What is Account Takeover Fraud?
Stephen Purvis
Persistent Account Takeover Fraud Shows Digital Account Security Remains an Unsolved Problem
Worldwide losses from scams and bank fraud schemes totalled $485.6 billion in 2023, according to a report from Nasdaq*
Have I Been Pwned tracks website account leaks. Leaked credentials can be used for Account Takeover not only on the site from which they were leaked but also on other sites, since an estimated 78% of individuals use the same password for more than one account. Have I Been Pwned has reported over 13.5 billion pwned accounts from 780+ websites (figures correct as of the 17th of July 2024).
As of today, the world population is 8.1 billion people, so even if you are not directly impacted, you will more than likely know someone who has been subject to fraud.
Account Takeover accounts for about 33%* of fraud cases reported by businesses.
The Many Faces of Account Takeover Attacks
The common methods used for Account Takeover are listed below:
- Phishing: Fraudulent emails or messages trick users into revealing their login credentials.
- Credential Stuffing: Attackers use lists of compromised usernames and passwords, often obtained from data breaches, to gain access to accounts by trying these credentials on multiple websites.
- Social Engineering: Manipulating individuals into divulging confidential information.
- Malware: Software designed to capture login credentials without the user’s knowledge.
- Brute Force Attacks: Automated tools are used to guess passwords by trying multiple combinations.
Once an attacker gains access to an account, they can perform various malicious actions:
- Stealing sensitive information: Personal, financial, or other valuable data.
- Making unauthorized transactions: Transferring funds, making purchases, or altering account settings.
- Using the account for further attacks: Sending phishing emails or spreading malware from a trusted account.
- Selling the account information: On dark web marketplaces for further exploitation.
Changes in Technology and Behaviours make Account Takeover Harder to Detect
The one common theme across Account Takeover attacks is that an unauthorised person has accessed an account. For the business, that means a very unhappy customer, a costly recovery process, negative press and possibly the loss of the customer through a breakdown of trust. Several factors, however, are making the job of separating trusted from risky logins harder than ever:
- Devices are becoming less unique: Consumers are becoming more privacy conscious, which sometimes makes it challenging to know who is really visiting a site.
- Scammers are becoming more creative: They combine brute force and social engineering techniques to bypass legacy account takeover security controls.
- Improved Payment Protection: The introduction of secure customer authentication (SCA) protocols at payment, as well as chargeback guarantee providers, is pushing fraud further up the customer journey, towards Account Takeover.
As discussed, preventing Account Takeover can be incredibly challenging in this evolving digital world. But to identify Account Takeovers more effectively, we need a deeper understanding of why some older technologies are failing consumers today.
- Use of Cookies: Traditionally, cookies were used to store small bits of information about a user in their browser so that returning users could be identified. Restrictions around cookies, and consumers clearing their sessions after use or running in incognito mode, mean these methods aren't as reliable as they once were. Data privacy laws such as GDPR and CCPA mean the information stored and collected is now under much tighter controls.
- Use of Fingerprinting: This method collects large amounts of information from a device and combines it into a fingerprint, so that the same device can be recognized when it visits again. The problem is that this technique is becoming less effective because there are no longer enough unique information points to go on.
Account Takeover Can be Stopped – With the Right Solutions
At Darwinium we recognize that privacy of user data can co-exist with device fingerprinting for digital security and fraud prevention. Darwinium has introduced a concept of "similarity" for answering questions about device recognition and consumer behaviour.
We have studied in depth what makes devices unique, and we have quantified how sure we are that two events come from the same device as a probability from zero to one.
We have built a solution that we call Darwinium digital signatures, which allows similarity matching to be used in all kinds of decisions, in the context of what is happening now and across different use cases, to make a more informed risk decision.
Asaas, a Brazilian Fintech, has been able to use digital signatures for biometrics and devices to recognise a returning user with 97% accuracy. Along with other signals, they can provide a safer experience for their customers.
By accurately identifying returning users, we can more easily recognize malicious attackers attempting an account takeover, because their digital signature and actions are abnormal. This can then trigger a signal that introduces a step-up, verifying the user with multi-factor authentication (MFA) or a human interaction before any fraudulent activity takes place on the account.
Darwinium doesn't just stop there. We are able to identify devices, IP address locations, and behavioural and biometric information on attackers attempting Account Takeover, allowing our customers to carry out in-depth analytics to stay one step ahead of those individuals trying to carry out malicious activities.
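As an added illustration of the similarity idea (not Darwinium's implementation, whose scoring is not described on this page), the block below turns a comparison of two device profiles into a 0..1 score and maps that score, plus one extra signal, to an allow / step-up / block decision. The attribute names, weights, thresholds and device profiles are all constructed assumptions.

```python
# Assumed attribute weights: how much each observed attribute contributes
# to confidence that two events come from the same device.
WEIGHTS = {"user_agent": 0.15, "screen": 0.10, "timezone": 0.10,
           "languages": 0.10, "fonts_hash": 0.20, "canvas_hash": 0.20, "asn": 0.15}

# Constructed profiles. KNOWN is the device seen at enrolment.
KNOWN = {"user_agent": "Chrome/126", "screen": "1920x1080", "timezone": "Europe/London",
         "languages": "en-GB", "fonts_hash": "f1", "canvas_hash": "c1", "asn": "AS64496"}
# Same device after a browser update: a single attribute has drifted.
RETURNING = dict(KNOWN, user_agent="Chrome/127")
# Same device with fingerprinting surfaces blocked by a privacy setting.
PRIVATE = {k: v for k, v in RETURNING.items() if k not in ("fonts_hash", "canvas_hash")}
# A different device presenting the victim's credentials (constructed).
ATTACKER = {"user_agent": "Chrome/126", "screen": "1366x768", "timezone": "America/New_York",
            "languages": "en-US", "fonts_hash": "f9", "canvas_hash": "c9", "asn": "AS64497"}


def similarity(a: dict, b: dict) -> float:
    """0..1 score: weighted share of attributes that agree.
    Attributes absent from either profile are left out of both numerator and
    denominator, so a privacy-conscious device is scored on what it does expose
    rather than penalised for what it withholds."""
    observed = [k for k in WEIGHTS if k in a and k in b]
    total = sum(WEIGHTS[k] for k in observed)
    if total == 0:
        return 0.0  # nothing comparable: treat as unrecognised
    matched = sum(WEIGHTS[k] for k in observed if a[k] == b[k])
    return round(matched / total, 3)


def login_decision(score: float, new_geo: bool, allow_at=0.85, step_up_at=0.5) -> str:
    """Map the similarity score and one extra signal to a decision.
    Thresholds are assumed; a real deployment tunes them from its own data."""
    if score >= allow_at and not new_geo:
        return "allow"
    if score >= step_up_at:
        return "step_up"  # verify with MFA before any account change
    return "block"


def evaluate(candidate: dict, new_geo: bool = False) -> tuple:
    score = similarity(KNOWN, candidate)
    return score, login_decision(score, new_geo)


if __name__ == "__main__":
    for name, profile in (("returning", RETURNING), ("private", PRIVATE), ("attacker", ATTACKER)):
        print(name, evaluate(profile))
```

The drifted browser version still scores 0.85 and is allowed, the privacy-restricted device lands in the step-up band, and the attacker's device is blocked; an exact-match fingerprint would have rejected the first two along with the third.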
If you are interested in seeing a demo of the account takeover solution in action, drop us a line.
* Source: https://www.securitymagazine.com/articles/100765-78-of-people-use-the-same-password-across-multiple-accounts#:~:text=78%25%20of%20individuals%20use%20the,safety%20measures%20to%20secure%20passwords.