- Legal Technology, Content and Solutions
- Insights
- Prevent account takeover with new digital authentication tools
WHITE PAPER
Preventing account takeover: New threats and tools in digital authentication
The evolution of identity — from in-person to digital interactions — along with the exponential growth of technology has created enormous opportunities and efficiencies while attracting new kinds of unauthorized fraud and identity theft, both vast in scope. Indeed, identity theft and fraudulent transactions increasingly engulf U.S. institutions and their customers. Three-quarters of U.S. adults have experienced at least one instance of identity theft — fraudulent activity using a person’s credentials without their permission or knowledge — and 27% have said they’ve experienced it more than once, according to a U.S. News and World Report survey (USN&WR).
A wide variety of businesses and institutions — from universities and hospitals to financial, banking, retail, and credit services — have sought and implemented various tools to combat digital identity fraud. Yet, this type of fraud can be so common that both institutions and customers expect it to happen to them periodically. The question is: How can financial institutions and others respond in ways that advance prevention, quickly remediate breaches, and maintain relatively frictionless customer experiences?
Thomson Reuters Risk & Fraud Solutions has partnered with Feedzai, an innovative risk management platform powered by big data and machine learning, to add to its customers’ arsenal of tools for fighting digital fraud through risk monitoring. Feedzai’s comprehensive suite of AI-based solutions helps financial institutions, online retailers, and payment processors seamlessly and silently detect potentially fraudulent activity in real time before fraud or account takeover succeeds.
We begin this white paper by reviewing the history and methods of account takeovers. We then provide guidance for organizations on utilizing fraud prevention tools to maximize their investment. Establishing stronger digital trust — the total environment where all stakeholders safeguard electronic credentials, identities, and data — can lead to the confidence and innovation needed for a rapidly changing world.
Part 1) Account takeovers: Familiar and newer means of digital fraud
Identity fraud predates the digital age. Document forgery and social engineering have been used for centuries to gain control of other people’s money and credentials. More recently, as consumer credit has become close to universal, many credit card holders have experienced fraudulent charges on their cards. This is one familiar form of account takeover (ATO), although it is now detected more quickly than it once was and is typically transient, with customers being repaid or credited in a timely fashion.
Account takeover fraud presents a different set of screening challenges than other kinds of digital identity fraud, such as new fraudulent account attempts. Unauthorized ATO fraud uses legitimate credentials already established by the institution and the end-user, which are then leveraged by fraudsters. Typically, a perpetrator gains just enough information about a target’s existing accounts — such as banking, email, or other digital identities — to begin editing profile data and essentially take over the operation of the accounts. From there, illegitimate activities can be singular, such as a swift, one-time purchase before the account compromise is detected, or it can be a stepping stone to facilitate other kinds of crime by hiding ongoing illegitimate activities in the accounts of legitimate customers and end-users.
Extensive and highly damaging identity theft can also progress through a series of steps to a complete takeover of a targeted individual’s other credentials, giving fraudsters access to the target’s money, credit, loyalty cards, vital documents, institutional and healthcare access, and reputation. It’s no wonder respondents to the USN&WR survey were more likely to say that they feared account takeover even more than burglary.
Once an individual’s identity is compromised, there is nothing easy about getting it back. The USN&WR survey respondents who had been the victims of account takeover reported that it took them weeks or months to regain control of their accounts. Yet less than half said they sought legal remedies in the wake of such incidents.
The scope of the problem
Identity fraud, overall, remains a widespread problem despite attempts by both the private and public sectors to stop it. While not all cases are reported to federal agencies, such as the Federal Trade Commission (FTC), the agency’s data drawn from reported crimes paints a daunting picture. In 2023, the agency received close to 2.6 million reports of fraud, of which compromised identity was the means in more than 1 million cases.
According to the FTC, 2023 was the first year in which fraud accounted for $10 billion in losses in the U.S., and on the global level, fraud losses in 2023 are projected to be more than $485 billion. Unfortunately, most fraud cases go unreported, underscoring the need for routine screening tools at the organizational level.
