover
To take it a step further, some attackers use scripts to automatically test credentials purchased on darknet markets. There are two reasons an attacker uses bots:
- To verify stolen credentials and sell them to fraudsters or
- To authenticate a victim's financial accounts and use them to open loans, transfer money, or purchase products using the victim's credit cards.
Every online entity experiences bot traffic, but recent research shows that about 28% of bot activity on the internet is nefarious. Bots work far faster than humans, so attackers can cover many more sites and target many more victims in a short amount of time. Specific factors signal that traffic is bot activity, such as unusual user agents, missing headers, and high-speed web activity. However, a good bot creator designs scripts to factor in human elements to bypass simple fraud detection.
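As an added example (not code from the original post), the following Node.js script scores access-log entries on the three bot signals just named: a scripted user agent, a missing header a browser normally sends, and a burst of requests from one client. The log lines, the pipe-separated field layout, and the list of scripted user-agent strings are all constructed for this illustration.

```javascript
// Constructed sample log lines: "ip|unix_ts|method|path|user_agent|accept_language"
// (assumed layout; a real access log would need its own parser).
const SAMPLE_LOG = [
  "203.0.113.7|1700000000|POST|/loan/apply|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0|en-US",
  "203.0.113.7|1700000095|GET|/account|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0|en-US",
  "198.51.100.9|1700000000|POST|/login|python-requests/2.31|",
  "198.51.100.9|1700000001|POST|/login|python-requests/2.31|",
  "198.51.100.9|1700000001|POST|/login|python-requests/2.31|",
  "198.51.100.9|1700000002|POST|/login|python-requests/2.31|",
  "198.51.100.9|1700000002|POST|/login|python-requests/2.31|",
  "192.0.2.44|1700000010|POST|/login|Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0|",
];

// Substrings that identify common scripted HTTP clients (illustrative, not exhaustive).
const SCRIPTED_UA = ["python-requests", "curl/", "go-http-client", "java/", "libwww"];

function parseLine(line) {
  const [ip, ts, method, path, ua, lang] = line.split("|");
  return { ip, ts: Number(ts), method, path, ua, lang };
}

// Group requests by client IP and evaluate the three signals per client.
// A client with two or more signals is reported as "likely-bot".
function scoreClients(lines, { rateWindowSec = 10, rateThreshold = 4 } = {}) {
  const byIp = new Map();
  for (const raw of lines) {
    const r = parseLine(raw);
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r);
  }
  const results = {};
  for (const [ip, reqs] of byIp) {
    const reasons = [];
    // Signal 1: unusual (scripted) user agent.
    if (reqs.some(r => SCRIPTED_UA.some(s => r.ua.toLowerCase().includes(s)))) {
      reasons.push("scripted-user-agent");
    }
    // Signal 2: a header every mainstream browser sends is absent.
    if (reqs.some(r => r.lang === "")) reasons.push("missing-accept-language");
    // Signal 3: high-speed activity, measured as the largest number of requests
    // inside any sliding window of rateWindowSec seconds.
    const ts = reqs.map(r => r.ts).sort((a, b) => a - b);
    let maxInWindow = 0;
    for (let i = 0, j = 0; i < ts.length; i++) {
      while (ts[i] - ts[j] > rateWindowSec) j++;
      maxInWindow = Math.max(maxInWindow, i - j + 1);
    }
    if (maxInWindow >= rateThreshold) reasons.push("high-request-rate");
    results[ip] = {
      score: reasons.length,
      reasons,
      verdict: reasons.length >= 2 ? "likely-bot" : "unclear-or-human",
    };
  }
  return results;
}

console.log(scoreClients(SAMPLE_LOG));
```

The script also shows the limit the paragraph warns about: a bot that copies a real browser's User-Agent and Accept-Language headers and throttles itself scores zero here, which is why header heuristics alone are only a first layer.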
We recently published a guide to bot attacks and protecting against them: Bots Are Taking Over The Web - Here’s How to Fight Back.
Take a look at a popular account takeover tool called Sentry MBA. With software like Sentry MBA, scammers can test millions of usernames and passwords on a targeted site, and because of its availability and ease of use, it’s become incredibly popular.
Source: F5 Networks Sentry MBA PDF
The attacker can add timeouts to avoid sending too many requests in a short time. Custom HTTP headers can be added to look like a human user, and various password rules can be set to collect as many cracked accounts as possible. It can even upload driver's license images to a target website. The software is built to commit account takeover fraud, including against financial targets.
To combat bot activity, financial institutions need sophisticated bot detection. Determining that activity comes from a bot rather than a human user significantly reduces risk. While this won't stop manual fraud, it will help stop the more sophisticated, collaborative financial fraud efforts run by cybercriminal groups.
Preventing Loan Application Fraud
It's unrealistic to expect every consumer to avoid identity theft. Human error is always an issue for any business, so the responsibility to stop identity theft and fraud falls on financial institutions. Whether the threat is bots or human fraudsters, financial institutions and those offering loan application services can take steps to minimize risk.
Third-party identity validation services
Users take a picture of themselves or upload a driver's license image, and an identity validation service uses artificial intelligence and video analytics to verify the information's authenticity against various public databases and machine learning systems.
Online banks can also validate a credit card or bank account by sending two small amounts, such as $.01 or $1.00, to the applicant's account. The applicant must then enter both amounts correctly before the account is verified.
Multi-factor authentication (MFA)
Multi-factor authentication can block the completion of the login procedure, stopping the account takeover. As a result, attackers can no longer access an account with just a credential list and a bot program, so they cannot open loans or order credit cards using a stolen consumer account.
Push notification authentication
Instead of relying on credentials, push notifications are sent to the account holder's phone. Then, the account owner taps a button to verify that the authentication request is valid. This method stops bots and human attackers with stolen credentials.
Video call verification
Some companies use video calls where the user holds their government document (e.g., passport or driver's license) for identification in front of the camera so that the user's face can be compared to the submitted official government documentation.
Using Fingerprint to Detect Fraud
Common fraud prevention methods have various bypasses, so just one strategy isn't enough to stop a sophisticated and determined attacker.
Fingerprint is a device identification solution that uses machine learning to detect returning users with 99.5% accuracy. Each visitor receives a visitorId, generated from various device and browser elements such as the specific browser (e.g., Chrome or Firefox), screen resolution, operating system, and browsing patterns.
With the Fingerprint visitorId, your developers can associate previous fraudulent activity with a current session, even when the attacker attempts to conceal their identity. With this information, developers can block loan applications, send a loan application to the fraud department, or display an error message to the visitor. In addition, using Fingerprint, your developers can customize the loan application process when an ID comes up as a duplicate, or use our bot detection solution, BotD, to better detect bot activity.