NuData: Countering Account Hijacking With Behavioral Analytics

Justin Fox

With so much of life lived on devices, those devices are where hackers are finding what they need to hijack user accounts and do the most damage. The entire process of account hijacking, or account takeover — in which bad actors steal identities by gaining illegal access to user accounts – has spiked with the digital-first economy.

A recent report shows the activity and potential damage. Of all login attempts measured by Security Boulevard so far this week, 33.8 percent came from bots attempting to take over accounts. On average, websites were under an account takeover attack 16 percent of the time.

It is a constant battle that becomes more urgent by the day. Justin Fox, DevOps director at Mastercard’s NuData Security, told PYMNTS in an interview that passive biometrics –and a layered approach to protecting and analyzing consumer-level data – can be among the first and best lines of defense.

At a high level, Fox said, “one of the biggest misconceptions is that all that matters is the most common form of account takeover.” But enterprises and consumers must be vigilant about data breaches, which seem to occur with almost daily frequency, using complicated methodologies that expose sensitive account information – especially through social engineering and phishing.

A proactive strategy lies with making sure the large amount of data that has been exposed (and has yet to be exposed) can be rendered valueless. On the consumer side, Fox said, “we need to stop using the same credentials on every single website.”

The email account may still be the sweetest target for maximum damage, Fox said — as many use a range of mail clients attached to their devices, especially mobile phones. If attackers can compromise an email account, they gain the keys, realistically speaking, to their victims’ everyday lives.

The urgency is there, as hardware and software are used against us, especially amid the pandemic. Experienced attackers are trying to use malware — embedded in infected apps, or in phony apps that  “dupe” legitimate ones — to convince unwitting victims to download and install it on their devices, all in pursuit of the functionality tied to that app (such as a flashlight).

“Mobile games are proving especially attractive to fraudsters, as younger users are particularly vulnerable to downloading them, especially when they are free,” said Fox. “All an attacker needs are internet and SMS privileges (common permissions when downloading and installing an app), and they can conduct a considerable amount of surveillance on compromised devices. And then when you click on the app, all of a sudden, you can be hijacked.”

Beware The Overlays 

Drilling a bit deeper, Fox said, “overlays” that impersonate apps’ login screens can trick users into providing information on what they think is a legitimate website or app. A user logs into their app, which has an invisible blanket (the overlay) that the bad actor uses to collect the login credentials.

If the app sends an SMS to the user to verify them, the bad actor, who already obtained SMS access rights through malware, can intercept this text and access the account. Meanwhile, the user only sees a fake page that says “loading,” and assumes it’s just taking longer than usual. Once the bad actor gets what they want inside the account (a purchase, a money transfer, etc.), they leave the app and remove the overlay. Then, the user is finally inside their account without realizing what’s happened.

The ubiquitous nature of cell phones – and the fact that so much of daily life is lived without face-to-face interactions (i.e., banking) – means that fraudsters can get away with a lot, and quickly. Fox recounted a personal story where a relative was called purportedly by Microsoft’s call center, from a U.S. number that seemed legitimate, and handed over her payment credentials. The fraudster ran up several charges from Uber before being caught months later.

“Fear, greed, curiosity, urgency and helpfulness are all commonly used emotions to exploit us. A lot of online services have us provide our data or metadata as part of our payment for using that service,” explained Fox. A single breach can turn that data into the gift that keeps on giving — for the bad guys.

Passive Biometrics – And Beyond 

To thwart these rapidly evolving schemes, advanced technologies can be used to detect behavioral anomalies, including passive biometrics. The behavior of a fraudster is different from that of a legitimate user, Fox said. “The behavioral data, such as the speed, pattern or browsing cadence, will be different from the user’s expected behavior. And that can be a red flag for the service provider, the bank or the eCommerce site.”

Those behavioral analytics can be gleaned from how a user browses the web or app, whether the consumer is swiping or tapping, how often they might visit a particular site or how long it takes them to finalize a transaction. By way of contrast, a bot controlled by a fraudster will likely, in Fox’s words, “go straight for what they are after a lot of the time,” which highlights this different behavior.

NuData has other layers of security and analysis that focus on device intelligence, Fox said. “Device intelligence often tells us: If you’re an Android user and suddenly somebody is using an iPhone to access your account, we can pinpoint that. We can also tell as you upgrade and change the device between software updates, even when resetting the device, that that device is still yours, and can recognize your usage.”

The company also has the eponymous Trust Consortium, which monitors hundreds of billions of events globally — anonymized and aggregated, from its clients —and sends the information to the consortium for more context.

“You’ve got to make sure you are deploying a multi-layered strategy, and that you are not breaking accessibility for sensitive populations that all of a sudden will no longer be able to access your service,” noted Fox.