How Can Financial Institutions Put a Stop to Account Takeover Attacksby Greg Hancell, Director Product Management - Data Strategy, OneSpan November 29, 2021
Financial Institutions (FI’s) can detect and prevent account takeover attacks using continuous monitoring and adaptive multi-factor authentication.
Account takeover (ATO) fraud is one of the top causes of fraud losses for banks and financial institutions. An account takeover occurs when a customer’s bank account is digitally ‘broken into’ and acted on by an attacker.
The methods and techniques attackers use to fraudulently obtain access to a customer’s account credentials are continually evolving.
These include obtaining data from data breaches, malware, phishing, and other social engineering attacks such as phone scams (read more on common fraud techniques).
Account takeover is increasing due to lower barriers of entry, high rewards. lower risk of consequence and a fast movement by companies to try and offer digital services in reaction to the pandemic.
Additionally, attackers have more tools than ever available from the underground market.
They have more data to utilise, due to a record breaking 37 billion personal data records compromised in 2020 and more potential victims, companies and users that are new to digital services.
This results in personal data being available to attackers on demand, who can put it to use in an account takeover.
Attacks are becoming more advanced and automated, for example an emulation attack with malware which was executed in December 2020 resulting in millions of users accounts being attacked in hours, despite the bank using SMS one time passwords.
The attackers were able to perfectly emulate devices, breaking security relying on device fingerprinting and intercept the SMS OTP without the victim knowing.
These attacks can result in identity theft, credentials / OTP’s for attacking a login / recovery process and or personal information to increase the success of social engineering we cannot ignore the threat this poses.
From a user perspective, these attacks might result in fraudulent payments to new beneficiaries and thus the loss of their savings, losing access to the account, as the attacker changes the authentication method such as registering a new device or changing the password.
Also the attacker may apply for a new product using the customer’s personal data.
For financial institutions (FI’s), the impact of account takeover attacks can go well beyond financial losses.
The FI’s need to move fast to reduce the likelihood of the attack continuing / scaling and recover from the attack itself. The attack can lead users to lose trust in the FI and can impact consumer confidence and growth.
How Financial Institutions Can Get Better at Detecting and Preventing Account Takeover Attacks
Account takeover attacks cost FI’s billions in payouts and compensation to users. To reduce these losses, FIs must find ways to detect and prevent an attacker from trying to obtain access to an account, and when an attacker is attempting to carry out an action or transactions fraudulently inside a users account.
Preventing attacks relies on establishing trust with the user and determining their behavior. For example aside from the credentials / OTP being correct, is what they are doing typical for them.
Trust, is not static. Trust is fluid, everchanging and may increase or decrease based on interactions and outcomes, it is therefore crucial for trust to be determined in real-time.
In short, FI’s need to address the issue of trust– when can they trust that a genuine user is accessing and using their account, how can they determine if a genuine user is being socially engineered to make a transfer they should not, and how can they determine when an attack is underway?
To solve this problem, FIs need a profoundly innovative approach – one that enables the collection and analysis of vast cross-channel data to detect and react to attacks in real-time.
Continuous monitoring is the real time collection and behavioral understanding of users and devices.
Allowing the understanding of the ‘normal’ behavior of the user – such as the way they interact with the device, how they type, swipe and drag across a page, and how they typically establish and interact with sessions, the types of transfers they make and many more.
This creates a profile of their normal behavior.
Machine learning utilises 1000’s of features (intelligence points of a user their device and location) to contrast the normal behavior of the user against suspicious behavior, such as the behavior of a bot or attacker.
When suspicious behavior is detected, FI’s can react immediately such as request additional authentication from the user, change the authentication approach if a device is compromised and or challenge access or transactions taking place.
If the users authentication and behavior are deemed low risk then they can proceed. If not, the process is stopped and the attack is prevented.
The capability to learn from all attacks, indicators of compromise (known malicious data attributes) and fraud enables machine learning models to outperform typical rule sets optimising costs and reducing losses.
Why Financial Institutions Need to Make ATO Prevention a Priority
Static credentials such as usernames, email addresses and secret answers are vulnerable to attacks due to mass data breaches and users repeat credentials across multiple websites, social media profiles and sign-up accounts.
Authenticating users at login and using credentials alone is no longer an option.
Analyst firm KuppingerCole argues that only requiring a username/password for access to online or mobile banking systems is grossly insufficient for account security.
Financial institutions must continuously monitor the user’s actions and behavior to detect suspicious actors and challenge with setup-up security when risk is detected.
Additionally, the presence of malware on mobile devices makes users vulnerable to SMSishing attacks and SMS one time password (SMS OTP) interception.
The increasing sophistication of attacks utilising a blend of technology such as malware, device emulation and session simulation increases the scale of attacks meaning millions of users can be impacted in a day.
FI’s that use static credentials and SMS OTP are vulnerable to high scale, high impact attacks.
How Intelligent Adaptive Authentication Technology Can Stop Account Takeovers
Intelligent adaptive authentication (IAA) provides a secure frictionless experience for users to authenticate.
Continuous monitoring with contextual understanding enables real time decision making and provides the relevant authentication method(s) relevant to the risk and friction.
The technology uses real-time risk analysis to determine the most suitable authentication method(s) based on the level of risk derived from the context of what a user is doing and the environment they are interacting in i.e. device risk.
Tailoring the authentication flow to each unique interaction reduces friction and fraud. As the user’s particular contextual patterns and circumstances evolve, the technology is intelligent enough to recognise these changes and adapt.
OneSpan IAA enables FI’s to deliver digital experiences users love.
By understanding their behavior and intentions whilst automating authentication decisions resulting in greater UX, reduced operational costs and a reduction in fraud.
Featured image credits: Pixabay