There’s a war going on in the digital world, one that most consumers are unaware of, despite the impact it could have on their money and their privacy — a battle between fraudsters and security providers over account takeovers.
Just a few years ago, it seemed that the “good guys” had the upper hand on fraudsters when it came to the account takeover battle. Both the number of account takeover incidents and the amount of money lost to fraudsters using the method hit a low point in 2014. But in the years since, hackers and other bad actors have developed and begun using more intelligent and sophisticated techniques and methods in order to penetrate databases and gain access to user credentials. As a result, account takeovers have been steadily on the rise since, and it seems fraudsters have begun to win back ground when it comes to account takeovers.
Account takeovers accounted for more than $2.3 billion in losses last year. That was a 61 percent increase in the money lost to fraudsters using the method compared to 2015, while there was a 31 percent increase in the amount of account takeover incidents compared to 2015.
As the fight rages on, PYMNTS recently caught up with Angel Grant, director of global market strategy for RSA’s Fraud and Risk Intelligence solutions, to find out how fraudsters are getting access to users’ accounts and how they’re using them to wreak havoc, what the latest defenses are and who’s winning the account takeover battle.
Smarter fraudsters, smarter protections
Grant told PYMNTS that as cybercrime and fraud have become more profitable enterprises, cybercrime has truly become a business — hackers and other criminals are looking for the weakest links in order to get the biggest return on their investment of time and effort.
She noted that account takeovers have become more appealing to these bottom line–oriented fraudsters for a few reasons. Most importantly, she said, these fraudsters are looking for ways to make money fast, and account takeovers, while they may be relatively simple attacks, allow them to move quickly, while still bringing in plenty of rewards. That’s because these attacks go after human errors, such as mistakes in website code or a consumer’s mistakenly sharing their log-in credentials with fraudsters.
“Even with all of the fancy, high-tech attacks and methods that have been created and are out there, the number one vulnerability in any system is still humans,” Grant explained.
Grant also pointed out that in order for account takeovers to be effective and worthwhile attacks for fraudsters, they must be able to collect large numbers of credentials as quickly as possible. In order to do this, fraudsters largely either take over legitimate websites that users already trust, stealing the information users share with the trusted site, or establish fraudulent websites, built for the explicit purpose of gathering credentials.
But this need for a high volume of credentials also gives security providers a tool in their fight against fraud, Grant said. Because hackers must determine how many credentials can be stolen and whether the credentials are active, they often use bots or credential stuffing tools to test stolen credentials as quickly as possible. She pointed out that there is a range of approaches IT security professionals can use to identify these active bots in their database, alerting them to a security breach before the credentials are stolen.
“Credential stuffing tools are pretty successful and pretty inexpensive for criminals to acquire via the underground,” Grant said. “But what someone can do to help identify this credential testing, which is often a precursor or warning sign for pending account takeovers, is to invest in their own tools that detect robotic behavior in a website. That way, they can trigger an alert and attack a potential weakness when those tools show that something is up.”
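One way to implement the robotic-behavior detection Grant describes, as an added example that is not RSA’s or PYMNTS’s code: the script below reads login-audit lines (the log format, thresholds, IP addresses and usernames are all constructed for the demonstration) and flags any source address that tries many distinct usernames with a high failure rate inside a short sliding window. That combination is the signature of automated credential testing; a person who forgets a password retries one account, and a shared office address produces many users but few failures, so neither is flagged.

```python
"""Detect credential-stuffing style login bursts in authentication logs.

Added illustrative example (not RSA's or PYMNTS's code). The log format,
thresholds and sample lines below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<user>\S+) (?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 hammers twelve different accounts in six
# seconds (one guess lands), 198.51.100.20 is one user mistyping a password,
# and 192.0.2.5 is a shared office address where several people log in fine.
SAMPLE_LOG = """\
2017-02-01T10:00:00 203.0.113.7 alice FAIL
2017-02-01T10:00:01 203.0.113.7 bob FAIL
2017-02-01T10:00:01 203.0.113.7 carol FAIL
2017-02-01T10:00:02 203.0.113.7 dave FAIL
2017-02-01T10:00:02 203.0.113.7 erin FAIL
2017-02-01T10:00:03 203.0.113.7 frank FAIL
2017-02-01T10:00:03 203.0.113.7 grace OK
2017-02-01T10:00:04 203.0.113.7 heidi FAIL
2017-02-01T10:00:04 203.0.113.7 ivan FAIL
2017-02-01T10:00:05 203.0.113.7 judy FAIL
2017-02-01T10:00:05 203.0.113.7 mallory FAIL
2017-02-01T10:00:06 203.0.113.7 oscar FAIL
2017-02-01T10:00:10 198.51.100.20 carol FAIL
2017-02-01T10:00:25 198.51.100.20 carol FAIL
2017-02-01T10:00:40 198.51.100.20 carol OK
2017-02-01T10:01:00 192.0.2.5 dave OK
2017-02-01T10:01:05 192.0.2.5 erin OK
2017-02-01T10:01:30 192.0.2.5 frank OK
2017-02-01T10:01:45 192.0.2.5 peggy OK
2017-02-01T10:02:00 192.0.2.5 trent OK
"""


def parse(log_text):
    """Turn raw lines into (timestamp, ip, user, success) tuples, skipping junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignore rather than crash the detector
        events.append((datetime.fromisoformat(m["ts"]), m["ip"],
                       m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, within any sliding window, try at least
    min_distinct_users different usernames with a failure rate of at
    least min_fail_ratio. Returns {ip: stats for the busiest such window}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        for i in range(len(evs)):
            start = evs[i][0]
            burst = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in burst}
            failures = sum(1 for e in burst if not e[3])
            if len(users) < min_distinct_users:
                continue  # one person retrying their own account
            if failures / len(burst) < min_fail_ratio:
                continue  # many users but they mostly succeed: shared address
            record = {
                "window_start": start.isoformat(),
                "attempts": len(burst),
                "distinct_users": len(users),
                "failures": failures,
                # accounts the bot got into: the ones to lock and re-verify
                "successful_users": sorted(e[2] for e in burst if e[3]),
            }
            if ip not in flagged or record["attempts"] > flagged[ip]["attempts"]:
                flagged[ip] = record
    return flagged


if __name__ == "__main__":
    for ip, rec in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"credential-testing burst from {ip}: {rec}")
```

The `successful_users` field is the operationally useful part of the alert: those are the accounts whose credentials the tester confirmed as live, so they are the ones to lock or step up authentication on before the takeover that Grant describes as following the testing phase. The two thresholds are deliberately separate; counting distinct usernames alone would flag the office address, and counting failures alone would flag the forgetful user.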
Account takeovers have also begun to affect the mobile world. Grant pointed out that as the usage of mobile devices like smartphones or tablets has risen, so have instances of mobile fraud, and she said that cybercriminals with their sights set on a mobile target have begun to attack weaknesses in companies’ mobile websites or smartphone apps.
“We are definitely seeing fraud in the mobile channel spiking and increasing faster than fraud attempts for the web channel,” Grant said, noting that RSA’s research has found that roughly 60 percent of fraudulent transactions originate from a mobile device.
Specifically, fraudsters have started to build apps that pretend to be legitimate apps for a smartphone from a certain company but are really imposter apps, built for the express purpose of stealing account credentials.
“Organizations should really be monitoring mobile app stores to make sure that these fake mobile apps for their company are not out there, because those can cause lots of brand damage,” Grant said. “These companies also need to educate customers on where and how to appropriately download mobile apps, because they want to reduce fraud, not the number of customers they have using their mobile apps.”
Grant also recommended that companies consider security when building their mobile and smartphone strategy. For example, companies and their security professionals should be investing in mobile-optimized authentication methods, including risk-based authentication processes, biometric options like fingerprint or retina scanning, many of which are already familiar to customers, in order to provide a more complete security solution for their mobile apps.
Who’s winning the account takeover battle?
While fraudsters may be getting their hands on more account credentials than ever before and using those to commit more fraudulent transactions, Grant said that there was reason to believe that security providers are winning the account takeover fight.
She noted that advanced security features, such as biometric authentication devices, are being built directly into the smartphones that consumers use every day, giving companies new tools in the fight against fraudsters. She also pointed out that companies and their leaders are taking security more seriously than they have before, investing in cutting-edge solutions and methods to beat fraudsters at their own game.
“It’s definitely going to be an epic battle to defend the digital universe,” Grant said.
The account takeover battle rages on.
The PYMNTS.com Digital Identity Tracker™, powered by Socure, is a forum for framing and addressing key issues and trends facing the entities charged with efficiently and securely identifying and granting permission to individuals to access, purchase, transact or otherwise confirm their identity.