Online banking has helped both accountholders and financial institutions communicate more efficiently, but it has also had a negative impact on fraud detection and prevention. With more account management tasks and transactions taking place online, the opportunity for fraudsters to impersonate legitimate customers
has grown exponentially.
With so many new technologies available to predict and prevent fraud, why is account takeover still on the rise? Simply put, fraudsters always take the easiest and most profitable path. If a financial institution puts controls in place to close one vulnerability, then the fraudsters will try and get past it. If bypassing the new control proves more difficult or not cost-effective, then they tend to migrate to other schemes. For example, implementation of EMV chips for U.S. credit and debit cards helped diminish point-of-sale fraud. Fraudsters simply moved on to ATO and new account fraud, aided by data breaches. Online banking is a lucrative channel for criminals as tighter controls eliminate or complicate other options.
Once a criminal obtains access to – and control of – an online account, complete account takeover (ATO) is imminent. How can banks distinguish legitimate customers from fraudsters before they gain control of an account? First, it’s important to understand how an online ATO scam works. We’ll also share a real-world example to help illustrate the strategy behind the scam.
Step One: Obtain Stolen Information
This is perhaps the easiest part of the scam, since millions of identities – including SSNs, DOBs, addresses, phone numbers and email addresses – have already been exposed by high-profile data breaches. Particularly troubling is the availability of “fullz” – complete sets of identity information – on the dark web. In our example fraud scenario, the perpetrator obtains the stolen information and credentials required to establish online banking as if he were the real customer.
According to a 2017 article, a typical fullz record sells for just $30, making it highly affordable and cost-effective for fraudsters. If criminals purchase 100 fullz for $3,000, they only need to be successful with just three out of those 100 identities to make a profit. According to Javelin Research, the mean fraud amount per victim is just over $1,000. It’s a numbers game for fraudsters – if a fullz identity lacks certain criteria (high credit score, no credit monitoring, etc.) then it’s easy for them to write off less-than-ideal fullz records
while profiting off only the most vulnerable identities.
Step Two: Change Contact Information
Once the fraudster has a full set of contact, identity and user login credentials (often obtained by other fraudulent means) for the victim’s account, they log in and change the mailing address, phone number and other contact details. This ensures that any fraud alerts, wire transfer authorizations or direct communications from the financial institution go straight to the fraudster. The goal at this stage is for the criminal to get between the legitimate customer and the bank. In our example, the fraudster requests checks from the victims’ home equity line of credit. The bank sends a text message to the fraudster, who verifies the request and confirms the address change.
This is a point at which the financial institution could have caught the fraudster – a comparison of the addresses could have flagged the address change as out-of-pattern behavior. The legitimate customer lives in a large executive home in Scottsdale, AZ but the address change shows the customer moving to a rented mailbox storefront in Northridge, CA. Taken at face value, the change looks legitimate, but after further analysis, more suspicions arise. Not every customer information change can be verified manually, but an automated solution using multiple sources of data could have helped detect account takeover fraud in the making.
Step Three: Cash Out
Now that the fraudster has successfully impersonated the customer, the payoff begins. In our example, the bank mails home equity line checks to the new address (the rented mailbox) after confirming the address change with who they thought was the legitimate customer. The fraudster then cashes in more than $250,000 worth of checks before the bank catches on to the scam, while the perpetrator moves along to the next opportunity.
Detection and Prevention
Preventative measures that take an automated and predictive approach to detection, including monitoring for non-monetary transactions, are one way to curb account takeover fraud. With some large financial institutions investing heavily in processes and solutions to stop both ATO and new account fraud, organized fraud rings will begin targeting organizations that have not shored up their defenses. The criminals will quickly find the most vulnerable mark and – like a wild animal stalking its prey – will persist until their goals are met.
The entire financial services industry – especially smaller banks, community banks and credit unions – must take note of the rise in ATO fraud and begin plugging holes in their fraud defenses. Online banking is rapidly becoming the path of least resistance for fraudsters, and while better controls will not eliminate fraud completely, they will make the cost and effort involved too rich for criminals that are seeking an easy score.
Learn more about how to prevent account takeover fraud.
Wow! On January 3 of this year, ID Insight celebrated its 15-year anniversary. Fifteen years ago, identity theft was not quite front-page news, the U.S. had not yet invaded Iraq and President Bush was just completing his second year in office.
I was in my mid-thirties and embarking on a journey that I could never have imagined. Through the first 13 years of my career, I followed the corporate route, progressing from a computer programmer to a data scientist (before we called it that) to running an information-based analytics business. While I enjoyed that period of my career, by 2002 I was ready for a change. I had always wanted to start my own business and the need to scratch that entrepreneurial itch was growing. I didn’t realize how badly I wanted to scratch that itch.
