When a consumer is notified their bank has suffered a data breach and their personal data has been exposed, they typically shrug it off. Many of us have received such notices in the past and we’ve all witnessed the continuous barrage of media coverage on large scale breaches. However, when that same customer learns their account has been taken over by a fraudster, according to Aite, they often feel the bank has not taken the requisite precautions to safeguard their assets. The consumer is more likely to reduce their engagement with the bank or, worse, simply end the relationship altogether. At this point, a data breach registers little if any negative impact on the banking relationship, while an account takeover (ATO) indelibly damages a customer’s trust.
Until a few years ago, the volume of ATO attacks was relatively low due to the high barrier to entry for launching them. An ATO attack is unauthorized access to an account by a fraudster, and it requires a lot of planning. Fraudsters need to gain access to a viable identity, then locate and break into that identity's accounts, which may include speaking with a call center agent to change the email or phone number to one they control. Another hurdle involves maintaining a mule account to receive funds from the compromised account. There were easier ways for fraudsters to make money, so they had little incentive to attempt ATO attacks.
That all changed around April 2016 when chip and pin cards reached a critical mass, with 70% of U.S. consumers carrying an EMV card. Before the days of chip and pin credit cards, fraudsters could make a great living manufacturing counterfeit cards. The cards were used to buy expensive consumer items that could be easily resold, or extract cash at ATMs. The advent of EMV brought the whole card counterfeiting industry to a grinding halt, wiping out huge revenue streams for the criminals involved. Coincidentally, at about that same moment in time, large scale data breaches created a lucrative new industry for the sale of identity information coupled with automated hacking tools on the deep web. This terrible convergence of unemployed fraudsters, new access to authentic identities, and off-the-shelf hacking technology ushered in an industrial-sized wave of account takeover attacks.
The ease with which ATO attacks could be carried out created a massive incentive for fraudsters to redirect their efforts to this newly available attack vector. In 2019, the average cost for stolen bank details on the dark web was reportedly $259.56. Using the identity information from the data breaches, fraudsters could now both compromise legitimate accounts and open mule bank accounts to receive stolen funds at scale. With consumers moving to online channels to manage accounts, hijacking accounts became even easier. Furthermore, the introduction of automated tools to hack into accounts enabled an individual criminal to quickly launch thousands of account takeover attempts rather than one-offs.
According to a May 2020 Javelin report, online ATOs have increased a staggering 72 percent over the prior year. “This is due in large part to technological advancements that have made it easier for criminals to manipulate and socially engineer information, while making it harder to detect account takeovers without additional security infrastructure.”
The Socure Approach
Once an attacker has breached the account login process, they will attempt to gain control over the account by updating the contact information with a phone number or email address in their control, or adding themselves or a cohort as a co-owner of the account. That change process is often secured through out-of-band-authentication, such as a one-time-password, sent by the institution’s customer support team via text or email. The attacker makes the change online, then clicks the save button. When this happens at a Socure customer, saving the updated contact information automatically triggers an API call to Socure ID+ which then determines and returns a risk level.
Socure can thwart the ATO attack at this juncture by running risk and correlation models over email, phone, address and Alert List checks to determine quickly and with high accuracy how risky those attributes are and whether they correlate back to the account owner at origination. For example: Is the email address risky, that is, was it established very recently or used to commit fraud in the past? Does this phone number or device belong to the account owner? If it turns out multiple attributes have been involved in fraudulent activity in the past, the Socure ID+ API response guides you on your next step, running an industry-leading Sigma Identity Fraud and new Sigma Synthetic Fraud check to gauge if that person is who they say they are.
When an end-user is still deemed a potential fraud risk, even after passive checks, Socure’s automated document verification service, DocV, can be introduced as a step-up. DocV is the most scalable, accurate, and customer experience-centric document service available. A fully-automated, omnichannel solution, DocV authenticates users with minimal friction by guiding them through a user error-proof verification process right from their phones. DocV applies advanced analytics to quickly confirm the authenticity of almost any government-issued document in circulation, including more than 3,500 identification types from around the world. An additional layer of accuracy enables matching a photo of a consumer’s identification with a selfie in under 15 seconds. This entire process can be conducted within Socure ID+ adding in additional dimensions to provide an improved document verification decision. And because the service is 100% software-driven, no manual reviews are required.
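The flow described above (a contact-information change triggers a risk check, and a risky change is held for document verification), as an added example that is not Socure's code or the ID+ API. The signal fields, the 30-day age threshold and the decision names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_AGE_DAYS = 30  # assumed policy threshold, not a vendor value


@dataclass
class AttributeSignal:
    kind: str                      # "email", "phone" or "address"
    age_days: Optional[int]        # None when the age is unknown
    prior_fraud: bool              # attribute seen in earlier fraud
    matches_owner: Optional[bool]  # None when correlation is unknown


def risk_reasons(sig: AttributeSignal) -> List[str]:
    """List why one new contact attribute is risky (empty list = clean)."""
    reasons = []
    if sig.prior_fraud:
        reasons.append(f"{sig.kind}: seen in prior fraud")
    if sig.age_days is None or sig.age_days < MIN_AGE_DAYS:
        reasons.append(f"{sig.kind}: recently created or age unknown")
    if sig.matches_owner is not True:  # False and unknown both fail closed
        reasons.append(f"{sig.kind}: not correlated to account owner")
    return reasons


def decide_contact_change(signals: List[AttributeSignal],
                          doc_verified: Optional[bool] = None
                          ) -> Tuple[str, List[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons) for a pending change."""
    if not signals:
        return "step_up", ["no signals available"]
    reasons = [r for s in signals for r in risk_reasons(s)]
    if not reasons:
        return "allow", []
    if doc_verified is None:       # hold the change until step-up completes
        return "step_up", reasons
    return ("allow" if doc_verified else "deny"), reasons


# Constructed sample events (not real data).
OWNER_UPDATE = [AttributeSignal("email", 2100, False, True)]
TAKEOVER_ATTEMPT = [AttributeSignal("email", 2, False, False),
                    AttributeSignal("phone", None, True, None)]

if __name__ == "__main__":
    for name, ev in [("owner", OWNER_UPDATE), ("takeover", TAKEOVER_ATTEMPT)]:
        print(name, decide_contact_change(ev))
```

The returned reasons are meant to be written to the audit log alongside the decision, so that a held or denied change can be reviewed later.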
Socure ID+ is a real-time, predictive analytics platform that provides fraud prediction through a single, modular API that is in use by major banking institutions today to prevent account takeover attempts. The platform includes Sigma Identity Fraud and Sigma Synthetic Fraud, along with Email Risk Score, Phone Risk Score, Address Risk Score, Device Risk Score, DocV and the Alert List, Socure’s database of first- and third-party identities.