Preventing Account Takeover Fraud
8 August 2024

Account takeover (ATO) fraud is an increasingly common and damaging threat in the banking, finance, and fintech industries. Even biometric authentication methods once considered secure are now being targeted by fraudsters. According to Onfido's Identity Fraud Report 2024, biometric fraud rates doubled between 2022 and 2023, which is why countermeasures such as liveness detection are needed to keep pace with evolving fraud tactics.

AI and cheap computing make it easier for cybercriminals to automate credential stuffing, data mining, phishing, and social engineering at scale. If you want to learn how your organization can protect itself and its customers against account takeover fraud, this article is for you.

In this article, we will walk you through how ATO fraud happens, its impact, and how you can use cutting-edge security solutions provided by Keyless to protect your company. Let’s start with the account takeover definition and how it happens. 

What is Account Takeover?

Account takeover is a type of cybersecurity threat where attackers gain unauthorized access to a user's account. Access to user accounts is often gained through stolen credentials or exploiting security vulnerabilities in the system. After gaining access, attackers can perform various fraudulent activities, such as transferring funds, making unauthorized purchases, or extracting sensitive information. ATO attacks can affect various types of accounts, including banking, email, social media, e-commerce, and more.

The 2019 Capital One breach is often cited alongside ATO attacks and shows what credential misuse costs. It did not begin with stolen customer passwords: the attacker exploited a misconfigured web application firewall to obtain the credentials of an over-privileged cloud role, then used those credentials to read and exfiltrate data on more than 100 million customers and credit card applicants. The mechanism is the one behind every ATO, valid credentials in the wrong hands, and the consequences were severe: an $80 million regulatory fine and a $190 million class-action settlement, on top of the reputational damage.

Overall, account takeover attacks have a huge financial impact on the affected organizations and their customers. The 2024 AARP & Javelin Fraud Study found that account takeover fraud caused over $13 billion in losses in 2023, up from $11 billion in 2022. Beyond the direct losses, these attacks also damage the reputation of the affected organizations.

How Account Takeovers Happen

Before diving into the solutions to account takeover fraud, it is important to first understand how these attacks are executed. So, let’s discuss the common methods that enable account takeover fraud:

  • Phishing: Attackers craft deceptive emails, websites, or messages that trick users into revealing their login credentials. For instance, an email that appears to come from the victim's manager may pressure them into handing over the information it requests. Credentials typed into the fake page or sent in reply are captured by the attackers, who then use them to log in as the victim. Modern phishing kits also proxy the genuine login page in real time, which lets them capture one-time codes as well as passwords.

  • Credential Stuffing: Attackers use automated tools such as Sentry MBA to replay large volumes of username and password pairs, usually harvested from earlier data breaches, against many different sites. Anyone who reuses the same credentials across services is exposed, as is anyone who does not change a password after the service it was used on is breached. Because the tool logs in with correct credentials, a successful attempt looks like a normal login unless you watch for the surrounding pattern: one source trying many distinct usernames with a high failure rate.

  • Social Engineering: Attackers impersonate customer support, a colleague, or a bank, or send urgent-sounding messages, to persuade users to hand over their credentials or approve an authentication prompt. Once the victim complies, the attackers use the access to carry out fraudulent transactions.

Account Takeover Fraud Prevention

Now that we are familiar with ATO fraud, let's walk through some effective prevention strategies you can use to protect your organization and its users from becoming the next victim.

Multi-Factor Authentication (MFA)

MFA is one of the most effective ways to prevent ATO attacks, because an attacker who holds the password still has to clear a second hurdle before reaching the account. With MFA, a user must present something beyond a username and password. Common methods include SMS and email codes, authenticator apps, biometric verification, and passkeys. These are not equally strong: any code the user can read and type, whether it arrives by SMS, email, or an authenticator app, can be captured and relayed in real time by a phishing proxy, so it raises the bar without being phishing resistant. Phishing-resistant methods bind the response to the genuine site and to the user's device, as passkeys (FIDO2/WebAuthn) and device-bound biometric authenticators do. More about these later.

Behavioral Analytics and Monitoring

Organizations can use AI and machine learning to detect unusual activity in their systems. By analyzing user behavior patterns, these technologies identify anomalies that may indicate an account takeover attempt: a login from an unusual location or device, two logins too far apart to be reached in the elapsed time, or a burst of failed logins from one source against many accounts. The system can then flag the activity or require MFA before proceeding. Early detection helps prevent attacks or minimize their impact by enabling a quick response to potential threats.
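The following is an added example, not code from Keyless or from this article, showing two of the detections just described run over a constructed login log: impossible travel between consecutive successful logins of one user, and the credential-stuffing pattern from the previous section (one source IP trying many distinct usernames with mostly failures, plus any accounts it did get into). The log format, the 900 km/h travel ceiling and the stuffing thresholds are assumptions for the example.

```python
"""Score login events for ATO signals (added example; not Keyless code)."""
import json
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log in JSON lines. IPs are from documentation ranges and
# coordinates are rough city centroids; none of this is real traffic.
SAMPLE_LOG = """\
{"ts":"2024-08-01T09:00:00Z","user":"alice","ip":"203.0.113.7","country":"GB","lat":51.5,"lon":-0.1,"ok":true}
{"ts":"2024-08-01T09:40:00Z","user":"alice","ip":"198.51.100.9","country":"SG","lat":1.3,"lon":103.8,"ok":true}
{"ts":"2024-08-01T10:00:00Z","user":"bob","ip":"192.0.2.5","country":"US","lat":40.7,"lon":-74.0,"ok":false}
{"ts":"2024-08-01T10:00:01Z","user":"carol","ip":"192.0.2.5","country":"US","lat":40.7,"lon":-74.0,"ok":false}
{"ts":"2024-08-01T10:00:02Z","user":"dave","ip":"192.0.2.5","country":"US","lat":40.7,"lon":-74.0,"ok":false}
{"ts":"2024-08-01T10:00:03Z","user":"erin","ip":"192.0.2.5","country":"US","lat":40.7,"lon":-74.0,"ok":false}
{"ts":"2024-08-01T10:00:04Z","user":"grace","ip":"192.0.2.5","country":"US","lat":40.7,"lon":-74.0,"ok":false}
{"ts":"2024-08-01T10:00:05Z","user":"frank","ip":"192.0.2.5","country":"US","lat":40.7,"lon":-74.0,"ok":true}
{"ts":"2024-08-01T11:00:00Z","user":"bob","ip":"192.0.2.44","country":"US","lat":40.7,"lon":-74.0,"ok":true}
"""


def parse_events(text):
    """Parse JSON-lines login events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful logins of one user whose implied speed
    exceeds max_kmh (an assumed airliner ceiling); a session hijacked or
    replayed from a second location shows up here."""
    alerts, last = [], {}
    for e in events:
        if not e["ok"]:
            continue  # failed attempts carry no location evidence for the user
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_kmh:
                alerts.append({"rule": "impossible_travel", "user": e["user"],
                               "km": round(km), "hours": round(hours, 2),
                               "action": "require_mfa"})
        last[e["user"]] = e
    return alerts


def detect_credential_stuffing(events, min_users=5, min_fail_rate=0.8):
    """Flag source IPs that try many distinct usernames with mostly failures
    (assumed thresholds), and list the accounts they did get into: those are
    the reused passwords that now need a forced reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, tries in by_ip.items():
        users = {e["user"] for e in tries}
        fails = sum(1 for e in tries if not e["ok"])
        if len(users) >= min_users and fails / len(tries) >= min_fail_rate:
            alerts.append({"rule": "credential_stuffing", "ip": ip,
                           "users_tried": len(users),
                           "fail_rate": round(fails / len(tries), 2),
                           "compromised": sorted(e["user"] for e in tries if e["ok"]),
                           "action": "block_ip_and_reset"})
    return alerts


def analyse(text):
    """Run both detectors over a log and return the combined alert list."""
    events = parse_events(text)
    return detect_impossible_travel(events) + detect_credential_stuffing(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises two alerts: alice's London-to-Singapore hop in 40 minutes, and 192.0.2.5 trying six usernames with five failures and one success, which marks frank's account as the one whose reused password worked. In production the thresholds are tuned per population, and the response (step-up MFA for the user, rate limiting or blocking for the source) is wired to these rule names.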

User Education and Awareness

Even with all the security tools and technologies in place, user education and awareness remain one of the most important strategies for preventing account takeover fraud. Organizations need to educate their internal users and customers about the risks associated with ATO and what they should do to avoid being victims of these attacks. Having an educated user base makes it harder for attackers to execute threat activities like phishing and social engineering. 

Keyless as a Solution for ATO Prevention

Using MFA methods like biometrics can effectively prevent ATO attacks by adding an extra layer of security. However, some of these methods are inconvenient, expensive, or raise user privacy concerns because they involve collecting and storing sensitive personal data. This is where Keyless authentication solutions come in. Let's explore how Keyless authentication can prevent ATO attacks without compromising user experience or privacy.

Keyless Biometric Authentication

Keyless uses proprietary facial biometrics that can be used on any device with a front-facing 720p camera. Our facial recognition technology involves capturing and analyzing the unique features of a user's face and then creating a mathematical representation of their facial characteristics for authentication. 

The facial biometrics pipeline includes liveness checks, face detection, and face recognition to ensure a high level of accuracy and security. Keyless’ biometrics are also certified to FIDO Alliance’s biometrics standards, which gives an extra layer of assurance regarding the reliability and security of our biometric authentication methods.

To protect user privacy, Keyless processes biometric data with secure multi-party computation (MPC). In MPC, several parties jointly compute a function over their inputs without any party learning the others' inputs; applied to biometrics, the template is split into shares held by separate parties, and matching is carried out on the shares. In practice this means that neither the cloud service provider nor Keyless can access a user's raw biometric data.
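To make the MPC idea concrete, here is an added example in Python; it is not Keyless' protocol or code, and it assumes a textbook two-party scheme (additive secret sharing over a prime field with trusted-dealer squaring pairs, the squaring variant of Beaver triples), a quantised integer template, and squared Euclidean distance as the matcher. Each server holds one uniformly random share of the template and of the probe, the only value ever opened during matching is a masked difference that is independent of the real data, and the two servers learn nothing but the final distance.

```python
"""Two-party MPC template matching (added example; not Keyless' protocol)."""
import secrets

P = (1 << 61) - 1  # Mersenne prime; all arithmetic is in Z_p (assumed field)


def share(x):
    """Split x into two additive shares; each share alone is uniformly random."""
    s0 = secrets.randbelow(P)
    return s0, (x - s0) % P


def share_vec(v):
    """Share every coordinate of a vector; returns (server0 shares, server1 shares)."""
    pairs = [share(x) for x in v]
    return [a for a, _ in pairs], [b for _, b in pairs]


def square_pair():
    """Trusted-dealer correlated randomness: shares of (a, a^2). Assumption:
    a real deployment produces these in a preprocessing phase (e.g. with
    oblivious transfer or homomorphic encryption) rather than from a dealer."""
    a = secrets.randbelow(P)
    a0, a1 = share(a)
    s0, s1 = share(a * a % P)
    return (a0, s0), (a1, s1)


def enrol(template):
    """Device-side enrolment: the quantised template is split so that server 0
    and server 1 each store one share and neither ever sees the template."""
    return share_vec(template)


def secure_sq_distance(t0, t1, q0, q1):
    """Both servers jointly compute sum_i (t_i - q_i)^2 from shares only.
    Subtraction is local; squaring a shared d uses one (a, a^2) pair:
    open e = d - a, then d^2 = a^2 + 2*e*a + e^2 computed on shares."""
    acc0 = acc1 = 0
    for i in range(len(t0)):
        (a0, s0), (a1, s1) = square_pair()
        d0 = (t0[i] - q0[i]) % P          # server 0's share of d_i
        d1 = (t1[i] - q1[i]) % P          # server 1's share of d_i
        e = (d0 - a0 + d1 - a1) % P       # opened value: d_i masked by random a
        acc0 = (acc0 + s0 + 2 * e * a0 + e * e) % P   # only one party adds e^2
        acc1 = (acc1 + s1 + 2 * e * a1) % P
    return (acc0 + acc1) % P              # only the final distance is opened


def plain_sq_distance(t, q):
    """Reference computation on the raw vectors, for comparison only."""
    return sum((x - y) ** 2 for x, y in zip(t, q))


def authenticate(stored_shares, probe, threshold):
    """Share the fresh probe, match on shares, accept if within threshold."""
    q0, q1 = share_vec(probe)
    dist = secure_sq_distance(stored_shares[0], stored_shares[1], q0, q1)
    return dist <= threshold, dist


if __name__ == "__main__":
    template = [3, -2, 7, 0, 5]                    # constructed toy template
    stored = enrol(template)
    print("genuine:", authenticate(stored, [3, -1, 7, 1, 5], threshold=10))
    print("impostor:", authenticate(stored, [0, 0, 0, 0, 0], threshold=10))
```

The decision threshold and the field are assumptions; the security property to take away is structural: a server that is compromised on its own holds only random-looking shares, so a breach of one party does not leak templates, and a real protocol would additionally hide the exact distance behind a shared comparison so that only the accept/reject bit is revealed.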

Multi-Factor Authentication (MFA)

Traditional multi-factor authentication (MFA) methods such as SMS and email one-time passwords (OTPs) have well-known weaknesses: the codes can be phished and relayed in real time, and SMS delivery can be hijacked. Attackers exploit these to take over accounts that had MFA enabled. That is why some organizations have moved to more secure methods such as hardware tokens. Hardware tokens are very secure, but they are expensive to issue and replace and inconvenient for users. Keyless addresses both problems with an MFA solution that is secure, convenient, and cost-efficient.

We offer a modern solution by providing strong passwordless MFA through a simple selfie combined with device authentication. Unlike traditional methods that rely on shared secrets or hardware sensors, our technology verifies a user’s identity without requiring the use of local biometrics hardware like FaceID. Instead, we use passive liveness detection and independent verification of the user’s device and facial biometrics. This method ensures that both authentication factors are distinct and effective, without relying on device-specific hardware or sensors.

That means even users who don’t have access to expensive devices with sophisticated Face ID technology can still use our facial recognition solutions without compromising their security. By combining device and facial recognition in a single action, Keyless reduces the friction associated with traditional MFA methods and eliminates the need for costly MFA methods like hardware tokens.
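The reason device-bound authentication resists phishing while a code does not, as claimed in the MFA sections above, is that the device's response is bound to a server-issued challenge and to the origin the client actually connected to. The following added example (not Keyless code) plays out four scenarios against a toy relying party: a genuine login, a replayed response, a proxied login through a phishing domain, and a relayed TOTP code. It assumes an HMAC with a per-device key in place of the asymmetric key pair a real authenticator holds, because that keeps the example on the standard library; the origin-binding logic is the same either way.

```python
"""Origin-bound device assertion vs. relayable OTP (added example)."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP (RFC 6238) is HOTP with counter = unix_time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class Device:
    """The user's phone. Its key never leaves it. Assumption: HMAC stands in
    for the asymmetric key pair a FIDO-style authenticator would use."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def assert_login(self, challenge: bytes, origin: str) -> bytes:
        # The browser/app supplies the origin it really talked to and the
        # device binds its response to it; this is the phishing-resistant step.
        return hmac.new(self.key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    """Toy server for one origin with device keys, OTP seeds and pending challenges."""

    def __init__(self, origin: str):
        self.origin = origin
        self.device_keys, self.otp_seeds, self.pending = {}, {}, {}

    def register(self, user: str, device: Device, otp_seed: bytes):
        self.device_keys[user] = device.key   # assumption: key provisioned at enrolment
        self.otp_seeds[user] = otp_seed

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(32)
        self.pending[user] = c                # one outstanding challenge per user
        return c

    def verify_assertion(self, user: str, challenge: bytes, mac: bytes) -> bool:
        if self.pending.pop(user, None) != challenge:
            return False                      # unknown, expired or already used
        expected = hmac.new(self.device_keys[user],
                            challenge + b"|" + self.origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, mac)   # fails if client saw another origin

    def verify_otp(self, user: str, code: str, now: int) -> bool:
        return hmac.compare_digest(code, hotp(self.otp_seeds[user], now // 30))


def run_scenarios():
    """Return the outcome of each attack scenario (constructed inputs)."""
    rp, phone, seed = RelyingParty("https://bank.example"), Device(), secrets.token_bytes(20)
    rp.register("alice", phone, seed)
    now = 1_722_500_000                       # fixed clock for determinism

    # 1. Genuine login: device signs the server's challenge for the real origin.
    c = rp.challenge("alice")
    legit = rp.verify_assertion("alice", c, phone.assert_login(c, rp.origin))
    # 2. Replaying the same response fails: the challenge was consumed.
    replay = rp.verify_assertion("alice", c, phone.assert_login(c, rp.origin))
    # 3. Adversary-in-the-middle relays a genuine challenge via phish.example;
    #    the device binds its response to the phishing origin, so it fails.
    c = rp.challenge("alice")
    phished = rp.verify_assertion("alice", c, phone.assert_login(c, "https://phish.example"))
    # 4. The same proxy relaying a six-digit code typed on the fake page succeeds.
    relayed_otp = rp.verify_otp("alice", hotp(seed, now // 30), now)
    return {"legit": legit, "replay": replay,
            "phished_device_assertion": phished, "relayed_otp": relayed_otp}


if __name__ == "__main__":
    print(run_scenarios())
```

Scenarios 3 and 4 are the whole argument: the proxy can forward bytes, but it cannot make the user's device vouch for the bank's origin, whereas a code has no notion of where it was typed.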

Key Takeaway

Account takeover fraud is a growing concern, with cybercriminals using increasingly sophisticated tactics that unsuspecting users find hard to detect. To counter them, organizations must implement robust security measures. Multi-factor authentication is essential, and it should use phishing-resistant, device-bound methods such as passkeys and biometric authenticators rather than codes that can be relayed. Behavioral analytics and user education are also crucial components of a comprehensive defense.

Keyless offers innovative solutions, including advanced biometric authentication with privacy safeguards, continuous authentication to prove user identity, and modern MFA for enhanced security. By combining these strategies, organizations can significantly reduce the risk of ATO fraud and protect both their business and their customers. 

You can reach out to our support team if you have any questions regarding how to integrate our account takeover fraud solutions into your system. 

Get In Touch

Find out how our private-by-design MFA can help your organization prevent ATOs, improve UX, and protect your bottom line.