People told me I was crazy; in hindsight, I think they were right.
Over the next few weeks and months, an idea took shape: creating a fraud detection engine that could stop identity theft in its tracks. On January 3, 2003, ID Insight incorporated with a few bucks in the bank and an optimism that we were on to the right thing.
During the next two years, it was the proverbial “two guys in a garage,” building ID Insight by day and consulting by night, all the while trying to convince somebody, anybody to buy the solution we were selling. We had a blueprint for how to build the engine, but the engine was just that – a blueprint.
Those early days were both exciting and maddening – extreme optimism countered with a realization that I still had to pay the bills. I had never felt that vulnerable and exposed – yet never so excited and happy with my work life.
Whether it was divine intervention or just persistence, we finally got a prospective customer to say “yes” in late 2005. They bought our blueprint! While this was terribly exciting, they said it needed to be up and running in six weeks. We had no idea how to do that, nor did we have the money to do it. Thankfully, with help from our technology partners and sacrifices from all of us, we pulled it together and somehow brought our first satisfied customer aboard.
This created a new problem. Now that we had our first large customer, we needed capital to build a data center. Never having raised capital before, I remember asking people “how do you raise money.” The response I got was “just start calling everyone you know.” Over the next few weeks and months, we had raised enough capital to fund the data center expense as well as hire our first employees.
Things progressed, albeit slowly, until 2007 when the FACTA Red Flag mandate was finally published. The new FACTA regulations required financial institutions to screen address changes and new account address discrepancies for the likelihood of identity theft. That was it! This is what we had invented; this was our patent. Our special sauce. With this news that our solution would be mandated by November 1, 2008, the window was now wide open.
We needed to get the word on the street. ID Insight was the company that invented the technology to optimize the screening of address changes and address discrepancies. To do this, we would have to raise capital again. We went back to the well and raised a second round of capital. Per our plan, we quickly built the team to run for the finish line. The only problem was (hindsight 20/20) we only had 12 months to do it. So we began to sprint.
Over those next 12 months, we went from a handful of clients to over 300. While we were happy to add all of these clients, they were mostly smaller institutions that did not generate a lot of volume. I vividly remember November 1, 2008 – two things happened almost simultaneously around that date. First – all financial institutions had carved out their FACTA plans and on that day – our sales “flat-lined” as all financial institutions had made their plans. Second – there was this pesky thing called the “economic collapse.” I remember calling on prospective customers only to be told “Adam – we will be lucky to have the doors open at the bank over the next few months.”
By 2010, this “never say die” attitude and culture resulted in establishing our base. We had become a battle-tested group of fighters that believed they could withstand any storm and anything thrown their way. We had pulled every rabbit out of every hat. We had created new ideas that brought in revenue. And now, financial institutions were coming out of the economic collapse of 2007-2008. They were spending money again and realizing that our solutions were needed to stamp out identity theft.
Over the next seven years, we began to grow and expand our solutions and customer base. Suddenly, we were finding success in other markets such as e-commerce, health care and mortgages. Today, we are serving more than 2,500 customers and recognized as a leader in identity theft detections solutions – especially in the retail banking industry. We serve customers ranging from the top five banks in the country to one-branch credit unions in some of the smallest towns in America.
What I am most proud of is our employees, our shareholders and our board members. While we faced our share of adversity over the years, no one ever lost hope and never stopped believing. We never gave up. We all hung in there and kept on fighting. We are still innovating and still fighting!
I do believe in the adage that “what doesn’t kill you makes you stronger.” That persistence and the culture that has emerged continues to impress me. It makes me realize how fortunate we all are to have been a part of this great experiment.
As Ralph Waldo Emerson once famously said “it’s not about the destination – it’s about the journey.” And what a journey it’s been – here’s to the next 15 years!
The energy of innovation crackled throughout the WeWork co-working space at Capella Tower last night as ID Insight joined 49 other Twin Cities companies being recognized for high growth in AmericanInno’s inaugural 50 on Fire awards.
50 on Fire recognizes companies, organizations and people having a banner year across a variety of categories, including technology, agriculture, civic engagement and more. ID Insight’s year included business growth, new product development, staff expansion and multiple awards and honors, including a Eureka! Award for Innovation from the Minneapolis/St. Paul Business Journal.
The Twin Cities is home to hundreds of hard-working startups and technology companies. Being recognized as one of the most innovative is a testament to ID Insight’s never-ending pursuit of new technology solutions to help banks prevent fraud. We’re proud of the recognition, but even more proud of our customers who challenge us every day to solve their most pressing problems.
Here’s to another year of incendiary innovation!