Not surprisingly, governments have been responding to this vast threat with increasing regulation — even, in some cases, shifting the fraud liability from the customer to the financial institution. At the same time, the speed and volume of modern financial transactions mean that the only foolproof screening methods often end up blocking legitimate transactions as well, driving off customers and increasing reputational risks for the bank.
A changing environment for the ATO problem
Social engineering and phishing scams get a great deal of attention and have increased in recent years as they’ve become more sophisticated. Now, personal data stolen and used to facilitate identity fraud stems increasingly from organization-level breaches, in which data is taken by way of cyberattacks rather than end-user errors.
Cyberhackers target the collected data of retailers, service providers, agencies, and employers. According to a January report from the Identity Theft Resource Center, 2023 was a record year for organizational data breaches — more than 3,200 incidents were reported that affected more than 300 million identities. Not surprisingly, healthcare and financial services organizations were the two top sources of stolen data — not surprising since these industries gather and hold particularly sensitive and valuable information. Nearly everyone interacts with these kinds of institutions by establishing unique digital credentials or personally identifiable information (PII). Each of these data points can be used to increase the likelihood of successful account hijacking.
Once fraud actors obtain this sensitive information, they can proceed to ATO either by manual input at a target’s login portal or by credential stuffing, a process in which user ID and password pairs are rapidly tried against many login portals until they gain access. Even a small percentage of successful fraudulent logins can result in profitable account access.
When institutions are targeted, they need access to efficient tools to prevent losses, but they also need to address the threat of breaches. Safeguarding the PII of existing customers is also an essential piece of any institution’s anti-fraud practice, as individuals and customers can face financial or reputational damage if their PII is used to create false identities or credentials that bad actors can then use to take over accounts.
Individual customers and authorized users can do very little on their own to quash the dissemination of information about themselves that fraudsters gain from breaches — and their own vigilance will not always protect them in such cases. However, their banks and other account providers can use tools that protect both the institution and the legitimate customer. Moreover, government regulatory requirements are also very likely to increase in the near future, and organizations should begin researching which emerging tools will best help with compliance.
Another way fraudsters access customers' personal information, like their banking credentials, is through impersonation, manipulation, or coercion. Authorized fraud, or scams, often start in other channels, like email, social media, or phone calls. In these instances, a legitimate user is coerced or unduly pressured to use their authentic credentials to the threat actor’s benefit, such as to transfer funds to an illicit source or to run illegal commerce proceeds through their accounts in a money mule scam.
Safeguarding PII benefits everyone, in part by preventing future fraud and reducing associated prevention expenditures.
Tailored systems for financial industry and retail clients
Losses and transactional friction are mounting from ATO, and businesses that move to adopt tools to screen and investigate potential cases have to be mindful of which tools best suit their needs and those of their customers or end users. Every possible tool in this arsenal has drawbacks, such as placing too many burdens on customers or institutional screening tools that produce too many false positives, resulting in increased rather than reduced administrative burdens. Seamlessness, speed, and silence of the screening and flagging processes are part of today’s best digital trust practices.
Part 2) What organizations need to do
Increasingly, many institutional stakeholders — including customers and other end-users — expect government agencies and private data holders to do their part to prevent and remediate identity theft and ATO.
Account providers must also efficiently facilitate routine transactions and allow legitimate customers to edit data about themselves — such as emails, phone numbers, mailing addresses, credit cards, and other payment system information — when those things change. Too many roadblocks in this process can create a loss of existing customers, with negative reviews and word of mouth diverting potential new ones. Ideally, digital trust systems should be nimble enough to accommodate friendly account takeovers, for example, when a family member or trusted friend does online banking for a relative.
Recent advancements in screening and detection methods
It’s already common for banks, in particular, to use automated flagging to tag any unusual spending patterns, transaction locations, and IP addresses as an occasion for additional verification or denial of transactions — and newer tools focus on biometrics and device characteristics at the transaction level. Some of these methods can use artificial intelligence (AI) and machine learning, and a majority of service institutions plan to implement this advanced technology to enhance fraud prevention within the next few years. Indeed, a Nasdaq survey shows that 70% of surveyed institutions expected to spend more on AI and machine learning to aid in fraud detection in the near future.
