Title image

How to Secure Business from Account Takeover Fraud

The massive security breach in Twitter forced businesses and individuals to review their account takeover prevention methods and security measures. On Wednesday, July 15, about 130 of verified Twitter accounts were hacked and were further used in the cryptocurrency-related scam scheme. An early investigation showed the presence of social engineering fraud attack on Twitter employees. At a first glimpse, this entails just a Bitcoin scam. However, the consequences and purposes can be very different: stolen private data, reputation damage, blackmailing, etc.

Although Twitter does not yet know the real purposes and ways of account takeovers that happened a few days ago, sure enough, it is a moment to refresh knowledge about account takeover fraud and its prevention.

Account takeover explained

Account takeover (ATO) is one of the most spread fraud types.  According to Forter’s Fifth Annual Fraud Attack Index, account takeovers increased by 31% YOY in Q3 of 2017. Javelin reports the tripling of the cost of account takeover fraud to $5.1 billion in the USA in 2018. Account takeover occurs when someone not authorized gets access to the legitimate user’s account. The general purpose of ATO is usually the same – to obtain an account and make a profit.

Worth mentioning, account takeover is not identity theft, whereas they seem to be similar. Identity theft or synthetic identity happens when fraudster creates an account using someone’s details, usually name, last name, date of birth, address. 

Both of these fraud types exist to steal personal data; however, both demand different fraud prevention methods. The thing is, account takeover fraud gives fraudsters unlimited capabilities in the development and implementation of other fraud schemes: money laundering, bonus abuse, identity theft, phishing, loyalty programs exploiting, reputation fraud, etc.

The consequences of ATO

The results of ATO are apparent when it comes to users. It is usually a painful loss of personal data, money, credit charges, loss of trust in business, and stress. The aftermath for businesses can be very dramatic: chargebacks increase, huge chargeback fees, frequent transaction disputes, and a decrease in customer satisfaction, customer lifetime value, brand damage, and revenue loss. As of today, chargebacks for specific industries can be “life-changing”, especially for e-commerce. When the chargeback rates are over the limit, processing companies raise fees for each transaction, causing drastic revenue losses. Account takeovers in the FinTech industry can be a bad sign of money laundering activities that are restricted and can even lead to the loss of license.

If you ask what account takeover is used for, here is the answer:

  • unauthorized transactions
  • fraudulent orders
  • bonus and loyalty points abuses
  • credit card purchases and credential thefts
  • account and data resell
  • refund and chargeback claims

Account Takeover schemes

Typical account takeover attack looks almost the same in all cases: fraudsters access an account with stolen credentials. They change account details, reset the password and almost instantly resell account or order goods and later resell. Where do they get the user’s credentials?

Actually, there are multiple ways to access user credentials that require a different amount of time and resources. The two most known and most spread methods are credential stuffing and phishing.

Credential stuffing is a method of account takeover that requires specific scripts and programs to logic into the stolen account. These tools test thousands of possible password combinations with a username on a login page and find matches. Credential stuffing is a relatively low-cost and fast method of account takeover.

Phishing is a fraud method of access to user credentials and sensitive data using trusted emails, calls, and messages. Usually, the fraudster sends the user an email with signs of urgency and some kind of alerts: “Please, update your personal information”, “Someone is trying to steal your account, please update your password here…”, etc. Phishing emails and text messages contain links that lead users to fake websites.

Phishing can lead not only to fake websites where fraudsters post forms that collect user data but also to links that download malware programs to your tools that spy your activity, record your screens, etc. This type of credential theft is known as spyware.

The other way of user credentials obtention is data leakage or data breach. Lists of usernames and passwords are quickly sold and promptly bought on sales in the dark web, which means that many fraudsters can obtain access to the same accounts. The extra-advantage of this method is that fraudsters can try to apply user credentials to different platforms and services and obtain access to more than one account.

There are also physical methods of stealing credentials, and yes, they still are on stream in 2020. The best known is skimming. Skimming requires special tools to be installed on ATMs, card, and cash machines. These tools steal account numbers. Later on, fraudsters guess passwords using brute force attacks or credential stuffing.

Unsecured wifi is another type of nasty surprise. Free wifi usually is unprotected and can become an excellent opportunity for fraudsters to expose your information.

Why is it hard to spot an account takeover?

Fraudsters hide behind a customer’s positive purchase history, so they seem to be trusted. In most cases, the seller is blind in the detection of account takeovers at the stages after the login. Fraudsters always try to look like a genuine customer. Thus they do not cause over trafficking and usually choose regular time spots to login to the stolen account. Most companies do not use fraud prevention tools on all product pages, only on conversion destinations. Thus they do not see the whole account takeover process.  Unfortunately, some companies do not pay attention to account fraud prevention at all because they have not met it before and do not know how to deal with it, and it’s results. They do not connect increased chargeback ratio with account takeover fraud.

