Preventing account takeover: New threats and tools in digital authentication

The evolution of identity — from in-person to digital interactions — along with the exponential growth of technology has created enormous opportunities and efficiencies while attracting new kinds of unauthorized fraud and identity theft, both vast in scope. Indeed, identity theft and fraudulent transactions increasingly engulf U.S. institutions and their customers. Three-quarters of U.S. adults have experienced at least one instance of identity theft — fraudulent activity using a person’s credentials without their permission or knowledge — and 27% have said they’ve experienced it more than once, according to a U.S. News and World Report survey (USN&WR).

A wide variety of businesses and institutions — from universities and hospitals to financial, banking, retail, and credit services — have sought and implemented various tools to combat digital identity fraud. Yet, this type of fraud can be so common that both institutions and customers expect it to happen to them periodically. The question is: How can financial institutions and others respond in ways that advance prevention, quickly remediate breaches, and maintain relatively frictionless customer experiences?

Thomson Reuters Risk & Fraud Solutions has partnered with Feedzai, an innovative risk management platform powered by big data and machine learning, to add to its customers’ arsenal of tools for fighting digital fraud through risk monitoring. Feedzai’s comprehensive suite of AI-based solutions helps financial institutions, online retailers, and payment processors seamlessly and silently detect potentially fraudulent activity in real time before fraud or account takeover succeeds.

We begin this white paper by reviewing the history and methods of account takeovers. We then provide guidance for organizations on utilizing fraud prevention tools to maximize their investment. Establishing stronger digital trust — the total environment where all stakeholders safeguard electronic credentials, identities, and data — can lead to the confidence and innovation needed for a rapidly changing world. 

Part 1) Account takeovers: Familiar and newer means of digital fraud

Identity fraud predates the digital age. Document forgery and social engineering have been used for centuries to gain control of other people’s money and credentials. More recently, as consumer credit has become close to universal, many credit card holders have experienced fraudulent charges on their cards. This is one familiar form of account takeover (ATO), although it is now detected more quickly than it once was and is typically transient, with customers being repaid or credited in a timely fashion.

Account takeover fraud presents a different set of screening challenges than other kinds of digital identity fraud, such as new fraudulent account attempts. Unauthorized ATO fraud uses legitimate credentials already established by the institution and the end-user, which are then leveraged by fraudsters. Typically, a perpetrator gains just enough information about a target’s existing accounts — such as banking, email, or other digital identities — to begin editing profile data and essentially take over the operation of the accounts. From there, illegitimate activities can be singular, such as a swift, one-time purchase before the account compromise is detected, or it can be a stepping stone to facilitate other kinds of crime by hiding ongoing illegitimate activities in the accounts of legitimate customers and end-users.

Extensive and highly damaging identity theft can also progress through a series of steps to a complete takeover of a targeted individual’s other credentials, giving fraudsters access to the target’s money, credit, loyalty cards, vital documents, institutional and healthcare access, and reputation. It’s no wonder respondents to the USN&WR survey were more likely to say that they feared account takeover even more than burglary. 

Once an individual’s identity is compromised, there is nothing easy about getting it back. The USN&WR survey respondents who had been the victims of account takeover reported that it took them weeks or months to regain control of their accounts. Yet less than half said they sought legal remedies in the wake of such incidents.

The scope of the problem

Identity fraud, overall, remains a widespread problem despite attempts by both the private and public sectors to stop it. While not all cases are reported to federal agencies, such as the Federal Trade Commission (FTC), the agency’s data drawn from reported crimes paints a daunting picture. In 2023, the agency received close to 2.6 million reports of fraud, of which compromised identity was the means in more than 1 million cases.

According to the FTC, 2023 was the first year in which fraud accounted for $10 billion in losses in the U.S., and on the global level, fraud losses in 2023 are projected to be more than $485 billion. Unfortunately, most fraud cases go unreported, underscoring the need for routine screening tools at the organizational level.

