The latest annual figures show Account Takeover Fraud costing victims an average of $263 out of pocket.
Account takeover fraud cases increased by 45% in just the second quarter of last year, according to a study from October 2017. What exactly is account takeover, and why does it suddenly seem to be the favorite tool of fraudsters?
What is Account Takeover Fraud?
How does this happen? In an increasingly connected world, both merchants and consumers benefit from streamlined access. Unfortunately, the shift to digital communication and recordkeeping also gives fraudsters multiple entry points for potentially gaining access to users' personal information.
At least 15.4 million consumers were the victims of identity theft in 2016; that represents a 17.5% jump from the year before. And while exact figures are frustratingly hard to pin down, one survey suggests that account takeover fraud in particular had a year-over-year increase of more than 45% in the second quarter of 2017. That translates to $3.3 billion merchants lost to ATF in only a 3-month window ... and experts believe it will get worse.
Finding the Weak Link
Unlike other types of account fraud, account takeover doesn't necessarily have to start with what is traditionally considered highly sensitive information, such as a Social Security number or PIN. Account takeover can potentially be started from nearly any scrap of personal data: an email address, a full name, a date of birth--any identifier entered during the validation process can work. Criminals simply look for the weakest link in the chain, and build the takeover from there.
Historically speaking, banks and card providers have been the main targets of account takeover fraudsters. As credit card security methods have improved, however, e-commerce and card-not-present retailers are seeing more attacks, as well.
The fact is, any company that offers a user account or membership system is at risk of giving fraudsters a foothold. All that's really needed is the ability to connect account information--card number, user name, password, etc.--with a piece of personally identifiable information. Of course, for it to work, fraudsters must first have the PII ... but there are a number of ways to obtain it.
How Do Thieves Steal Account Information?
Procuring personal information is not always a professional process: it can happen on a very small scale. For example, a college student knows his roommate’s email address, guesses the password, logs into a site, and makes purchases.
More seasoned fraudsters often operate on a larger field. To steal the information they need, they might employ anything from a simple phishing scheme to a highly sophisticated botnet (a network of computers surreptitiously infected by malicious software). The latter is especially dangerous, as the bots can plug in commonly used passwords and usernames to perform high-volume, rapid attacks and take over the maximum number of accounts.
Some types of information are simply gleaned from public accounts or online profiles. For instance, a fraudster might trawl social media sites to acquire basic information like a first and last name, location, or phone number. That data is then matched to a Social Security number or account numbers obtained through deceptive practices. Armed with this small amount of data and a carefully concocted story, a fraudster can potentially convince a helpful customer service agent to "update" account information.
By hijacking the primary contact channels--phone and email--the fraudster can effectively lock out the true owner and take over the entire account. Once inside, they can change everything: security questions, passwords, the works. In an ironic twist, this makes the actual cardholder appear suspicious for attempting to resolve the problem (particularly when the victim now doesn't know the password, user name, security question, or even the phone number).
So What is the Draw of Account Takeover?
The rapid growth of these types of attacks--combined with the overall unpredictability of account takeover fraud--makes for a very alarming trend. But why is account takeover such a popular approach? Simply put, an account takeover offers fraudsters a better return on their investment.
A stolen credit card isn't as valuable to thieves as it once was. With physical payments becoming more secure through chip technology and other upgrades, account takeover fraud has become more lucrative than stealing physical cards.
More Ways to Profit, Lower Risk
When fraudsters gain access to an account, they can profit from it in a number of ways. They may choose to open (and max out) new credit card accounts based on their stolen information. Or they may quickly transfer funds from the victim's account to one that can be accessed by the fraudster. Perhaps they will attempt to use the compromised account information to make a different type of credit purchase--a vehicle, for example.
Having multiple avenues to monetization means that account takeover offers more value than simply a stolen credit card: in a sense, the fraudster is getting “more bang for the buck.”
Banks and cardholders also tend to notice credit card fraud comparatively quickly, often leading to the card's cancellation. With account information in hand, however, fraudsters can simply change the user’s profile upfront, rerouting communications sent to the account holder and thereby preventing suspicion.
Also, criminals who commit account takeover fraud typically don’t steal the personal information themselves. More often, an identity thief will steal data in bulk, then sell it on the black market. That puts more distance between the customer and the fraudster, giving the latter maximum ROI with minimal risk of discovery.
Risk Factors and Consequences for Victims
While the benefit-to-risk ratio works to the fraudster's advantage, the consumer is in the opposite position. Having a fraudster gain access to a user’s account is bad enough, but it can also make all their other accounts vulnerable, for one simple reason: consumers tend to reuse the exact same login credentials for an array of accounts. Using the same password for a bank account, credit card account, and PayPal account will leave all three vulnerable, even if only one is breached.
It doesn't help that so many consumers operate with passwords that are embarrassingly simple to guess (see below). The stakes are exceptionally high for account takeover fraud when it comes to bank customers. Imagine an individual with the same login information for both credit card and checking account. A successful account takeover attack on either one would expose both.
No matter how much was charged to the card by the fraudster, the customer in this situation would be accountable for no more than $50 in liability, as guaranteed by federal law. If the fraudster were to clean out the person’s checking account, however, that money is gone ... and unfortunately, there would be no way to recover it.
Merchants can be victimized, as well, even if they conduct transactions with these fraudsters unknowingly. Once a cardholder discovers account takeover fraud, the merchant can expect to see a number of chargebacks. And again, because the takeover often involves multiple accounts, merchants may even get chargebacks from more than one card.
What Can Be Done?
While account takeover fraud is a serious and growing risk, potential solutions are already being developed. Promising solutions include biometrics and tokenization.
A biometric security solution uses physical or behavioral traits to authenticate--and allow access to--an account. The process evaluates an individual’s bodily elements--such as face, fingerprint or iris--to verify identity. To date, it has proven to be the most foolproof physical security tactic used for identity verification.
A variation of this process is behavioral biometrics, which assesses specific metrics like keystroke dynamics, voice ID, or mouse use, then compares them to a baseline measurement entered by the user. Because the process is totally software-based and requires no new hardware such as scanners, behavioral biometric security is both less expensive to install and less intimidating to consumers.
With tokenization, personally identifiable information is replaced with a non-sensitive equivalent, commonly called a token. From the consumer's perspective, transactions appear to be normal. Anyone trying to hijack the data, however, will only be able to access the token, which has no extrinsic or exploitable value.
Essentially functioning as a “digital signature,” tokens can be assigned to a merchant, a bank, and/or a card. They can also be assigned to a single specific transaction, or even an individual device, adding an additional layer of fraud prevention that is virtually impossible to bypass.
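The two properties that make tokenization work are that the token is random rather than derived from the card number (so a stolen token cannot be turned back into a card number) and that the mapping lives only in the vault, bound to the party the token was issued to. The following added example, not code from the article or any payment provider, shows a minimal vault with both properties: a merchant receives only a random token and the last four digits for display, and a token issued to one merchant cannot be redeemed by another. The card number is a constructed test value, and the token format and merchant identifiers are assumptions.

```python
"""Minimal tokenization vault, as an added illustration of the scheme described
above (not code from the article or any vendor). Assumptions: tokens are random
(not derived from the card number), the vault is the only component holding the
mapping, and each token is bound to the merchant it was issued for.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they ever enter the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    def __init__(self):
        self._store = {}        # token -> (pan, merchant_id); never leaves the vault

    def tokenize(self, pan: str, merchant_id: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # Random token: there is no function of the PAN for an attacker to invert,
        # and tokenizing the same card twice yields two unrelated tokens.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (pan, merchant_id)
        # The merchant's database keeps only this record, never the PAN itself.
        return {"token": token, "last4": pan[-4:], "merchant_id": merchant_id}

    def detokenize(self, token: str, merchant_id: str) -> str:
        pan, owner = self._store.get(token, (None, None))
        if pan is None or owner != merchant_id:
            # A token lifted from one merchant's records is useless anywhere else.
            raise PermissionError("token unknown or not bound to this merchant")
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"   # constructed test number, not a real card
    record = vault.tokenize(test_pan, merchant_id="shop-A")
    print("merchant stores:", record)
    print("vault redeems for shop-A:", vault.detokenize(record["token"], "shop-A"))
    try:
        vault.detokenize(record["token"], "shop-B")
    except PermissionError as exc:
        print("shop-B rejected:", exc)
```

The merchant-binding check in detokenize is what gives a token "no extrinsic or exploitable value" outside the context it was issued in; a real vault would additionally authenticate the caller and log every redemption.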
Consumers and Merchants
There are also steps both consumers and merchants can take to minimize their risks of becoming account takeover victims. For consumers, mitigation revolves around protecting every part of their identity data; for merchants, it involves making an extra effort to verify that shoppers are who they claim to be.
Steps for Consumers:
- Use Unique Passwords for Each Account: This is the most protective measure consumers can take. If all accounts have different passwords, even a successful takeover attack will be limited to that one specific account.
- Change Important Passwords Frequently: Like the previous recommendation, this is a hard but crucial habit for consumers to take up. Passwords should be changed every four to six weeks for any account that carries sensitive information. This includes banking and credit accounts, as well as any eCommerce sites or social media profiles to which payment information is saved.
- Limit Public Access to Information on Social Media: Fraudsters love social media sites; consumers frequently offer up personal data without even considering the possible consequences. Access to information like birth dates and phone numbers should be limited to friends and family, if possible.
- Balance Accounts Regularly: Credit card statements and bank balances should be checked as often as possible. Any suspicious activity should be reported immediately.
- Use a Password Manager: Products like LastPass, Dashlane, and other comparable services will generate complex usernames and passwords, then store them securely for users. Consumers get the benefit of unique, impossible-to-guess passwords for each account, but the convenience of only having to remember one main login.
Steps for Merchants:
- Use AVS and Delivery Confirmation: Address Verification Service (AVS) compares the delivery address's ZIP code against the billing address supplied by the issuer, while Delivery Confirmation offers proof that the package was delivered to the shipping address.
- Ask for the Card Security Code: If the consumer can provide the three-digit code from the back of the card, it's a good indication that the card is in their possession.
- Take Advantage of 3D Secure Technology: Essentially a PIN for card-not-present transactions, 3D Secure asks the cardholder to create a passcode, which must then be entered for any online sale. Merchants as well as cardholders can opt in to this automated program.
- Turn to Third-Party, Multilayer Solutions: In-house fraud prevention can rarely compete with outsourced resources. However, just one service isn’t enough, since account takeover isn't the only type of fraud. Merchants should make sure they have solutions for other threats, as well--including other criminal fraud attack sources like affiliate fraud and friendly fraud.
None of the above are foolproof plans, of course. Both merchants and consumers can still be vulnerable to the consequences of an account takeover, so vigilance is required by everyone involved.
By applying due caution, however, anyone can significantly reduce the risk of being victimized by account takeover fraud. Chargebacks911® offers services that can help merchants avoid all types of fraud, reduce overall chargebacks, and recover lost revenue. Contact us for more information.