Perhaps more than ever, fraud and identity theft continue to impact consumers. Account opening fraud and account takeover of consumer accounts are areas of concern for security teams across many consumer-facing industries. Breaches and security gaps have created opportunity for fraudsters to thrive, and pain points for consumers and the organisations that serve them, particularly in an "always-on" digital world.
Since the launch of EMV chip-enabled cards in the US, fraud has been steadily shifting to digital channels, precipitating a rise in new account opening fraud. The 2018 Identity Fraud Study by Javelin Strategy & Research revealed that the number of identity fraud victims increased by eight percent (to 16.7 million US consumers) in the last year, a record high since Javelin began tracking identity fraud in 2003. Despite industry efforts to prevent identity fraud, fraudsters successfully adapted to net 1.3 million more victims in 2017, with the amount stolen rising to US$16.8 billion (£11.8 billion). (Javelin Strategy & Research, 2018 Identity Fraud Study)
Competitive pressures, cost reduction measures, and growing consumer expectations of 24/7 digital access have forced many organisations to discontinue manual application review in favour of letting users open accounts quickly in digital channels, in order to generate more revenue and increase market share. However, dropping manual review without implementing advanced security measures creates an environment for fraudsters to exploit.
Account opening fraud techniques vary: they range from sophisticated, highly technical bot attacks to a single fraudster using the stolen identities of multiple victims. Contributing to the growing size of the problem is the vast amount of compromised personal information available on the black market as a result of well-publicised breaches. Using such information, fraudsters can combine elements from several people into a synthetic (fake) identity, or open new accounts in a real consumer's name.
The more sophisticated criminal actors are increasingly using automated bots to generate a torrent of new account applications in a short time. The use of bots enables fraudsters to utilise a large amount of stolen information with a potentially short shelf-life quickly, increasing the likelihood of successfully opening a greater number of fraudulent accounts and moving money before the fraud is detected.
The best way to avoid account opening fraud is to detect fraudsters before they reach the account opening process at all. A number of automated solutions can shut down fraudster tactics such as bots and device compromise. Bot attacks typically rely on velocity enabled by automation: a hijacked computer attempting to log in to many accounts in a short amount of time. Such attacks reuse one device, or a pool of devices, to perform the fraudulent transactions over and over until the devices are detected.
Because a bot attack generates large volumes of activity, monitoring for spikes in traffic can help identify it. Velocity detection technology goes further and flags individual devices performing multiple unusual behaviours: a device attempting logins on many different accounts within a short period is a strong signal of a bot. "Low and slow" attacks are deliberately spread over a longer period to stay under velocity thresholds; against these, behavioural analysis can still detect bot activity by looking at how the session behaves rather than how fast it moves, which allows identification of an adversary who builds remote-controlled tools to automate an attack.
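As an added illustration (not code from the article or from InAuth), the two detections described above run over a constructed batch of login attempts: a sliding-window velocity check that flags a device touching too many distinct accounts within five minutes, and a simple behavioural check for the "low and slow" case that flags a device whose attempts arrive at machine-regular intervals even though its rate never crosses the velocity threshold. The event format, the thresholds and the regularity heuristic are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events, not real traffic: (ISO timestamp, device ID, account attempted).
SAMPLE_EVENTS = [
    # dev-A: six different accounts in ten seconds, a classic high-velocity bot
    *[(f"2018-03-01T10:00:{2 * i:02d}", "dev-A", f"acct-{i}") for i in range(6)],
    # dev-B: "low and slow", one new account every 15 minutes with machine-regular spacing
    *[(f"2018-03-01T{11 + (15 * i) // 60:02d}:{(15 * i) % 60:02d}:00", "dev-B", f"acct-{10 + i}")
      for i in range(8)],
    # dev-C: a person retrying their own login at irregular intervals
    ("2018-03-01T09:00:00", "dev-C", "acct-99"),
    ("2018-03-01T09:03:37", "dev-C", "acct-99"),
    ("2018-03-01T09:11:05", "dev-C", "acct-99"),
]


def parse(events):
    """Return (datetime, device, account) tuples sorted by time so windows can be walked in order."""
    return sorted((datetime.fromisoformat(ts), dev, acct) for ts, dev, acct in events)


def velocity_alerts(events, window=timedelta(minutes=5), max_accounts=3):
    """Return {device: first time flagged} for devices that touch more than
    max_accounts distinct accounts inside any sliding window of length `window`."""
    recent = defaultdict(deque)                        # device -> (ts, account) still in window
    in_window = defaultdict(lambda: defaultdict(int))  # device -> account -> hits in window
    flagged = {}
    for ts, device, account in parse(events):
        q, counts = recent[device], in_window[device]
        q.append((ts, account))
        counts[account] += 1
        while q and ts - q[0][0] > window:             # expire events that fell out of the window
            old_ts, old_acct = q.popleft()
            counts[old_acct] -= 1
            if counts[old_acct] == 0:
                del counts[old_acct]
        if len(counts) > max_accounts and device not in flagged:
            flagged[device] = ts
    return flagged


def regular_interval_alerts(events, min_events=5, max_cv=0.1):
    """Behavioural check for low-and-slow automation (illustrative heuristic, an assumption
    of this example): flag devices whose gaps between attempts are near-constant
    (coefficient of variation <= max_cv) once at least min_events attempts exist.
    Human retries are irregular; scheduled tooling is not."""
    stamps = defaultdict(list)
    for ts, device, _ in parse(events):
        stamps[device].append(ts)
    flagged = {}
    for device, times in stamps.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else 0.0   # identical timestamps are maximally regular
        if cv <= max_cv:
            flagged[device] = round(cv, 3)
    return flagged


if __name__ == "__main__":
    print("velocity:", velocity_alerts(SAMPLE_EVENTS))                  # dev-A only
    print("regular spacing:", regular_interval_alerts(SAMPLE_EVENTS))   # dev-A and dev-B; dev-C clean
```

Note that dev-B never trips the velocity check (one account per 15 minutes is well inside a five-minute window) but its perfectly even spacing gives it away; a real deployment would feed both outputs into a risk score rather than blocking on either alone.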
Preventing account opening fraud via risk assessments
Whether the attack is run by a bot or by a single fraudster manually opening accounts, there are identifiers that can be used to detect risk in account opening. These identifiers sit outside the usual verification of the identity itself against credit or other data.
The following techniques make a risk assessment of either the device itself or the behaviour during the session.
Device intelligence enables organisations to verify the identity of a device by its unique characteristics. Device authentication technology uses a set of unique attributes of each device to create a device ID, with the more advanced solutions defending against "device spoofing", where an adversary mimics another device. With device identification in place, transactions from risky devices can be flagged for next-level review or denied altogether.
Device spoof detection:
Device spoofing is done either to impersonate a genuine customer's device or to defeat negative lists, which are lists of devices associated with prior fraud attempts. In an account takeover, the fraudster has typically compromised enough information about the consumer and their account to gain access. However, many organisations will challenge an unknown device that has not previously been associated with that consumer.
Sophisticated fraudsters know this best practice, and therefore use fraud tools to impersonate the true consumer's device and avoid step-up authentication.
Fraudsters also use device spoofing to defeat a negative list. In card provisioning or payments, for example, a fraudster whose device has been negative-listed can keep loading stolen payment details simply by continually changing the device's apparent identity.
The questions to ask are: is the same device ID appearing across many IP addresses, or are many accounts being opened from the same device?
Identities associated with fraud: Organisations can also look for recurring attributes of applicants, such as a known fraudulent device, phone number or email address, and raise a risk indicator when those attributes reappear on subsequent account applications.
Other fraud detection techniques include, but are not limited to, malware detection, location analysis, distinguishing automated from human behaviour, behavioural analytics, and examining data elements of the mobile device or browser in use for anomalies. Often many different elements and detection techniques are combined into a comprehensive risk score, since a single element may not by itself indicate fraud.
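To show how the device-centric signals above combine into a single risk score, here is an added example (not InAuth's product logic and not code from the article) run over constructed applications: a device ID derived from attributes that rarely change, a spoof check that cross-checks attributes a spoofer would have to alter together, negative lists of devices, emails and phone numbers from prior fraud, the two questions from the previous section (one device across many IPs, many identities on one device), and a weighted score that maps to approve, review or deny. Attribute names, weights and thresholds are assumptions made for the example; a production system would tune them on its own traffic.

```python
import hashlib
import json

# Attributes that change rarely for a given device; the ID hashes only these, so a
# new browser version or a cleared cookie does not produce a "new" device. (Assumed set.)
STABLE_KEYS = ("platform", "screen", "timezone", "hardware_concurrency", "gpu")

# Constructed device attribute sets, as a client-side collector might report them.
ALICE_DEVICE = {  # a consistent iPhone
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) Mobile/15C114 Safari/604.1",
    "platform": "iPhone", "screen": "375x812", "timezone": "Europe/London",
    "hardware_concurrency": 4, "gpu": "Apple A11 GPU", "max_touch_points": 5, "webdriver": False,
}
BOT_DEVICE = {  # a headless browser wearing an iPhone user agent
    "user_agent": ALICE_DEVICE["user_agent"],
    "platform": "Win32", "screen": "1920x1080", "timezone": "UTC",
    "hardware_concurrency": 8, "gpu": "llvmpipe", "max_touch_points": 0, "webdriver": True,
}
REUSED_DEVICE = {  # an ordinary Windows laptop that keeps showing up under new identities
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0 Safari/537.36",
    "platform": "Win32", "screen": "1366x768", "timezone": "America/New_York",
    "hardware_concurrency": 4, "gpu": "Intel HD Graphics 620", "max_touch_points": 0, "webdriver": False,
}


def device_id(attrs):
    """Stable device ID: a hash of the rarely-changing attributes, so raw values are not stored."""
    stable = {k: attrs.get(k) for k in STABLE_KEYS}
    return hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest()[:16]


def spoof_indicators(attrs):
    """Cross-check attributes a spoofer must change together; each mismatch is a finding."""
    findings = []
    ua = attrs.get("user_agent", "")
    if "iPhone" in ua and attrs.get("platform") != "iPhone":
        findings.append("user agent claims iPhone but navigator.platform disagrees")
    if "Mobile" in ua and attrs.get("max_touch_points", 0) == 0:
        findings.append("mobile user agent on a device reporting no touch support")
    if attrs.get("webdriver"):
        findings.append("navigator.webdriver is set (browser automation)")
    return findings


# Negative lists built from prior confirmed fraud (constructed for the example).
NEGATIVE_DEVICES = {device_id(BOT_DEVICE)}
NEGATIVE_EMAILS = {"refund.now@example.net"}
NEGATIVE_PHONES = {"+15550100"}

# Constructed application history: one device seen from five IPs under five identities.
HISTORY = [{"device": device_id(REUSED_DEVICE), "ip": f"198.51.100.{i}", "email": f"user{i}@example.org"}
           for i in range(5)]


def device_history_signals(dev, history, max_ips=3, max_identities=2):
    """The two questions from the text: one device ID across many IPs, or many identities on one device."""
    ips = {h["ip"] for h in history if h["device"] == dev}
    emails = {h["email"] for h in history if h["device"] == dev}
    signals = []
    if len(ips) > max_ips:
        signals.append(f"device seen from {len(ips)} distinct IP addresses")
    if len(emails) > max_identities:
        signals.append(f"device used for {len(emails)} distinct identities")
    return signals


# Illustrative weights: no single signal reaches the deny line on its own; combinations do.
WEIGHTS = {"negative_device": 60, "negative_email": 40, "negative_phone": 40, "spoof": 25, "history": 20}


def assess_application(app, history=HISTORY):
    """Combine all signals into one score and a decision: approve (<30), review (30-69), deny (>=70)."""
    dev = device_id(app["device_attrs"])
    reasons, score = [], 0
    list_hits = [
        (dev in NEGATIVE_DEVICES, "device on negative list", WEIGHTS["negative_device"]),
        (app["email"] in NEGATIVE_EMAILS, "email on negative list", WEIGHTS["negative_email"]),
        (app["phone"] in NEGATIVE_PHONES, "phone on negative list", WEIGHTS["negative_phone"]),
    ]
    for hit, reason, weight in list_hits:
        if hit:
            reasons.append(reason)
            score += weight
    for finding in spoof_indicators(app["device_attrs"]):
        reasons.append(finding)
        score += WEIGHTS["spoof"]
    for signal in device_history_signals(dev, history):
        reasons.append(signal)
        score += WEIGHTS["history"]
    score = min(score, 100)
    decision = "deny" if score >= 70 else "review" if score >= 30 else "approve"
    return {"device": dev, "score": score, "decision": decision, "reasons": reasons}


APPLICATIONS = {  # constructed applications
    "alice": {"email": "alice@example.com", "phone": "+15550101", "device_attrs": ALICE_DEVICE},
    "bot":   {"email": "refund.now@example.net", "phone": "+15550102", "device_attrs": BOT_DEVICE},
    "reuse": {"email": "fresh.name@example.org", "phone": "+15550103", "device_attrs": REUSED_DEVICE},
}

if __name__ == "__main__":
    for name, app in APPLICATIONS.items():
        result = assess_application(app)
        print(f"{name:6} score={result['score']:3} {result['decision']:8} {result['reasons']}")
```

The "reuse" application is the case the text warns about: nothing on the application itself is wrong, the device passes the spoof checks, and only its history (five IPs, five identities) pushes it into review, which is exactly why a single element should feed a score rather than a verdict.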
Retailers, financial institutions, card issuers and others know they must take more stringent measures to combat digital account opening fraud, yet they want to do so in a way that does not cause more friction and inconvenience to customers who prefer the speed and convenience of opening accounts online. By deploying the latest digital security measures and solutions, customer experience and security no longer have to be mutually exclusive.
Contributed by Mike Lynch, Chief Strategy Officer, InAuth.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.