The advent of COVID-19 prompted a rapid acceleration of digital transformation, leading to a significant increase in consumers adopting mobile banking. Unfortunately, as consumers embraced this convenience, fraudsters adapted their strategies and introduced account takeover attacks. So, what steps can organizations take to thwart financial criminals and ensure the protection of consumers?
Since April 2020, there has been a remarkable surge in the use of mobile banking. However, research shows a corresponding rise in account takeover attacks.
These attacks are executed using various methods, including brute-force attacks, credential stuffing, phishing, and social engineering. To mitigate the threat of account takeover attacks, all departments within an organization must take stringent precautions, starting with the enhancement and optimization of authentication processes.
In April 2020, the world’s largest banks witnessed a staggering 200 percent increase in new mobile banking registrations. Peer-to-peer payment companies celebrated record-breaking transactions and dollar volumes throughout 2020, reflecting a substantial rise in the adoption of digital accounts and payments. As a result, more consumers than ever rely on digital accounts for their everyday transactions.
Regrettably, this surge has not gone unnoticed by fraud operators who have intensified their attacks on existing accounts in the form of account takeover (ATO) attacks.
Account takeover, defined as the unauthorized takeover of a legitimate existing account, has become increasingly prevalent. According to an Aite Group report underwritten by GIACT (a Refinitiv company), over one-third (38 percent) of U.S. consumers have experienced ATO in the past two years.
Types of ATO attacks
Fraud operators exploit personally identifiable information (PII) exposed on the Dark Web, as well as information readily available through social media and online searches. Over the years, fraudsters have honed their techniques, employing both traditional and evolved tactics, such as:
- Brute-force attacks: Cybercriminals use automated scripts to cycle through password combinations and validate login credentials.
- Credential stuffing: Similar to brute-force attacks, this involves “educated guesses” using exposed PII.
- Phishing: An email tactic that tricks victims into clicking a malicious link or disclosing PII on a convincing-looking domain.
- Social engineering: A broad range of tactics that involve fraudsters posing as legitimate entities to manipulate victims into providing information or transferring funds.
- Synthetic identity fraud: Combining real and fictitious PII to open or access an account.
- Friendly/family fraud: A common tactic in which fraud is committed by someone known to the victim.
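The first two tactics leave distinct footprints in authentication logs: brute force concentrates failures on one account, while credential stuffing spreads single attempts across many accounts from one source. The following detection logic is an added example, not code from the article or from GIACT; it runs over a constructed sample log (invented addresses and account names) and flags the successful logins that fit either pattern.

```python
from collections import defaultdict

# Constructed authentication log lines (invented for this example, not real data).
# Format: "<src_ip> <account> <outcome>", one login attempt per line.
SAMPLE_LOG = """\
198.51.100.9 alice fail
198.51.100.9 alice fail
198.51.100.9 alice fail
198.51.100.9 alice fail
198.51.100.9 alice fail
198.51.100.9 alice success
203.0.113.7 bob fail
203.0.113.7 carol fail
203.0.113.7 dave fail
203.0.113.7 erin fail
203.0.113.7 frank success
192.0.2.44 grace success
"""

def parse_log(text):
    """Turn the log text into (src_ip, account, outcome) tuples, skipping blank lines."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def detect_brute_force(events, max_failures=5):
    """Brute force: one account, many password guesses -> count failures per account."""
    failures = defaultdict(int)
    for _ip, account, outcome in events:
        if outcome == "fail":
            failures[account] += 1
    return {a for a, n in failures.items() if n >= max_failures}

def detect_credential_stuffing(events, min_accounts=5):
    """Credential stuffing: one source tries leaked username/password pairs against
    many different accounts -> count distinct accounts per source IP."""
    accounts_by_ip = defaultdict(set)
    for ip, account, _outcome in events:
        accounts_by_ip[ip].add(account)
    return {ip for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts}

def suspected_takeovers(events):
    """Successful logins matching either pattern: the sessions a fraud team should
    step up (re-authenticate, hold transfers, notify the customer)."""
    bad_accounts = detect_brute_force(events)
    bad_ips = detect_credential_stuffing(events)
    return {(account, ip) for ip, account, outcome in events
            if outcome == "success" and (account in bad_accounts or ip in bad_ips)}

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute-forced accounts:", detect_brute_force(evts))
    print("stuffing sources:", detect_credential_stuffing(evts))
    print("suspected takeovers:", suspected_takeovers(evts))
```

The thresholds are illustrative; in production they would be tuned per channel and combined with the device and location signals discussed below.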
Best practices for ATO prevention
Given the proliferation of digital communication and cloud data storage, fraudsters have multiple potential entry points to access PII. To mitigate the risk of ATO fraud, organizations must proactively upgrade their current authentication methods.
Weak passwords, long favored by hackers and a constant challenge for security professionals, are increasingly being defeated by fraud operators. Fraud operators are also targeting non-financial accounts (email, social, mobile) to obtain sensitive data that can be used for ATOs.
Organizations can mitigate ATO risk by implementing a comprehensive system that protects customers from payment and identity fraud. This approach should include:
- Positively identifying consumer and business accounts using multiple data sources to enhance underwriting and risk management.
- Real-time account verification and authentication prior to customer enrollment or ACH payment processing.
- Real-time identity verification and authentication of scanned IDs and check payments.
- Adoption of advanced authentication methods like single sign-on (SSO) and password managers, along with password sanitization.
- Utilization of physical and behavioral biometrics, digital identities (including device recognition), geofencing, and other advanced technologies for more reliable consumer authentication than traditional passwords.
- Implementing two-factor authentication (2FA), knowledge-based questions, AI-based third-party database trackers, and educating customers and employees about scams, as well as family and friendly fraud.