Every day, fraudsters point specialized software, or bots, loaded with usernames and passwords stolen in data breaches at login pages, hoping to find a “match” that unlocks someone’s online account for their own profit. The outcome is commonly referred to as an account takeover (ATO): a fraudster gains unauthorized access to, or “hacks,” an account that belongs to someone else. The technique itself is cheap and almost entirely automated, which is exactly why it is so widespread. How can you prepare your company with account takeover protection? Consider starting with these three questions:
Customers provide your brand with their personal information, and in turn, expect your company to protect it.
1. Can a new account be created using compromised credentials?
Breached data can be used not only to take over existing accounts, but also to open new accounts in someone else’s name. Compromised identity information, PII and username/password pairs from many different sites can all be purchased on the dark web, and that information serves equally well for creating new accounts or for accessing existing ones. One way companies can identify new-account fraud is by monitoring the account-creation process itself. By looking at the surrounding clues, such as the device and network the sign-up comes from, how many accounts that device or address has recently created, whether the chosen password already appears in a known breach, and whether the supplied identity details are consistent with one another, companies can learn how a good customer behaves, versus a fraudster, when setting up an account, interacting with a given type of organization, and ultimately completing a transaction.
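As an added example (not code from the original article or from Accertify), the following Python sketches two of the sign-up checks described above: a compromised-password test done the way the Have I Been Pwned “Pwned Passwords” range API works (only the first five characters of the SHA-1 digest are looked up, so the password never leaves the sign-up path), and a simple creation-velocity check per device and per IP. The breach corpus, the sign-up events, the thresholds and the reason-code names are all constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed stand-in for a breached-password corpus, keyed by uppercase SHA-1
# hex digest (the representation the Pwned Passwords range API uses). A real
# deployment would query that API by 5-character prefix or load an offline
# dump; these plaintexts are simply well-known weak passwords.
BREACHED_PLAINTEXTS = ["password", "123456", "qwerty", "letmein", "Summer2019!"]
BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in BREACHED_PLAINTEXTS
}


def range_lookup(prefix: str) -> set:
    """Emulate a k-anonymity range query: return the digest suffixes whose first
    five hex characters equal `prefix`. Only the prefix goes to the lookup
    service, so neither the password nor its full hash is disclosed."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def password_is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def evaluate_signup(event: dict, history: list, window=timedelta(minutes=10),
                    max_per_device=2, max_per_ip=5) -> list:
    """Return reason codes for one sign-up attempt, given earlier sign-ups in
    `history` (dicts with ts, email, device_id, ip). Reason-code names and
    thresholds are assumptions, not a vendor's actual codes."""
    reasons = []
    if password_is_breached(event["password"]):
        reasons.append("BREACHED_PASSWORD")
    since = event["ts"] - window
    recent = [h for h in history if since <= h["ts"] <= event["ts"]]
    per_device = sum(1 for h in recent if h["device_id"] == event["device_id"])
    per_ip = sum(1 for h in recent if h["ip"] == event["ip"])
    if per_device >= max_per_device:
        reasons.append("SIGNUP_VELOCITY_DEVICE")
    if per_ip >= max_per_ip:
        reasons.append("SIGNUP_VELOCITY_IP")
    return reasons


# Constructed sign-up events: one ordinary customer, then one device cycling
# through breached credentials to open several accounts in a few minutes.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_SIGNUPS = [
    {"ts": T0, "email": "alice@example.com", "device_id": "dev-home",
     "ip": "203.0.113.10", "password": "c0rr3ct-horse-battery"},
    {"ts": T0 + timedelta(minutes=1), "email": "j.doe1@example.net",
     "device_id": "dev-bot", "ip": "198.51.100.7", "password": "password"},
    {"ts": T0 + timedelta(minutes=2), "email": "j.doe2@example.net",
     "device_id": "dev-bot", "ip": "198.51.100.7", "password": "Summer2019!"},
    {"ts": T0 + timedelta(minutes=3), "email": "j.doe3@example.net",
     "device_id": "dev-bot", "ip": "198.51.100.7", "password": "letmein"},
]


def run_sample(events=SAMPLE_SIGNUPS) -> dict:
    """Replay the sample in order and return {email: reason codes}."""
    history, results = [], {}
    for ev in events:
        results[ev["email"]] = evaluate_signup(ev, history)
        history.append(ev)
    return results


if __name__ == "__main__":
    for email, reasons in run_sample().items():
        print(f"{email:22s} {reasons or 'ok'}")
```

Note that the password check runs on the plaintext at the moment of submission, before the password is hashed for storage; a breached-password hit is a reason to reject the sign-up or force a different password, not something to log in clear.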
2. Is it a human or machine?
Bots and freely available automation tools have made it even simpler for fraudsters to execute credential stuffing attacks. Credential stuffing occurs when fraudsters take lists of millions of compromised username/password pairs and replay them against a company’s login page, usually spreading the attempts across many IP addresses and devices to avoid simple rate limits. They can churn through tens of thousands of combinations quickly, identifying which credentials are still valid. A key measure to guard against attacks like these is for organizations to be more observant. Like a good doorman or security guard, pay attention to anomalous behavior: Are multiple accounts being accessed from the same device, IP address, or location? Is the ratio of failed to successful logins far higher than usual? Are successful logins quickly followed by a logout without any other activity, the sign of a bot confirming that a credential works before moving on? Knowing what is normal can quickly expose what is not.
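The two observations above (many distinct accounts attempted from one source, and “log in, then log straight out”) can be turned into detection logic over an authentication log. The Python below is an added example, not code from the article or from Accertify; the log format, field names, thresholds and the sample lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines: "<ISO time> <event> user=<id> ip=<addr> dev=<fp>"
# Events: login_ok, login_fail, logout, action. One home user behaves normally;
# one IP/device fingerprint walks through six accounts in seven seconds.
LOG = """\
2024-03-01T09:00:00 login_ok user=alice ip=203.0.113.10 dev=fp-home
2024-03-01T09:00:30 action user=alice ip=203.0.113.10 dev=fp-home
2024-03-01T09:01:00 login_fail user=bob ip=198.51.100.7 dev=fp-bot
2024-03-01T09:01:01 login_fail user=carol ip=198.51.100.7 dev=fp-bot
2024-03-01T09:01:02 login_ok user=dave ip=198.51.100.7 dev=fp-bot
2024-03-01T09:01:03 logout user=dave ip=198.51.100.7 dev=fp-bot
2024-03-01T09:01:04 login_fail user=erin ip=198.51.100.7 dev=fp-bot
2024-03-01T09:01:05 login_ok user=frank ip=198.51.100.7 dev=fp-bot
2024-03-01T09:01:06 logout user=frank ip=198.51.100.7 dev=fp-bot
2024-03-01T09:01:07 login_fail user=grace ip=198.51.100.7 dev=fp-bot
2024-03-01T09:05:00 login_ok user=alice ip=203.0.113.10 dev=fp-home
2024-03-01T09:05:40 logout user=alice ip=203.0.113.10 dev=fp-home
"""


def parse(log: str) -> list:
    """Turn the constructed log format into dicts with a datetime `ts`."""
    events = []
    for line in log.splitlines():
        ts, ev, *kv = line.split()
        rec = dict(p.split("=", 1) for p in kv)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["event"] = ev
        events.append(rec)
    return events


def stuffing_sources(events: list, key: str = "ip",
                     window=timedelta(minutes=5), min_accounts: int = 5) -> dict:
    """Group login attempts by `key` (ip or dev) and report every source that
    tried at least `min_accounts` distinct usernames inside one sliding window.
    Returns {source: max distinct accounts seen in a window}."""
    by_key = defaultdict(list)
    for e in events:
        if e["event"] in ("login_ok", "login_fail"):
            by_key[e[key]].append(e)
    flagged = {}
    for src, attempts in by_key.items():
        attempts.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(attempts):
            users = {e["user"] for e in attempts[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            flagged[src] = best
    return flagged


def hit_and_run_logins(events: list, max_gap=timedelta(seconds=30)) -> list:
    """Return users whose successful login was followed, as that user's very
    next event, by a logout within `max_gap`: a credential-validation pattern."""
    events = sorted(events, key=lambda e: e["ts"])
    flagged = []
    for i, e in enumerate(events):
        if e["event"] != "login_ok":
            continue
        nxt = next((f for f in events[i + 1:] if f["user"] == e["user"]), None)
        if nxt and nxt["event"] == "logout" and nxt["ts"] - e["ts"] <= max_gap:
            flagged.append(e["user"])
    return flagged


if __name__ == "__main__":
    evs = parse(LOG)
    print("stuffing by ip :", stuffing_sources(evs))
    print("stuffing by dev:", stuffing_sources(evs, key="dev"))
    print("hit-and-run    :", hit_and_run_logins(evs))
```

Running both detectors matters: an attacker who rotates IP addresses through a proxy network can still be caught on the device fingerprint, and the hit-and-run check catches the accounts that were actually compromised rather than merely attempted.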
3. Are account changes starting to tell a story?
Much like a puzzle, you need to see the full picture to understand how the pieces come together. One change to an account may not raise suspicion, but several changes viewed together, in a short span and in a particular order, may be telltale signs of an account takeover. Fraudsters often attempt to “replace” the email address and phone number on file with ones they control, in order to circumvent two-factor authentication and to prevent the legitimate account owner from receiving alerts about their account; only then do they change the password, remove the second factor, or redirect a payout. By looking at all of the different pieces and clues together, we can institute account takeover fraud prevention measures that more accurately separate what’s legitimate from what’s fraudulent.
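To make the “story” concrete, here is an added example (not code from the article or from Accertify) that scores a sequence of account changes per account: each change carries a small weight, but a burst of changes inside one window, a new device, both contact channels replaced, and a lockout step that follows a contact change all add reason codes. The change kinds, weights, window, threshold, reason-code names and sample events are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed weights per change kind. Any single change is below the threshold;
# only a combination inside one window crosses it.
WEIGHTS = {
    "email_change": 2, "phone_change": 2, "mfa_disabled": 3,
    "password_change": 1, "address_change": 1, "payout_change": 3,
}
CONTACT_KINDS = ("email_change", "phone_change")
LOCKOUT_KINDS = ("password_change", "mfa_disabled")


def score_account_changes(changes: list, window=timedelta(hours=24),
                          threshold: int = 6) -> dict:
    """`changes`: dicts with ts, account, kind, new_device (bool).
    Returns {account: (score, [reason codes])} where score is the heaviest
    set of changes found inside any single `window` for that account."""
    by_acct = defaultdict(list)
    for c in changes:
        by_acct[c["account"]].append(c)
    out = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda c: c["ts"])
        best_score, best_window = 0, []
        for i, start in enumerate(evs):
            w = [c for c in evs[i:] if c["ts"] - start["ts"] <= window]
            s = sum(WEIGHTS.get(c["kind"], 1) for c in w)
            if s > best_score:
                best_score, best_window = s, w
        kinds = [c["kind"] for c in best_window]
        reasons = []
        if any(c["new_device"] for c in best_window):
            reasons.append("NEW_DEVICE")
        if all(k in kinds for k in CONTACT_KINDS):
            reasons.append("CONTACT_CHANNELS_REPLACED")
        # Contact channel rewired first, then the owner locked out: the alert
        # about the lockout now goes to the fraudster's address or phone.
        first_contact = next((i for i, k in enumerate(kinds) if k in CONTACT_KINDS), None)
        if first_contact is not None and any(k in LOCKOUT_KINDS for k in kinds[first_contact + 1:]):
            reasons.append("ALERT_CHANNEL_CUT_BEFORE_LOCKOUT")
        if best_score >= threshold:
            reasons.append("CHANGE_BURST")
        out[acct] = (best_score, reasons)
    return out


# Constructed events: alice updates her email once from her usual device;
# carol makes two unrelated changes days apart; bob's account is rewired
# within ten minutes from a device never seen before.
D = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_CHANGES = [
    {"ts": D, "account": "alice", "kind": "email_change", "new_device": False},
    {"ts": D, "account": "carol", "kind": "address_change", "new_device": False},
    {"ts": D + timedelta(days=2), "account": "carol", "kind": "phone_change", "new_device": False},
    {"ts": D, "account": "bob", "kind": "email_change", "new_device": True},
    {"ts": D + timedelta(minutes=5), "account": "bob", "kind": "phone_change", "new_device": False},
    {"ts": D + timedelta(minutes=7), "account": "bob", "kind": "mfa_disabled", "new_device": False},
    {"ts": D + timedelta(minutes=10), "account": "bob", "kind": "password_change", "new_device": False},
]


def analyze_sample() -> dict:
    return score_account_changes(SAMPLE_CHANGES)


if __name__ == "__main__":
    for acct, (score, reasons) in analyze_sample().items():
        print(f"{acct:6s} score={score} {reasons or 'ok'}")
```

The ordering check is the part a simple per-change rule misses: an email change followed by a password reset is far more suspicious than the reverse, because the confirmation of the reset is delivered to whoever now controls the email address. A practical response to that reason code is to hold the change and notify the previous contact channels as well as the new ones.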
With security breaches targeting some of the largest brands, companies need to not only have a sophisticated fraud strategy in place to protect their brand, but one that identifies and protects their best customers – all without disrupting the user experience.
Accertify can help. Our Digital Identity solution is an account takeover fraud prevention platform that combines machine learning trained on billions of data points, advanced behavioral analytics and device intelligence technology to identify potential threats. The platform distills these signals into a single trust score with associated reason codes, so organizations can trust and verify who is on the other side of a digital event.