Account-takeover (ATO) fraud is an identity theft strategy whereby a bad actor obtains the legitimate details of a person’s online account and uses it, impersonating that person, often to make credit card transactions or to transfer money under false pretenses.
Obviously, every business wants to guard against account-takeover fraud.
In the past, an account-takeover scenario could be prevented by assessing identity risk when the user opened his or her account. Identity risk was confined to a single event, and exposure to financial loss was limited. A criminal might spend the credit available on a fraudulently opened retail card or make bad deposits into a bank account and then spend the deposited amount before it was returned — but the damage was minimal.
However, what worked yesterday won’t work today. Once confidence in a consumer’s identity is established, risk moves away from identity fraud toward transaction-oriented fraud. A card or checkbook might be stolen, but the consumer’s identity wasn’t considered a factor subject to compromise. Today, with digital commerce, the individual’s identity and online credentials are the primary means of accessing deposits, borrowing money, and making purchases. Consumer identity is now a vulnerability. Criminals don’t need to steal a debit card if they can log on to an account and transfer funds.
The world has moved from single transaction fraud to identity-centric fraud — and the damage is far from minimal. In fact, existing non-card fraud affected more than twice as many consumers in 2017 as in 2016, increasing at a record high incidence rate of 2.52%.
In 2017, there was $5.8 billion of existing non-card fraud.
Personal information is now at risk
Historically, there was some level of secrecy around our personal information. Not just the details that make up our identities — addresses, Social Security numbers, email addresses, phone numbers, etc. — but where we bank, where we borrow, where we shop, what we like, and who we’re connected to.
However, mass data compromises have exposed much of our personal information many times over. For many, their complete identities are known — with online activities monitored and mined. The places where our identities are relevant — as customers, depositors, borrowers, investors, friends and family — may be accessible.
In 2017, 61.1 million people learned that were victims of breach or fraud.
Criminals don’t need to steal every detail of information for data theft to be useful. A vast network of hackers and thieves collaborate to buy, sell and share personally identifiable information which becomes powerful when combined.
In 2016, 4.2 billion personal records were fraudulently breached – more than four times the previous record.
Below the surface of the visible web (the internet as we know it), there lies an unindexed “dark web” which hosts 95 percent of the content and an enormous amount of data that keeps illicit activities thriving.
Currently evolving account-takeover (ATO) fraud schemes
1. Cross-account takeover
This happens when fraudsters take over someone’s account with a financial institution, and elsewhere, such as via a mobile phone or email account, they are able to steal funds from those compromised accounts even in the face of sophisticated anti-fraud solutions. It’s a huge problem. In 2017, fraudsters increased their cross-account takeover efforts, leading to nearly three times as many consumers being affected by ATO in 2017 than the previous year. Losses grew to $5.1 billion, a 120% increase from the previous year.
2. Intermediary new-account fraud
The most significant shift in fraudulent tactics during 2017 was the growth of intermediary new-account fraud. This happens when criminals monetize a compromised existing account by opening one or more fraudulent accounts to take money from the victim. In 2017, the prevalence of intermediary new-account fraud rose abruptly, reaching 1.5 million victims—more than 2.5 times the previous peak of half a million victims in 2015.
Security is a continuing proposition
Controlling identity risk is no longer a one-time event. One right decision doesn’t ensure that your organization and customers are protected.
Identity risk accumulates through small, seemingly benign activities — a call center interaction that adds a new account holder, a change of a phone number or other contact information, a phishing email that collects one more piece of the puzzle. While you are looking for one big, verifiable fraud event, criminals take over accounts through a slow drip of details.
Account-takeover fraud is a long game enabled by technology and known to criminals worldwide. You can’t assume that every presentation of an identity and credentials to access an account is being initiated by the identity’s owner.
At the same time, authentication can’t be overly disruptive to the customer experience. Compounding the issue is the fact that so many of the risk drivers, such as mass data compromise, overexposed data on social media, reused passwords, poor data security, and social engineering, lie outside of your customers’ control.
This is what identity risk management in existing accounts has become. The risk doesn’t end after an account is opened. It’s just beginning. Just like the customer relationship.
The better you know your customer, the better you can stop fraud.
A layered, proactive, and passive fraud prevention and identification program can provide constant monitoring of customer interactions. It can also reduce false positive rates and allow you to truly get to know your customers’ digital identities.
This whitepaper by Experian offers beneficial information on how to protect non-credit card customer data and address risk involved with the collection and transfer of data, all without interrupting the customer experience. Getting to know the digital identities of customers can help to reduce false positive rates and ensure proactive identification and appropriate fraud prevention functions are in place.