Account takeover fraud – what are the key drivers, risks, and what can be done to prevent it

Account takeovers are becoming more pervasive, costly, and common. In this blog, we’ll explore the key drivers behind ATO attacks, what makes financial institutions higher risk, and what can be done to prevent attacks before it’s too late.

According to data from Sift, account takeover (ATO) attacks rose a staggering 307% between 2019 and 2021 – with the majority of these attacks stemming from compromised login credentials.

Keyless protects against identity fraud by authenticating the real person with facial recognition biometrics instead of passwords, making it much harder for bad actors to compromise accounts and commit fraud using stolen personal data – we’ll explain how in this article.

What happens during an account takeover attack?

Account takeovers occur when a bad actor gains access to a legitimate online account and performs benign actions, like making changes to a victim’s contact information, ultimately allowing bad actors to steal funds, or transfer the account ownership to themselves or someone else for a payout.

What do account takeovers look like across different industries?

For a bank, an example of a typical account takeover activity might be:

changing the address and phone number on an account and ordering a new credit card to a fraudulent address.

For an e-commerce platform, a typical account takeover might mean:

Logging in and using the victim's pre-saved payment details to make a purchase to a fraudulent address.

The key drivers behind ATO fraud

ATO attacks are being fueled by the sheer volume of compromised credentials and personally identifiable information (PII) available online that enable bad actors to commit identity fraud.

This, along with the accelerated pace of digital transformation, weak security, and legacy mindsets are creating a fertile environment for bad actors looking to exploit account security weaknesses that don’t adequately authenticate a customer's identity during high-risk activities.

Most ATO attacks stem from compromised credentials

Unsurprisingly, the root cause of most ATOs stems from compromised login credentials. Once bad actors have access to these, it’s relatively straightforward to launch further attacks against a victim and their accounts.

According to data, PayPal credentials sell for $161 on average on the dark web.

Passwords are most often compromised using the below attack methods:

Brute force attacks and credential cracking
Phishing attacks
Malware
Man in the Middle attacks
Accidental data leaks

Such attacks can and often do lead to serious financial losses as well as increased stress and frustration for victims – data from Sift shows that 45% of those who experienced an ATO attack had money stolen from them directly.

With switching providers being relatively easy nowadays, it’s important to combat ATO fraud before it has financial consequences for a victim.

Otherwise, brands risk losing customers to competitors with better reputations and more robust account protections in place.

70% would abandon a brand if they fell victim to fraud.

Because of this, removing credentials from the login equation seems like a sure-fire way to strengthen account protection and ensure customer retention.

Yet despite their obvious pitfalls, many websites and apps still use passwords and PINs as primary authentication methods. This is interesting as research shows that cybercriminals are more likely to follow the path of least resistance and move onto easier targets if an account has a more robust authentication in place – like facial recognition.

The growing ATO risk

ATO attacks against the fintech sector soared 850% between Q2 2020 and Q2 2021.

Beyond password insecurity, modern technologies are enabling bad actors to launch more scalable, under-the-radar ATO attacks that are increasingly difficult to detect without the right tools and technology in place.

For example, fraud syndicates are known to use bots to run automated scripts to launch credential stuffing attacks on masse – this is cost-effective for bad actors while posing a significant risk to victims and businesses.

“Fraudsters utilize automation to maximize profits at an inhuman speed. As these fraudsters continue to stockpile stolen account credentials, the potential for damage compounds, leaving businesses and consumers unaware of the true scope of attacks.

This delay in action is precisely why ATO can be so destructive, buying fraudsters valuable time to launch bots and credential stuffing as a means to infiltrate associated accounts and boost their gains.” – Sift

What can be done to prevent ATO fraud

Proper account protection requires a combination of technologies and solutions – but strengthening your first line of defense by replacing passwords with more robust authentication solutions can be the difference between a successful and unsuccessful attack.

By removing passwords from the authentication journey, it’s possible to make your brand immune to ATO attacks stemming from identity fraud and credential theft.

Some of the best means for ATO protection include:

Making multi-factor authentication mandatory (which financial institutions in the UK and Europe must do under PSD2-SCA).
Replacing weak authentication methods like passwords and PINs with strong methods like facial biometrics and device recognition that are much harder to fake or steal.
Having authentication integrated with an end-to-end intelligence engine that can detect high-risk transactions or actions and trigger step-up authentication in real-time.

ATO Protection with Keyless

Keyless helps prevent ATO attacks by authenticating the genuine user instead of a set of login credentials like passwords, PINs, or SMS one-time passwords (OTPs).

We do this by combining facial recognition with device recognition. When a user authenticates with Keyless, our technology ensures in real-time that a genuine user is logging in from a trusted device – leaving little threat surface for bad actors trying to breach an account using stolen or compromised credentials.

Keyless can be used as your first line of defense, or later on during the customer journey when a high-risk action is being taken on an account like changing an address.

Dynamic Step-Up Authentication for High-Risk Transactions

In order to strengthen authentication without hurting customer experience, we need to choose authentication methods that are most appropriate to the level of risk, and that won’t drive away and frustrate genuine customers.

For example, a customer logging in from a recognized device may not need to be authenticated via biometrics to view their balance.

If however, a customer attempts to add a new payee or order a replacement card after changing their address, it makes sense to authenticate that user using something more reliable than passwords or PINs.

Step-up authentication with Keyless

If your fraud solution detects unusual or high-risk activity on an account, Keyless can be dynamically deployed to initiate a seamless step-up authentication flow to ensure it is in fact the genuine account holder attempting the activity.

Our facial recognition technology will quickly detect whether it is a genuine customer (the same person who originally opened the account) or a bad actor – stopping identity fraud in its tracks while offering a seamless authentication flow for genuine users.

Summary

By making it harder to get into a user’s account in the first place, you can dramatically reduce the scope of an ATO attack.

The threat of ATOs is real. Identity fraud is becoming more sophisticated and pervasive. Without the right tools and solutions in place, ATOs attacks can lead to immense frustration and financial losses for customers – damaging brand reputation and hurting customer retention.

Luckily, the majority of ATO threats can be prevented simply by replacing passwords, PINs, and OTPs with more robust authentication methods like facial recognition.

Doing this can stop customers from falling victim to fraud caused by ATO attacks, while also offering seamless authentication journeys for genuine users. In other words, the key to stopping ATO threats is to change how we authenticate users.