Account Takeover and Data Breach
As we have talked with many banks over the past few years, I continue to be surprised at the inconsistency amongst banks regarding account takeover fraud. Most banks as a rule have expressed that they have observed very little account takeover, while for others – they are seeing an epidemic of takeover fraud. This is counter-intuitive to most fraud types that tend to hit the industry as a whole (eg. phishing, new account fraud, etc.)
We believe that the culprit responsible for this level of inconsistency is due to “internal compromise”. To commit account takeover typically requires the thief to not only have the identity credentials, but also bank specific information such as PINs and account numbers. Gaining access to both identity data and bank specific data is not trivial, with the best source being the bank itself. I was speaking at a recent conference, and a top 10 retail bank described how they had recently been compromised by an internal employee – who sold the information to another entity who then took over the accounts by changing address and requesting new cards.
We see that tightening up internal access to confidential data, as well as monitoring being extremely critical to stamping out account takeover fraud.
If anyone has any thoughts or experiences on the subject – we’d love to hear from you.