As Financial Institutions (FIs) are all too aware, fraud remains a multi-billion dollar issue that impacts their business, their reputation and their customers. In 2016 alone, fraud impacted 15.4 million consumers, with approximately $16 billion stolen by fraudsters.[i] FIs are seeing steady increases in both loss volume and incidence as fraudsters refine their tactics and approaches.
There are many fraud channels, including existing card fraud (ECF), existing non-card fraud (ENCF), new account fraud (NAF), card-not-present fraud (CNP) and account takeover fraud (ATO). In this blog, we’re looking at Account Takeover Fraud and its impacts on FIs and consumers.
What are the implications of ATO fraud and what can FIs and consumers do to tackle it?
Account Takeover Fraud – Rising Incidence, Increasing Costs
ATO is a type of fraud in which the fraudster takes ownership of a victim’s account(s) through various means. Typically, a fraudster will need account information (number, user name, password/other credentials) in combination with personally identifiable information (PII) or details gleaned from social media to gain ownership of an account.
Often, fraudsters will obtain basic PII such as First/Last name, address and phone from social media, while Social Security Number or account numbers can be acquired through data breaches. Alternatively, they can purchase information from hackers on the Dark Web that ranges from log-in credentials to sensitive PII.
Once fraudsters have this initial information, they will try password attempts through bot networks, social media data mining, and social engineering to access those accounts. A fraudster, armed with an account number, a first name and a sense of urgency, can potentially convince a customer service representative to update the phone and email information for a given account. Once those primary contact channels are sending communications to the fraudster, they can effectively take over the account.
Once the fraudster gains access to an account, they can monetize it in a number of ways. Whether they are opening new credit cards and maxing them out, transferring funds from the victim account to one accessible to the fraudster, or making purchases using the compromised account information, the ultimate goal is to derive profit from the compromised account.
ATO fraud saw an increase in 2016, both the incidence (31% increase) and actual losses (61% increase). Additional impacts included the increase in resolution hours, resulting in more than 20 million hours dedicated to resolving ATO fraud instances.[ii]
Longer to Detect, Harder to Resolve, More Expensive
ATO fraud recognition and prevention is of particular importance for both FIs and consumers. ATO fraud takes longer to detect than many other types of fraud, meaning the criminals have more time to profit from their activities.
Compounding the impact of a lengthy ATO discovery cycle is the actual consumer cost. According to the Javelin study, victims of account fraud payed $263 on average, which is 5 times higher than other types of fraud.[iii] Not only are consumers taking longer to find ATO fraud, they’re paying more when the fraud happens.
Financial institutions feel the sting of ATO as well, particularly when it comes to customer service time. Resolution hours for ATO were near-record levels in 2016. The reasons for increased resolution times center around the fact that the fraud amount tends to be much higher, and ATO can be more difficult to confirm as fraudulent activity.
ATO Fraud Detection and Prevention
ATO fraud detection is very difficult. Once an account is compromised, FIs and consumers alike are often alerted only when an adverse event occurs, such as a maxed out credit card, an empty bank account balance, or a collections notice for an unpaid balance.
Because detecting ATO fraud is so challenging, consumers and FIs both benefit from robust prevention tactics. One approach both FIs and consumers can employ is an identity protection service. ID protection services help prevent breaches and can provide rapid notification of any potentially fraudulent activity.
From the FI perspective, there are other specific initiatives and technology solutions available as well.
FIs and ATO Prevention
Two primary ways FIs can combat ATO fraud are increased use of biometrics (both behavioral and physical) and tokenization.
Biometric security solutions can be an excellent way for FIs to combat ATO fraud. When combined with primary security measures like username/password combinations, challenge questions and PINs, biometrics can effectively arrest ATO in its tracks.
Biometric solutions can be applied in a number of ways. Face, fingerprint and iris recognition methods are all excellent options and are difficult to compromise. Overcoming consumer reluctance to adopt these methods is one of the primary challenges facing FIs, as requiring in-depth biometric verification increases friction for consumers and makes it more difficult for them to conduct their legitimate business.
Behavioral biometrics can be a powerful prevention measure as well. Behavioral biometrics can include quantifiable items like the amount of time it takes an individual to log into an account, on-screen mouse behavior, the language used on a computer/tablet/phone and how an individual keys in information. All of these behavioral patterns can help protect consumer assets and effectively halt fraudulent activity without impacting the day-to-day activity of legitimate customers.
Tokenization allows FIs to build specific profiles for individual consumers by replacing sensitive and personally identifiable information (PII) with randomly generated substitute values. Tokens can be specific to a merchant, lender, card, individual transaction, or device.
Tokenization is an appealing prevention method for ATO because it is not exposing sensitive information to fraudsters. It can function as a “digital signature” for a specific device, account or individual that is virtually impossible to replicate and authenticate, creating an excellent layer of fraud prevention. It is often running behind the scenes and generally does not impact consumer experiences as they conduct their financial business.
Consumers and ATO Prevention
Consumers must also play an active role in preventing ATO fraud. From the consumer perspective, the top tactics are vigilance and improved password development.
Being aware of the potential for ATO fraud is one of the keys to detecting if it happens. Consumer vigilance is also critical to quick detection of fraud. Consumers should actively monitor their credit scores and accounts, as well as sign up for account alerts. Keeping a finger on the pulse of account activity has become more important as fraudsters are aggressively targeting digital channels.
Finally, consumers need to get in the habit of creating complex, unique passwords for each of their financial accounts. Fraudsters will often test lists of passwords they have stolen against other consumer accounts, so having a unique password for each account can help consumers prevent ATO. Consumers can also set up two-factor authentication (for example, a username/password and a one-time PIN sent to your authenticated mobile device) to help combat ATO fraud.
A Multi-Pronged Approach to a Complex Problem
Account takeover fraud is seeing an uptick in prevalence, increased time to detect, and higher out of pocket expenses for victims. The good news? Both FIs and consumers can actively take steps to combat and prevent ATO fraud.
For FIs, implementing biometric security measures and instituting tokenization elements for account management can help cut down ATO. For consumers, strong password creation, education and vigilance are the keys to keeping accounts out of fraudster hands.
[i] Identity Fraud Hits Record Number of Americans in 2016, NBC News (Herb Weisbaum)
[ii] Identity Fraud Hits Record High with 15.4 Million U.S. Victims in 2016, Up 16 Percent According to New Javelin Strategy Research Study, Javelin Strategy & Research (Press Release)