The Move from "Credit Card Fraud" to "Remote Fraud"
For many years, credit card fraud has been the favored method for fraudsters seeking to profit...
In the ever-evolving risk environment associated with the theft of personally identifying information (PII), there is a new target that fraudsters are beginning to prefer.
As society moves more and more of its daily activities online, the criminals are following us. Account takeover (ATO), which allows ID thieves to reap greater returns than traditional identity-theft-related activities, such as credit card fraud, is on the rise. ATO causes more damage to the victim because the fraudster is able to act as though they are the account owner and transact within the unsuspecting victim’s genuine existing accounts.
ATO is the inevitable long-term effect of what has been an alarming rise in massive data breaches and phishing attacks. Criminals have easy access to billions of credentials, which they systematically test on sites and apps until they find a match.
The result? 48% of online businesses saw a rise in ATO attempts last year.
As fraud evolves and becomes more sophisticated, the legacy systems many businesses have in place are not sufficient to detect today’s fraudsters. Faced with this growing threat, organizations need to ask themselves some hard questions: What are we doing to prevent our users’ accounts from being hacked and do we even know how much we are losing from this activity?
To combat ATO, we developed the FraudFighter ID Document Authentication Suite to provide greater certainty of identity without negatively affecting the convenient consumer experience our customers demand. The FraudFighter Suite enables your organization to authenticate client identity credentials in real time, during the transaction, to ensure that the person is, in fact, who they claim to be.
ATO attacks can be much more damaging to the victim than other types of ID fraud because this type of activity targets accounts that are created by real users. Unlike fraudulently created accounts, they contain genuine information such as bank account data, health insurance benefits or access to existing credit.
Because ATO is defined by the ability to access existing, genuine accounts, ATO activities are less likely to be caught by the array of security solutions that look for fraudsters attempting to open new accounts. One recent report detailed the higher value of a single compromised account – which can sell for more than $3 on DarkNet markets. That’s many times more than the average price of a stolen credit card number, which is only $0.22.
Contrary to popular belief, ATO activity is not centered solely on obtaining currency or merchandise. Nor are ATO attacks limited to victimizing accounts at retailers or financial institutions. Many different types of “valuable goods” can be stolen and exchanged for real money, including reward points that can be converted into merchandise, flights, hotel stays, and gift cards, virtual items in online games that can be sold, and social reputation that can be exploited to boost business sales or ad revenue. Essentially, almost any consumer-facing service can be a target of ATO attacks.
The involvement of organized crime rings in the identity theft “industry” is well documented. In many ways, it is the participation of international organized crime rings that has driven much of the innovation in identity theft. ATO is no different, as US and European law enforcement agencies have indicated that organized crime families and rogue gangs have been performing ATO at massive scale by leveraging “bot armies” to attempt password-cracking attacks on various consumer-facing websites.
Just how extensive can a bot army attack be? In a mass ATO attack discovered in 2016 at a large retailer website, bot armies made more than 300,000 login attempts from thousands of IP addresses in the course of a single day. Each IP address was used to attempt logins to approximately 100 distinct user accounts, with a different browser cookie used for every login, in order to skirt security solutions based on device tracking.
Most of the ATO attempts involved valid email addresses registered at this particular retailer. The success rate of the login attempts was not very high - only 8% - indicating that the attacker was likely using credentials obtained from third-party data breaches. Under this type of scenario, users who have weak passwords or reuse passwords they also use for other services are especially at risk.
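The traffic pattern described above (one IP address, roughly 100 distinct accounts, a new cookie on every login, a low success rate) can be detected without relying on device tracking. The following is an added example, not code from the retailer or from any product named on this page; the event tuple layout, IP addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login events as (ip, account, cookie_id, success) tuples."""
    events = []
    # Spraying IP: 100 distinct accounts, a new cookie on every login, 8 successes.
    for i in range(100):
        events.append(("203.0.113.7", f"user{i}@example.com", f"ck-a{i}", i % 13 == 0))
    # Office NAT: 30 staff sharing one IP, each reusing a stable cookie, all succeeding.
    for i in range(30):
        for _ in range(3):
            events.append(("198.51.100.20", f"staff{i}@example.com", f"ck-b{i}", True))
    # Home user who mistypes a password twice before getting in.
    for ok in (False, False, True):
        events.append(("192.0.2.55", "alice@example.com", "ck-c0", ok))
    return events

def flag_spraying_ips(events, min_accounts=20, min_fresh_cookie_ratio=0.9,
                      max_success_rate=0.2):
    """Return {ip: stats} for IPs with many accounts, fresh cookies and low success."""
    per_ip = defaultdict(lambda: {"attempts": 0, "accounts": set(),
                                  "cookies": set(), "hits": set()})
    for ip, account, cookie, success in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        s["cookies"].add(cookie)
        if success:
            s["hits"].add(account)
    flagged = {}
    for ip, s in per_ip.items():
        fresh = len(s["cookies"]) / s["attempts"]   # 1.0 = never reuses a cookie
        rate = len(s["hits"]) / len(s["accounts"])  # share of targeted accounts opened
        if (len(s["accounts"]) >= min_accounts and fresh >= min_fresh_cookie_ratio
                and rate <= max_success_rate):
            flagged[ip] = {"accounts": len(s["accounts"]),
                           "fresh_cookie_ratio": round(fresh, 2),
                           "success_rate": round(rate, 2),
                           # Successful logins from a flagged IP need a forced reset.
                           "reset_accounts": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for ip, stats in flag_spraying_ips(build_sample_events()).items():
        print(ip, stats)
```

The shared office address is not flagged even though it serves 30 accounts, because its cookies are reused and its logins succeed; the cookie freshness ratio is what separates it from the spraying address.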
Once the perpetrators successfully completed the ATO breach, the same attackers immediately put the authenticated credentials to use. In the attack at this online retailer, the company discovered that the hackers attempted to validate stolen credit card numbers by testing them within the compromised users’ payment profile page - an attack referred to as an “oracle test.”
If the credit card was invalid or known to be compromised or stolen, the site would reject the card and display a warning message. This feedback essentially turned the retailer website into an online credit card “oracle” where fraudsters can verify their bulk card purchases from the underground market. This is similar to the attack technique used by botmasters to query public IP blacklists to check whether their spamming bots are blacklisted.
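One control against the oracle behavior described above is to cap how many distinct card numbers an account may submit for validation, and to refuse further checks before any valid/invalid answer is produced. This is an added example, not the retailer's code; the class name, limits, key and card numbers are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

FINGERPRINT_KEY = b"constructed-demo-key"  # assumption: a server-side secret in practice

def card_fingerprint(pan):
    """Keyed hash so the guard can compare card numbers without storing them."""
    return hmac.new(FINGERPRINT_KEY, pan.encode(), hashlib.sha256).hexdigest()

class CardCheckGuard:
    """Caps distinct card numbers one account may submit for validation per window."""

    def __init__(self, max_distinct_cards=3, window_seconds=3600):
        self.max_distinct_cards = max_distinct_cards
        self.window_seconds = window_seconds
        self._history = defaultdict(deque)  # account -> (timestamp, fingerprint)

    def allow(self, account, pan, now):
        history = self._history[account]
        while history and now - history[0][0] >= self.window_seconds:
            history.popleft()  # forget submissions older than the window
        fp = card_fingerprint(pan)
        seen = {f for _, f in history}
        if fp not in seen and len(seen) >= self.max_distinct_cards:
            return False  # refuse before validation, so no valid/invalid signal leaks
        history.append((now, fp))
        return True

def simulate():
    """Constructed traffic: a card-testing run and a customer retyping one card."""
    guard = CardCheckGuard()
    tester = [guard.allow("compromised@example.com", f"400000000000{i:04d}", now=i * 10)
              for i in range(10)]
    retry = [guard.allow("customer@example.com", "4000000000009999", now=i * 10)
             for i in range(4)]
    later = guard.allow("compromised@example.com", "4000000000000042", now=3600 + 100)
    return tester, retry, later

if __name__ == "__main__":
    print(simulate())
```

A customer who resubmits the same card is never blocked, because the cap counts distinct fingerprints rather than attempts.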
Much has been written about the need for consumers to be more diligent about how they choose passwords and to not reuse passwords at multiple properties. However, among security professionals, it is already a given that the time of consumer-generated passwords as a primary security measure has passed – or will soon.
Many more proactive sites have, for several years, instituted dual-factor (or multi-factor) authentication, meaning that the user must authenticate themselves using more than one method. The common structure for this type of login protection is to allow the use of a personal password or PIN, followed by a confirmation code that is sent to a mobile device or e-mail address registered by the owner of the account.
However, cellular spoofing has circumvented even this method – allowing hackers to intercept the security messages and use the unique one-time login credential themselves.
Many digital tools have been developed in an effort to identify a hacking attack on individual accounts. Some of these solutions are centered on device tracking and geo-location analysis to determine whether the current login session appears to be within the norms of the individual who owns the account. However, as with other security measures, these solutions have been circumvented through cookie emulation (for device tracking) and the use of VPNs (virtual private networks) to hide actual geo-location.
Some of the more widely-used solutions involve behavioral analysis – e.g. does the current behavior match the past behavior of the client, and if not, does the current behavior vary enough, or does the current transaction provide sufficient risk to trigger a more formalized transaction review process, which typically might involve a human risk analyst. This “manual review” process has proven effective; however, as the volume of online transactions increases, the cost of doing manual reviews has proven to be increasingly prohibitive.
A new method for preventing ATO and other forms of identity-theft-related fraud involves requesting the individual to authenticate their identity by presenting their government-issued identity card. This type of authentication can happen for in-person transactions occurring at the store or branch location – something the above-mentioned solutions mostly fail to provide. ID document authentication can also be conducted as part of an online process, where the client will use their mobile device to “self-authenticate” the ID document.
An add-on benefit of this new technology is the ability to first authenticate the ID document and then compare, via facial authentication software, the person presenting the document to the person pictured on the document. This gives a closed-loop system that does not require manual review to become involved.
Forward-looking organizations can use this “biometric authentication” process to create a permanent biometric login-engine that will allow clients to access their accounts using physical attributes unique to their own body, such as facial recognition, voice-print analysis and iris-scanning.