Account Takeover Fraud: Are you being “set-up” to fail?

According to a report published earlier this year by Javelin, account takeover attacks are on the rise. Another survey published by Bank Info Security suggested the same, and went on to report that the industry has increased its spending on account takeover controls. To boot, the industry migration to EMV is expected to prompt a migration to account takeover, one of the fraudsters’ soon-to-be favorite replacements to the old card fraud attacks.

Huh? How could this be? Does this mean account takeover prevention is a bad investment?

Hardly. What the numbers suggest, and what the team at ID Insight has focused on for years, is that when it comes to really stopping account takeover – the “set-up” event is the key. Historically, most of the investments made in preventing fraud have either been directed towards controlling access (authentication), securing data (encryption), or watching the ledger for risky money movement. Our view is that there is another vulnerability that sorely needs controls, the set-up event.

When we say the “set-up” event, we are referring to the critical step in any account takeover scheme. Account takeover takes many forms, but when broken down, it really only takes three ingredients to cook up a pungent account takeover scheme. Historically, the set-up event has been the secret ingredient. At the risk of exhausting this food analogy, let’s chew this up a bit.

  • The Compromise
    The first step in committing account takeover is to compromise some form of sensitive information – information that only the true account holder (the victim) should hold. Depending on the scheme; this could involve account numbers, passwords, PINs, or PII such as social security numbers. As most secure financial systems use some type of information-based access controls, this data is currency for the fraud element, and there are lots of ways to get it.
  • The Set-Up
    Once the fraudster has the requisite compromised information in hand, their next required step is to perform the “set-up” event. Defined as a non-monetary event, the set-up usually looks benign at first. A routine address change, an updated phone number or email address, an added signer to the account – what could be the harm? Because these events don’t involve any movement of funds, they often have little or no anti-fraud controls in place. The unfortunate truth is, these set-up events are the secret to committing account takeover, and are exploited by fraudsters all too often. The good news is that in these seemingly benign and routine events, the account takeover fraud attempts frequently reveal themselves – presenting a ripe opportunity for early detection and loss avoidance. We will come back around to this point later.
  • The Cash Out
    For the fraudster, now comes the easy part. The victim’s account information has been compromised, and that information has been leveraged to access the account and set-up the fraudster’s payday. The only thing left to do is to “cash out” and actually get the money out of the account. This could take the form of credit or debit card payments from a card shipped to an address controlled by the fraudster. It could take the form of a large on-us check with a confirmation phone call routed to a number controlled by the fraudster. It could take the form of a draw from a home equity line of credit. With today’s “bank from anywhere” paradigm, there are a multitude of ways to drain the account.

Why the fraudsters are winning:
For one, they continue to get their hands on information they shouldn’t have. There have been multiple high profile data breaches occurring in the past year, and more are being reported each week. Aside from these large scale compromises, there are thousands of small scale, under-the-radar compromises that happen every day. Phishing, man-in-the-middle, brute force password cracking, insider or employee collusion, and the list goes on. In spite of the industry’s best efforts to secure account and personal data, there will always be compromises. Furthermore, by the time the scheme reaches the cash-out event, it is often too late to avoid the loss. To truly prevent losses, earlier detection is needed, well before the cash out is even attempted.

How the industry can win:
For these reasons stated above, the set-up event is the critical gap in the industry’s efforts to thwart account takeover. Simply put, not enough attention has been put on the common setup events that drive most account takeover attacks. Address changes, phone changes, and other account profile changes. There are some financial institutions that have deployed anti-fraud strategies around these events, and in doing so, have put themselves in position to detect account takeover attacks long before any losses can occur. In future blog posts, we will go into more depth on tips, strategies, and tactics for preventing account takeover fraud at the set-up stage.

Final thoughts:
When it comes to fraud prevention, a layered approach always wins. When put into the context of account takeover, a strong layer of controls is needed for each of the three stages described above. Adding urgency to this point is the industry shift to EMV next year, and the resulting storm of account takeover attacks. In times like this, I am reminded of advice my mother gave to me countless times as a kid (and occasionally as an adult) growing up in wintery Minnesota: “before going out into that storm, better put on another layer or two!”

Written by Matt Schraan
Vice President, Product Development and Client Solutions
Matt has dedicated his professional life to building products that reduce fraud risk, meet compliance requirements, and maximize value from fraud detection techniques. He has presented at numerous industry conferences on counter-fraud topics such as account takeover, application fraud, identity verification, and compliance strategies.

Date Posted: October 29, 2014 Author: Matt Schraan Category:   Featured, IDI Blog

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.