How to detect an account takeover?

Fraudsters hide behind the accounts of best users, so it is hard to spot their steps on an early start.

Although, there are some signs that can point at account takeover.

  1. Abnormal change of account details. User changes account details, and during 24 hours makes a login from the previously unseen device.
  2. Accounts that are not connected update account details with the same phone numbers, email addresses, etc. almost simultaneously.
  3. User changes delivery addresses after the change of personal information like phone number and email.
  4. Device, browser, operational system change within the one account simultaneously.
  5. Multiple country IP addresses within one account.

How to prevent account takeover fraud?

The first thing that businesses need to remember is that account takeover is a type of fraud that almost invisibly happens but can be detected right on the earliest steps of fraudulent “customer journey”. Thus, it is crucial to set up fraud prevention tools on each step of the sales funnel. Track of login attempts will show credential stuffing attempts.

Login information that updates from time to time with different device information, IP address, browser, OS, or screen resolution can be a sign of account takeover. Therefore, it is essential to track this kind of data in databases and cross-reference each login with existing information to spot unusual behavior. 2-Factor Authentication helps to decrease the number of account takeovers.

Some databases track user reputation within various industries and can provide business with an evaluation of user profile. Thus you can spot synthetic identities, compromised accounts, stolen data, etc.

The biggest problem of today’s services, however, yet the best thing for customers is simplified procedures. Password change is available within two clicks, and account details change does not require any identity verification. 2FA available within one device does not solve a problem of account takeover. Identity verification can become of great help in account takeover prevention.

Fortunately, the financial industry has PSD2 and SCA, which are a real solution.

SCA is a new requirement of PSD2 that will make online payments more secure for both customer and bank or payment service provider.

Currently, all the e-commerce transactions are authenticated with 3D Secure 1.0. With 3D Secure 1.0, banks or payment service providers ask only a password to confirm the user. Passwords quickly become forgotten. SCA will require a new way of authentication — 3D Secure 2.0.

SCA transactions cannot be approved with a password only.

PSD2 requires at least two or more authentication factors (from mentioned below) to be present:

1) Something the only user knows: Password, PIN, Signature

2)Something only the user has: Card, Mobile phone, Wearable device

3)Something the user is: Facial recognition, Fingerprint, Iris scan

Although PSD2 requires SCA for all online transactions, there are some exceptions to making the lives of consumers and acquirers easier. It will help ensure high customer satisfaction rates and save customer lifetime value.

Low-risk or low-value transactions

The SCA will not be required for transactions under 30 EUR. However, if the total amount will be higher than 100 EUR, or every five transactions of 30 EUR, the SCA will be asked to be done by the issuing bank.

Subscription

Transactions charged continuously for subscription purposes won’t require SCA if they are always of the same amount. Only the initial purchase and subscription transaction amount change will need to be verified.

Whitelist

All the customers recognized as “trusted beneficiary” of the business and maintained by the bank will be exempt from SCA.

Mail Order and Telephone Orders

These types of transactions will be exempt from SCA. That’s because MOTO is not considered as “electronic” payments.

Non-European transactions

Or “inter-regional transactions”, type of the deal when the issuer or the acquirer of the payment card is not based in Europe.

Which anti-fraud tools and techniques will help to spot account takeover?

There are plenty of fraud prevention tools with different names within various providers, but usually, they do the same things.

There are three most spread terms that you’ll probably find while searching for fraud prevention solution for account takeovers:

  • Device Fingerprinting: tracks user device information (device, OS, screen resolution, etc.)
  • IP screening: tracks user IP information (country, IP, city, etc.)
  • Machine Learning models: help to detect fraudsters and their evolving fraud schemes faster than rule-based scenarios (but better use them in combination).

What to do after the account takeover breach?

The best thing is to be prepared, even if you have a trusted anti-fraud provider. Prepare scripts with possible problem-solving schemes: temporary account freeze (how Twitter made it), new password reset notification for user, additional questions for account recovery etc. And always remember: you have no chance to be silent, you must communicate with your customers and make all actions that will make them feel supported and secured.

Takeaway

Account takeover is an underestimated type of fraud that, in reality, does not require overwhelming actions to be taken to beat it. Today’s main task is to spread awareness about this problem and make account takeover prevention comprehensible for everyone. 

Tagged with:
Posted in:
Author: Pavel Gnatenko


Product Owner at Covery, Head of Risk at Maxpay. Pavel has a master's degree in intelligent systems for decision-making. He is a risk management expert with more than seven years of experience in the FinTech. Currently, Pavel is focused on developing Covery – the next generation of risk management platforms.