Around the turn of the century, account takeover became front-page news, and one particular scheme ultimately led to the development of the Fair and Accurate Transactions Act (FACTA) Red Flags Guidelines in 2008. The scheme that created the fallout was simple and relatively slow: fraudsters committed takeover by changing a legitimate accountholder’s mailing address to an address they controlled and then, soon afterwards, requesting a new credit or debit card. This was a slow-moving (but effective) scheme that forced banks to put fraud controls in place to try to ensure that cards were being shipped to the legitimate customers.
Because the scheme took time to unfold and the issuer had to produce the physical card, the procedures put in place to prevent fraud losses had to be actionable before the card was in the hands of the fraudster — typically 3-5 days. Manual procedures and batch processing fit the bill and satisfied the regulators because the “speed” was not an issue.
New Schemes are Faster
With the advent and proliferation of online banking, account takeover schemes have emerged where the victim’s accounts are drained in a quicker, tighter timeframe than ever before. After the fraudster compromises the victim’s online banking credentials, they can move funds in near real-time. Unlike changing the address and requesting a new card, once the fraudster begins an online banking session, they can transfer tens of thousands of dollars immediately from the victim’s account to an account the criminal controls.
The scenario above seems very straightforward: the fraudster gets the online credentials, logs in and moves the money. Thankfully, the process is not quite that simple. As an example, let’s say the fraudster logged in and attempted to transfer $40,000 to an account at a different financial institution. The bank would typically flag this as a “high risk” transaction and reach out to the customer to make sure they really wanted to move that much money. Of course, the fraudster understands that the bank will try to reach out to its customer. To complete the fraudulent money movement, they will first change the phone number on the account and then move the funds. That way, when the transaction request trips a flag, the bank ends up contacting the fraudster (not the victim) to confirm the transfer of funds. In the same way, the fraudster will change the email address on file and then request the funds, ensuring that all email notifications go to the fraudster and not the victim.
Scrutinize Non-Monetary Transactions
Much like address changes, the reason fraudsters change phone numbers and email addresses on the customer file is to intercept any and all communications by the bank to their legitimate customer. By taking over the communication channel, they can effectively carry out the account takeover. To combat account takeover fraud, financial institutions need to screen various non-monetary transactions, specifically those that involve changing customer communications credentials such as mailing address, phone number and email address. By scrutinizing these changes as they happen, banks can thwart potential account takeover attempts. As a simple thought exercise, consider the following questions:
- Why is my customer moving 1,500 miles away to a mail-forwarding facility in a high-crime area?
- Why is my customer changing their phone to a prepaid line whose area code is 100 miles away?
- Why is my customer changing their email address to an email address whose server domain is located in Belarus?
These simple questions have an obvious answer: if you knew these were actual cases associated with a large funds withdrawal, you’d want to make sure the customer and the request were legit.
While extraction of the funds can take days or happen in real-time, financial institutions must design their controls for the fastest case, which is real-time. Years ago, when the predominant account takeover scheme was an address change followed by a card request, the bank had days before the funds left the institution. Given the new and varied paths to commit account takeover, and their increased complexity, it is paramount that you now screen these non-monetary events in real-time.
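The real-time screening described above, as an added example that is not part of the original post: a small event-stream screener that flags any external transfer following an address, phone or email change on the same account within a lookback window, and attaches the pre-change contact value so the bank confirms the request through a channel the fraudster has not yet taken over. The event shape, thresholds and the sample stream are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed values; the lookback and threshold are illustrative, not from any regulation.
CONTACT_CHANGE_TYPES = {"address_change", "phone_change", "email_change"}
HIGH_RISK_AMOUNT = 10_000.0
LOOKBACK = timedelta(hours=72)

def screen_events(events, lookback=LOOKBACK, high_risk_amount=HIGH_RISK_AMOUNT):
    """Process (timestamp, account, event_type, detail) tuples in time order.

    A transfer that follows any contact-information change on the same account
    within `lookback` is flagged regardless of amount; the alert carries the
    *pre-change* contact values to use for out-of-band confirmation. A transfer
    at or above `high_risk_amount` with no preceding change is flagged as an
    ordinary high-value transfer.
    """
    recent = defaultdict(deque)  # account -> deque of (ts, change_type, old_value)
    alerts = []
    for ts, account, etype, detail in sorted(events, key=lambda e: e[0]):
        if etype in CONTACT_CHANGE_TYPES:
            recent[account].append((ts, etype, detail["old"]))
            continue
        if etype != "external_transfer":
            continue
        pending = recent[account]
        while pending and ts - pending[0][0] > lookback:  # expire stale changes
            pending.popleft()
        if pending:
            # Iterate newest-to-oldest so the earliest (most trustworthy) old value wins.
            alerts.append({"account": account, "amount": detail["amount"],
                           "reason": "transfer_after_contact_change",
                           "verify_via": {t: old for _, t, old in reversed(pending)}})
        elif detail["amount"] >= high_risk_amount:
            alerts.append({"account": account, "amount": detail["amount"],
                           "reason": "high_value_transfer", "verify_via": None})
    return alerts

T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_EVENTS = [  # constructed stream, not real customer data
    (T0, "acct-A", "phone_change", {"old": "+1-555-0100", "new": "+1-555-0199"}),
    (T0 + timedelta(hours=2), "acct-A", "external_transfer", {"amount": 40_000.0}),
    (T0 + timedelta(hours=3), "acct-B", "external_transfer", {"amount": 40_000.0}),
    (T0 - timedelta(days=10), "acct-C", "email_change", {"old": "c@example.com", "new": "c@example.net"}),
    (T0 + timedelta(hours=4), "acct-C", "external_transfer", {"amount": 500.0}),
    (T0 + timedelta(hours=5), "acct-D", "external_transfer", {"amount": 200.0}),
]

if __name__ == "__main__":
    for alert in screen_events(SAMPLE_EVENTS):
        print(alert)
```

Account A is flagged because of the phone change two hours earlier, account B only for its amount, and account C is not flagged because its email change falls outside the 72-hour window.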
Going back to the original FACTA language, banks were instructed to take action on certain high-risk events. Specifically, banks needed to screen address changes for the likelihood of identity theft, which all banks are now doing in some fashion. However, there is also a provision stating that if a bank is aware of other observed events indicative of identity theft, it must document in its plan how it is addressing those events. We have spoken with many bankers who recognize that phone changes are a significant leading indicator of account takeover; however, it is rare to find financial institutions that have made this a part of their FACTA plan.
Screening changes to customer contact information is a critical element in a comprehensive enterprise account takeover prevention program – especially these days when it can happen in real-time. Essentially, the speed of fraud prevention and detection must match or exceed the accelerated speed of fraud today.