Account Hijacking: The Ins and Outs of Account Takeovers

August 30, 2024
Alex Hall
Founder at Dispute Defense


I was a fraudster. I used to specialize in the development of new methods of account takeovers. After my daughter was born in 2017, I decided to use my skills for good. Now, I work with organizations to help them develop fraud strategies, improve their programs, and train employees. During my time on the other side, I gained a unique perspective on mistakes that institutions would make, making it easier for me to compromise someone’s identity. Now, as fraud fighters, we can work together to help prevent account takeovers.

Transaction Monitoring Is Not Enough for ATOs

Fraud monitoring began somewhere in the late 1980s. Digital banking came on the scene around the time of smartphones in 2006. The tools we use today to detect account takeovers, which were adopted because of digital banking, are the same tools we used to monitor transactions in the 80s. Many financial institutions today use the same approach they have used for the past 30 years to detect Account Takeovers (ATOs). Fraud professionals have always been trained to monitor transactions and determine whether the customer initiated the transaction. If the customer was a victim of fraud, you froze the account and ensured the customer was safe. ATOs are a completely different breed.

Institutions often fail to realize that if an account takeover is happening, the end-user has already been compromised. Fraud prevention focuses on transactions and payments, and from there, we reverse engineer where something has or hasn’t happened and change our approach. In account takeovers, it’s simply taking over an account, and from there, the options become limitless. Any way a user can interact with a platform becomes available to a fraudster.

Assets, Not Victims

It’s critically important that financial institutions stop looking at customers as potential victims and start looking at them as assets. Each person adds up to an ROI for a fraudster, depending on the products and services they have. Each profile has a viability, a value to the fraudster once it is taken over. If you don’t look at the customer as a holistic asset, it’s harder to detect when a fraudster has taken over.

During my time on the other side, I would qualify a profile (identity) by what they had in an account and look at their social media presence. I would leverage things like Twitter and Instagram and look at their lifestyles to see if they had money available or if they might be in good standing with the credit bureaus. I would group them into two stacks, those that appeared to have low credit viability and those with high viability. Based on that, my tactics would change, but they were all valuable to me no matter what.

It's important to distinguish between a payment instrument as an asset and an identity as an asset. Many believe the shift from payment fraud to identity-related fraud is more of the same, but it is a new evolution. When a payment instrument is compromised, it’s only worth what a fraudster can get on any particular transaction. Institutions are monitoring transactions; merchants are monitoring the checkout process. If you get a card linked to a $50 million account, that card isn’t necessarily worth $50 million. It’s worth what you can get through at one of these merchants.

Now, shift gears and look at an identity as an asset. Every new bank account at a Fintech or a financial institution, as well as every new investment portfolio, is another bucket that fraudsters can put funds into until they age and withdraw. Plus, they’re all stolen funds. Fraudsters seek to establish connections between third-party platforms, link them, and exchange funds. When a fraudster gets into a targeted account that's well funded, they will add an authorized user and request a secondary card. When all a financial institution is doing is looking at the transactions, they are missing out on a truckload of use cases that I have personal experience in interacting with, and we're walking around in a pitch-black room with a flashlight. The ROI for identity information is greater than that of a compromised payment instrument.

Know Your Customer Is Not Enough

There are use cases where Know Your Customer (KYC) is powerful. As fraudsters shift over to identity information, it quickly loses value. Today, we have a central identity aggregated over time from data such as transactions, account creation, login data, claims, or chargebacks. Every time someone interacts, we check against this central identity to determine whether a request should go through. All these data points across all these different accounts are tied to a single identity and its performance over time. I know firsthand how easy it is to associate new data points to that central identity with positive performance across the network.

I call this data injection or data poisoning. Data points that I control, such as an email address, phone number, or physical address, become associated with that central identity. I do this well before attempting to create a new account or enact a new transaction. Uni-directional KYC is going to be stressed to its limits. All our fraud prevention tries to tie accounts and transactions to the performance of that central identity. Fraudsters will see how easy it is to inject those positive performing data points into that central identity, nullifying that whole dynamic.

Different Fraud Methods

All fraud methods fit into three buckets: linear, multi-touch, and multi-system. In a linear approach, a fraudster will obtain compromised login details, such as someone’s Netflix account. The person happens to use the same username and password for the bank account. The fraudster logs in and gains access. Thankfully, many financial institutions put step-up verification processes in place; however, it’s still easy enough to bypass some of that.

In the multi-touch exploit, the fraudster aggregates profile information for a central identity. Databases such as Spokeo aggregate and organize public data. The fraudster gathers enough information to satisfy the Knowledge-Based Verification questions used by customer service. When they call in, they anticipate being asked certain questions, answer them correctly, and then reset access to the account.

With a multi-system approach, fraudsters take access to the next level. They have enough information on a central identity to create a new account on another platform to transfer funds into. Unfortunately, the micro-deposit verification process is still in play at many institutions. The fraudster calls in on the established account and gives the required last four of the social or zip code to gain access to transaction history. When a micro-deposit is all that is needed to verify authority over an account, the fraudster already has the transaction history handy and can successfully set up transfers between the established account and the newly created account. They make transfers over time as a slow drain, onto layers of other mule accounts.

Combating Account Takeovers

How do institutions fight back against account takeovers? The simple answer is to take the power out of the fraudster’s hands. When a fraudster interacts with a platform, they are trying to anticipate every request the platform will make. If they get shut down because they answered a question wrong or could not satisfy a biometric check, they use that failure as research. They will sacrifice low-level accounts while gathering information to see what step-up verification will be performed. Institutions can take power away from the fraudsters by using passive data sets.

One example is transaction analysis. How does the real user typically transact? When do they interact with the platform? How do they interact with the platform? Is it normal for them to call customer service to get transaction history, or have they never done that before? This could indicate suspicious behavior. What device do they normally use? What are their spending behaviors?

Using passive data stops the information-gathering ability of fraudsters and benefits legitimate users because they aren’t being hit with step-up requests. As a fraudster, I’m not going to go through the work to mimic a user’s behaviors. Even if I was willing to do the work, how would I know when they typically interact with the platform? 

A fraudster can provide anything the platform asks for from the user. Even as voice and facial biometrics came on the scene, fraudsters have successfully satisfied those requests. We need to move to something more passive to be effective and still low-friction for customers.
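The passive-signal approach described above, worked through as an added example that is not part of the original post: it builds a baseline from an account's own history (devices, hours, channels, actions, payees) and scores a new session by how far it departs from that baseline, so a session that answers every active question correctly can still stand out. All session data, weights and thresholds are constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Session:
    hour: int                 # local hour (0-23) of the interaction
    device_id: str            # device fingerprint the platform observed
    channel: str              # "app", "web" or "phone" (call center)
    actions: list = field(default_factory=list)  # e.g. "view_history", "add_payee"
    payee: str = ""           # transfer counterparty, empty if none

def build_baseline(history):
    """Aggregate an account's own history into per-signal frequency tables."""
    b = {k: Counter() for k in ("hours", "devices", "channels", "actions", "payees")}
    for s in history:
        b["hours"][s.hour] += 1
        b["devices"][s.device_id] += 1
        b["channels"][s.channel] += 1
        b["actions"].update(s.actions)
        if s.payee:
            b["payees"][s.payee] += 1
    return b

def score_session(baseline, s):
    """Score how far a session departs from the account's habits; weights are assumptions."""
    # An hour is usual if within 2h (wrapping past midnight) of any hour seen before.
    usual_hour = any(min(abs(s.hour - h), 24 - abs(s.hour - h)) <= 2 for h in baseline["hours"])
    signals = [
        (baseline["devices"][s.device_id] == 0, 3, "new device"),
        (not usual_hour, 2, "unusual hour"),
        (baseline["channels"][s.channel] == 0, 2, "never used channel " + s.channel),
        (bool(s.payee) and baseline["payees"][s.payee] == 0, 2, "new payee"),
    ] + [(baseline["actions"][a] == 0, 2, "first-ever action " + a) for a in s.actions]
    hits = [(w, r) for fired, w, r in signals if fired]
    return sum(w for w, _ in hits), [r for _, r in hits]

def decide(score):
    """Map a score to an outcome; thresholds are assumptions for this example."""
    return "allow" if score < 3 else ("step_up" if score < 7 else "hold_and_review")

# Constructed history: 30 evening app sessions from one phone paying one bill.
HISTORY = [Session(19 + i % 3, "dev-A", "app", ["view_balance", "pay_bill"], "electric-co")
           for i in range(30)]
BASELINE = build_baseline(HISTORY)
NORMAL = Session(20, "dev-A", "app", ["view_balance"])
# Constructed ATO-style session: new device at 3 a.m. over the call-center channel,
# pulling transaction history for the first time, then adding and paying a new payee.
SUSPICIOUS = Session(3, "dev-Z", "phone", ["view_history", "add_payee"], "unknown-acct")
```

The normal session scores 0 and is allowed without friction, while the suspicious one accumulates every passive signal (13) and is held for review even though no active challenge was failed.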

You can hear the full discussion from the Fraud Fighter Virtual Summit in this session recording.
