The importance of ATO fraud detection for mobile apps

If ever there was a time to take account takeover (ATO) fraud detection seriously, now is definitely the time. In what may be some uncomfortable reading, eCommerce merchants worldwide reported a 55% increase in account takeovers in 2021. The various methods fraudsters use to gain access to your precious accounts are expanding. Unfortunately, the rising ATO trend looks likely to continue well into the 2020s as digital goods and services become increasingly popular, with mobile apps catching the eye of fraudsters. But could this be the defining year ATO fraud detection rates, especially on mobile apps, improve? The answer to this is entirely down to the willingness of businesses, financial institutions and even down to service users to understand the risks. Awareness of the threats always helps, but so too does access to effective tools to combat those threats.

Unfortunately for businesses and individual users alike, fraudsters simply love taking over online accounts as they can be performed cheaply but prove to be quite lucrative. Every trick and technique fraudsters can possibly think of, you can be certain they will try their best to use them to gain control of your account. Nobody is immune from attack - from inexperienced online shoppers, even to those savvier with their online presence, everyone should be aware they can fall victim to ATO fraud. You are potentially just a few clicks, taps and swipes away from suffering from a compromised account.

So why all the fuss? ATO fraud is one of the most serious types of fraud that businesses or individuals with an online presence must contend with. Take this into consideration: according to a Javelin Strategy and Research study, there was a 90% increase in ATO attacks between 2020 and 2021 - at the height of the COVID-19 pandemic. More people than ever before are using online services and also buying goods, and most of them are now doing so through mobile devices. The migration to online services, particularly mobile apps, was hastened by COVID-19 lockdowns. But there’s one crucial thing to remember - using smartphones to browse online may feel safer, but mobile apps are just as susceptible to fraudsters as any computer can be.

What has become particularly popular among fraudsters is to target accounts that have real value, but may be neglected by account holders. This means that not only are fraudsters targeting eCommerce and banking accounts but accounts that may contain reward points that can be used to purchase products, which can they resold. Many customers simply forget they have such an account and they lie dormant as their points grow. The same applies to cryptocurrency exchange accounts. The hype around cryptocurrencies goes up and down, but once the value of crypto shrinks, users may lose interest, neglecting to login to their accounts and check in on their digital wallets. These accounts can act like sitting ducks for fraudsters who are on the hunt for lucrative returns. And attacking mobile apps can be easier than you think.

There are a few ways that fraudsters can succeed in taking over someone's account on a mobile app, all of which place added urgency for companies to be able to combat them with effective ATO fraud detection. But some simpler tactics often focus on the weakest link in the security chain - people. Using a mobile device may feel safer than a computer, but the same vulnerabilities apply to the mobile experience. This is why educating service users about the threats posed by fraudsters is just as important as combating them with advanced tech solutions.

Data breaches and credential stuffing: if a company doesn’t have adequate internal workplace security measures in place, nor do they take cybersecurity risks seriously, this may lead to data breaches. It is essential to educate employees not to open suspicious email attachments (that may contain malware), and for IT support to update and maintain software updates to patch security loopholes. Leaked login details can be used by fraudsters to access accounts and take control of them through the process of credential stuffing. If users do not employ proper digital hygiene measures and use the same passwords across multiple services, automated bots may use credential stuffing using these same details to gain access to other accounts. 

Social engineering scams: Fraudsters will try to trick their victims into giving away their login information by pretending to be a customer service representative or someone else who has a legitimate reason to ask for the information. Social engineering scams are often associated with emails, but they can also be performed via SMS and even voice calls to build up confidence in the victim that they are dealing with a legitimate service. This tactic often focuses on building up a sense of urgency to act immediately - in other words, giving up your details ASAP. If it feels suspicious, it most likely is.

Phishing: The most common social engineering scam. This is when a fraudster sends a fake email or text message that appears to be from a legitimate company, asking the victim to enter their login information on a fake website which is fully controlled by a fraudster. The victim believes they are logging into their account, but they are actually giving away their personal information and login details on a plate.

