Account Takeover

Peter Taylor Reports for Phronesis Technologies

The ‘new’ kid on the block?

Let's be clear, account takeover (ATO) fraud is not new – ATO fraud has been a concern for companies, particularly online retailers, for over a decade. Simply put, ATO is essentially online identity theft – cybercriminals gain access to an account that does not belong to them, then use this unauthorised access to carry out illicit transactions. For example, they may use your account to purchase items, or lock you out of your account before selling it on to other fraudsters.

However, in its recently released 2020 Digital Trust & Safety Index, Sift, the payment fraud solutions company, revealed that instances of recorded ATO attacks have vastly increased – by 282% between Q2 2019 and Q2 2020. This is largely believed to be due to a rise in digital business and online shopping since the COVID-19 outbreak. Similarly, the number of stolen credentials for sale on the dark web has increased by a huge 300%.

Committing the Fraud

Numerous methods of obtaining personal details exist. Fraudsters can hack computer systems, breaching their defences to steal data, use malware to obtain vital information or coerce a potential victim into directly providing the information needed, through social engineering. Even simpler, many cybercriminals simply purchase already stolen credentials, from an insider, or on the dark web.

Once credentials have been obtained, a document known as ‘fullz’, also available on the dark web, is utilised. Fullz (full or partial) can enable fraudsters to input the data they are currently in possession of and search both illegal and legal websites to find any missing information. Social media sites are among those scoured – highlighting a sinister significance to the various data-input activities regularly undertaken by their users. Details in high demand include mother’s maiden name, commonly used aliases, vehicle details, previous addresses, driving licence details, national insurance/social security numbers, pay slip data, and of course passwords (particularly banking). These crucial snippets greatly aid would-be fraudsters in circumventing even the best additional security checks. Fullz documents can even be purchased with an included credit check on an intended victim. This small upgrade increases a fraudster’s chances of being accepted for credit on behalf of a potential victim.

Once in possession of various personal details, fraudsters can undertake various types of illegal activities. For example, they could impersonate their victim to open a new line of credit. Thorough criminals will change account details, e.g., address and email address, to delay detection. During this window of activity, most fraudsters open numerous accounts, also likely undertaking other types of fraud using the same identity. If a card has been stolen, but the PIN is not known, fraudsters will make use of online retailers. Providing they have the billing address, most retailers will not stop such transactions until the card is reported lost or stolen. To combat this, multi-factor authentication and ‘Verified by Visa’ are now in common use as second-tier authorisation. However, if, through methods previously discussed, the criminal has identified the password or even the victim’s D.O.B., they can often still circumvent 3D Secure or be granted permissions to change aspects of the account they do not have access to. Furthermore, I have it on good authority that a large proportion of the public have not actually set up multi-factor authentication. As a result, criminals exploit this gap and continue to make fraudulent purchases, some even going as far as setting up the service themselves, on behalf of the victim. This facilitates large purchases, easily passing the second-tier authorisation and providing access to services such as transferring money.

Fighting Back

Organised fraudsters use strict controls, enabling them to hide in the shadows. Often using permanent locations, operating out of sight, they have clear goals and organised, ever-evolving strategies. To combat fraud, I suggest focusing on four key areas:

  • Prevention – ensure your organisation is committed to the fight against fraud, with a reputation of zero tolerance
  • Detection – have the capability to identify attacks as they happen, utilising manual and automated processes, as well as other resources, designed to spot fraud
  • Containment – respond appropriately when fraud is committed or attempted
  • Learning – learn from previous instances of fraud and review systems regularly to improve prevention, detection, and containment

In addition to the financial cost of ATO fraud, it also presents a real threat to brand loyalty. Over 56% of customers surveyed by Sift said that if they discovered that their personal data had been compromised, they would stop doing business with the breached site and choose another provider.

Fraud prevention and early detection are paramount – ATO criminals are educated, organised and experienced, and are as focused on ROI as any other revenue-generating business. However, if an organisation presents robust systems and a zero-tolerance policy, and regularly rebuffs criminals attempting to fraudulently obtain money or other assets from its customers, those criminals will likely move on to a target who is easier to compromise.

Peter Taylor is an accomplished and distinguished fraud expert and investigator. He began his career with Greater Manchester Police, before obtaining the position of Head of Fraud for Major Loss Adjusters. Since founding a consultancy firm, Peter has expanded his areas of expertise and is a cross-industry specialist in cybercrime and counter-fraud measures.

As Phronesis continues to expand, now offering our Mobile Identity and Fraud Prevention services directly to enterprise, we wanted to commission research into cybercrime, and the many facets within, to both add to our understanding, and to share with our growing network of partners, clients, followers, and of course to those who generally operate in the sector.

Sponsored by Phronesis Technologies Limited.

Edits and afterword by Toni Pickering

