Don’t Let Account Takeovers (ATO) Take Over Your Business

A long time ago (in the early 2000s), I was playing games online. One of my accounts was compromised – the password was changed, and multiple “high-priced” items I had earned were “traded” without my knowledge, to the account of another player. One could easily blame my simple password at that time when there were no rules around password strength. 

Regardless of the reason, what happened was one of the earliest versions of an account takeover (ATO) attack. Thankfully, the points I earned were merely “Points” with no value to the real world, and of course, cryptocurrency didn’t exist back then. One could say it was simply a simulation to prepare me for what was to come in the future of the Internet.

What Is Account Takeover Fraud?

Account takeover fraud (ATO) is a type of fraud when a criminal gains access to an individual’s login credentials with the intention of stealing funds or personal information. Cybercriminals have a variety of techniques at hand to take over bank accounts and use the data for future malware, phishing, and man-in-the-middle attacks, among others.

Due to the potential financial losses, recovery, and mitigation efforts involved, ATO is one of the top threats to financial institutions and their individual and business customers, as shown in the stats below:

  • The FBI estimates that Account Takeover Fraud (ATO) have cost businesses $12.5 billion dollars globally — including 41,058 victims in the US who lost nearly $3 billion. – Bank Info Security
  • Additionally, companies themselves lost more than $9 billion dollars to data-stealing phishing attacks worldwide, highlighting the need for merchants around the world to remember that even low-tech methods of fraud remain popular and effective. – Website Magazine

Personal information such as email addresses, passwords, date of birth, credit card and social security numbers are all valuable pieces of the puzzle for thieves. ATO is often referred to as “identity theft” or “identity fraud”. Theft of personal information can be used for many types of fraudulent attacks, including “Credential Stuffing” and “Password Spraying”.

The threat of ATOs is constant as new tools are constantly being developed to buy on the Dark Web. That’s where machine learning and risk scoring, combined with a continuous fraud detection system that uses fraud rules, can help.

Fraudsters can gain access to various personal information through data breaches or purchasing them with cryptocurrency through the Dark Web. Fraudsters can also use the Dark Web to buy new tools specifically designed to be used to perform ATO attacks, using the latest scenarios. To anyone who has accessed the Dark Web, it might be fairly obvious that an account takeover is something almost anyone with basic computer skills can achieve, as long as they have enough Bitcoin. Temptation to act on this increases when major events occur, such as COVID-19 which forced millions of people into shocking financial despair and uncertainty.

Below is an example of a marketplace where one can buy credit card numbers and other account information:

As the world becomes more technologically advanced and connected, so do fraud tactics, and account takeover fraud is continually evolving as a constant threat. 

Account Takeover Fraud Examples & Impact  

According to an interview with an ex-fraudster from PYMNTS, payment fraud is relatively “easy”.  

“Banks and merchants know they have a fraud problem, but they don’t understand how organized it is – The Dark Web communities allow people to network. All they need to do is spoof a call to the lowest-educated member of the organization — typically someone on the customer service team — and convince them to change the phone number on the account.”

These comments go hand-in-hand with statistics from a recent study from Aite Group (2019), regarding digital fraud and call center data.

  • 24% of respondents said between 50-80% of their digital fraud cases involve a call center component,

and in the same study:

  • 29% of respondents reported that the above is true for 25%-50% of their digital fraud cases.

Fraud executives were also asked if digital fraud attacks are creating cost and/or volume pressures on other channels, specifically the contact center, where 65% of respondents answered Yes.

The same fraud executives were asked if they attribute an increase in digital ATO to expansions of their FIs digital services, and if yes, to which digital services?

  • 61% reported P2P (Peer-to-Peer financial services)
  • 33% reported Payment Aggregators
  • 28% reported “Self-service change of credentials/email/address/phone number, etc.”
  • 11% reported “Mobile Wallet”
  • 22% reported “Other”

(Source: Aite group Interviews with 20 fraud executives from 18 large North American FIs, July to October 2019)

In addition:

  • Losses from account takeover fraud (ATO) were $5.1 billion in 2018, suggesting that businesses must do a lot more to protect themselves against this kind of attack. – Javelin
  • Similarly, over $16 billion was stolen in the US via identity theft fraud attacks in 2017 — proof companies need to do more to prevent data breaches as well. – Life Lock
  • Children are increasingly the victims of identity fraud.

