September 20, 2016
By Roberto Valerio, CEO, Risk Ident
Account takeover fraud is one of the fastest-growing problems in the CNP world today. Over the past year, we at Risk Ident have noted up to a 300 percent increase in account takeover attempts on our customers. Recently, a big case of account takeover was made public when it was reported that O2 customer usernames and passwords had been obtained by fraudsters. And that’s just one example.
But what exactly is happening when fraudsters take over user accounts? Let's start at the beginning: personal data theft is a very common strategy among online fraudsters. Once they have stolen identity data, they can create new accounts on, for example, e-commerce sites and then begin ordering merchandise, often making a profit by reselling the delivered items.
While names, addresses and phone numbers can often be found in phone books or online, fraudsters will even go as far as to take data from announcements of death. Sometimes fraudsters will also go for the easy option and simply buy details from the dark corners of the black market online where they can find everything they need. All these techniques can give fraudsters what they want: instant access to easy, lucrative rewards. And they can be off before anyone even knows they were there.
Hijacked User Accounts
However, account takeover attacks go beyond mere stolen identities. Fraudsters hijack existing user accounts, masquerading as legitimate users. Fraudsters can obtain usernames and passwords through several different approaches:
- Emails and passwords can be bought online, with fraudsters then targeting online businesses including e-commerce Websites, telecoms businesses and online banking portals.
- Once fraudsters gain access to an email account, the danger levels increase dramatically. Email accounts often bring other online accounts together. If passwords match with other accounts, fraudsters can make financial transactions while also intercepting the email confirmations. For the real account owner, it is almost impossible to realize the threat in time and take steps to limit the damage.
- Many people still use easy-to-guess, unsafe passwords, despite warnings against them. If a fraudster has the customer’s email address and can guess a simple password, it is easy for them to gain access.
- Cyber criminals can also obtain usernames and passwords through phishing attacks: a Google study showed that well-designed phishing Websites have a success rate of 45 percent. In this way, fraudsters gain access to login details on a specific site, and those often match the login details for yet another site.
- Finally, let’s not forget malware, which can also be used to spy on a computer and intercept login credentials.
Once a fraudster has access to a user account, they can easily change the password and block the original user.
Why are account takeovers so dangerous?
Quite simply, account takeovers can give fraudsters everything they need for CNP fraud, saved in existing customer accounts, including addresses, birthdays and payment information. But most importantly, an existing user account offers one major thing: trustworthiness.
Businesses put a lot more trust in existing customers with years of good experience behind them. So-called conspicuous behavior, like changing passwords or shipping addresses, does not necessarily count against them and may be seen as innocent action from genuine customers. Even if there are clear signs of account takeover activity, businesses are careful of triggering false alarms: a false positive fraud alert can not only cause a loss in revenue, it might even dissuade the good customer from returning ever again.
Spot Fraudsters, Prevent Damage
Today’s fraudsters are keen to stay invisible as long as possible, but it is possible to spot them early and prevent irreparable damage. Indicators of account takeover can include:
- Conspicuous behavior during the login process, like an unusual number of failed attempts
- A password change followed by behavior that is unusual for the customer
- A change of address just before ordering
- Deviating from demonstrated customer behavior, like purchasing an unusually expensive item or a high volume of goods
- Login attempts from different devices and places
- Suspicious device configurations that try to hide actual whereabouts
- Change of operating software and/or switching to an older browser version
- Login via a proxy server or VPN
- Login with an already-known suspicious device
CNP merchants have two options to handle these indicators.
The first option is a rule-based system that assigns a specific score to each perceived threat; the scores are then added together to create a total risk score. Companies then use this score to make an informed estimate about whether something is likely fraudulent or not.
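A minimal sketch of such a rule-based scorer, added here as an illustration and not taken from Risk Ident or any product: each indicator from the list above that fires adds its weight to a total, and thresholds turn the total into a decision. The weights, thresholds, time window, event fields and sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Weights, thresholds and the time window are illustrative assumptions.
WEIGHTS = {
    "failed_logins": 20,
    "password_change_before_order": 25,
    "address_change_before_order": 25,
    "order_value_deviation": 20,
    "new_device": 10,
    "proxy_or_vpn": 10,
    "known_bad_device": 40,
}
REVIEW_AT, BLOCK_AT = 40, 80
WINDOW = 3600  # seconds before the order in which account changes count

@dataclass
class Profile:
    known_devices: set
    avg_order_value: float
    bad_devices: set = field(default_factory=set)

def score_order(profile, events, order):
    """Return (total, fired_rules, decision) for one order and the account's prior events."""
    fired = set()
    recent = [e for e in events if 0 <= order["ts"] - e["ts"] <= WINDOW]
    if sum(e["type"] == "login_failed" for e in recent) >= 5:
        fired.add("failed_logins")
    if any(e["type"] == "password_change" for e in recent):
        fired.add("password_change_before_order")
    if any(e["type"] == "address_change" for e in recent):
        fired.add("address_change_before_order")
    if order["value"] > 3 * profile.avg_order_value:
        fired.add("order_value_deviation")
    if order["device"] in profile.bad_devices:
        fired.add("known_bad_device")
    elif order["device"] not in profile.known_devices:
        fired.add("new_device")
    if order.get("via_proxy"):
        fired.add("proxy_or_vpn")
    total = sum(WEIGHTS[r] for r in fired)
    decision = "block" if total >= BLOCK_AT else "review" if total >= REVIEW_AT else "accept"
    return total, sorted(fired), decision

# Constructed sample data: failed logins, then password and address changes, then a large order.
PROFILE = Profile(known_devices={"dev-home"}, avg_order_value=60.0, bad_devices={"dev-flagged"})
ATTACK_EVENTS = [{"ts": 1000 + i, "type": "login_failed"} for i in range(6)]
ATTACK_EVENTS += [{"ts": 1200, "type": "password_change"}, {"ts": 1300, "type": "address_change"}]
HIJACKED_ORDER = {"ts": 1500, "value": 899.0, "device": "dev-unknown", "via_proxy": True}

if __name__ == "__main__":
    print(score_order(PROFILE, ATTACK_EVENTS, HIJACKED_ORDER))
```

Because the score is additive, a single indicator such as an address change stays below the review threshold on its own, which is how a rule set like this limits false alarms for genuine customers.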
The other option is machine-learning technology that recognizes patterns and regularities in datasets, and is then able to learn from that. New models are continually created and better algorithms are constantly evolving to perform link analysis and make accurate decisions about fraud, including a combination of factors that could indicate account takeovers.
As fraudsters develop their techniques, machine-learning algorithms evolve in response to the changing threats, constantly learning from additional information. Thus, the algorithms get better and better, creating more precise probability calculations.
Despite the different approaches, rule-based systems and machine-learning technology have one thing in common: no human being with years of experience fighting fraud can simply be replaced by technology. Besides, that's not what modern fraud prevention systems should be about. The two entities, man and machine, can complement one another perfectly. This strategy is the best way to fight back against account takeovers and the fraudsters who wish to make a profit and, in doing so, ruthlessly damage businesses' profits and customers.
Roberto Valerio is founder and CEO of Risk Ident. Risk Ident is a software provider that offers antifraud solutions for European companies within the e-commerce, telecommunication and financial sectors. The company uses data analytics and machine learning in solutions for payment fraud, account takeovers, and fraud within account and loan applications.