Not surprisingly, governments have been responding to this vast threat with increasing regulation — even, in some cases, shifting the fraud liability from the customer to the financial institution. At the same time, the speed and volume of modern financial transactions mean that the only foolproof screening methods often end up blocking legitimate transactions as well, driving off customers and increasing reputational risks for the bank.

A changing environment for the ATO problem

Social engineering and phishing scams get a great deal of attention and have increased in recent years as they’ve become more sophisticated. Now, personal data stolen and used to facilitate identity fraud stems increasingly from organization-level breaches, in which data is taken by way of cyberattacks rather than end-user errors. 

Cyberhackers target the collected data of retailers, service providers, agencies, and employers. According to a January report from the Identity Theft Resource Center, 2023 was a record year for organizational data breaches — more than 3,200 incidents were reported that affected more than 300 million identities. Not surprisingly, healthcare and financial services organizations were the two top sources of stolen data — not surprising since these industries gather and hold particularly sensitive and valuable information. Nearly everyone interacts with these kinds of institutions by establishing unique digital credentials or personally identifiable information (PII). Each of these data points can be used to increase the likelihood of successful account hijacking.

Once fraud actors obtain this sensitive information, they can proceed to ATO either by manual input at a target’s login portal or by credential stuffing, a process in which user ID and password pairs are rapidly tried against many login portals until they gain access. Even a small percentage of successful fraudulent logins can result in profitable account access. 

When institutions are targeted, they need access to efficient tools to prevent losses, but they also need to address the threat of breaches. Safeguarding the PII of existing customers is also an essential piece of any institution’s anti-fraud practice, as individuals and customers can face financial or reputational damage if their PII is used to create false identities or credentials that bad actors can then use to take over accounts.

Individual customers and authorized users can do very little on their own to quash the dissemination of information about themselves that fraudsters gain from breaches — and their own vigilance will not always protect them in such cases. However, their banks and other account providers can use tools that protect both the institution and the legitimate customer. Moreover, government regulatory requirements are also very likely to increase in the near future, and organizations should begin researching which emerging tools will best help with compliance.

Another way fraudsters access customers' personal information, like their banking credentials, is through impersonation, manipulation, or coercion. Authorized fraud, or scams, often start in other channels, like email, social media, or phone calls. In these instances, a legitimate user is coerced or unduly pressured to use their authentic credentials to the threat actor’s benefit, such as to transfer funds to an illicit source or to run illegal commerce proceeds through their accounts in a money mule scam.

Safeguarding PII benefits everyone, in part by preventing future fraud and reducing associated prevention expenditures.

Tailored systems for financial industry and retail clients

Losses and transactional friction are mounting from ATO, and businesses that move to adopt tools to screen and investigate potential cases have to be mindful of which tools best suit their needs and those of their customers or end users. Every possible tool in this arsenal has drawbacks, such as placing too many burdens on customers or institutional screening tools that produce too many false positives, resulting in increased rather than reduced administrative burdens. Seamlessness, speed, and silence of the screening and flagging processes are part of today’s best digital trust practices. 

Part 2) What organizations need to do

Increasingly, many institutional stakeholders — including customers and other end-users — expect government agencies and private data holders to do their part to prevent and remediate identity theft and ATO. 

Account providers must also efficiently facilitate routine transactions and allow legitimate customers to edit data about themselves — such as emails, phone numbers, mailing addresses, credit cards, and other payment system information — when those things change. Too many roadblocks in this process can create a loss of existing customers, with negative reviews and word of mouth diverting potential new ones. Ideally, digital trust systems should be nimble enough to accommodate friendly account takeovers, for example, when a family member or trusted friend does online banking for a relative.

Recent advancements in screening and detection methods

It’s already common for banks, in particular, to use automated flagging to tag any unusual spending patterns, transaction locations, and IP addresses as an occasion for additional verification or denial of transactions — and newer tools focus on biometrics and device characteristics at the transaction level. Some of these methods can use artificial intelligence (AI) and machine learning, and a majority of service institutions plan to implement this advanced technology to enhance fraud prevention within the next few years. Indeed, a Nasdaq survey shows that 70% of surveyed institutions expected to spend more on AI and machine learning to aid in fraud detection in the near future. 