Malware: malicious pieces of software, designed to steal your information, actually involve your participation to install on your mobile device. You often have to give permission for an app to be installed - you do so in good faith, however, 3rd party software (fake apps) can be aimed at you directly via a phishing link or you can download it unwittingly via an app store. Even individuals seeking out anti-virus software on app stores have fallen for fake apps that steal their account details rather than protect them. The consequences can be huge, with a fraudster having the potential to control your phone and see everything that you do.

Password cracking: If a password is weak, fraudsters may be able to crack it by using a dictionary attack to guess a victim's password by trying thousands or even millions of possible combinations - the simpler your password is, the easier it’ll be to crack. It is important to be aware of this tactic and to take steps to protect yourself by using strong passwords. Using password123 or passwords made up of dates of birth has never been a good idea!

Use of public WIFI: if you connect to a public network, you never really know who is in charge of it, or if someone is snooping on you, just waiting for you to divulge some sensitive and confidential information - would you feel comfortable typing your pin no. at an ATM as someone watching over your shoulder? Of course not. If a public network is compromised, a potential fraudster can see everything you are doing - including typing in personal information such as login details. To avoid this scenario, consider using a VPN service whenever you are using public wifi to block out prying eyes.

Consider the use of mobile devices, particularly smartphones, and there is a perception among everyday users that these devices are inherently safe. Indeed, Android and iOS devices have preinstalled anti-malware features that can detect and warn users about 3rd party software - but determined fraudsters can potentially bypass these security measures on a compromised device. Also, even with a warning about installing 3rd party software, some users may choose to accept installation, believing they have downloaded a legitimate app. 

Despite measures taken by Apple and Google to remove fake apps from their app stores, there are still many that remain undetected - even by the time they are removed, there may already have been thousands of downloads, resulting in many potential victims.  Then there are the cases that sophisticated apps may not be detected as malware at all. The risks evolve, therefore, so must the solutions to combat them. ATO fraud detection for mobile apps is crucial to prevent fraud from succeeding.

Reputation is everything. If you cannot protect your customers during their online experience, or their accounts are compromised, people will feel that your security and anti-fraud measures were unable to protect them. When this happens, online reviews, or in the case of large-scale attacks, media attention can have an immensely negative impact on your business. It is in the best interest of every business to employ the best internal security measures, while also using the best tech available to provide real-time and effective protection against threat actors. Failure to act can lead to revenue loss from loss of custom, bu, but can also result in card networks penalising you with fines for going over accepted fraud thresholds and being added to fraud monitor programs. This is far from an ideal situation for merchants to find themselves in.

It is important to protect every step of the online customer journey. From registering accounts to use of service and beyond. On this point, it is not enough to simply protect just certain steps (payments and transactions) but to also gain valuable insight into every user’s intentions. This is most effective when using machine learning-powered anti-fraud solutions that analyse interactions, transactions and behaviors automatically and in real time. By using behavioral biometrics, it is possible to understand the device and network setups behind each user, distinguish if they are human or a bot, and have good or bad intentions. This holistic approach to fraud ensures that ATO fraud detection can be effective in preventing ATO through mobile apps - especially as the technical challenges of every mobile operating system (Android and iOS) need to be met.

Deploying advanced fraud solutions such as that offered by Nethone, it is possible to vastly improve ATO fraud detection and stamp out the risks before real damage is done. With data enrichment and machine learning models continually evolving and being adapted by our dark web fraud intelligence (where most ATO attack tools can be found), fraud attacks can be sizzled out before they’ve had a chance to burn. Of course, internally, a company can also adapt its focus on cybersecurity and the education of employees and service users on the risks of online fraud. The ingredients for success are there and can aid businesses can make a big impact on reducing global ATO fraud rates. It’s never too late to act and improve ATO fraud detection.