""
Blog

ATO alert: Outdated mobile authentication leaves customers open to fraud

Almost half of U.S. banks could be leaving their customers vulnerable to account takeover (ATO) fraud due to inadequate protection of their mobile channels. According to Liminal’s 2024 Link Index for Account Takeover Prevention in Banking, mobile apps are a primary target for ATO attacks. This means that criminals are increasingly using mobile devices to gain unauthorized access to consumers’ bank accounts, over attacks targeting mobile web or desktop channels.

OTPs: No longer a barrier against ATO and other modern fraud

Liminal describes ATO as a type of third-party fraud where a malicious actor gains access to a user’s account to initiate fraudulent transactions or steal funds or data. The report adds that unauthorized access is typically achieved through some type of phishing attack or by exploiting user credentials that may already have been stored from previous data breaches.

Not only are U.S. banks seeing an increase of 66.8% in social engineering attacks, such as account takeovers, over the last two years, but the losses from these attacks have also been growing, averaging between $6,000 and $13,000 per ATO incident in the banking industry. Despite these high risks, many banks are still not adequately protecting their mobile channels.

According to Liminal, only 44% of banks are using mobile device signals for protection, while most are still using outdated SMS one-time PIN codes (OTPs) to secure mobile logins and transactions.

The problem is that SMS OTPs are no longer effective against today’s fraud vectors. Their security depends on the security of the cellular network, so a bank cannot assure the confidentiality of a text message or guarantee that it will not be intercepted. This lack of robust mobile security poses a significant risk to both banks and their customers.

Modern authentication uses risk signals for added security, without adding friction

Mobile device signals refer to a broad spectrum of data generated and transmitted by a mobile device, for example:

  • Device-specific details like SIM card numbers
  • Network-related signals like IP addresses
  • Behavior signals like user interactions
  • Security related signals like biometric data

Behavioral signals use the patterns and characteristics of user behavior, such as typing speed and pressure, to determine risk and prevent ATO attempts.

As fraud continues to rapidly evolve, banks choosing not to deploy risk signals and intelligence are unnecessarily subjecting their customers to extra friction – but not extra protection.

A major benefit of these signals is that, more often than not, the information is gathered in the background without the customer having to do anything, or even knowing about the efforts to verify their identity. This significantly cuts down on user friction.

More context supports seamless customer authentication

Modern authentication is about recognizing the vital role of user patterns and intelligent device signals for gathering context about a transaction and determining its legitimacy.

For example, imagine if customer A spends $30 at a small craft store, while customer B spends $300 on online sports betting. When deciding which transaction is suspicious, it’s important to look at the context and consider the customer’s historical transactions:

  • Customer A’s transaction, albeit small, is linked to a corporate account that is usually used for booking travel. This makes that transaction unusual for that customer.
  • Customer B, however, has regularly spent similar amounts on online gambling in the past, making the transaction normal for that customer.
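To make the customer A / customer B comparison concrete, here is an added example (not code from the original post) of a minimal context-aware risk engine. It combines the transaction context above with the device, network and behavioral signals listed earlier, scores each signal against the customer's own history rather than a global rule, and maps the total to a journey: a silent pass, an active step-up challenge, or a hold for review. The profiles, transactions, weights and thresholds are all constructed sample values, and the function and field names (`assess`, `runScenarios`, `typingIntervalMs`, `simChanged`) are assumptions for this illustration.

```javascript
// Added example, not code from the original post: a minimal context-aware
// risk engine. It scores a transaction against the customer's own history and
// the mobile device signals described above (device, network, behavioral),
// then chooses a silent pass, an active step-up challenge, or manual review.
// All profiles, transactions, weights and thresholds are constructed sample
// data for illustration, not figures from the article.

const PROFILES = {
  // Customer A: corporate account normally used for booking travel.
  customerA: {
    homeCountry: 'US',
    knownDevices: new Set(['dev-a1']),
    typingIntervalMs: 180, // typical inter-keystroke interval from past sessions
    history: [
      { merchantCategory: 'travel', amount: 1200 },
      { merchantCategory: 'travel', amount: 850 },
      { merchantCategory: 'travel', amount: 640 },
    ],
  },
  // Customer B: regularly spends similar amounts on online gambling.
  customerB: {
    homeCountry: 'US',
    knownDevices: new Set(['dev-b1']),
    typingIntervalMs: 140,
    history: [
      { merchantCategory: 'gambling', amount: 250 },
      { merchantCategory: 'gambling', amount: 320 },
      { merchantCategory: 'gambling', amount: 290 },
    ],
  },
};

// Illustrative weights: higher means the signal is a stronger anomaly indicator.
const WEIGHTS = {
  newMerchantCategory: 40,
  amountOutlier: 25,
  unknownDevice: 30,
  simChanged: 25,
  foreignIp: 15,
  typingAnomaly: 20,
};

// Thresholds for the authentication journey (constructed values).
const CHALLENGE_THRESHOLD = 30; // below this: silent signals are enough
const REVIEW_THRESHOLD = 70;    // at or above this: hold the transaction for review

function assess(customerId, tx, device) {
  const profile = PROFILES[customerId];
  if (!profile) throw new Error(`unknown customer ${customerId}`);
  const reasons = [];
  let score = 0;
  const add = (weight, reason) => { score += weight; reasons.push(reason); };

  // Transaction context: compare with this customer's own history, not a global rule.
  const seenCategories = new Set(profile.history.map((h) => h.merchantCategory));
  if (!seenCategories.has(tx.merchantCategory)) {
    add(WEIGHTS.newMerchantCategory, `first spend in category "${tx.merchantCategory}"`);
  }
  const amounts = profile.history.map((h) => h.amount);
  const mean = amounts.reduce((sum, a) => sum + a, 0) / amounts.length;
  if (tx.amount > 3 * mean) {
    add(WEIGHTS.amountOutlier, `amount ${tx.amount} is far above the usual ${mean.toFixed(0)}`);
  }

  // Device-specific and network signals (collected in the background by the app).
  if (!profile.knownDevices.has(device.id)) add(WEIGHTS.unknownDevice, `unrecognised device ${device.id}`);
  if (device.simChanged) add(WEIGHTS.simChanged, 'SIM card changed since last session');
  if (device.ipCountry !== profile.homeCountry) add(WEIGHTS.foreignIp, `IP geolocated to ${device.ipCountry}`);

  // Behavioral signal: typing rhythm more than 50% away from the customer's baseline.
  const drift = Math.abs(device.typingIntervalMs - profile.typingIntervalMs) / profile.typingIntervalMs;
  if (drift > 0.5) add(WEIGHTS.typingAnomaly, `typing rhythm deviates ${(drift * 100).toFixed(0)}% from baseline`);

  // Map the score to a journey: silent pass, active authenticator (e.g. biometric), or review.
  let action = 'allow';
  if (score >= REVIEW_THRESHOLD) action = 'review';
  else if (score >= CHALLENGE_THRESHOLD) action = 'challenge';
  return { score, action, reasons };
}

// Worked scenarios from the article: A spends $30 at a craft store, B spends $300 on betting,
// plus a variant where A's transaction arrives from an unrecognised device with a new SIM.
function runScenarios() {
  const normalDeviceA = { id: 'dev-a1', simChanged: false, ipCountry: 'US', typingIntervalMs: 185 };
  const normalDeviceB = { id: 'dev-b1', simChanged: false, ipCountry: 'US', typingIntervalMs: 150 };
  const strangeDevice = { id: 'dev-x9', simChanged: true, ipCountry: 'US', typingIntervalMs: 185 };
  return {
    customerA: assess('customerA', { merchantCategory: 'crafts', amount: 30 }, normalDeviceA),
    customerB: assess('customerB', { merchantCategory: 'gambling', amount: 300 }, normalDeviceB),
    customerAFromNewDevice: assess('customerA', { merchantCategory: 'crafts', amount: 30 }, strangeDevice),
  };
}
```

Customer A's $30 purchase scores 40 (a merchant category the account has never used) and gets a step-up challenge, while customer B's $300 bet scores 0 and passes silently; the same $30 purchase from an unrecognised device with a changed SIM scores 95 and is held for review. The `reasons` array is what makes the decision explainable to a fraud analyst and to the customer, which matters as much as the score itself.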

These context-rich risk signals, and other advancements in authentication technology, are invaluable in the fight against ATO fraud. With biometric authentication capabilities becoming standard on new devices, fingerprint scanning and facial recognition are now part of our everyday lives. New technologies such as sophisticated machine learning and AI are also being used to analyze a growing range of signals to identify anomalies and prevent fraud.

In addition, the open standard FIDO2 uses public key cryptography to enable secure, passwordless logins across devices and platforms. Because no shared secret is sent over the network, a FIDO2 login cannot be intercepted the way an SMS code can, and the credential provides lasting protection, unlike an OTP, which is single-use.

Banks now have a host of options to secure their mobile channels and help prevent ATO fraud. So, what’s holding them back?

Next steps for banks to secure their mobile channels

One of the biggest challenges is a lack of education about mobile device signals. In addition, there is a perception that mobile authentication comes at a high cost. Add concerns about tricky app integration and burdening a bank's overstretched internal tech teams, and it becomes clear why many banks choose not to address this growing issue.

However, banks need to prioritize advanced risk signals that identify suspicious activity and can stop attacks in progress. They should also consider real-time threat detection paired with strong authentication methods such as biometrics, tokenization, and device fingerprinting.

By using advanced authentication, banks can leverage silent and active authenticators, supported by risk signals that advise the optimal authentication challenge and journey. Without device signals, customers are burdened with unnecessary friction. And with limited signals, financial institutions risk blocking valid transactions and frustrating their customers.

On a final note, financial institutions should avoid multi-vendor solutions that add layers of complexity and cost to the end solution. Rather, banks should partner with a solution provider that can cover the entire user lifecycle. This reduces costs and the strain on internal resources while ensuring they get the full range of signal benefits with one simple integration. A better solution is possible.