Petabytes of compromised personal information and card data are being commoditized for sale on the dark web, ushering in an era of what’s being called “industrial-scale account takeover” (ATO). The problem is growing as more commerce moves online — and is exposed.
According to PYMNTS’ July 2020 FI Fraud Decisioning Playbook sponsored by Simility, a PayPal service, “This fraud type occurs when bad actors seize control of victims’ bank or online merchant accounts and spend ill-gotten funds, and it is likely to become more frequent until FIs can demonstrate that their defenses are strong enough to deter criminals’ attempts.”
“Those that cannot adequately detect and thwart ATOs cannot safely serve the many consumers who need smooth financial support during the COVID-19-related economic downturn, and attempted attacks can be deeply damaging to consumers and banks’ brands alike.”
Strategies to combat the advancing ATO threat are core content in the latest FI Fraud Decisioning Playbook, which also contains valuable use cases for recovering businesses.
Tricks Of The Trade
Monstrously clever cybercrooks have favored tricks of their trade which come and go almost seasonally. ATO is immensely popular with baddies right now, and they’re not polite about it.
“A popular brute force method used to accomplish [ATO] is credential cracking, which involves fraudsters using bots to automatically plug potential usernames and passwords into login screens in the hopes of stumbling across the correct credentials,” per the new Playbook.
“A more focused ATO attack type is known as credential stuffing, which is typically conducted by hackers who possess customer login details that have been exposed in data breaches. Hackers attempt to find victims who have used the same usernames and passwords that were exposed in breaches and input these details into victims’ accounts at other companies, and they often leverage bots to plug this login information into many websites.”
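The two bot patterns the Playbook describes leave different fingerprints in an authentication log: credential cracking hammers one username with many passwords, while credential stuffing tries one breached password per username across many accounts. The following is an added example (not from the Playbook or PYMNTS) that profiles a constructed auth log by source address and labels each source using those two shapes; the log format, thresholds and sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")

# Constructed sample auth log for this example (not from any real system).
SAMPLE_LOG = """\
2020-07-01T10:00:01 203.0.113.5 alice FAIL
2020-07-01T10:00:02 203.0.113.5 alice FAIL
2020-07-01T10:00:03 203.0.113.5 alice FAIL
2020-07-01T10:00:04 203.0.113.5 alice FAIL
2020-07-01T10:00:07 203.0.113.9 carol FAIL
2020-07-01T10:00:07 203.0.113.9 dave FAIL
2020-07-01T10:00:08 203.0.113.9 erin FAIL
2020-07-01T10:00:08 203.0.113.9 frank OK
2020-07-01T10:00:09 203.0.113.9 grace FAIL
2020-07-01T10:00:30 198.51.100.7 bob FAIL
2020-07-01T10:00:35 198.51.100.7 bob OK
"""

def profile_sources(log_text):
    """Per source IP: attempt count, distinct usernames, failure count, accounts logged into."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0, "hits": []})
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):  # skip malformed lines
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].append(m["user"])  # a success inside a bot burst is the account to review
    return stats

def classify_sources(log_text, min_attempts=4, min_fail_ratio=0.8):
    """Return {ip: (label, hit_users)}; label is cracking, stuffing, suspicious or normal."""
    verdicts = {}
    for ip, s in profile_sources(log_text).items():
        fail_ratio = s["fails"] / s["attempts"]
        spread = len(s["users"]) / s["attempts"]  # 1.0 means every attempt used a new username
        if s["attempts"] < min_attempts or fail_ratio < min_fail_ratio:
            label = "normal"
        elif spread >= 0.8:
            label = "credential_stuffing"  # one try per username across many accounts
        elif len(s["users"]) <= 2:
            label = "credential_cracking"  # many guesses hammered at the same username
        else:
            label = "suspicious"
        verdicts[ip] = (label, s["hits"])
    return verdicts
```

Calling `classify_sources(SAMPLE_LOG)` flags the first address as cracking, the second as stuffing with `frank` as the account that needs a forced credential reset, and leaves the legitimate user with one typo alone.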
Whatever their preferred poison, fraudsters can be stopped with the right tools. Increasingly that points to biometrics, artificial intelligence (AI) and machine learning (ML), often synchronized in cloud platforms for faster processing of larger datasets.
Orchestrating The Answer
“Efforts to make authentication more difficult for fraudsters and quicker for legitimate users have led some FIs to adopt biometric authentication methods. Customers using mobile banking apps might scan their fingerprints to confirm their identities, for example. Such tools enable users to log in using few steps, and bots are unlikely to be able to fake credentials that depend on unique physical traits,” according to the July 2020 FI Fraud Decisioning Playbook.
“Many [banks] are leveraging ML- or artificial intelligence (AI)-powered tools to analyze customers’ behaviors for unusual activities that could indicate fraud. Deviations in normal transaction behaviors, such as large payments being sent to accounts with which customers have not previously transacted, would be red flags, for example. Significant differences in behavioral biometrics — details such as users’ typical keystroke patterns or how they usually navigate banks’ websites — could also indicate that fraudsters have compromised accounts.”