3 Ways to win against account takeover fraud

Banking Security Technology
If a fraudster gets hold of a customer’s credit card, that’s not great news. What has even further-reaching consequences is if they get hold of personally identifiable information (PII), such as account login details or social security numbers. With that sensitive information at their disposal, fraudsters can take over multiple accounts or even sell off the compromised details on the dark web.
In this article, the second in our financial fraud deep dive series, we explain what account takeover (ATO) fraud is and explore three ways you can safeguard your customers and financial institution (FI).

What is account takeover fraud?

ATO fraud is a type of cyberattack that occurs when a bad actor takes over another person's account and uses that access to steal funds, set up accounts in their ‘name’, or sell sensitive information to other attackers.
With this particular fraud vector, customers often only become aware of what’s happening a few days after the fraudster takes action. But, by this time, the attacker can already have cleared out all their victim’s cash or set up other accounts in the individual’s name without their knowledge.
How account takeover (ATO) fraud happens.
The steps fraudsters take to perform ATO fraud, and what consumers should look out for.
FIs that experience frequent ATO fraud attacks not only face enormous financial losses for themselves and their customers, but risk breaking their customer’s trust and causing damage to their brand. Consequently, they’ll quickly slip down in top-of-wallet status as consumers switch to banks or credit unions that show high regard for data security.

To prevent fraudsters from multiplying their attack surface quickly with ATO attacks, FIs can beat them at their own game by investing in modern, innovative security technology.

How to prevent ATO fraud at your FI

1. Boost security with multi-factor authentication

Single-factor authentication solutions, such as using a password to log in, are no barrier from today’s evolving fraud vectors. Adding an additional layer of authentication, such as a one-time password (OTP), is an improvement but OTPs are also vulnerable to ATO fraud.
During an account takeover, it’s likely the attacker will also have changed the customer’s mobile details — which is where the OTP is usually sent. So, the bank will try and authenticate the customer by sending an OTP to their new number and the fraudster easily intercepts it.
Multi-factor authentication (MFA), on the other hand, includes more than weak password-only (or Knowledge factor) authentication. It provides additional layers of protection by also requiring something you have (the Possession factor), such as your mobile device, and something you are (the Inherence factor), such as your fingerprint.
Considering that 49% of data breaches in 2022 involved stolen credentials, and that cybercriminals steal 33 billion personal data records annually (IBM, 2023), FIs need the added security of MFA to keep fraudsters out.

2. Make it harder for fraudsters with passwordless authentication

Moving away from outdated username and password logins is essential if FIs want to prevent account takeovers. With hackers able to crack simple passwords in a matter of seconds, FIs need authentication measures that deliver better security. And ones that don’t create a frustrating user experience by adding unnecessary friction, like laborious password resets.
Passwordless authentication replaces passwords with user-friendly measures such as biometrics, QR codes, passkeys, or risk-based authentication to quickly verify the user. These modern authentication options balance security and the user experience by not adding any additional friction, and oftentimes giving customers a choice of authentication measures.
Basically, passwordless authentication enables customers to easily verify they are who they say they are, and get on with their digital transactions, trusting that their sensitive data is protected.
To learn more about passkey technology, download our passkeys factsheet.

3. Offer real-time protection with risk-based authentication

If a customer’s behavior appears out of the ordinary regarding their transactions, logins, or other online banking requests, the bank should immediately flag it as suspicious. To prevent ATO fraud, security solutions need the capacity to assess risk in real-time. When determining whether a risk is high or low, authentication tools require data on what a customer’s normal online banking and payment behavior looks like, from the amounts they pay and their location to what device they usually use.
Authentication technology should be able to differentiate between normal and unusual activity across all an FIs customer engagement channels. Cross-channel solutions break down data silos and share vital data points between channels to build a better picture, or context, for each customer.
Let’s look at an example. A fraudster uses a SIM-swap attack to divert the bank’s OTP security. They use that info to change the customer’s login credentials and then request to transfer all the funds in the account to an account abroad. Risk-based authentication (RBA) will enable FIs to flag this type of suspicious behavior in real-time and step up the security measures by requesting biometric verification, for instance, and stop the account takeover if the activity is fraudulent.
RBA leverages hundreds of data points it collects on the customer, such as their device ID or typical payment behavior, to assess the level of fraud risk, and determine the most appropriate authentication mechanism at that moment. Ultimately, it provides the intelligence to keep your customers’ data secure.

The bottom line

Fraudsters will always take advantage of any emerging trends, tech, or economic vulnerabilities. Yet, FIs can stand their ground and protect their customers by adopting strong fraud prevention strategies and cutting-edge security solutions that prevent simple attacks, like ATOs, and keep a step ahead of any new attack vectors.
Safeguard your customers and your institution’s reputation with a layered approach to authentication that keeps fraudsters out. Book a personalized demo today.

In case you missed the first blog in this series, you can discover how to defeat the 3 major fraud schemes threatening FIs today.