Account takeovers (ATOs) are a growing source of pain for financial institutions (FIs) and their customers, with losses from these attacks rising 164 percent in 2018.
This fraud type occurs when bad actors seize control of victims’ bank or online merchant accounts and spend the funds they find there, and it is likely to become more frequent until FIs can demonstrate that their defenses are strong enough to deter criminals’ attempts. Those that cannot adequately detect and thwart ATOs cannot safely serve the many consumers who need smooth financial support during the pandemic-related economic downturn, and attempted attacks can be deeply damaging to consumers and banks’ brands alike.
FIs must adopt fraud-fighting measures that are robust but do not create so much friction that legitimate customers find it difficult to access needed services. This means banks need to carefully consider how to maximize their defense strategies while presenting minimal interruption to customers and enabling secure, smooth engagement.
This Deep Dive examines how ATOs are launched and what FIs are doing to better identify and stop such attempts while safeguarding customers’ experiences.
Understanding ATOs
Bad actors attempting ATOs seek to gain control of victims’ bank accounts without alerting FIs, and they therefore aim to obtain the login credentials necessary to smoothly move through FIs’ authentication measures.
A popular brute force method used to accomplish this is credential cracking, in which fraudsters use bots to automatically submit candidate usernames and passwords to login screens in the hope of stumbling on a valid pair. Some of these attacks have bots entering random words and numbers, while others cycle through common usernames and passwords. The malicious programs can work continuously and rapidly, which increases the likelihood that they will eventually hit a correct combination.
A more focused ATO attack type is known as credential stuffing, which is typically conducted by hackers who possess customer login details exposed in data breaches. They count on victims having reused the same usernames and passwords elsewhere and try those breached credentials against the victims’ accounts at other companies, often using bots to submit the login details to many websites at once.
FIs can struggle to detect such attacks because fraudsters provide the authentication details necessary to access the accounts. A survey published in 2019 found that 96 percent of FI respondents relied on username- and password-based authentication, and 44 percent struggled with issues in which bad actors used legitimate, stolen credentials to conduct ATOs. This is a serious problem, as ATOs reportedly led to $4 billion worth of losses in 2018. FIs have therefore been working to upgrade their defenses against such attacks.
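The two attack patterns described above leave different traces in a login log, and the stuffing case is the one that fails to show up as a wall of failures because the credentials are valid. The following Python is an added illustration, not code from the article or from any FI: it parses a constructed log of login attempts, finds each source's busiest five-minute burst, and labels the source as credential cracking (many guesses against one account), credential stuffing (roughly one attempt per account across many accounts, successes included) or normal. The log format, thresholds and sample events are all assumptions made for this example.

```python
"""Separate credential cracking from credential stuffing in login logs.

Added example (not from the article). Log format, thresholds and sample
events are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <OK|FAIL>".
# 198.51.100.7 hammers one account; 203.0.113.9 tries six accounts once each
# and gets two of them right; 192.0.2.44 is an ordinary user mistyping once.
SAMPLE_LOG = """\
2020-05-01T10:00:00 198.51.100.7 alice FAIL
2020-05-01T10:00:01 198.51.100.7 alice FAIL
2020-05-01T10:00:02 198.51.100.7 alice FAIL
2020-05-01T10:00:03 198.51.100.7 alice FAIL
2020-05-01T10:00:04 198.51.100.7 alice FAIL
2020-05-01T10:00:05 198.51.100.7 alice FAIL
2020-05-01T10:00:10 203.0.113.9 bob FAIL
2020-05-01T10:00:11 203.0.113.9 carol OK
2020-05-01T10:00:12 203.0.113.9 dave FAIL
2020-05-01T10:00:13 203.0.113.9 erin OK
2020-05-01T10:00:14 203.0.113.9 frank FAIL
2020-05-01T10:00:15 203.0.113.9 grace FAIL
2020-05-01T09:30:00 192.0.2.44 heidi FAIL
2020-05-01T09:30:20 192.0.2.44 heidi OK
"""


@dataclass
class Finding:
    source_ip: str
    pattern: str            # "credential_cracking", "credential_stuffing" or "normal"
    attempts: int
    distinct_users: int
    successes: int
    compromised_users: tuple  # accounts a stuffing source logged into


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, user, succeeded) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort()
    return events


def busiest_window(evs, window):
    """Return the slice of time-sorted evs holding the most attempts within `window`."""
    best = evs[:1]
    end = 0
    for start in range(len(evs)):
        while end < len(evs) and evs[end][0] - evs[start][0] <= window:
            end += 1
        if end - start > len(best):
            best = evs[start:end]
    return best


def classify_sources(events, window=timedelta(minutes=5), min_attempts=5, stuffing_spread=0.8):
    """Label each source IP by the shape of its busiest burst of login attempts."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        burst = busiest_window(evs, window)
        attempts = len(burst)
        users = {u for _, _, u, _ in burst}
        successes = [u for _, _, u, ok in burst if ok]
        pattern = "normal"
        if attempts >= min_attempts:
            if len(users) == 1:
                pattern = "credential_cracking"       # many guesses, one account
            elif len(users) / attempts >= stuffing_spread:
                pattern = "credential_stuffing"       # one guess each, many accounts
        compromised = tuple(sorted(set(successes))) if pattern == "credential_stuffing" else ()
        findings.append(Finding(ip, pattern, attempts, len(users), len(successes), compromised))
    return findings


def accounts_needing_step_up(findings):
    """Accounts a stuffing source logged into: the password is valid, so step-up or reset is the lever."""
    return sorted({u for f in findings for u in f.compromised_users})


if __name__ == "__main__":
    results = classify_sources(parse_log(SAMPLE_LOG))
    for finding in results:
        print(finding)
    print("step-up / reset required:", accounts_needing_step_up(results))
```

The point the log makes concrete is that a failure-rate rule alone would catch the cracking source and miss the stuffing source, whose two successful logins look like ordinary customers; the distinct-accounts-per-source ratio is what exposes it, and the successful accounts are the ones to push into step-up authentication rather than simply block.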
Detecting And Thwarting Attacks
FIs have adopted numerous security methods as they seek to protect customers’ accounts from bad actors who hold the right login details. A popular protection method involves requiring users to present more information to confirm their identities, which raises the number of details that bad actors must input. Sixty-five percent of FIs in a 2018 survey said they ask customers to answer security questions based on personal information, such as the names of their pets or the streets on which they grew up, as part of their authentication procedures. This method has downsides, however. Determined fraudsters can find many of these answers online, and some consumers find filling out such details to be tedious.
Another common security step entails requiring customers to make their passwords long and complex. This approach can make it more difficult for bots to rely on random guesses to crack into accounts by simply plugging in common password and username combinations. Many FIs are also adopting multi-factor authentication (MFA), which requires customers to confirm their identities in several ways, such as by entering login details and keying in a one-time code sent to their smartphones via text. This can bolster security but can still fall short if bad actors have already taken over mobile phone accounts and can intercept codes. Each additional security measure FIs apply — even if it has weaknesses — still makes it more challenging for cybercriminals to access victims’ accounts.
Efforts to make authentication more difficult for fraudsters and quicker for legitimate users have led some FIs to adopt biometric authentication methods. Customers using mobile banking apps might scan their fingerprints to confirm their identities, for example. Such tools enable users to log in using few steps, and bots are unlikely to be able to fake credentials that depend on unique physical traits. Consumers also appear to be open to such methods, with 53 percent of credit card holders surveyed in 2019 saying they would change to banks that offered biometric authentication.
Banks working to make logins seamless are also tapping behind-the-scenes solutions to assess whether accounts have been taken over or whether attacks could be underway. Many are leveraging machine learning (ML)- or artificial intelligence (AI)-powered tools to analyze customers’ behaviors for unusual activities that could indicate fraud. Deviations from normal transaction behaviors, such as large payments being sent to accounts with which customers have not previously transacted, would be red flags, for example. Significant differences in behavioral biometrics — details such as users’ typical keystroke patterns or how they usually navigate banks’ websites — could also indicate that fraudsters have compromised accounts. A 2019 report found that 71 percent of respondents felt more confident in FIs that used behavioral biometrics to safeguard their funds.
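The transaction-deviation red flag in the paragraph above (a large payment to a payee the customer has never used) can be shown as a small scoring rule. The Python below is an added example, not code from the article or from any bank's fraud engine: it builds a baseline from a constructed history of one customer's transfers, scores a new transfer on three signals (unknown payee, amount far above the customer's norm, amount above anything seen before) and maps the score to a post-login action. The history, weights and thresholds are assumptions made for the example; a production model would use per-payee baselines, device and session signals, and far more history.

```python
"""Score a transfer against a customer's own transaction baseline.

Added example (not from the article). Transfer history, weights and
thresholds are constructed for illustration.
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount: float


# Constructed 90-day history for one customer: rent, utilities, groceries.
HISTORY = [
    Transfer("landlord", 1200.0), Transfer("utility-co", 140.0),
    Transfer("utility-co", 155.0), Transfer("grocer", 92.5),
    Transfer("grocer", 110.0), Transfer("landlord", 1200.0),
    Transfer("grocer", 87.0), Transfer("utility-co", 150.0),
]


def build_profile(history):
    """Summarize what 'normal' looks like for this customer."""
    amounts = [t.amount for t in history]
    return {
        "payees": {t.payee for t in history},
        "mean": statistics.fmean(amounts),
        "stdev": statistics.pstdev(amounts) or 1.0,   # avoid division by zero
        "max": max(amounts),
    }


def score_transfer(profile, transfer, z_limit=2.0, z_cap=5.0):
    """Return (risk score, reasons). Each signal adds to the score independently."""
    score, reasons = 0.0, []
    if transfer.payee not in profile["payees"]:
        score += 2.0
        reasons.append("payee never used before")
    z = (transfer.amount - profile["mean"]) / profile["stdev"]
    if z > z_limit:
        score += min(z, z_cap)                        # cap so one huge amount cannot dominate
        reasons.append(f"amount {z:.1f} standard deviations above the customer's mean")
    if transfer.amount > profile["max"]:
        score += 1.0
        reasons.append("exceeds the largest transfer in the history")
    return score, reasons


def decide(score, step_up_at=2.0, hold_at=5.0):
    """Map a risk score to the action taken before the transfer is released."""
    if score >= hold_at:
        return "hold_and_contact_customer"
    if score >= step_up_at:
        return "step_up_authentication"
    return "allow"


def evaluate(transfer, history=HISTORY):
    """Convenience wrapper: baseline, score and decision for one transfer."""
    score, reasons = score_transfer(build_profile(history), transfer)
    return decide(score), score, reasons


if __name__ == "__main__":
    for candidate in (
        Transfer("grocer", 95.0),          # routine
        Transfer("landlord", 1200.0),      # large but habitual
        Transfer("utility-co", 1500.0),    # known payee, unusual size
        Transfer("unknown-acct", 4800.0),  # the red flag from the text
    ):
        print(candidate, "->", evaluate(candidate))
```

Two design points are worth noticing. The habitual rent payment scores zero even though it is the largest amount in the history, because the baseline is per customer rather than a global threshold; and the unknown-payee signal is weighted so that it alone triggers step-up, which is the friction-versus-security balance the article keeps returning to: the legitimate customer answers one extra challenge, while a fraudster holding valid credentials is stopped before the money moves.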
ATOs can put FIs and customers at serious risk of losses, but banks are looking to strengthen the strategies they use to separate fraudsters from legitimate customers. Robust security measures need to be coupled with convenient customer experiences to ensure that defenses do not prevent genuine users from accessing their accounts. Banks are now adopting powerful biometric authentication and behavioral analysis approaches to strike this balance as they strive for seamless ATO prevention.