Stolen and manipulated user identities are powering account takeover (ATO) attacks that have become a huge challenge for businesses across industries and geographies. To fight the growing menace of ATO, businesses must ascertain the true identity of incoming users with robust identity verification solutions.
Digital identities are a hot commodity in today’s digital-first economy – businesses use them to personalize their offerings, while bad actors steal them for illicit monetary gain. Ultimately, it is consumers who suffer the consequences: stolen or manipulated identities and disruption to their digital lives.
An account takeover attack involves three key steps. The first is credential harvesting, where fraudsters collate consumers’ personal information. This is followed by account validation, where fraudsters test the stolen information to find valid username-password combinations. The third and final step is the account takeover itself, where these valid combinations are used to break into genuine user accounts.
Fraudsters also rely on several other activities to launch account takeover attacks, namely creating synthetic identities, phishing, data exfiltration, deepfakes, SIM swaps, business email compromise, intercepting SMS OTPs and using malware.
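The "account validation" step leaves a recognizable footprint in authentication logs: one source tries many distinct usernames with a low success ratio, while a legitimate user who forgot a password fails a few times on a single account. The detector below is an added example (not Caf’s code) that runs over a constructed log sample in an assumed line format and separates the two cases; the successes from a flagged source are the accounts now at takeover risk.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not from the original page).
# Assumed format: "<timestamp> src=<ip> user=<name> result=<success|failure>"
SAMPLE_LOG = """\
2023-03-01T10:00:01Z src=198.51.100.7 user=alice result=failure
2023-03-01T10:00:02Z src=198.51.100.7 user=bob result=failure
2023-03-01T10:00:02Z src=198.51.100.7 user=carol result=failure
2023-03-01T10:00:03Z src=198.51.100.7 user=dave result=success
2023-03-01T10:00:03Z src=198.51.100.7 user=erin result=failure
2023-03-01T10:00:04Z src=198.51.100.7 user=frank result=failure
2023-03-01T10:00:09Z src=203.0.113.5 user=alice result=failure
2023-03-01T10:00:15Z src=203.0.113.5 user=alice result=failure
2023-03-01T10:00:40Z src=203.0.113.5 user=alice result=success
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(success|failure)")

def parse(log_text):
    """Yield (src_ip, user, succeeded) tuples from the constructed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "success"

def find_validation_sources(log_text, min_users=5, max_success_ratio=0.25):
    """Return {src_ip: stats} for sources matching the account-validation
    pattern: many distinct usernames tried from one source with a low
    success ratio. One user failing a few times then succeeding is not flagged."""
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for src, user, ok in parse(log_text):
        s = per_src[src]
        s["users"].add(user)
        s["attempts"] += 1
        s["successes"] += int(ok)
    flagged = {}
    for src, s in per_src.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "attempts": s["attempts"],
                            "success_ratio": round(ratio, 2)}
    return flagged

def compromised_accounts(log_text, **kw):
    """Usernames that logged in successfully from a flagged source (takeover risk)."""
    flagged = find_validation_sources(log_text, **kw)
    return sorted({u for src, u, ok in parse(log_text) if ok and src in flagged})
```

In production the same aggregation would run per time window and key on device fingerprint or ASN as well as IP, since distributed botnets spread attempts across many addresses.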
Factors contributing to the rise in account takeover attacks
Low barriers to entry and easy access to commoditized tools are enabling even amateur fraudsters to launch account takeover attacks. Some of the other reasons behind the spike in account takeover attacks are:
- Data breaches: Frequent data breaches provide bad actors with large volumes of fresh user data, which allows them to harvest new valid username-password combinations and keep fueling account takeover attacks. It is estimated that in 2022, the average cost of a data breach was US$4.35 million.
- Rise of digital banking and eCommerce: As more and more consumers use digital banking services and make digital payments for online shopping, the attack vectors have multiplied, providing fraudsters with numerous opportunities to target users’ digital accounts.
- Use of mobile devices: Mobile devices are fast replacing desktops and laptops as the preferred device for accessing digital services and products. They provide users with the convenience of anytime, anywhere access to digital platforms. However, mobile phones tend to have weaker security and run the risk of being stolen or lost. A bad actor can easily obtain personal information stored on a stolen device and use it to power criminal activities.
- Recycling and repurposing passwords: To avoid the hassle of creating and remembering unique passwords for an ever-growing number of digital accounts, many users create easy-to-crack passwords or use the same username-password combination across accounts. If these credentials get stolen, fraudsters can easily access all the associated accounts. It is estimated that more than 24 billion user credentials were circulating on the dark web in 2021. Further, nearly 6.7 billion of the credentials on the dark web were unique username-password combinations with no duplicates across databases.
- Easy access to tools and expertise: Fraudsters receive extensive support from a full-fledged cybercrime ecosystem, where stolen user data, attack toolkits, 24x7 support, evasion techniques, fraud expertise, and the ability to outsource crime are easily available.
- Automation: Cybercriminals are tech-savvy and extensively use automation to scale up their attacks. Again, they can tap into the cybercrime ecosystem to find botnets and scale up attacks easily and cheaply.
- Social engineering: Fraudsters have evolved their social engineering skills to earn the trust of unsuspecting victims before extracting their personal and financial information. Seasoned cybercriminals are ready to invest more time in launching attacks when the monetization potential is higher, as in the case of financial accounts.
- Subpar anti-fraud solutions: Traditional approaches and legacy solutions fall well short in fighting account takeover fraud. Instead, they add to overall operational costs, introduce unnecessary friction and delay the approval process.
Account takeover attacks affect all industries
Fraudsters use stolen consumer information and combine it with automation to launch account takeover attacks at scale, which increases their ROI. Compromised accounts – especially banking, fintech, crypto and gaming – promise greater returns owing to the value attached to them. However, account takeover is a growing challenge for businesses across industries as described below:
- Financial services: Fraudsters use social engineering to elicit financial information from users since email IDs are generally not used as the username for financial accounts. Monetary gain is not the only motivation as the compromised financial accounts provide fraudsters with a wealth of information and the ability to redeem reward points, open new lines of credit, launder money, and engage in a plethora of other criminal activities.
- eCommerce: Along with the rise in commercial activity, eCommerce platforms have witnessed a spike in fraudulent activity owing to the volumes of customer data they store. In addition to stealing this data, fraudsters can exploit the availability of multiple digital payment methods to make easy money. They are particularly targeting the latest entrants, namely Buy Now, Pay Later (BNPL), Peer to peer (P2P) Payments, and Cryptocurrencies. In 2021, Australian eCommerce platforms were the most attacked at 86%, followed by Mexico at 78% and Canada at 74%.
- Social Media: These platforms are a happy hunting ground for fraudsters as there is a lot of personal information – names, addresses, phone numbers, birth dates, email IDs – that can be easily harvested. Further, the security for social media accounts is generally weak. In 2022, social media account takeover rose by a whopping 1000%.
- Gaming: Aged gaming accounts are particularly attractive to fraudsters as not only do they tend to have more virtual assets including gaming currencies, avatars, and accessories, but are also more credible which can prove useful in evading detection.
How businesses are fighting account takeover attacks
Account takeover attacks continue to plague businesses, despite their investments in several anti-fraud solutions and manual reviews. This is because manual reviews are slow and hurt operational efficiency, which gives bad actors enough time to execute the attack and make an exit. Manual reviews are also labor intensive, so many hours are lost trying to differentiate good users from fraudsters. Even so, there remains a high probability of false negatives and false positives, which degrades user experience.
A lot of businesses use free – or nearly free – anti-fraud solutions that fail to detect account takeover attempts. This not only negatively impacts fraud prevention efforts but also adds to the overall costs.
Legacy and point solutions tend to solve only a part of the problem. To tackle the overall problem, businesses deploy several such point solutions that work in silos and do not communicate with each other. This adds to the technical debt without providing an end-to-end solution that can effectively protect against account takeover attacks.
Given that digital identities today have been manipulated at scale and fraudsters are using synthetic identities for account takeover attacks, purely data-driven solutions cannot accurately assess the risk of an incoming user.
Digital businesses need robust, technology-driven identity verification solutions that can accurately ascertain the truth behind a user’s claim. Proof of life with liveness detection is a must to ensure that the person on the other side is genuine.
Prevent account takeover attacks
Caf combines the latest technologies – artificial intelligence, machine learning, facial biometrics, facial authentication, device fingerprint, OCR, computer vision, and more – in its ‘Know Your Everything’ identity proofing platform to deliver unparalleled protection against account takeover attacks. Our facematch with liveness technology is iBeta certified and extensively used by businesses to onboard millions of genuine users every year.
Our AI-enabled platform streamlines the identity verification process by eliminating unnecessary friction, without compromising on user security. Further, using flexible orchestration, businesses can create customized workflows aligned to their unique business needs for superior fraud prevention and personalized user onboarding experiences.
With the ability to continuously monitor user activities, our market-leading identity verification solutions enable our partners to detect anomalous behavior, initiate corrective action and prevent account takeover attempts in real time.
Caf’s best-in-class identity verification solutions enable businesses to lower abandonment rates, improve conversions, and comply with prevailing regulations at lower costs, while elevating customer experience.
To learn how you can strengthen your defenses against account takeover attacks and scale up your business without impacting user experience, talk to a Caf expert and book a demo now.