Account Takeover Fraud Is on the Rise — Here’s How to Fight Back
In just one year, account takeover fraud has tripled, reaching $5.1 billion in 2017, according to Javelin Research. Unlike a stolen credit card that impacts a single consumer account, account takeover fraud is insidious. Once fraudsters gain access to one account, they use it to gain access to multiple accounts.
As a result, consumers face out-of-pocket costs that can reach hundreds of dollars while also having to spend multiple hours trying to resolve the fraud claims. Javelin estimates that consumers spent more than 62.2 million hours on account takeover issues last year.
Account Takeover Fraud is Good Business (for Criminals)
There are several reasons for the rapid increase in account takeover fraud. The addition of EMV chips to credit cards has been successful, making it more difficult for fraudsters to perpetrate counterfeit card fraud. But like any good business, fraudsters move where the money is. Too difficult to get away with card-present fraud? Fraudsters shift their focus to account takeover fraud.
Another reason for the increase is that it’s simply easier than ever before to pull off. The data that fraudsters need to take over accounts is becoming more accessible. With huge data breaches and phishing attacks putting literally billions of consumers’ personally identifiable information (PII), user names, email addresses and passwords on the dark web, any fraudster with a few dollars can buy stolen PII. And the dark web is not the only place this information is available. Fraudsters can get it openly on the Internet or by mining social media sites.
And finally, account takeover fraud is lucrative. A fraudster can quickly hijack multiple accounts, significantly increasing their payday.
Account Takeover: The Gift that Keeps on Giving
Account takeover fraud can be devastating to consumers. Unlike the $50 liability limit that protects consumers in the case of credit card fraud, an account takeover thief could quickly empty out a consumer’s bank accounts. And once the money is gone, it can take weeks to recover.
It’s a great business model for fraudsters. Once criminals gain account access, they can open new accounts using the stolen information. Since consumers tend to use the same or similar username and password for many of their accounts, the fraudsters can use this to their advantage and access additional accounts. Maybe they’ll add authorized users to a credit card and rack up expensive purchases, or they’ll transfer money from the stolen checking account to a new account. They can also take advantage of online offers for credit cards for a prequalified consumer, or apply for a loan to purchase a new car or boat.
A consumer will feel the impact of account takeover fraud for months, even years.
Account takeover fraud can be highly disruptive for the financial institution as well. Consumers expect their bank or credit union to protect them from fraud. An account takeover experience will erase or seriously erode any positive feeling consumers had for their once-trusted financial institution.
Catch Me If You Can
It’s difficult to catch the criminals. First, they move quickly. Second, credit monitoring is unable to detect account takeover fraud. Third, fraudsters often sell the stolen identities to other criminals, introducing another level of anonymity and increasing the damage to the consumer.
Unlike credit card fraud that appears on statements, consumers are often unaware that their accounts have been taken over. Fraudsters have become adept at changing a consumer’s account profile to re-route email, phone, and text communications from the financial institution. Typically, a financial institution will send an SMS text message to a consumer to verify a change to their account. But if the text gets ported to the fraudster’s phone, they’ll be the one to confirm the change. The consumer — and the financial institution — will be none the wiser.
Fraudsters perpetrate account takeover fraud using a variety of access points including online, phone, and even in person. While financial institutions have focused on ramping up their security to protect against online access, they often leave the phone channel vulnerable. For example, many call centers still rely on automatic number identification (ANI) to verify that consumers are who they say they are.
Protecting Against Account Takeover Fraud
It’s important to remember that fraudsters are entrepreneurial. When EMV chips made it more difficult to counterfeit credit cards, they moved online. As banks and credit unions focused on tightening online security channels, fraudsters have moved to mobile channels, becoming skilled at spoofing ANI or porting communications.
Fraudsters can easily call into the contact center with a spoofed phone number and, by leveraging social engineering, pretend they are the consumer. Fraudsters, ever the professionals, can trick even the most experienced, savvy call-center rep into divulging information the fraudster can exploit for illicit purposes or into making changes to a consumer’s account that allow the criminal to do further damage. Or, fraudsters steal a mobile device, remove the SIM card and use SMS-based password-reset tools to get access to additional accounts.
But what can’t be faked is device-based identification data. The only way to get access to this data is through relationships with telecommunications companies, government agencies, and utility companies.
Neustar, through our relationships with phone carriers, receives updated device identification linkages on more than 500 million phones every 15 minutes, indicating current phone ownership. Neustar can also make a direct call to the carriers to see if a SIM card is still tied to a consumer’s phone, if the phone number has been forwarded, or if phone porting has occurred.
Neustar also gathers information about the device itself, including attributes such as usage, phone type, and mobile network operator (MNO) data and combines that data with offline verification data such as name and address and online digital identity data such as IP address and cookie data. This three-layered security approach is much more accurate at identifying fraud — and verifying legitimate consumers.
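The carrier checks described above (SIM still tied to the phone, forwarding, porting) can gate whether an SMS confirmation is trusted at all. The sketch below is an added example, not Neustar's code or API: the field names, the route labels and the 7-day window are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy window: how long after a SIM change, port or phone-number
# edit the number is treated as unproven. Tune to your own fraud data.
COOLING_OFF = timedelta(days=7)

@dataclass
class PhoneSignals:
    """Hypothetical carrier and profile signals for the number on file."""
    sim_changed_at: Optional[datetime]   # last SIM change reported by carrier
    ported_at: Optional[datetime]        # last port to another carrier
    forwarding_active: bool              # number is currently forwarded
    number_on_file_since: datetime       # when the profile got this number

def verification_route(sig: PhoneSignals, now: datetime) -> Tuple[str, List[str]]:
    """Return ("sms_otp", []) when the number looks stable, otherwise
    ("step_up", reasons): verify through a channel that does not depend
    on the phone number, and alert the previously verified contact."""
    reasons: List[str] = []
    if sig.forwarding_active:
        reasons.append("forwarding_active")
    recent_checks = (
        ("recent_sim_change", sig.sim_changed_at),
        ("recent_port", sig.ported_at),
        # A number changed moments before a sensitive request is the
        # profile re-routing pattern: the text would go to the new number.
        ("recent_number_change", sig.number_on_file_since),
    )
    for name, when in recent_checks:
        if when is not None and now - when < COOLING_OFF:
            reasons.append(name)
    return ("step_up" if reasons else "sms_otp"), reasons

# Constructed sample records, evaluated at a fixed point in time.
NOW = datetime(2018, 6, 1, 12, 0)
STABLE = PhoneSignals(None, None, False, datetime(2016, 1, 1))
SWAPPED = PhoneSignals(datetime(2018, 5, 30), None, False, datetime(2016, 1, 1))
REROUTED = PhoneSignals(None, datetime(2018, 5, 31), True, datetime(2018, 6, 1, 9, 0))

if __name__ == "__main__":
    for label, sig in (("stable", STABLE), ("swapped", SWAPPED), ("rerouted", REROUTED)):
        print(label, verification_route(sig, NOW))
```

The reasons list is worth logging with every decision, so reviewers can see which signal blocked the SMS path.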
The other option to protect against account takeover fraud is to increase the number of hoops you ask consumers to jump through to prove that they are who they say they are. While this approach will likely decrease fraud, it will increase friction for consumers. With a lousy experience, consumers will possibly abandon the process — or even look for another financial institution that can authenticate and verify their identity painlessly.
Account takeover fraud is lucrative for criminals, so it won’t be going away anytime in the near future. If anything, expect the incidence of this damaging type of fraud to increase. The best way to protect your customers — and your institution — is to outsmart the fraudsters by using unstealable device attributes as part of your verification process, and to do so with as little impact on consumers as possible.