Account takeover in financial services: How it works and how to prevent it

Account takeover fraud continues to be a risk for individuals and businesses, and banks continue to be a key target. Given the stringent nature of the financial sector, a full understanding of account takeover fraud, and how to prevent it, is essential.

In this article, we will explore the impact of ATO fraud on financial accounts, the methods that cybercriminals use to gain unauthorized access, and how banks can prevent account takeover attacks in the first place.

A form of account takeover fraud, a bank account takeover occurs when fraudsters gain access to a user's bank account. A natural target for cybercriminals, bank accounts include enough personal information to cause considerable damage, as well as access to an individual's financial resources.

Once a fraudster gains access to user accounts, they have the power to carry out various malicious activities. These actions can lead to significant damages not only for the genuine account holder but also for others who may unwittingly become entangled in the scam.

Fraudsters can steal funds from compromised accounts for their own profit. This can be achieved through multiple methods, such as making hard-to-trace purchases or transferring the money to other shady accounts.

Access additional accounts

Most people have multiple accounts online and, if those accounts use the same details as their bank account - such as email address and password combinations - fraudsters can use this to commit further ATO attacks.

Such compromised accounts can be used in a variety of ways:

• Fraudsters can engage in direct fraud, typically through phishing and other schemes.
• They can also change the password in an attempt to lock the original user out and maintain access.
• Fraudsters may also sell the details on the dark web, leading to further data breaches in other accounts.

Identity theft

Account takeovers in many accounts can become a form of identity theft. Cybercriminals can use the details gathered to commit various acts under the assumed identity of the victim. If they have details for a user's credit card accounts, for example, they can make payments and operate under the victim's identity. This can, for instance, lead to unauthorized transactions on behalf of the victim, while the fraudster is untraceable.

Aside from the customer, account takeover attacks represent a big risk for financial institutions. This sector has very stringent privacy requirements, even before GDPR and other data compliance policies, so data breaches of any kind can result in fines, penalties, and related financial repercussions.

Additionally, exposed bank accounts can lead to a great loss of trust from the public, and a potential drop in new business due to a damaged reputation. Having to announce data breaches alone implies the possibility of account takeover, which is of great concern to customers and their accounts.

These two factors combined can greatly impact a bank's operational status, thus heightening the need for account takeover fraud protection. Consequently, it's in the bank's best interests to invest in account takeover prevention rather than adopting reactive measures.

One critical step in preventing account takeover fraud is understanding how access is gained in the first place. There are many ways in which bank account takeover fraud occurs, from singular targeted attacks to large scale operations.

Data breaches

If a corporate account is targeted, it opens up a treasure trove of crucial information about the bank's customers. Sometimes, this can include all the credentials needed to gain entry, while, in others, it might include some key information, such as email addresses, that can then be combined with other methods on this list.

Such a data breach doesn't need to be committed by the fraudster directly, either. Data breaches are often orchestrated by individuals who then peddle the compromised information online – often in the seedy corners of the dark web – giving the opportunity for further exploitation by other fraudsters.

Brute force attacks

Also known as dictionary attacks, this approach sees cybercriminals attempting different combinations of letters and numbers, combined with known email addresses, to guess passwords. This strategy utilizes a lot of bots to scale effectively.

Social engineering

Social engineering methods are the real plague of banking fraud. When it comes to individual bank accounts, fraudsters can deploy a number of scams to collect passwords and account details from users. Common methods include:

• Pretending to be a user's bank via fake social media accounts, phishing emails or phone calls. In these cases, fraudsters try to convince the user to reveal critical information they can then use to gain access.
• Creating a fake website designed to look like the real bank's website. In this approach, users submit their login credentials and are then directed to the real service. The fraudster then has the details, and the user is none the wiser to the ATO fraud.

These processes are also often known as "man in the middle" approaches. During this kind of attack, the fraudster relays communication between the user and the bank. As the information is still delivered to the bank, the user achieves their expected outcome, leaving the bank oblivious to the ongoing fraud. 

