August 19, 2016
Taking Account Takeover Protection to the Next Level
By Garient Evans, Director of Identity Risk Solutions, ID Analytics
A consumer’s email address, phone number and home address associated with their credit-card account just changed in your processing system. Did the consumer initiate the request or did a criminal just take over their account?
Unfortunately, your organization may be the last to know. The 2012 “Faces of Fraud” Survey conducted by Information Security Media Group showed that in 82 percent of cases involving identity fraud, the consumer uncovered the theft before the issuer or processor.
Account takeover is a persistent issue that costs companies millions each year. It will continue to grow with the proliferation of publicly available personal information, the increasing number of data breaches and an increasing number of online black markets for private data. Moreover, the increased adoption of EMV payment technologies intended to thwart card-present fraud at the point of sale is expected to actually accelerate the migration of fraud activities towards exploiting weaknesses associated with a company’s e-commerce and other self-service offerings.
I n an account takeover scheme, cybercriminals may assume control of a consumer’s account, order physical goods using the debit-card number on file, ship to an alternate address and subsequently sell the stolen goods on another Website, pocketing the proceeds. Fair or not, consumers often view the organization that allowed the fraudster access to their account to be at fault. Many account holders will move their business to a competitor despite the best efforts of the company to repair the damage.
Account takeover (a.k.a., account hijacking) is often described as synonymous with account compromise, but they are different ways of committing fraud and violating a customer’s privacy. While related to the account takeover problem, account compromise is a fraud scheme that focuses on obtaining access, as opposed to control, of an account through the online channel. Typically, account compromise (or hacking) occurs when a fraudster has obtained an accountholder’s login credentials and is able to access the account online.
Given the inherent differences between account takeover and account compromise, fraud detection tools typically cannot address both types of fraud. The following overview of traditional fraud detection and prevention tools details their strengths and weaknesses, and consequently their ability to detect account takeover related activity:
Device Recognition – Companies use device authentication solutions to compare a laptop, desktop or mobile phone’s electronic signature to a database of devices previously associated with online fraud. However, device recognition only works for online transactions and may not flag a device that is clean with no previous connections to online fraud.
Malware Recognition – In theory, devices attempting to log into an account are examined for the presence of malware which might indicate remote control of the device by criminals. However, malware prevention and virus detection solutions have a limited shelf life as providers are in a never ending race with cybercriminals to combat the latest threats.
Voice Recognition – Voice recognition software attempts to study the conversation for signs of deceit as well as to determine a match to a previously captured sample of the consumer’s voice. In most cases, it requires integration with a more comprehensive suite of fraud solutions. While these solutions can be effective on their own, companies often spend considerable resources to integrate them into the enterprise’s risk controls. Other drawbacks are that voice recognition applies to a single channel and focuses on preventing access to an account rather than evaluating account changes.
Knowledge-Based Authentication (KBA) – KBA requires consumers to provide answers to questions that, theoretically, only the actual customer knows the answers to, and is again focused on restricting unauthorized account access. Unfortunately, criminals often use social media sites to gather “secret” data that they can use to access the consumer’s accounts. Also, news of recent security breaches at several major data brokers—including Dun & Bradstreet and LexisNexis—indicates that a trove of information used as the basis of KBA questions has been compromised.
Anomaly Recognition – In general, anomaly detection software attempts to detect unusual activity in a sea of apparently benign transactions. Anomaly recognition software’s primary limitation is the lack of a cross-industry approach, as most solutions primarily utilize data internal to the organization. . Even if the technology allows for cross-company comparisons, much of the information used in anomaly detection solutions is rendered anonymous, making it more difficult to track the same consumer across clients.
With more fraudsters determined to commit account takeover, and a growing availability of sensitive data to perpetrate the crime, organizations are looking for ways to shore up the gaps in their account takeover defenses. Today, risk managers are cobbling together account-takeover solutions by threat, by customer care channel and by business area. Device recognition, virus detection, voice recognition, KBA quizzes and anomaly recognition can all play a role in preventing fraud, but they can’t singlehandedly prevent account takeover.
Combatting account takeover starts with preventing unauthorized account access and subsequent, malicious account changes. If access controls are defeated, however, the methods detailed above are limited in their ability to prevent unauthorized changes to account profile data.
Companies must adopt a new approach that requires a comprehensive, real-time understanding of normal and abnormal account maintenance activity across the organization’s channels and product areas. Activities that carry a high risk of account takeover fraud, such as changing the email and mailing address associated with an account, take place millions of times a day. How can companies stay ahead of fraudsters while minimizing customer friction on the millions of legitimate account management activities that occur daily?
Organizations should assess the legitimacy of requested account changes through real-time, cross-industry data that incorporates consumer behavior across every channel in the organization. This approach enables enterprises to evaluate a requested account change in several ways, including:
- Has the account holder made similar changes at other organizations?
- Holistically, does the full set of requested account changes match a pattern of account takeover?
- For changes to personally identifiable information (“PII”), does the new information being added to the account (e.g., new address or phone) have a history of high risk behavior?
- For PII changes, does the comparison of old and new information reveal a high-risk behavior?
Risk managers have an increasing set of options to combat account takeover fraud, but all too often these options focus only on restricting account access, are channel specific, and lack a cross-organization and cross-industry perspective. Given the damage that account takeover fraud can cause, and the likelihood that these problems will continue to grow, investing in a real-time solution that incorporates identity-based data makes sense. Solutions based on real-time, identity-based, cross-industry predictive analytics have been proven to demonstrate a quick return on investment by avoiding losses associated with fraud and preventable customer attrition.
Garient Evans is director of identity risk solutions for ID Analytics , a provider of consumer risk management solutions with patented analytics, proven expertise and real-time insight into consumer behavior.