Verifying a user’s identity requires more vigilance than it did in the past. Typically, organizations ask users for two types of information: something they have, such as a cell phone, driver’s license, or authenticator token, and something they know, such as a Social Security number or security question response. As many institutions have moved toward emphasizing user authentication, as customers, we have become more familiar with security and access practices using physical biometrics like fingerprint matching and retinal scans.
Newer-generation verification steps might now include live facial verification to match an already-on-file picture, according to a November 2023 ITRC Biometric Working Group Discussion Paper. Also, note that facial verification and facial recognition are not the same. Verification uses a picture reference that the customer or end-user has provided for that purpose, whereas recognition is used in public places such as stadiums as a means of mass public surveillance. Verification is more similar to retinal or fingerprint matching for authentication purposes.
Biometric analysis, however, is no longer limited to physical matching. Continuous review methods such as those provided by Feedzai include not just behavioral biometrics and analytics but also the use of threat intelligence, up-to-date recognition of malware patterns, and network and device scanning.
Biometric behavioral analysis: Opportunities and dilemmas
Behavioral biometrics tools and analytics add additional levels of assessment specific to the customer. Behavioral biometrics refers to using AI and machine learning to build a baseline of each user’s typical banking behavioral patterns. Then, each user’s subsequent activities can be assigned a risk score based on previous behavior.
This system can compare a customer’s current digital activities with past ones and use this analysis to determine identity through a series of behavioral questions, such as:
- What kind of keyboard shortcuts do they typically use?
- Are they fast or slow in entering data, erring on the side of precision or multiple corrections?
- Do they move the mouse or touchscreen buttons quickly or slowly?
- What are their site navigation practices — do they move right to a transaction or, more typically, navigate around and use other functions on the account portal?
Rather than just screening at the login stage, the transaction undergoes continuous review for possible signs of ATO. Behavioral biometrics have the advantage of being silent and non-burdensome to the customer or end-user.
Real-time monitoring for anomalies is one way to close the time gap between a threat actor’s takeover of an account and actions that cause losses or enable further fraudulent access. Newly available tools can address unusual activity at nearly all points in the process, including onboarding and identity verification, monitoring expected transactions, and post-anomaly analysis.
Through this process, anomalies can be detected about individual end-users, as well as abnormal patterns of digital interaction across accounts. Once fraud or fraud attempts are identified, a forensic investigation of that case can yield information about networks, devices, and sequences of behaviors similar to the fraudulent ones.
Not surprisingly, 91% of organizations already use data analysis techniques to detect fraud, so pushing institutions to adopt less cumbersome and quicker detection is likely to be the main area of focus, according to the Association of Certified Fraud Examiners (ACFE) Benchmarking Report. Simply put, can data analysis be improved and cost less to use?
Of course, the immediate benefit of this system is that it protects the end-user and the organization, potentially identifying threat actors by analyzing what specific factors the targeted accounts or account holders have in common. If widely adopted, such advanced biometric analysis may contribute to a decline in the profitability and attractiveness of ATOs as a method of fraud.
A dilemma exists here, however. As with all the new forms of data collection, recording such biometrically unique data confers an ethical responsibility on the part of the institution that employs it. Breaches or theft of that data can make the affected customers even more vulnerable to identity theft. Thus, institutions and other organizations should use encryption and other enhanced barriers to prevent data theft while committing to use such data only for fraud detection, with no drift toward marketing or the resale of such sensitive data.
Also, institutions should inform customers and end-users about these practices and ask for their consent. Advancements in digital trust — such as device scanning and behavioral analysis — necessarily include gathering more data about user-and-organization interactions than institutions have kept in the past. That’s why the data developed by these tools must be safeguarded and not redeployed outside the trust-and-safety realm.
Automated fraud: Malware, bots, and beyond
Device and network monitoring can detect unusual usage patterns on an institution’s customer portal. Feedzai’s BionicID systems personalize green and red lights for individual users, including device and network familiarity and attributes. Continuous review systems can also flag the type of behavior that is more characteristic of automated actors than human ones, including malicious malware and bots. If automated actions or known malware traces are suspected, stepped-up authentication or automatic session logoff actions can be used to thwart their progress and deny fraudsters access to the data they sought.
