Account takeovers are on the rise. While the methods and approaches by which they are carried out can vary, a few common account takeover scenarios are emerging. Understanding the nuances of account takeover attempts (the preliminary steps fraudsters perform to make the attacks successful, and the first indications that an account may be compromised) can be the best way to prepare for and mitigate them.
A string of data breaches has compromised millions of username/password combinations, which fraudsters then use to gain unauthorized access to users’ accounts.
What it is – Leveraging the dark web, fraudsters can purchase compromised usernames and passwords (credentials), which are typically available as the result of a data breach. Using free, automated software, they can churn through hundreds of credentials and determine which ones are valid and able to be monetized. From here, they can attempt to resell these “validated” credentials or exploit them by launching account takeover attempts to make unauthorized purchases, withdraw funds, steal loyalty points, or commit other malicious attacks against the account.
Why it works – Consumers often reuse the same credentials across multiple accounts. This means a breach at one organization can quickly cascade across a number of industries – financial services, retail, travel and entertainment, and more. This multiplies the problem for victims and, at the same time, enables the fraudster to more easily monetize the data and use account takeover attempts to compromise more accounts.
Steps to mitigate – A key measure against these types of threats is for organizations to first observe baseline activity across all their digital channels. When armed with an understanding of normal user behavior, it is easier to spot abnormal patterns, which can then be analyzed and detected. For example, in a typical account takeover scenario, unusual behavior could mean a series of successful logins where the user immediately logs out of the account without any other activity. It could also mean a series of failed login attempts over a short period of time. Knowing what is “normal” can help you quickly identify account takeover attempts.
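The two patterns described above, turned into detection logic over a small set of constructed login events. This is an added illustration, not code from the original article or from Accertify; the event format, field names and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data: (timestamp, user, source_ip, event).
# Source 203.0.113.5 cycles through many accounts with rapid failures (credential stuffing);
# 'carol' shows a successful login followed by an immediate logout with no other activity.
EVENTS = [
    ("2024-01-10T09:00:00", "alice", "203.0.113.5", "login_fail"),
    ("2024-01-10T09:00:01", "bob", "203.0.113.5", "login_fail"),
    ("2024-01-10T09:00:02", "carol", "203.0.113.5", "login_fail"),
    ("2024-01-10T09:00:03", "dave", "203.0.113.5", "login_fail"),
    ("2024-01-10T09:00:04", "erin", "203.0.113.5", "login_fail"),
    ("2024-01-10T09:00:05", "carol", "203.0.113.5", "login_success"),
    ("2024-01-10T09:00:09", "carol", "203.0.113.5", "logout"),
    ("2024-01-10T09:15:00", "frank", "198.51.100.7", "login_fail"),
    ("2024-01-10T09:15:20", "frank", "198.51.100.7", "login_success"),
    ("2024-01-10T09:16:00", "frank", "198.51.100.7", "view_balance"),
    ("2024-01-10T09:20:00", "frank", "198.51.100.7", "logout"),
]

def parse(events):
    return [(datetime.fromisoformat(ts), u, ip, ev) for ts, u, ip, ev in events]

def failed_login_bursts(events, window_s=60, threshold=5):
    """Source IPs with at least `threshold` failed logins inside any window_s-second window."""
    by_ip = defaultdict(list)
    for ts, _, ip, ev in parse(events):
        if ev == "login_fail":
            by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):           # sliding window over sorted timestamps
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def touch_and_go_logins(events, max_gap_s=30):
    """Users whose successful login is followed directly by a logout, with nothing in between."""
    per_user = defaultdict(list)
    for ts, user, _, ev in parse(events):
        per_user[user].append((ts, ev))
    flagged = set()
    for user, seq in per_user.items():
        seq.sort()
        for (t1, e1), (t2, e2) in zip(seq, seq[1:]):
            if e1 == "login_success" and e2 == "logout" and (t2 - t1).total_seconds() <= max_gap_s:
                flagged.add(user)
    return flagged
```

The thresholds are the "baseline" the text refers to; in practice they should be derived from observed normal traffic per channel rather than fixed.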
Malware is a malicious software program that an unsuspecting victim downloads and installs.
What it is – Malware can be spread in many different ways; the most common is through social engineering schemes, particularly phishing emails. The email will instruct the target to click a link or open an attachment, perhaps to verify their account information or confirm other personal details. Opening the attachment or clicking the link installs the malware, through which individuals unknowingly divulge passwords or other sensitive personal information that criminals can use to commit fraud.
Why it works – Despite many awareness campaigns, consumers continue to fall prey to these attacks. Equally, fraudsters have evolved and are adept at making phishing emails, attachments and fake websites look almost indistinguishable from the legitimate organization.
Steps to mitigate – Device intelligence software can be an effective countermeasure, as it can detect malware on mobile devices. It can also discern whether devices have been rooted or jailbroken, a telltale indicator that malware may be present. Insight into the device, and knowledge of whether malware is present, helps prevent fraud attacks from originating there.
Subscriber Identity Module (SIM) Swap
The SIM card inside your phone is a small plastic chip that tells your mobile device which cellular network to connect to and which phone number to use.
What it is – The criminal calls the cellphone provider purporting to be the legitimate owner. The fraudster has personal information about that legitimate person – including date of birth, email address, mother’s maiden name, home address, etc. – that may have been deduced via social media platforms, phishing attacks, or other public data sources. Once the phone number is assigned to the new device (controlled by the fraudster), all of the legitimate owner’s incoming calls and text messages (SMS) are routed to the fraudster’s phone. At this point, the fraudster can intercept any one-time SMS passcodes or telephone calls made to the victim, thereby circumventing key security features of accounts (bank accounts, email accounts, social media accounts, etc.) that rely on SMS or calls as a second factor of authentication (2FA).
Why it works – The consumer does not know it is happening. Everything going on behind the SIM swap is largely out of the consumer’s control. The only outward signs are that the mobile device no longer has a signal, or a brief pop-up notification indicating that the SIM card has been assigned to a new device.
Steps to mitigate – First, consumers can employ some good hygiene practices: don’t reply to calls, emails, or text messages that request personal information; limit the personal information you share online; and set up a PIN or password as an extra measure of security on your cellular account. Second, organizations can employ a multi-layered defense strategy to detect unusual activity after a SIM swap occurs. These strategies help distinguish fraudulent or atypical activity from normal behaviors and legitimate customers. Another strategy gaining traction is to explore non-SMS communication methods for 2FA. Accertify has developed technology that binds to the physical device rather than the phone number, enabling secure, contextual 2FA messages delivered to that device.
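A teaching model of why a device-bound second factor is not defeated by a SIM swap. This is an added example, not Accertify's technology or code: it assumes a per-device secret provisioned once at enrollment and kept in the device's secure storage, a challenge that is delivered to that device rather than by SMS, and an HMAC over the challenge plus transaction context as the response.

```python
import hmac, hashlib, secrets

def device_response(key, nonce, context):
    """Computed on the enrolled device with its stored key; the reply is bound to this
    challenge (nonce) and to the transaction context, so it cannot be reused elsewhere."""
    return hmac.new(key, nonce + context.encode(), hashlib.sha256).digest()

class DeviceBoundAuth:
    """Server side of the illustrative protocol (an assumption for this example)."""
    def __init__(self):
        self.device_keys = {}   # device_id -> secret provisioned at enrollment
        self.pending = {}       # challenge_id -> (device_id, nonce, context)

    def enroll(self, device_id):
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key              # handed to the device once; never sent over SMS

    def issue_challenge(self, device_id, context):
        cid = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.pending[cid] = (device_id, nonce, context)
        return cid, nonce       # pushed to the enrolled device, not to a phone number

    def verify(self, cid, response):
        entry = self.pending.pop(cid, None)   # single use: a challenge cannot be replayed
        if entry is None:
            return False
        device_id, nonce, context = entry
        expected = device_response(self.device_keys[device_id], nonce, context)
        return hmac.compare_digest(expected, response)

def demo():
    """Returns (legitimate reply accepted, reply without the device key rejected, replay rejected)."""
    server = DeviceBoundAuth()
    ctx = "transfer:500.00:acct9876"         # constructed transaction context
    key = server.enroll("alice-phone-1")
    cid, nonce = server.issue_challenge("alice-phone-1", ctx)
    legit = server.verify(cid, device_response(key, nonce, ctx))
    # Someone who now receives alice's calls and SMS but does not hold her device has no
    # key to compute the response, so any reply they produce fails verification.
    cid2, nonce2 = server.issue_challenge("alice-phone-1", ctx)
    no_key = server.verify(cid2, device_response(b"not-the-device-key", nonce2, ctx))
    # The earlier legitimate response cannot be replayed against its consumed challenge.
    replay = server.verify(cid, device_response(key, nonce, ctx))
    return legit, no_key, replay
```

Contrast this with an SMS one-time code, which is delivered to whatever device the carrier currently associates with the number; the example shows why the text's recommendation shifts the factor from the number to the device.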
Account takeover scenarios are complex and difficult to unravel. While many organizations may utilize a number of solutions to help prevent these attacks, juggling multiple vendors can present a fragmented risk picture and introduce unwelcome friction for your customers. Accertify can help you mitigate account takeover attempts with solutions across the entire customer journey, from account creation to account login, to transaction and even disputes. Our latest solution, Accertify Digital Identity, analyzes billions of data points using machine learning, advanced behavioral analytics and device intelligence technology, empowering organizations to trust and verify who is on the other side of a digital event.