Any organization that supports user accounts is exposed to the risk of Account Takeover (ATO). Verified and operational accounts are among the main targets of online criminals. Accounts are compromised for several reasons – theft of available financial or digital value balances, money laundering, or future resale of account credentials.
Account Takeover techniques are manifold – phishing attacks, session hijacking, man-in-the-middle attacks, brute force attacks, social engineering and many more. The weakest links in the chain are usually user behaviour and the security measures implemented by online organizations.
Detecting and preventing ATO without destroying the customer experience is a complex task that requires monitoring and collecting data from multiple customer interaction points throughout the customer journey. Very often organizations try to detect ATO by monitoring at a single point only – customer logins or transactions. This choice is usually driven by the high cost of screening all stages of customer activity, or by the inability of mainstream fraud and risk solutions to consume and process events such as account updates, password changes, etc.
ATO techniques are becoming more and more sophisticated – fraudsters are usually aware of the profile of the customer they are about to attack, the IP address and device profile are easy to tamper with and match, and language, time zone, OS and browser mismatches are unlikely to exist at login. Therefore, detecting ATO solely at login becomes more and more difficult. Answers to secret questions are also a frequent target of phishing attacks, which reduces their effectiveness at login.
After login, fraudsters usually try to take control of the account by updating contact details and passwords, so the victim is locked out of their account and receives no notification of subsequent financial operations.
Once the fraudsters are in possession of an account, it is time for any available funds to be stolen, loyalty points to be redeemed or a purchase to be placed. Screening only at this last stage of ATO is not enough to achieve a high ATO detection rate.
Most risk policies and models place significant reliance on old, verified accounts and their extensive purchase history. Therefore, an ATO prevention strategy based only on endpoint (financial transaction) screening will not be entirely successful.
NOTO offers the capability to connect to multiple stages of the customer journey and to consume and process the data from these points of interaction – customer login, account updates, password changes, adding or removing payment instruments, placing orders, sending or receiving money, etc. For each of these events, Risk and Fraud managers can create unique decision-making policies, allowing them to intercept ATO when there is enough data for highly accurate decisions.
Let’s have a look at how an ATO develops and how it can be successfully identified and intercepted using NOTO:
A login attempted on a customer account:
- IP address almost perfectly matching the location of all previous IP addresses used
- Device profile is almost the same as the historically observed ones
- Only the browser version is new, but is that enough to act on? Not really…
The next step is adding a new email address to the customer profile:
- Email address is clean and it is not associated with any previous activity
- Again, not enough intel to act…
Next, the fraudster initiates a payment:
- To an account that has never been a recipient in the user’s transaction history
- The transfer is for the entire account balance, which again deviates completely from the norm.
What do we know so far?
- IP has not been seen before
- Email address was just added
- The entire account balance is about to be sent to a new recipient…
It's time to take action!
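The walkthrough above, as an added Python example (not NOTO's own code): a minimal per-event policy that accumulates weak signals across login, profile update and payment, and acts only when the combined score crosses a threshold. Event field names, signal weights, the threshold and the account history are assumptions constructed for the example.

```python
# Constructed example: per-event ATO policies that accumulate weak signals
# across the customer journey and act only on the combined evidence.
from dataclasses import dataclass, field

@dataclass
class Account:
    known_ips: set
    known_devices: set
    known_recipients: set
    balance: float
    signals: list = field(default_factory=list)   # weak signals seen so far

# Hypothetical policy weights: each stage may add signals; the threshold is
# set so that a payment screened in isolation never triggers on its own.
WEIGHTS = {"new_ip": 1, "new_device": 1, "email_added": 1,
           "new_recipient": 2, "full_balance_transfer": 3}
ACT_THRESHOLD = 6

def process_event(acct, event):
    """Apply the policy for one journey stage; return 'allow' or 'review'."""
    kind = event["type"]
    if kind == "login":
        if event["ip"] not in acct.known_ips:
            acct.signals.append("new_ip")
        if event["device"] not in acct.known_devices:
            acct.signals.append("new_device")
    elif kind == "profile_update" and event.get("field") == "email":
        acct.signals.append("email_added")
    elif kind == "payment":
        if event["recipient"] not in acct.known_recipients:
            acct.signals.append("new_recipient")
        if event["amount"] >= acct.balance:
            acct.signals.append("full_balance_transfer")
    score = sum(WEIGHTS[s] for s in acct.signals)
    return "review" if score >= ACT_THRESHOLD else "allow"

def fresh_account():
    """Constructed history: one known IP, device and recipient."""
    return Account(known_ips={"203.0.113.10"}, known_devices={"dev-A"},
                   known_recipients={"acct-friend"}, balance=1200.0)

def run_scenario():
    """Replay the ATO sequence from the article: new IP (same device),
    new email address, then the whole balance to a new recipient."""
    acct = fresh_account()
    events = [
        {"type": "login", "ip": "203.0.113.57", "device": "dev-A"},
        {"type": "profile_update", "field": "email"},
        {"type": "payment", "recipient": "acct-unknown", "amount": 1200.0},
    ]
    return [process_event(acct, e) for e in events]
```

Screening the payment alone scores 5 and is allowed; only the signals carried over from the earlier stages push it to 7 and trigger a review.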
Implementing monitoring at multiple points throughout the customer journey not only allows for high precision when detecting ATO, but also makes it more difficult for fraudsters to figure out your risk and fraud setup.