For example, device scanning involves checking to see if a particular device is linked to a large number of transactions, if malware is present, or if the device is modified to bypass standard screenings. Various malware techniques exist — including some that can swipe login information — and can provide an opportunity for thieves to edit information and thus bypass the two-factor authentication of the legitimate user. Other malware can piggyback on legitimate logins to remotely access the account when the real user logs in. Once they gain access, they can make quick but effective transfers of data or funds without otherwise being detected at the login portal.
Malware offers a profitable and low-risk way to steal money from accounts. Although threat intelligence organizations will eventually detect it, there can be significant theft from thousands of accounts by various criminals in the time between the introduction of new malware and the issuance of warnings about it.
With so many fraud pathways and evolving real customer needs, how do risk and safety professionals choose to balance frictionless experiences and safeguarding?
Thinking about ROI with digital fraud prevention tools
The top three considerations should be choosing the best real-time fraud solution that meets the institutions’ needs, has technological prowess, and — of course — the cost. Institutions should ask several questions in identifying the right third-party solution supplier, including:
- Is the firm built for longevity and flexibility?
- Does it emphasize continuous learning and innovation?
- Does the firm have a stable financial profile to support its clients and grow with the technology, especially as the institution's needs evolve, such as through a change in its clientele mix or gaining more student customers or retirees?
- Will the firm also evolve as the digital fraud threat environment does?
Next, the decision-makers around the trust, risk, and safety functions within a financial or retail organization need to understand how to balance security and accessibility for customers. How do capable guardians within institutions efficiently detect wrongdoing without frustrating customers and potentially losing them over legitimate variations or changes in user access activities? The right fraud prevention partner will consider this factor in depth when calibrating their tools to the organization’s needs.
Ultimately, institutions need to select the right tools for their remit. Many are available, and the industry is now asking big questions about return on investment (ROI) once a partnership begins.
- How well does each tool perform at stopping attempts at identity fraud and ATOs? This evaluation should include identifying the number of false positives and negatives, transaction block rates and chargeback rates, and other metrics specific to the organization.
- Is it a better investment — in both time and money — to acquire new tools for fraud mitigation rather than upgrading the institution’s current legacy and benchmarked systems? Which systems prevent losses better? Internal fraud professionals can deploy the newer solution in shadow mode to measure this. Shadow mode allows for the risk scoring of live transactions in production without impacting real-life results. In the back end, fraud teams can see the simulated results, using actual transactions, to compare against their legacy system. Individual thresholds, rules, and risk strategies can be fine-tuned to measure each function’s independent contribution to the end results in fraud prevention and detection.
- By definition, new forms of detection have no comparison point with past performance. However, as more of these systems come into use, external data may soon be available for comparable organizations. Investigating these metrics can help set expectations.
- Other specific questions about fraud-fighting solutions need to be asked of third-party suppliers, as well:
- Does the system in place distinguish between low- and high-risk customers and activities?
- Does the system reduce burdens on those internal fraud professionals who need to do manual investigations? Why or why not?
- Does the system consider which kinds of risk tolerance characterize the organization? Have they identified tolerable shifts in financial losses, predictability, staffing projections, and customer losses?
Conclusion
Preventing account takeovers, digital identity fraud, new account fraud, and other types of unauthorized fraud is paramount for all financial services institutions and other organizations operating in today's digital landscape. The partnership between Thomson Reuters and Feedzai offers a powerful solution that leverages advanced technologies to proactively detect and prevent account takeovers.
By employing tactics from confirming digital IDs using a variety of transaction factors to adopting a risk-based approach to fraud detection and prevention, organizations can safeguard their business, protect their customers, and maintain the market's trust in an increasingly interconnected world.
To learn more, visit: legal.thomsonreuters.com/en/c/proactively-prevent-digital-identity-fraud.
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a “consumer report” as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning; establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing; or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.
Protect your business and safeguard your customers by preventing account takeovers with Thomson Reuters risk and fraud solutions