What is ATO Fraud?
Account Takeover (ATO) fraud begins as theft of consumer account information/credentials, such as username and password, which criminals then use to log in to online accounts and conduct a variety of illicit activities to steal funds or information.
Theft of login credentials and taking over accounts is one possible end “goal” of cybercriminals who breach company networks and databases. Hackers will also sometimes seek to implant malware that can spy on and covertly collect privileged information or even lock a company out of its own network and operations infrastructure.
Whether initiated by a lone individual or a rogue nation-state, hackers today conduct industrial-scale data mining and social media phishing operations to acquire consumer login credentials en masse, leading to a host of direct losses as well as long-term investigation and remediation costs.
The emergence of unindexed and unregulated segments of the internet (aka “Dark Web”) has made ATO fraud even easier and thus accelerated its practice. Fraudsters no longer need to bother with hacking in and stealing credentials directly from users. Instead, they simply navigate those virtual dark alleys, use cryptocurrencies to purchase scads of valid account passwords and go to work on our accounts.
As fraudsters’ jobs get easier, our “attack surface” as consumers grows larger with every successive digital account we open – at banks, e-commerce sites, utilities, apps, schools, government, and so on. While it is now common knowledge NOT to share passwords across our ever-growing digital footprint of dotcoms, many of us still leave common password and pass-phrase crumb trails for hackers to follow and use on the multitude of sites that contain our funds and personal information.
ATO fraud is recognized as a top threat to financial institutions and their customers due to the major direct financial losses experienced, as well as the lengthy and costly post-incident mitigation efforts required.
Typical ATO Fraud Scenario
Once a fraudster succeeds in acquiring a consumer’s login credentials and gains access, he will attempt to compromise the account as quickly as possible, given alerting safeguards now widely put in place:
- Change account ownership information and shipping address
- Change the password
- Change the backup multi-factor authentication (MFA) credentials
- Change security questions
- Log out and lock the account out from all linked devices
The fraudster is then free to conduct a variety of activities:
- Steal money directly from a bank account by making payments to a fraudulent company or wiring unrecoverable funds to other parties
- Access bank funds indirectly via stolen payment service (e.g. Venmo / PayPal) credentials or from sites that contain stored user ACH information (gas/electric/water utilities)
- Unauthorized shopping / credit card usage
- Open new bank accounts, credit cards, or large loan and mortgage accounts
- Modify account information such as beneficiaries
- Pose as the consumer and solicit money from unsuspecting family and friends
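The takeover sequence above (new device, then a burst of address, password, MFA and security-question changes, then an outbound payment) is itself a detectable pattern. The following is an added example, not code from the original article or from any vendor it mentions; the event names, the 30-minute window, the two-change hold threshold and the sample event stream are all constructed assumptions. It groups an account’s events into sessions starting at each login and holds outbound payments when a session from an unrecognized device performs two or more high-risk profile changes.

```python
"""Flag the post-login 'lockout' sequence typical of an account takeover.

Added example, not code from the original article. Event names, the session
window, the known-device list and the sample events are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Profile changes a takeover typically performs right after gaining access.
HIGH_RISK_CHANGES = {"change_address", "change_password", "change_mfa",
                     "change_security_questions", "revoke_sessions"}

# Constructed sample event stream: (account, ISO timestamp, event, details).
EVENTS = [
    ("acct-1", "2021-06-01T09:00:00Z", "login", {"device": "dev-known-1"}),
    ("acct-1", "2021-06-01T09:03:00Z", "change_address", {"device": "dev-known-1"}),
    ("acct-2", "2021-06-01T11:00:00Z", "login", {"device": "dev-unknown-9"}),
    ("acct-2", "2021-06-01T11:01:30Z", "change_address", {"device": "dev-unknown-9"}),
    ("acct-2", "2021-06-01T11:02:10Z", "change_password", {"device": "dev-unknown-9"}),
    ("acct-2", "2021-06-01T11:03:00Z", "change_mfa", {"device": "dev-unknown-9"}),
    ("acct-2", "2021-06-01T11:04:00Z", "revoke_sessions", {"device": "dev-unknown-9"}),
    ("acct-2", "2021-06-01T11:20:00Z", "payment",
     {"device": "dev-unknown-9", "amount": 4800, "payee": "new-payee"}),
]

# Constructed: devices each customer has previously enrolled.
KNOWN_DEVICES = {"acct-1": {"dev-known-1"}, "acct-2": {"dev-known-2"}}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_sessions(events, window=timedelta(minutes=30)):
    """Group each account's events into sessions that begin at a login."""
    by_account = defaultdict(list)
    for acct, ts, kind, details in sorted(events, key=lambda e: e[1]):
        by_account[acct].append((_ts(ts), kind, details))
    sessions = defaultdict(list)
    for acct, evs in by_account.items():
        current = None
        for ts, kind, details in evs:
            if kind == "login":
                current = {"start": ts, "device": details.get("device"), "events": []}
                sessions[acct].append(current)
            elif current is not None and ts - current["start"] <= window:
                current["events"].append((ts, kind, details))
    return sessions


def assess(events, known_devices, hold_at=2, window=timedelta(minutes=30)):
    """Per session: allow, notify the customer out of band, or hold payments."""
    result = {}
    for acct, sess_list in build_sessions(events, window).items():
        out = []
        for s in sess_list:
            changes = [k for _, k, _ in s["events"] if k in HIGH_RISK_CHANGES]
            new_device = s["device"] not in known_devices.get(acct, set())
            payments = [d["amount"] for _, k, d in s["events"] if k == "payment"]
            if new_device and len(changes) >= hold_at:
                action = "hold"      # freeze outbound payments, re-verify identity
            elif new_device and changes:
                action = "notify"    # alert via the previously enrolled contact
            else:
                action = "allow"
            out.append({"new_device": new_device, "risky_changes": changes,
                        "action": action,
                        "held_payments": payments if action == "hold" else []})
        result[acct] = out
    return result


if __name__ == "__main__":
    for acct, sessions in assess(EVENTS, KNOWN_DEVICES).items():
        print(acct, sessions)
```

The point of holding rather than blocking is that a legitimate customer who really did change phones can clear the hold through a channel the fraudster has not yet replaced, such as the address or number on file before the session began.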
ATO Fraud Methods
Phishing
Within a corporation’s multi-layered security walls lies its biggest weakness and liability – the workers / users themselves.
Breaches aren’t always attributable to external hacker malice or infrastructure weakness. Rather, and undoubtedly depressing to the CISO and IT staff charged with protecting the castle, internal employee mischief or incompetence can just as easily lower the drawbridge, exposing the protected, privileged access space within.
Hackers have exploited our tendency to blindly trust and instantly click as we do our best to just make it through our busy days of emails and phone calls and meetings and presentations, ad nauseam. In this multi-tasking mode, we too easily trust the named sender or company in a legitimate-looking email, and then too quickly respond to these impersonators by clicking on malicious links that can install ransomware or send money or sensitive information to scammers.
These social engineering “phishing” attacks have been wildly successful and have spawned a diverse array of forms, with specific targets and goals in mind:
Email phishing: Most common method, with emails widely blasted to a large respondent base
Spear phishing: Emails sent to a targeted individual or group
Whaling: Phishing attack specifically aimed at high net worth individuals
Vishing: Voice/phone fraud where a fraudster impersonates a bank employee under the pretext of calling to warn about account access issues
Smishing: SMS text messages containing a link to a fake banking portal; can also take the form of a messenger-based scam
Beyond phishing attacks, hackers are armed with many other offensive tools that are increasingly effective in gaining access to our private information and accounts.
Credential Stuffing
As mentioned earlier, fraudsters can easily buy vast lists of stolen credentials off the Dark Web, likely the ill-gotten gains from a data breach. They then use self-running programs (bots) to automatically and rapidly log into (stuffing) websites using those stolen credentials.
Credential Stuffing can be made even more “effective” by our tendency to re-use passwords or recovery credentials across multiple websites / accounts – after all, just how many favorite pets, childhood street names, or first grade teacher names do we really have at the ready?
Similarly, “brute force” credential cracking is performed by a bot that repeatedly attempts to log into an account by guessing / cycling through the passwords and secret terms that were vacuumed up in a mass data breach.
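Both patterns described above leave a signature in authentication logs: credential stuffing shows one source trying many different usernames with mostly failures, while brute force shows many failures against a single account. The following is an added example, not code from the original article; the log format, the thresholds and the sample log lines are constructed assumptions. It parses the sample lines and flags both patterns, and also reports which accounts succeeded inside a stuffing burst, since those are the ones to treat as likely compromised.

```python
"""Detect credential stuffing and brute-force patterns in login logs.

Added example, not code from the original article. The log format,
thresholds and sample records are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z 203.0.113.7 alice FAIL
2021-06-01T10:00:02Z 203.0.113.7 bob FAIL
2021-06-01T10:00:02Z 203.0.113.7 carol FAIL
2021-06-01T10:00:03Z 203.0.113.7 dave SUCCESS
2021-06-01T10:00:04Z 203.0.113.7 erin FAIL
2021-06-01T10:00:05Z 203.0.113.7 frank FAIL
2021-06-01T10:00:06Z 203.0.113.7 grace FAIL
2021-06-01T10:00:07Z 203.0.113.7 heidi FAIL
2021-06-01T10:05:00Z 198.51.100.9 alice FAIL
2021-06-01T10:05:01Z 198.51.100.9 alice FAIL
2021-06-01T10:05:02Z 198.51.100.9 alice FAIL
2021-06-01T10:05:03Z 198.51.100.9 alice FAIL
2021-06-01T10:05:04Z 198.51.100.9 alice FAIL
2021-06-01T10:05:05Z 198.51.100.9 alice FAIL
2021-06-01T10:30:00Z 192.0.2.44 alice SUCCESS
"""


def parse_log(text):
    """Turn the space-separated sample format into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "ip": ip, "user": user, "ok": outcome == "SUCCESS"})
    return records


def detect_credential_stuffing(records, window=timedelta(minutes=1),
                               min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct usernames, mostly failing, in a short window."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):          # sliding time window over this IP
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r["user"] for r in win}
            fails = sum(1 for r in win if not r["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Report over everything this IP did; successes are the likely takeovers.
                flagged[ip] = {"distinct_users": len({r["user"] for r in recs}),
                               "attempts": len(recs),
                               "successes": sorted(r["user"] for r in recs if r["ok"])}
                break
    return flagged


def detect_brute_force(records, window=timedelta(minutes=5), max_failures=5):
    """Flag (ip, user) pairs exceeding max_failures failed attempts inside the window."""
    by_pair = defaultdict(list)
    for r in records:
        if not r["ok"]:
            by_pair[(r["ip"], r["user"])].append(r["ts"])
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                flagged[pair] = max(flagged.get(pair, 0), count)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(recs))
    print("brute force:", detect_brute_force(recs))
```

Note that a single success hidden in the burst (dave) is the important finding: the source should be rate limited, but that account needs a forced credential reset and session revocation.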
Malware
Malicious software, or “Malware”, is a widespread and lucrative method for a hacker to take control of an individual’s bank account, the entire bank itself, or even shut down or damage an entire organization’s technology infrastructure.
As mentioned above, malware can be welcomed and walked into a company’s network via emailed phishing links, but it can also be introduced via downloaded apps. Whether it is disguised in a weather or chat app downloaded onto a user’s smartphone using company Wi-Fi, or a known plug-in mistakenly downloaded from an unsanctioned website, malware can be easily pulled in and wreak all sorts of havoc that might take weeks or months to recover from.
Overlay attacks
Fake screens created for smartphones or tablets, to impersonate legitimate banking/e-commerce sites and collect login credentials.
These fake screens are “Mobile Banking Trojan” malware that captures the victim’s authentication credentials and can remain active while other banking transactions are performed. The malware can then intercept a funds transfer and redirect the money to a fraudulent account. As our use of smartphones and tablets to conduct remote financial transactions grows, breaches and losses from these types of attacks are expected to skyrocket globally.
Man-in-the-Middle Attacks
In a Man-in-the-Middle attack, hackers exploit weak, unsecured Wi-Fi hotspots to monitor and intercept private data transmitted by users to their target website or financial institution. Using software obtained on the Dark Web, the coffee drinking customer next to you could be a hacker viewing all traffic on the Wi-Fi network, able to intercept, edit, send, and receive your data without being noticed.
Alternatively, he could also set up his own malicious Wi-Fi network/hotspot within the establishment, named “Joes Coffee2”, and unsuspecting but trusting users might log on and transmit private credentials through the fake network controlled by a bad actor.
SIM Card Swapping
A fraudster’s goal in SIM card swapping is to intercept/access the “one-time” recovery PIN texted to our phones in the event we cannot remember our login credentials. In fact, more and more websites are deploying texted PINs after every login, used as automatic 2FA (Two Factor Authentication) or MFA (Multi-Factor Authentication) identity verification security. Unfortunately, this system can easily be defeated by, again, human social engineering tactics.
In a SIM card swap scam, the fraudster contacts a customer’s mobile phone carrier and successfully impersonates the customer, using “knowledge data” collected from a data breach. He then convinces the call center agent to port the (real customer’s) mobile phone number to the illegal SIM card, which is then inserted and activated in the fraudster’s phone.
The fraudster is then able to receive the MFA authentication text messages transmitted from the victim’s bank, enabling the criminal to perform fraudulent transactions, add funds transfer payees, or perform other operations during an online banking session.
Crimes that Enable ATO Fraud
Remember that ATO Fraud, as big a problem as it is by itself, is just one odious outcome of the many cyber breaches that have plagued our technology-laden and dependent society over the past decade:
- October 2013. Adobe breach: 153 Million user records
- May 2014. eBay breach: 145 Million user records
- September 2017. Equifax breach: 147 Million consumer PII records
- November 2018. Marriott breach: 500 Million guest account and CC records
- November 2019. “Collection1” breach: 770 Million consumer PII records
- April 2021. Facebook breach: 533 Million user records
Beyond this list, there are many more multi-hundred million record breaches to cite, effectively accounting for untold billions of user profiles, passwords, PII, credit card numbers, etc. currently circulating for sale on the Dark Web.
Other breaches, such as the March 2020 SolarWinds hack, were notable not for their wide scale but for their focus on very consequential victims: tech giants Microsoft, Intel, and Cisco, and federal government agencies such as the Treasury Dept, Justice Dept, Energy Dept, the Pentagon, and ironically the Cybersecurity and Infrastructure Security Agency within the DHS.
Security experts are still assessing the damage and long-term impact of the SolarWinds hack, and speculate that its scale could even exceed the 2017 “NotPetya” ransomware attack, considered to be the most destructive and costly cyberattack in history.
These cyberattacks “out there” in the world might seem vague and unimpactful, but it is no longer an exaggeration to declare that they pose an existential threat to our society. Organized and increasingly government-sponsored hackers steal vital intellectual property, destroy all manner of data, cause essential power utilities and infrastructure to crash, shut down hospital operating rooms, and returning to the focus of the article, directly steal your money.
ATO Fraud Impact & Damages
Returning to ATO fraud, specific segment definitions and dollar loss estimates vary by researcher, but suffice it to say, it has been a multi-billion dollar problem for a number of years and is only expected to grow as our economy becomes ever more globally interconnected and reliant on digitized transactions.
Juniper Research stated that ATO fraud in the United States accounted for $5.1 billion in losses to consumers and businesses in 2017, and grew to reach $25.6 billion last year in 2020.
Another alarming metric is the rate at which ATO fraudsters have taken over mobile phone accounts, with 680,000 subscribers falling victim in 2019, a rise of 78 percent from the previous year.
In terms of raw attack numbers, researcher Sift recently released its 2020 Digital Trust & Safety report, which found that ATO attacks increased by 282 percent between Q2 2019 and Q2 2020, driven (logically) by increased digital transaction rates and online shopping during the early days of the COVID-19 pandemic. Consequently, Sift also found that the number of stolen credentials for sale on the Dark Web rose by 300 percent.
ATO Fraud Solutions: Hard Decisions - Balancing Convenience & Security
As big and uncontrolled a threat as ATO Fraud has proven itself to be to businesses and financial institutions, these companies are still more terrified by something else – customer abandonment. Given the vast competitive landscape for… everything in our economy, businesses know that customers are fickle, loyalties are few, and that their product or service can be “canceled out” and replaced by the next big thing.
As such, companies are loath to introduce excessive “transaction friction” into the security and authentication equation, standing between what we want to do/buy and how to go about doing it. If every time you logged into your bank account, besides inputting your user name and password, the bank now required you to call in to answer 5 specific questions, complete two CAPTCHAs, and then provide a fingerprint, an eye scan, a voiceprint, and a live picture of your favorite dog, you probably would have given up 3-4 steps ago (and started researching a new bank).
But if we acknowledge that our passwords are weak or have likely been stolen, and that the network connection you’re on could be monitored at any given time, combined with increased year-over-year losses and costs attributed to ATO fraud, you can understand the bank’s immense security focus. That focus on security then presents an equally great operational challenge given known customer intolerance for hassle and inconvenience.
What’s a bank or business to do? In making the shopping experience more seamless and simple, they have demonstrably increased the size of the bullseye on their backs, drawn increased hacker attention, and drained profits, resources, and reputation. They absolutely cannot let their guard down, but also cannot risk introducing barriers that rev up customer dissatisfaction and defection.
What’s the right type of security quantity and quality that’s balanced with ease of access and transaction? If we agree that the aforementioned multi-hoop jumping authentication scenario was excessive and absurd, is it just a matter of throttling back a few security steps? Or can we all have our cake and eat it too, with step-ahead security AND easy transactions?
The answer is a resounding: Yes. Vendors such as Uveritech in the anti-fraud industry have developed solutions that combine best-in-class identity authentication with an automated, transparent, and multi-layered approach to security.
Companies should first and foremost prove the identity of whom they’re dealing with, via forensic-level, machine-based identity document authentication. Once a customer’s identity is fundamentally established to the business, they can employ subsequent (lower friction) multi-layered identity verification technologies that are, critically, completely transparent to the consumer in their transaction experience.
Just as digitization has accelerated hacker success, so too does it empower businesses to conduct covert customer verification, when linked to 1) our always present digital devices 2) our ever-growing “footprint” on the internet, and 3) our unique mannerisms and behavior.
Financial institutions have for decades relied on a variety of agencies to collect reams of info on us, as to what we’ve bought, where we’ve lived, where we’ve worked and gone to school, etc. This trove of knowledge would be algorithmically processed to determine our creditworthiness or our fraud risk, and ultimately drove decisions on whether to allow us to open an account or take out a loan.
Given the increased capabilities and savviness of fraudsters, this decision methodology is clearly outdated.
Today, leveraging our always-on and ever-present smartphones, and the information collection mechanisms that exist on the various news, banking, online shopping, government, et al. websites we visit, our “profile” of who we are (as a fraud risk) is greatly expanded and perpetually updated:
- Has our primary email address, mobile phone number, or device location IP or MAC address ever been linked to fraud activity, spanning a global network of banks, physical and virtual consumer goods stores, utilities, or other businesses?
- Have we attempted multiple, rapid logins from outside of our known home or work location, then bounced to another country, and then another?
- What is the “normal” behavioral cadence and pace at which we access websites, fill out login pages, or the speed at which we type or move our mouse?
Every single one of these queries can be addressed and answered without customer knowledge or intervention, and can coalesce to provide a rich view into who we are and who we may not actually be.
All of this information can be constantly collected, analyzed, and dynamically updated to build our personal risk profile. If a business enrolls in such a service that pings a profile database whenever their customer attempts a transaction, the risk profile can instantly be served up to inform the business whether or not to continue with the transaction.
If a customer’s transparently-produced risk profile exceeds a company’s thresholds, further (potentially additive “friction”) methodologies can be introduced, such as capturing a (previously enrolled) face scan, fingerprint, voiceprint. This “adaptive authentication” methodology applies to specific individuals only when needed, and does not apply the wrong rule set to an over-broad population.
These rules are programmatically established within a machine system that operates at speed and without human misinterpretation or bias. Initial analysis and programming of a company’s risk policies are key, but can adapt as real-world results continually flow into the system.
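To make the adaptive authentication idea concrete, here is an added example that is not code from the original article or from Uveritech. It turns the three profile questions above (fraud-linked identifiers, impossible travel between logins, and a departure from the customer’s normal typing cadence) plus an unrecognized device into weighted signals, sums them into a risk score, and applies the threshold policy: allow, step up to a previously enrolled biometric, or deny and route to review. The weights, thresholds, denylist, profile layout and sample attempts are all constructed assumptions.

```python
"""Adaptive authentication: score a login attempt against a customer's risk profile.

Added example, not code from the original article or from Uveritech. Signal
weights, thresholds, the denylist, the profile layout and sample attempts are
all assumptions chosen for illustration.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed consortium-style list of identifiers previously linked to fraud.
FRAUD_LINKED = {"emails": {"mule-account@example.net"}, "ips": {"203.0.113.50"}}

# Assumed weights and policy thresholds (score < 20 allow, < 70 step up, else review).
WEIGHTS = {"fraud_linked_identifier": 50, "impossible_travel": 40,
           "behavior_deviation": 25, "new_device": 20}
STEP_UP_AT, REVIEW_AT = 20, 70
MAX_PLAUSIBLE_KMH = 900.0   # faster than this between two logins is not real travel
CADENCE_Z_LIMIT = 2.5       # keystroke timing more than 2.5 sd from baseline


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_attempt(profile, attempt):
    """Return the triggered signals, the summed score and the policy decision."""
    signals = []
    if attempt["email"] in FRAUD_LINKED["emails"] or attempt["ip"] in FRAUD_LINKED["ips"]:
        signals.append("fraud_linked_identifier")
    last = profile.get("last_login")
    if last:
        km = haversine_km(last["lat"], last["lon"], attempt["lat"], attempt["lon"])
        hours = (attempt["ts"] - last["ts"]).total_seconds() / 3600.0
        if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            signals.append("impossible_travel")
    z = abs(attempt["keystroke_ms"] - profile["keystroke_mean_ms"]) / profile["keystroke_sd_ms"]
    if z > CADENCE_Z_LIMIT:
        signals.append("behavior_deviation")
    if attempt["device"] not in profile["known_devices"]:
        signals.append("new_device")
    score = sum(WEIGHTS[s] for s in signals)
    if score < STEP_UP_AT:
        decision = "allow"
    elif score < REVIEW_AT:
        decision = "step_up"          # e.g. previously enrolled face or voice check
    else:
        decision = "deny_and_review"
    return {"signals": signals, "score": score, "decision": decision}


# Constructed customer profile: last seen in New York, one enrolled device,
# typical keystroke interval 180 ms with a standard deviation of 40 ms.
PROFILE = {
    "last_login": {"lat": 40.71, "lon": -74.01, "ts": datetime(2021, 6, 1, 8, 0)},
    "known_devices": {"dev-a1"},
    "keystroke_mean_ms": 180.0, "keystroke_sd_ms": 40.0,
}

# Constructed attempts: one from the usual device and city, one from London two
# hours later on an unknown device with a very different typing cadence.
NORMAL_ATTEMPT = {"email": "alice@example.com", "ip": "198.51.100.20",
                  "lat": 40.71, "lon": -74.01, "ts": datetime(2021, 6, 1, 12, 0),
                  "device": "dev-a1", "keystroke_ms": 170.0}
RISKY_ATTEMPT = {"email": "alice@example.com", "ip": "198.51.100.77",
                 "lat": 51.51, "lon": -0.13, "ts": datetime(2021, 6, 1, 10, 0),
                 "device": "dev-z9", "keystroke_ms": 60.0}

if __name__ == "__main__":
    print(score_attempt(PROFILE, NORMAL_ATTEMPT))
    print(score_attempt(PROFILE, RISKY_ATTEMPT))
```

The normal attempt scores zero and passes with no friction at all, which is the “transparent to the consumer” property the text describes; the risky attempt trips three signals and is routed to review, while an attempt that only shows a new device lands in the step-up band and gets one extra check rather than a denial.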
Businesses today operate in fraught times – serving customers as best they can, concurrent with fighting off threats and mitigating risks, while somehow trying to grow and thrive throughout it all. Legacy policy and procedure rulebooks have to be entirely re-written, given the speed with which hackers have adapted to and overcome security defenses. Companies need to rapidly adapt and embrace technologies that keep up with our digital lifestyle, and leverage that unique speed and pace to develop identity and risk profiles tied only to the customer they allow within their secured walls.