Credential stuffing

As mentioned before, if login credentials don't differ between accounts, this could allow fraudsters to exploit that information to access online banking as well. Dedicated cybercriminals will take stolen credentials that they know work on one platform, and attempt to use them on as many other platforms as possible to find new vulnerable accounts.

Viruses and malware

Fraudsters can also gather sensitive information through keylogging malware. One popular method involves mobile banking trojans in the form of apps designed to represent a legitimate bank's application. Other forms can include sending files through email or websites, often combined with phishing attacks.

Banks can implement measures such as  multi-factor authentication (MFA). This gets around some of the more primitive methods, such as brute force attacks and password guessing, as it requires additional input from the customer, such as a unique PIN code or input via a mobile banking app.

However, this alone is not enough, and banks also have to balance the strength of their MFA against the user experience. It's better for banks to combine MFA with more advanced solutions that detect potential account takeover incidents in real-time. After all, by properly assessing data and putting the correct account takeover alerts in place such measures are truly effective

Banks can implement continuous monitoring to flag suspicious behavior, assigning it a risk level and acting accordingly. For example, if the risk is high enough, the bank can automatically ask for additional authentication steps, prevent services, or otherwise take action as needed.

Such an approach is important for banks, as traditional means only need to be bypassed once. In the case of stolen accounts, using a password will not raise the alarm on the bank's side. Continuous monitoring makes it much harder for an account takeover attack to be successful since the company has numerous more opportunities to detect ATO fraud.

Digital fingerprinting

By implementing tracking software that logs the last device used to access an account, banks can better detect when suspicious behavior occurs. This works by analyzing data that is hard for fraudsters to spoof.

Since users need to log in to their online accounts to use banking services, this serves as a viable option for financial institutions to protect against account takeover attempts at the earliest stages.

Behavioral biometrics

Similar to device fingerprinting, banks can also implement software that compares the user's real-time behaviour with their historical data. This can range from the actions taken to the time between clicks or even the strokes on their keyboard.
The more varied this behavior is from an established baseline, the greater the potential of ATO fraud and the better the bank can react. As a session continues, this constant monitoring will help reassure each session represents a legitimate user, or provide more and more chances for the fraudster to make a mistake.

< Check in details: Behavioural biometrics and how it can be used to fight account takeover > 

Other key indicators

Banks can also likewise set up automated systems that look for signs of suspicious activity. This can include multiple login attempts, login IP addresses that are geographically too far apart, or extensively long login times. There are countless such alerts that can be considered.

Combined, all of this creates a clear digital image of a user and their expected activity. Since fraudsters are not aware of these details during account takeover attempts, it gives the bank a significant advantage.

When it comes to preventing bank account takeover fraud, it's critical to stay up to date and respond in real time. This includes not only setting up alerts for suspicious behavior, but also keeping up with the techniques and methods used by fraudsters.

For the former, Nethone provides advanced digital fingerprinting, behavioral analytics, and pattern anomaly detection. This system monitors user activity in real time, flagging suspicious behavior, assigning it a risk level, and responding appropriately. Because it's automated, your bank will be able to respond immediately, resolving the situation and removing the greater risk of financial losses if left unchecked.

<Read: How we decreased fraud rates for a major bank operating in Europe & Asia>

Advanced behavioral analytics

Every user shows a unique behavioral pattern.The script embedded on the website extracts the information on how the client behaves, including how they type – focusing on specifics such as the time between pressing particular keys and the duration of pressing the keys. Each user session is compared with the previous ones to check if the person behind the monitor is a legitimate, recurring user or a fraudster. Our machine learning models adapt to constant changes in user behavior to avoid rejecting a legitimate user.

Device fingerprinting

During every session, we create multiple digital fingerprints connected with the user’s browser. Each time the user tries to log in, Nethone uses machine learning and rules models to assess if the device and its setup have not changed. The analysis is based on hardware, software, and browser characteristics, as well as network intelligence. The solution checks, for example, whether the user is trying to anonymize the session, or uses virtual machines or a TOR network.

More than this, however, we can also provide up-to-date information on fraudster tactics and strategies. As defenses become more advanced, so too do cybercriminals look for new ways to acquire sensitive information and gain access. Our experts keep an eye on this activity, responding to new approaches as they are developing.