Preventing Account Takeover (ATO) Fraud in Banking and Financial Services

As customers move from traditional banks and financial services firms to online-only options, the digital transformation is causing challenges for some firms. According to research by Security.org, ​one third of login attempts for financial services and financial technology companies were suspected account takeover attempts. The average value of financial losses from account takeovers of financial accounts was around $12,000.

Account takeover fraud often begins with compromised credentials that have been stolen, found on the dark web, or obtained through phishing attacks that trick users into giving their login information to fraudsters. Because customers reuse and share their passwords, the risk of account takeover fraud grows exponentially.

Account takeover fraud is completed through a series of steps, typically starting with the use of compromised credentials. The fraudster begins by making small changes to an account, often changing the password so the legitimate account owner can no longer access their own account. The fraudster then moves on to financial transactions, including money transfers, until the fraud is detected or the customer's account is drained. The customer may have to spend months or even years undoing the damage done by fraudsters.

Collateral Damage for Consumers and Institutions

The more personally identifiable information (PII) the fraudster gathers from the victim's account, the easier it is to take over additional accounts, including accounts connected to partners of the institution. Fraudsters can also use the PII to create new fraudulent accounts using the victim's information.

The impact on account takeover fraud for institutions is extensive, including:

• Direct fraud costs from each event.
• Customer service and IT costs associated with assisting victims and other financial institutions or partners connected to the victim's account.
• Loss of Customer Lifetime Value (CLV) for customers and their networks of friends and family who move their accounts to other institutions.
• Losses resulting from brand damage not only from customers and their networks, but when news spreads via social media or news reports.

Multi-factor authentication (MFA) and two-factor authentication (2FA) provide banks and other financial institutions with an added layer of security to prevent fraudsters from using compromised credentials to access customer accounts. Some financial institutions even provide pages that explain the importance of these security measures on their websites.

MFA and 2FA require users to provide proof of their identity from more than one authentication category:

• Knowledge - Something you know. Passwords (the weakest form of authentication), PINs, answers to security questions and other personal information related to the customer.

• Possession - Something you have. One-time passwords or other soft tokens are sent to a smartphone or another device in the customer's possession. Hard tokens, including USB-based devices or separate code generators, also fit in this category.

• Biometric - Something you are. Inherited traits are unique to each individual. They can be confirmed through fingerprint scans, facial and voice recognition or retinal scans.

Fraudsters rarely possess multiple types of authentication, so access to accounts is denied.

Multi-factor authentication is part of a scalable customer identity and access management (CIAM) solution for financial institutions that also includes registration, self-service account management, consent and preference management, single sign-on (SSO), access control, directory services and data access governance tools. CIAM solutions ensure a secure, frictionless customer experience from any device at any time.

Watch this short video to see how seamless the process is for customers.

Because financial institutions are regulated, mitigating fraud risk goes beyond corporate and customer losses. Regulations dictate that solutions that need to be in place to protect customer data and allow customers to control how their information is shared. Open banking standards and Payment Services Directive 2 (PSD2), Payment Card Industry Data Security Standard (PCI DSS)  and other regulations ensure that customer information is protected and stored in a secure environment. Customer identity and access (CIAM) solutions for financial institutions help ensure privacy and consent.

While prevention is the ultimate goal, modern online fraud detection tools have been developed to identify abnormal user behavior should fraudsters gain access to accounts. ATO fraud can be conducted using manual and/or automated methods, with fraudulent activity by bots being easier to detect than activity involving humans.

Fraud detection tools use artificial intelligence (AI) to dissect hundreds of user data points from human-to-device interactions, device attributes and account activities to differentiate between legitimate users and fraudsters. Because automated and fraudster behavior do not follow the same pattern as legitimate user activity, behavioral and context-based analysis identify the discrepancies. Fraud detection tools activated when a session begins can recognize this abnormal activity during the session and stop fraud before it occurs.

Watch this short video to see how online fraud detection tools and MFA work together to prevent fraud.

To learn more about online fraud, please read Everything You Need to Know about Online Fraud.