The UK's National Lottery is the latest high-profile organisation to fall foul of account takeover fraud. Around 26,500 accounts are feared to have been hijacked, with sensitive details potentially at risk. The National Lottery confirmed that although its own systems had not been compromised, players' login details had been stolen from elsewhere.
Over the past year, we at Risk Ident have noted up to a 300 percent increase in account takeover attempts on our customers' sites. So what is account takeover fraud? And what can businesses do to protect themselves?
Account takeover fraud is not a lottery: it does not happen completely at random. The rising tide of account takeover fraud is due in part to negligent personal security, increasingly sophisticated attempts by fraudsters to obtain login data, and security setups that do not look deeply enough into the available data to find the needle in the haystack.
Why is this type of fraud so attractive to fraudsters? It's primarily because a customer's good record provides the perfect defence to hide behind. If fraudsters can assume the identity of the legitimate customer and can get hold of their account, they become very difficult to spot. And often, they are afforded a considerable amount of time to cause chaos before the merchant realises what's happening and stops the transaction or closes the account.
Hijacked user accounts
Fraudsters may use a myriad of methods to attack existing user accounts:
- Buying emails and passwords online, targeting ecommerce websites, telecoms businesses and online banking portals.
- If fraudsters gain access to email accounts, the danger levels skyrocket. Email accounts often bring multiple online accounts together; if passwords match with other accounts, fraudsters can make transactions and also intercept the email confirmations.
- Easy-to-guess, unsafe passwords are still common, despite constant warnings against them. If fraudsters have a customer's email address or other personal data bought from the darker corners of the Web and can guess a simple password, it's far too easy for them to gain access.
- Cyber-criminals may also use phishing attacks: a Google study showed that some phishing websites have a success rate of 45 percent in obtaining usernames and passwords. Malware can also be used to spy on computers and intercept login credentials.
Once a fraudster has access to an existing user account, they can easily change the password and block the original user before beginning their spending spree.
How significant is the account takeover threat?
Existing accounts contain everything from addresses to birthdays to saved payment information. These details alone have everything one would need for online fraud. Critically, a genuine account that has been hijacked also offers fraudsters a significant advantage: trustworthiness.
Online businesses typically place much more trust in existing customers with years of good experience behind them, rather than new customer accounts that can be created with stolen data. This gives fraudsters a cloak of invisibility.
Legitimate customers will sometimes change their settings and display so-called conspicuous behaviours, like changing passwords or shipping addresses. Here, online businesses must be careful of false alarms. These 'false positives' not only harm immediate revenues, but also damage customer relationships and, in turn, brand reputations.
Spotting fraud in a sea of good business
Fraudsters work hard to stay invisible for as long as possible, but it is possible to spot them early and prevent irreparable damage. Indicators of account takeover include, for example:
- Unusual numbers of failed login attempts
- A password change followed by unusual customer behaviour
- An address change just before ordering
- Purchasing an unusually expensive item or a high volume of goods
- Login attempts from different devices and places
- Suspicious device configurations such as proxy or VPN setups to hide actual whereabouts
- Switching to an older browser / operating system
- Login with an already-known suspicious device
By looking at these indicators in combination, merchants can make more informed decisions on whether to prevent transactions or allow them through.
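The following is an added illustration, not Risk Ident's own code or model: a small scorer that combines the indicators listed above for one account's session so that a single benign signal (an address change before an order) is allowed while the same signal combined with failed logins, a new proxied device and a password change is blocked. The indicator weights, thresholds, profile and session data are constructed assumptions for the example.

```python
# Weights and thresholds are illustrative assumptions, not a tuned production model.
WEIGHTS = {"failed_logins": 2, "password_change_then_order": 2,
           "address_change_before_order": 3, "high_value_order": 2,
           "new_device": 1, "proxy_or_vpn": 2, "browser_downgrade": 1,
           "known_bad_device": 6}
REVIEW_AT, BLOCK_AT = 4, 7  # score thresholds for manual review / automatic block

def indicators(events, profile, bad_devices):
    """Return the indicators that fire for one account's chronological session events."""
    found = set()
    types = [e["type"] for e in events]
    if types.count("login_failed") >= 3:
        found.add("failed_logins")
    for change, name in (("password_change", "password_change_then_order"),
                         ("address_change", "address_change_before_order")):
        # a settings change counts only when an order follows it in the same session
        if change in types and "order" in types[types.index(change):]:
            found.add(name)
    for e in events:
        if e["type"] == "order" and e["amount"] > 3 * profile["avg_order"]:
            found.add("high_value_order")
        if e["type"] == "login":
            if e["device"] not in profile["devices"]:
                found.add("new_device")
            if e["device"] in bad_devices:
                found.add("known_bad_device")
            if e.get("proxy"):
                found.add("proxy_or_vpn")
            if e.get("browser_major", profile["browser_major"]) < profile["browser_major"]:
                found.add("browser_downgrade")
    return found

def decide(events, profile, bad_devices):
    """Score the combined indicators; return (score, verdict, sorted indicator names)."""
    found = indicators(events, profile, bad_devices)
    score = sum(WEIGHTS[i] for i in found)
    verdict = "block" if score >= BLOCK_AT else "review" if score >= REVIEW_AT else "allow"
    return score, verdict, sorted(found)

# Constructed sample data: one account's baseline profile and two sessions.
PROFILE = {"devices": {"dev-A"}, "avg_order": 40.0, "browser_major": 54}
BAD_DEVICES = {"dev-Z"}  # device fingerprints already linked to confirmed fraud
LEGIT = [{"type": "login", "device": "dev-A", "browser_major": 55},
         {"type": "address_change"}, {"type": "order", "amount": 55.0}]
TAKEOVER = [{"type": "login_failed"}, {"type": "login_failed"}, {"type": "login_failed"},
            {"type": "login", "device": "dev-Q", "browser_major": 40, "proxy": True},
            {"type": "password_change"}, {"type": "address_change"},
            {"type": "order", "amount": 900.0}]

if __name__ == "__main__":
    for name, session in (("legit", LEGIT), ("takeover", TAKEOVER)):
        print(name, decide(session, PROFILE, BAD_DEVICES))
```

In a real deployment the weights would be learned from labelled outcomes and the profile built from the account's history, but the structure stays the same: several weak signals are only conclusive in combination.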
Human experience scaled to large numbers by the machine
Machine learning technology is the most modern defence available to help make these decisions. These systems scan vast datasets, identifying patterns and irregularities while learning from the information as they process it. New models are continually created and algorithms are constantly refined to perform analysis and make more accurate decisions on fraud.
All over the world, fraudsters are developing their techniques and mounting new forms of attack. Machine learning software keeps online businesses ahead of the game by evolving to the changing threats and learning continuously from the available data. This makes the algorithms stronger and the fraud prevention more precise.
But companies should always be aware: a human being with years of experience fighting fraud can never be replaced by a machine. A combination of the two entities is the key to a strong defence against account pirates. This strategy is now being taken up by merchants across the world and means that transacting with them securely is no longer a lottery, while fraudsters hoping for a jackpot win will need to look elsewhere.
Contributed by Roberto Valerio, CEO, Risk Ident