Account takeover fraud (ATO) happens when an unauthorized person takes control of a legitimate user's bank account. Fraudsters use every means available to gain that control. Once they control an account, they apply for a new card or change basic account information. In this guide, we'll be talking about account takeover fraud and how big a threat it is for financial service providers.
Most of the time, individuals are the victims of account takeover fraud, but fraudsters sometimes take over business and small-business accounts as well. Compared to 2019, 2021 saw a 21% increase in account takeover fraud. Out of all types of fraud, three-quarters of cases are account takeover fraud.
Old and New Ways of Account Takeover Fraud
Account takeover fraud is one of the oldest types of fraud. In the past, criminals relied on manual ways of collecting enough knowledge about a victim to access the account and eventually take control.
They gathered this information by going through people's trash, stealing mail, and bribing or blackmailing. Today, the way of obtaining information has changed completely: cybercrime has become the primary method of acquiring information for account takeover fraud.
Moreover, fraudsters can buy information for dirt cheap from the dark web to allow them to take over financial accounts.
The dark web has multiple marketplaces that specialize in selling personally identifiable information (names, account numbers, addresses, social security numbers, national IDs, and more).
As most people reuse their passwords for multiple accounts, it makes it easier for fraudsters to take over multiple accounts at once.
When fraudsters have access to this much data so easily, they test it out, using both old-school and new-age methods. With credential stuffing, they use automated tools to mount mass login attempts against these accounts.
There are other ways too. According to reports, around 44% of account takeover fraud instances happen over telephone channels, which suggests that call centers are the weak link in the process.
What Do Fraudsters Do With Taken-Over Accounts?
There are multiple parties involved in this kind of fraud. The criminals who commit data breaches to obtain account data are not the same criminals who use that data to determine whether it's usable. When accounts are found to be vulnerable, they're sold on to other fraudsters who actually take over the account.
When an account is taken over, some fraudsters just want to make quick money: they simply transfer the available balance to some other account. Others use the accounts for money laundering.
Other fraudsters play the longer game and use the account to extract as much monetary gain as possible. This is done in several steps:
- Fraudsters gain long-term control of the account. They change core account information such as an address, mobile number, and date of birth.
- Fraudsters have a new card issued for the account using the new details (new address, new mobile number, etc).
- They keep using the account to maximize the funds available. They increase credit card limits or use the account as a gateway to more funds, such as a loan. Once a fraudster has maximized the amount they can obtain before the risk to them becomes too high, they cash out of the account under their control.
When this happens, it's extremely difficult for the financial institution to distinguish the legitimate account holder from the fraudster, or to tell which activity was done by whom.
How do Financial Institutions Handle Account Takeover Fraud?
To stop account takeover fraud from happening, financial institutions need to both prevent it and also detect suspicious activity so they can intervene. This can be done by employing multiple techniques:
1. Strong Customer Authentication
ID authentication is a major part of the account protection process, and several banks and financial institutions pay close attention to the ID verification process. In the EU, PSD2 regulation is best known for requiring a customer's identity to be checked when they make a payment. That's not all: PSD2 also requires authentication of account holders when they access or use payment accounts.
Any activity on a payment account that increases fraud risk requires strong customer authentication. Financial institutions have multiple methods to verify whether the account holder is a legitimate user.
To meet the requirements of PSD2, financial institutions have to cover at least two of the following three categories:
- Knowledge authentication – Something only the user knows (password, PIN, etc).
- Possession – Something only the user possesses, such as a token, mobile, card, etc.
- Inherence – Something the user is (fingerprint, facial recognition, etc).
2. Customer Communications for Confirmation
Once a fraudster has access to an account, it's not all over. The more details the fraudster changes on the account, the more control they have, but until they make those changes the bank still holds the contact information of the real account holder.
As well as authenticating customers who want to make changes, banks can use real-time, automated, two-way communication with their customers to confirm that such actions were genuinely requested.
For example, if a change of address is requested, a text message can be sent to the mobile phone number on record to confirm whether the action is legitimate.
3. Understanding Criminal Networks
Organized crime usually operates on a larger scale: fraudsters try to take over as many accounts as they can. While this is a threat to financial institutions with weak defenses, it can also be an opportunity to identify accounts that have been taken over.
With application fraud, criminals have only limited contact information they can use to manage accounts. They recycle mobile numbers, emails, and addresses, using the same contact information for multiple accounts.
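To make the two detection ideas in this post concrete (a new card requested soon after a contact-detail change, and the same phone, email or address turning up on several accounts), here is an added Python example that is not part of the original post; the event log, account ids and the 14-day window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not real data): one row per account change.
# Fields: (account_id, ISO timestamp, event_type, new_value_or_None)
EVENTS = [
    ("A100", "2023-03-01T09:00", "phone_change",   "+44 7700 900001"),
    ("A100", "2023-03-03T10:00", "address_change", "1 Example Row"),
    ("A100", "2023-03-05T11:00", "new_card",       None),
    ("A200", "2023-03-02T14:00", "phone_change",   "+44 7700 900001"),
    ("A200", "2023-03-20T09:00", "new_card",       None),
    ("A300", "2023-01-10T09:00", "address_change", "1 Example Row"),
    ("A300", "2023-03-04T09:00", "email_change",   "user300@example.com"),
    ("A400", "2023-03-06T09:00", "new_card",       None),  # no prior change
]

CONTACT_EVENTS = {"phone_change", "address_change", "email_change"}


def flag_card_after_contact_change(events, window_days=14):
    """Return the set of accounts where a new card was requested within
    `window_days` of a phone/address/email change (the takeover sequence)."""
    by_acct = defaultdict(list)
    for acct, ts, kind, _ in events:
        by_acct[acct].append((datetime.fromisoformat(ts), kind))
    flagged = set()
    for acct, rows in by_acct.items():
        rows.sort()  # chronological order per account
        for i, (t, kind) in enumerate(rows):
            if kind != "new_card":
                continue
            # Any contact change in the look-back window before this card request?
            if any(k in CONTACT_EVENTS and t - tp <= timedelta(days=window_days)
                   for tp, k in rows[:i]):
                flagged.add(acct)
    return flagged


def shared_contact_clusters(events, min_accounts=2):
    """Map (event_type, value) -> sorted account ids for contact values that
    were set on at least `min_accounts` different accounts (recycled details)."""
    index = defaultdict(set)
    for acct, _, kind, value in events:
        if kind in CONTACT_EVENTS and value:
            index[(kind, value)].add(acct)
    return {k: sorted(v) for k, v in index.items() if len(v) >= min_accounts}


if __name__ == "__main__":
    print("card soon after contact change:", flag_card_after_contact_change(EVENTS))
    print("recycled contact details:", shared_contact_clusters(EVENTS))
```

Accounts that appear in both results (here A100) are the strongest candidates for a manual review or an out-of-band confirmation to the contact details held before the change.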