Account Takeover 2012 and Beyond
Over the past few weeks, we have been at a variety of conferences and events and the one common trend we are hearing about is the increasing threat and losses associated with account takeover. By itself, this is not necessarily surprising as we know that fraud ebbs and flows. According to Javelin’s 2012 Identity Theft Survey Report, identity theft is up by 13%. More specifically, the Financial Services Information Sharing and Analysis Center recently reported that account takeover continues to grow at over 150% per year.
In addition to some of these reports of account takeover on the rise, we are also hearing more topical stories about some of the recent account takeover trends. One large banking institution reported that they are seeing the fraudsters migrating ‘back’ away from the online channels to more traditional channels such as the phone center to change addresses and other account access information.
We are also hearing that the account takeover patterns are becoming more complex. We are now seeing fraudsters change not only the address from the victim’s to their own, but also the phone, email and other contact info. Once the fraudster has siphoned the funds from the account, they then change all contact information back to the victim’s correct information.
While we are hearing and seeing these recent trends, the more interesting question is to consider whether this is the normal ebb and flow of fraud or if there is something more systematic going on. Is it a trend and if so – what is the longevity of the trend? From everything that we have looked at we believe that we are entering a period where we will see a steady trend of substantial increases in account takeover that last for years to come.
As we sometimes say “when you shut one type of fraud down – it’s not like the fraudsters go out and get day jobs”. While we never completely know how many fraudsters are in our midst at any given time, we don’t see this total number decreasing any time soon. Nor do we see their “take-home pay” falling below the consumer price index.
One major factor we see contributing to this trend is bank consolidation. As banks (and banking accounts) become more consolidated, the average account balances are rising. We have already seen this in the U.K. where account takeover is historically a much higher percentage of overall fraud than in the U.S. In the U.K., the top 4 banking institutions account for 73% of all bank accounts in the country.
The typical Brit will tell you that they opened their accounts as teenagers and now have multiple accounts with the same institution. The more accounts associated with the same institution, the higher the “switch-cost”.
Historically, bank consolidation in the U.S. has not been nearly as top-heavy as in the U.K. But that is rapidly changing. In 1998, the top 4 banking institutions in the U.S. accounted for 15% of all bank accounts. As of 2009, that number had grown to over 37%. When accounts are consolidated, balances grow and account takeover fraud becomes more lucrative.
Access to Credit
With the economic downturn of 2008, access to credit dried up. While this has gotten better over the past couple of years, it is still down significantly, resulting in substantially less new account activity. Because credit risk thresholds are much tighter, much of what used to show up as fraud is being stopped during the application process as a credit decline.
As new account identity theft declines, the bubble will most certainly push back out on account takeover.
A decade ago, about the only way you could commit account takeover was to either change the address or change the phone number from that of the victim to that of the fraudster. By changing the address from the victim to the thief, the thief can then request new credit or debit cards to be sent to this new address where they can access the victim’s money. By changing the phone number, the thief then requests a large ACH transfer out of the victim’s account. When the bank calls the customer to confirm the request, they end up calling the thief.
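The two patterns described above (a contact change followed by a card request or ACH transfer, and contact details being changed back after the money has moved) can be turned into a detection rule over account events. This is an added example, not code from the original post; the event fields, the 14-day window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PAYOUT_KINDS = {"ach_transfer", "card_request"}  # assumed event names

def flag_takeover_patterns(events, window=timedelta(days=14)):
    """Return {account: set of reasons} for accounts matching either pattern."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_account[ev["account"]].append(ev)

    findings = defaultdict(set)
    for account, evs in by_account.items():
        changes = [e for e in evs if e["kind"] == "contact_change"]
        payouts = [e for e in evs if e["kind"] in PAYOUT_KINDS]
        for chg in changes:
            # Payouts that follow this contact change within the window.
            after = [p for p in payouts
                     if chg["ts"] <= p["ts"] <= chg["ts"] + window]
            if not after:
                continue
            findings[account].add("contact_change_then_payout")
            # Revert: the same field set back to its old value after a payout.
            for rev in changes:
                if (rev["field"] == chg["field"] and rev["new"] == chg["old"]
                        and rev["ts"] > after[0]["ts"]):
                    findings[account].add("change_payout_revert")
    return dict(findings)

def _t(day, hour=9):
    return datetime(2012, 5, day, hour)

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    # acct-1001: phone changed, ACH sent, phone restored to the original.
    {"account": "acct-1001", "ts": _t(1), "kind": "contact_change", "field": "phone", "old": "555-0100", "new": "555-0199"},
    {"account": "acct-1001", "ts": _t(2), "kind": "ach_transfer", "amount": 9500},
    {"account": "acct-1001", "ts": _t(3), "kind": "contact_change", "field": "phone", "old": "555-0199", "new": "555-0100"},
    # acct-2002: address changed, then a replacement card requested.
    {"account": "acct-2002", "ts": _t(4), "kind": "contact_change", "field": "address", "old": "1 Elm St", "new": "9 Oak Ave"},
    {"account": "acct-2002", "ts": _t(6), "kind": "card_request"},
    # acct-3003: ordinary move, no payout follows.
    {"account": "acct-3003", "ts": _t(5), "kind": "contact_change", "field": "address", "old": "2 Pine Rd", "new": "7 Birch Ln"},
    # acct-4004: routine transfer with no contact change.
    {"account": "acct-4004", "ts": _t(7), "kind": "ach_transfer", "amount": 120},
]
```

Because the revert rule looks back at the original value, it still fires when the account's contact details look correct at review time, which is exactly the case the change-back step is meant to hide.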
While that is still happening and in some cases increasing, the rapid increase in other ways to access bank accounts has increased the exposure to account takeover. Online banking systems have been under attack over the last few years, leading to many developments such as two-factor authentication and now out-of-band authentication. With the initial online banking fraud systems becoming a bit more stable, we now need to gear up for mobile banking and that access path.
The most interesting new account takeover problem we have heard over the past few weeks is to gain access through the SIM card on your phone. The thieves are obtaining phone information of the victim and then calling the victim’s mobile carrier to request a new SIM card. Because these cards are backed up at the carrier, the carrier then sends the card to the thief. Many times, these SIM cards will contain sensitive bank access information.
The more ways we create to access our banking account information, the more paths we need to secure. The ways in which we can access our banking accounts are more numerous and less “personal” than ever before, which makes account takeover an even better target.
We hope we’re wrong, but I wouldn’t bet on it.