By Lisa Baergen, NuData
Account takeover (ATO) fraud is a fast-growing form of identity theft. An account takeover is the malicious access of an online account by a fraudster or bad actor posing as a genuine customer, gaining control of the account, and making unauthorized transactions. Fraudsters may take over an account by attacking password forms in an automated fashion, by phishing a user, or by mounting a horizontal attack – buying stolen login credentials from a previous database breach and testing them against other web services. Any company that has a user account or membership system is at risk of ATO.
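The horizontal attack described above (often called credential stuffing) leaves a recognizable trace in login logs: a single source tries many distinct usernames in a short time, and most attempts fail. The following detector is an added example, not code from NuData or from this article; the log line format, the thresholds and the IP addresses are assumptions, and the log lines are constructed for illustration.

```python
"""Flag credential-stuffing sources in web login logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format per line:
# <ISO timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2017-08-01T10:00:00 203.0.113.7 alice FAIL
2017-08-01T10:00:01 203.0.113.7 bob FAIL
2017-08-01T10:00:02 203.0.113.7 carol FAIL
2017-08-01T10:00:03 203.0.113.7 dave OK
2017-08-01T10:00:04 203.0.113.7 erin FAIL
2017-08-01T10:00:05 203.0.113.7 frank FAIL
2017-08-01T10:05:00 198.51.100.4 alice FAIL
2017-08-01T10:05:30 198.51.100.4 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log text into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of aborting the scan
        ts, ip, user, result = match.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5,
                    max_success_rate=0.5):
    """Return {ip: stats} for sources that attempted at least `min_users`
    distinct accounts inside any sliding `window`, with a success rate at or
    below `max_success_rate`. Thresholds are assumptions; tune to your site."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {user for _, user, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            rate = successes / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                # Keep the widest window seen for this source.
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(span),
                                   "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Note that the single successful login for `dave` in the flagged burst is exactly what the attacker was after: a breached credential that was reused on this service. A success from a source that is otherwise cycling through many accounts should be treated as a likely compromise and stepped up to additional verification, not counted as evidence that the source is benign. The genuine user on 198.51.100.4, who mistypes once and then logs in, is not flagged.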
When setting up a new account, security measures such as password strength indicators and security questions are provided as standard, and make us feel secure in the knowledge that our accounts are safe. However, in an age of ever-increasing cybercriminality, such as data theft (and subsequent sale on the Dark Web), sophisticated and targeted phishing emails, and malware, it seems increasingly naïve to think that a password comprised of your first pet’s name and first school is going to keep your accounts safe. Automated tools can readily be programmed with algorithms capable of guessing basic password combinations.
The second wave of security measures addressed this basic incompatibility between our connected world and simple password authentication: physical biometrics, defined, unsurprisingly, as authentication based on a physical trait of an individual, such as fingerprints, hand geometry, retinal scans and even DNA. Surely one would be forgiven for thinking this kind of personalized authentication – based on things that are a physical part of you – would be enough to keep accounts safe from malicious actors? Think again. As recently as this month, US payment vendor Avanti was stung by a piece of malware that stole thousands of fingerprint details from its corporate lunch room system. Having physical biometrics stolen could have a serious impact on Avanti customers. Now that this information is in the hands of fraudsters, and likely up for resale on the Dark Web, it will be very easy to breach and take over more accounts, create synthetic identities, and more. So, while undoubtedly providing an extra layer of security when compared with password-based authentication, physical biometrics is far from comprehensive – on its own.
While the theft of someone’s finger for the purposes of account access has thankfully stayed in the realms of television, there are a plethora of ways that malicious actors could gain access to things that account holders may not even consider. One of the most high-profile examples of this is a terrifying reminder of how technology interacts with criminality. It was reported earlier this year that the innocuous and, until recently, harmless ‘peace sign’ often used in selfies could actually be used to steal biometric data from people in photographs. If criminals were to zoom in on the fingerprint with an HD camera, they could recreate it and gain access to a multitude of accounts that are protected by physical biometrics (the most popular of which being mobile phones, which can often be unlocked with a thumbprint). Once biometric data is stolen and resold on the Dark Web, the risk of inappropriate access to a user’s accounts and identity will persist for that person’s lifetime.
So, if even this personalized form of authorization, anchored in the physical realities of a user, can be hacked, where on earth can we go from here? The answer, many think, is in a combination of the two techniques already discussed, when combined with passive and behavioral biometrics.
Using passive biometrics and powerful behavioral analysis, it is possible to analyze hundreds of behavioral data points to determine whether it is the genuine account holder or an imposter. You can then cross-reference this with a trust consortium of behavioral events monitored annually to determine whether the user is behaving like other human users in the same situation, and provide a highly accurate confidence rating to enable companies to make the best decision. All of this can occur in real time with no added inputs and no friction for the customer. Learn more here.
Want to read more about how to combat account takeover? Access the Aite Group report, Combating Account Takeover, here. You can also learn more about NuData’s product, ATO Protect, which helps organizations stop account takeover before it starts with the power of behavioral analytics and passive biometrics. You can also access our exclusive webinar recording, The art of stopping account takeover before it starts, to delve deeper into the world of account takeover.