ATO in Life Insurance

The life insurance industry is an especially big target for ATO attacks. According to a very recent report from Aite Group (2021), both identity theft and account takeover attacks are on the rise, and customers are experiencing the impacts. An Aite Group survey in 2020 found that 14% of life insurance policy owners experienced identity fraud and 11% faced ATO.

“Both insurer’s experiences and consumer data show that ATO fraud has increased in 2020 from 2019, likely due to increased digital and online activity.  A whopping 58% more people said that they had a life insurance account fraud incident in 2020 compared to those that occurred in 2019.” – Aite Group report, 2021.

Unfortunately, the same study indicated that more than 60% of these fraud cases were committed by a family member, a friend, a caregiver, or someone known. In 20% of cases, participants did not know who committed the fraud, which likely led to and recoverable financial loss.  Also, 10% of account-opening-related incidents and 13% of ATO incidents were discovered through insurance company investigations, indicating that more needs to be done to prevent and detect fraud.

Reduce the Risk of ATO Fraud With INTECO Insight

Adaptive Machine Learning and Risk Scoring

ATO is relentless because attack scenarios and tools are always evolving, making it harder for FIs to keep up and catch them. That’s where artificial intelligence, combined with a continuous fraud detection system that uses fraud rules, can help.

INETCO Insight continuously monitors and assesses individual customer activity and compares it to adaptive machine learning models and the behavioral analysis of every single card and customer in the database. INETCO Insight is designed to capture, decode, collate and analyze transaction data in milliseconds, rebuilding each customer model on the fly, and assigning risk advice for every transaction in real-time.

This results in more precise fraud risk scores and anomaly detection scores, reducing your organization’s chance of being “tricked” by an attacker using continuously evolving tools and behaviors.

Real-time Fraud Detection

Continuously screening for suspicious behavioral patterns or real-time anomalies is key to detecting ATO and other identity/credential-based attacks. INETCO Insight can detect and stop these kinds of attacks by:

  1. Immediately detecting anomalous transaction behaviour and rates based on the device fingerprint
  2. Identifying an abnormal increase in hits to specific login endpoints – which could indicate bot-related ATO attacks like Password Spraying
  3. Detecting login attempts or activity from anomalous devices (i.e. unique laptop, or smartphone) and IP addresses (locations the devices are used).

Transaction-level Event Monitoring

In order to have a real-time fraud detection and prevention solution, you need to have centralized real-time event monitoring across all channels and rails. INETCO Insight uses transaction-level event monitoring to screen each network link of a payment transaction as it is happening – as it moves along each customer journey endpoint, applications, and infrastructures. This makes it possible to continuously assess and react if there are any missing transaction links, transaction path deviations or any other suspicious transaction activity related to ATO-related attacks – potentially before the customer is even aware. 

As a result, financial institutions notice an improved customer service, time and budget savings, as well as greater resilience to cyberattacks.

According to a December 2020 report by Aite Group, fraud executives recognized a sharp increase in the amount of fraud from account takeovers, phishing, and other identity-based attacks in 2020 compared to the pre-pandemic period.

  • 32% of executives an increase of 10% or more ATO, compared to before the pandemic.
  • 29% of executives reported an increase of 10% or more Phishing attacks, compared to before the pandemic.

“Growth rates of identity-related fraud now outstrip instrument fraud, such as card and check fraud. Fraud attacks that stem from the compromise and abuse of consumers’ identities are among the things that keep more fraud executives up at night.” – Aite Group.

As businesses continue to tighten in the wake of the economic disruption of COVID-19, it is crucial that financial institutions are thinking of solutions to reduce costs, automate pain points or drive customers to more automated/self-service based channels. Customer experience should be weighted as a top priority, and data is repeatedly showing that investments in real-time fraud detection and prevention is one way to achieve this goal.

Learn more about INETCO Insight for fraud detection