Verifying a user’s identity requires more vigilance than it did in the past. Typically, organizations ask users for two types of information: something they have, such as a cell phone, driver’s license, or authenticator token, and something they know, such as a Social Security number or security question response. As many institutions have moved toward emphasizing user authentication, as customers, we have become more familiar with security and access practices using physical biometrics like fingerprint matching and retinal scans. 

Newer-generation verification steps might now include live facial verification to match an already-on-file picture, according to a November 2023 ITRC Biometric Working Group Discussion Paper. Also, note that facial verification and facial recognition are not the same. Verification uses a picture reference that the customer or end-user has provided for that purpose, whereas recognition is used in public places such as stadiums as a means of mass public surveillance. Verification is more similar to retinal or fingerprint matching for authentication purposes.

Biometric analysis, however, is no longer limited to physical matching. Continuous review methods such as those provided by Feedzai include not just behavioral biometrics and analytics but also the use of threat intelligence, up-to-date recognition of malware patterns, and network and device scanning. 

Biometric behavioral analysis: Opportunities and dilemmas

Behavioral biometrics tools and analytics add additional levels of assessment specific to the customer. Behavioral biometrics refers to using AI and machine learning to build a baseline of each user’s typical banking behavioral patterns. Then, each user’s subsequent activities can be assigned a risk score based on previous behavior.

This system can compare a customer’s current digital activities with past ones and use this analysis to determine identity through a series of behavioral questions, such as:

• What kind of keyboard shortcuts do they typically use?
• Are they fast or slow in entering data, erring on the side of precision or multiple corrections?
• Do they move the mouse or touchscreen buttons quickly or slowly?
• What are their site navigation practices — do they move right to a transaction or, more typically, navigate around and use other functions on the account portal?

Rather than just screening at the login stage, the transaction undergoes continuous review for possible signs of ATO. Behavioral biometrics have the advantage of being silent and non-burdensome to the customer or end-user. 

Real-time monitoring for anomalies is one way to close the time gap between a threat actor’s takeover of an account and actions that cause losses or enable further fraudulent access. Newly available tools can address unusual activity at nearly all points in the process, including onboarding and identity verification, monitoring expected transactions, and post-anomaly analysis.

Through this process, anomalies can be detected about individual end-users, as well as abnormal patterns of digital interaction across accounts. Once fraud or fraud attempts are identified, a forensic investigation of that case can yield information about networks, devices, and sequences of behaviors similar to the fraudulent ones.

Not surprisingly, 91% of organizations already use data analysis techniques to detect fraud, so pushing institutions to adopt less cumbersome and quicker detection is likely to be the main area of focus, according to the Association of Certified Fraud Examiners (ACFE) Benchmarking Report. Simply put, can data analysis be improved and cost less to use?

Of course, the immediate benefit of this system is that it protects the end-user and the organization, potentially identifying threat actors by analyzing what specific factors the targeted accounts or account holders have in common. If widely adopted, such advanced biometric analysis may contribute to a decline in the profitability and attractiveness of ATOs as a method of fraud.

A dilemma exists here, however. As with all the new forms of data collection, recording such biometrically unique data confers an ethical responsibility on the part of the institution that employs it. Breaches or theft of that data can make the affected customers even more vulnerable to identity theft. Thus, institutions and other organizations should use encryption and other enhanced barriers to prevent data theft while committing to use such data only for fraud detection, with no drift toward marketing or the resale of such sensitive data.

Also, institutions should inform customers and end-users about these practices and ask for their consent. Advancements in digital trust — such as device scanning and behavioral analysis — necessarily include gathering more data about user-and-organization interactions than institutions have kept in the past. That’s why the data developed by these tools must be safeguarded and not redeployed outside the trust-and-safety realm.

Automated fraud: Malware, bots, and beyond