Preventing Account Takeover (ATO) Fraud in Banking and Financial Services

Feb 23, 2022
Maya Ogranovitch Scott, Senior Product & Solutions Marketing Manager, Ping Identity

As customers move from traditional banks and financial services firms to online-only options, digital transformation is creating new fraud challenges for some firms. According to research by Security.org, one third of login attempts at financial services and financial technology companies were suspected account takeover attempts. The average financial loss from an account takeover of a financial account was around $12,000.

Account takeover fraud often begins with compromised credentials that have been stolen, found on the dark web, or obtained through phishing attacks that trick users into handing their login information to fraudsters. Because customers reuse and share their passwords, the risk compounds: one leaked password can expose every account where it was reused.

Account Takeover (ATO) Fraud in Banking and Financial Services

Account takeover fraud unfolds in a series of steps, typically starting with the use of compromised credentials. The fraudster begins by making small changes to an account, often changing the password so the legitimate account owner can no longer access it. The fraudster then moves on to financial transactions, including money transfers, until the fraud is detected or the customer's account is drained. The customer may spend months or even years undoing the damage.

Collateral Damage for Consumers and Institutions

The more personally identifiable information (PII) the fraudster gathers from the victim's account, the easier it is to take over additional accounts, including accounts held with partners of the institution. Fraudsters can also use the stolen PII to open new fraudulent accounts in the victim's name.

Account Takeover Fraud Costs for Financial Institutions

The impact of account takeover fraud on institutions is extensive, including:

  • Direct fraud costs from each event.
  • Customer service and IT costs associated with assisting victims and other financial institutions or partners connected to the victim's account.
  • Loss of Customer Lifetime Value (CLV) for customers and their networks of friends and family who move their accounts to other institutions.
  • Losses from brand damage, not only among affected customers and their networks but also when the incident spreads via social media or news reports.

How Multi-factor Authentication (MFA) Prevents Account Takeover Fraud

Multi-factor authentication (MFA) and two-factor authentication (2FA) give banks and other financial institutions an added layer of security that stops fraudsters from using compromised credentials alone to access customer accounts. Some financial institutions even provide pages on their websites that explain the importance of these security measures.

MFA and 2FA require users to provide proof of their identity from more than one authentication category:

  • Knowledge - Something you know. Passwords (the weakest form of authentication), PINs, answers to security questions and other personal information related to the customer.
  • Possession - Something you have. One-time passwords or other soft tokens sent to a smartphone or another device in the customer's possession. Hard tokens, including USB-based devices or separate code generators, also fit in this category.
  • Biometric - Something you are. Inherent traits that are unique to each individual, confirmed through fingerprint scans, facial and voice recognition or retinal scans.

Fraudsters rarely hold factors from more than one category, so a compromised password alone does not grant access to the account.

Multi-factor authentication is part of a scalable customer identity and access management (CIAM) solution for financial institutions that also includes registration, self-service account management, consent and preference management, single sign-on (SSO), access control, directory services and data access governance tools. CIAM solutions ensure a secure, frictionless customer experience from any device at any time.

Watch this short video (transcript below) to see how seamless the process is for customers.

Welcome to the BX Finance User Journey demonstration, where we'll explore 5 use cases demonstrating how the Ping Identity platform can deliver personalized, seamless, and secure experiences for your online banking customers. We'll start at the beginning of the user journey, at online customer registration. Jane is an existing customer of a fictional bank called BX Finance, but has never used their online banking platform. First, we'll see Jane click the link to register for an online account. BX Finance uses Ping to collect only the information needed to open an account, with additional information collected later through progressive profiling. With Ping, all customer data collected is available through REST APIs to use for personalization and can also be encrypted end to end. BX Finance also allows customers like Jane to decide how they want to log in at the time of registration. Fed up with forgetting passwords? Jane decides to use her mobile device or a one-time passcode, a choice she can make during login. To use her mobile device to log in, all Jane needs to do is download the BX Finance mobile application with Ping technology embedded, log in with her username and password for the first and last time, and trust the device. Jane is now registered, and our experience continues to be seamless as she's automatically logged in following registration.

Next, we'll demonstrate passwordless login and single sign-on. Jane clicks to sign in. After entering her username, Jane continues with her ideal login experience using Face ID, while taking comfort in knowing that email and SMS one-time passcodes are always there, just in case. She submits, taps the customizable push notification on her phone, authenticates, and she's in. Now that she's signed in, Jane is able to securely access any BX Finance application integrated with the Ping platform. As an example, BX Finance provides a chatbot for customer service. Integrated with Ping, Jane's very first digital interaction can be personalized by provisioning Jane's profile attributes, such as length of time as a customer, to the service. Jane closes the chatbot and continues to explore the website.

Next, we'll demonstrate transaction approval. Jane navigates toward her next BX Finance experience, online money transfer. Here, Jane enters the accounts, the amounts, and starts the transfer. Then she completes it by clicking on the push notification and approving the transfer on a fully customizable approval screen where customers can view transaction details before clicking approve.

Next, we'll demonstrate simple consent management. Jane navigates to Profile and Settings to view her marketing communications preferences. With the click of a button, Jane's preferences for SMS and email can be captured and stored alongside her profile information, where consents can be enforced before communications are sent and changed by Jane at any point in time. Of course, enabling customers to self-manage preferences goes hand in hand with ensuring those preferences are honored. Let's flip over to view this scenario from the perspective of an email administrator at BX Finance using a popular email marketing tool. After performing a quick search, you can see again that Jane's email and phone number are visible, but her physical address is not. With Ping, no matter what the request contains, only attributes with associated customer consent will ever be accessible.

Finally, we'll demonstrate advanced consent management and partner identity management. Beyond honoring communications preferences, you can offer customers partner-based services while allowing them to choose both the partners they share data with and to what extent. Here, we see common services like Mint and Zelle, but Jane decides to explore services from Any Wealth Advisor, a wealth management partner of BX Finance. After reviewing their services, Jane decides to grant Any Wealth Advisor access to view account data, but only for her savings accounts. From here, using Ping's federated single sign-on capabilities, Jane can navigate directly to the Any Wealth Advisor portal without logging in. Note that only the details of the account she chose to share are displayed, but also that the page is personalized with relevant profile data provisioned to the third-party service, such as her name in the welcome message and ZIP code for geographically relevant investment seminars. Finally, to see how consent is enforced with partners, let's flip over to view this scenario from the perspective of Amy Davis, an employee at Any Wealth Advisor assigned to Jane's account. In this case, Any Wealth Advisor is leveraging the Ping platform for employee single sign-on into custom-built portals at some of the biggest banks in the world, many of which are Ping's customers. BX Finance is among these, and Amy clicks to log in. BX Finance ensures that only certain individuals can access this wealth advisor portal using Ping's authorization capabilities. Here, we can see Amy look up Jane by her email address and again see that Amy's view is limited to the savings accounts shared by Jane earlier.

This concludes our demonstration of how the Ping Identity platform can deliver personalized, seamless, and secure experiences for your online banking customers. To learn more, talk to your account representative or sign up for a free trial today.

Regulatory Compliance for Banking and Financial Services

Because financial institutions are regulated, mitigating fraud risk goes beyond corporate and customer losses. Regulations dictate the controls that must be in place to protect customer data and allow customers to control how their information is shared. Open banking standards, the Payment Services Directive 2 (PSD2), the Payment Card Industry Data Security Standard (PCI DSS) and other regulations require that customer information is protected and stored in a secure environment. Customer identity and access management (CIAM) solutions for financial institutions help ensure privacy and consent.

Online Fraud Detection Tools for Banking and Financial Services

While prevention is the ultimate goal, modern online fraud detection tools identify abnormal user behavior should fraudsters gain access to accounts. ATO fraud can be conducted manually, with automation, or both; fraudulent activity by bots is easier to detect than activity driven by humans.

Fraud detection tools use artificial intelligence (AI) to dissect hundreds of user data points from human-to-device interactions, device attributes and account activities to differentiate between legitimate users and fraudsters. Because automated and fraudster behavior does not follow the same patterns as legitimate user activity, behavioral and context-based analysis identifies the discrepancies. Fraud detection tools activated when a session begins can recognize this abnormal activity during the session and stop the fraud before a loss occurs.
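To make the above concrete, here is an added example (not Ping's code or the page's own) of how a handful of session signals of the kind described, such as device attributes, interaction timing and failure velocity, can feed a login decision and trigger step-up authentication only when a second MFA category is missing. Signal names, weights and thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass

FACTOR_CATEGORIES = {"knowledge", "possession", "biometric"}

@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str
    known_devices: frozenset      # devices previously trusted by this user
    country: str
    home_country: str
    typing_ms_per_char: float     # human-to-device interaction timing
    failed_logins_last_hour: int  # velocity of failed attempts on the account
    factors_presented: frozenset  # MFA categories already satisfied

def risk_score(ev):
    """Combine session signals into a score; constructed weights, not a product's."""
    score, reasons = 0, []
    if ev.device_id not in ev.known_devices:
        score += 30; reasons.append("new_device")
    if ev.country != ev.home_country:
        score += 25; reasons.append("geo_mismatch")
    if ev.typing_ms_per_char < 20:        # machine-speed input suggests automation
        score += 40; reasons.append("bot_like_timing")
    if ev.failed_logins_last_hour >= 5:   # repeated failures: credential testing
        score += 30; reasons.append("failure_velocity")
    return score, reasons

def decide(ev):
    """Return (decision, reasons): allow, step_up or deny."""
    score, reasons = risk_score(ev)
    categories = len(ev.factors_presented & FACTOR_CATEGORIES)
    if score >= 70:
        return "deny", reasons
    if score >= 30 and categories < 2:
        return "step_up", reasons    # require a second factor category first
    return "allow", reasons

# Constructed sample sessions for one account (not real data).
TRUSTED = frozenset({"dev-1"})
RETURNING = LoginEvent("jane", "dev-1", TRUSTED, "US", "US", 120.0, 0, frozenset({"knowledge"}))
NEW_DEVICE_PW_ONLY = LoginEvent("jane", "dev-9", TRUSTED, "US", "US", 110.0, 0, frozenset({"knowledge"}))
NEW_DEVICE_WITH_PUSH = LoginEvent("jane", "dev-9", TRUSTED, "US", "US", 110.0, 0,
                                  frozenset({"knowledge", "possession"}))
AUTOMATED = LoginEvent("jane", "dev-42", TRUSTED, "XX", "US", 3.0, 12, frozenset({"knowledge"}))

if __name__ == "__main__":
    for ev in (RETURNING, NEW_DEVICE_PW_ONLY, NEW_DEVICE_WITH_PUSH, AUTOMATED):
        print(ev.device_id, *decide(ev))
```

The same new-device session is stepped up when only a password was presented but allowed once a possession factor is also present, which is the low-friction behaviour the text describes.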

 

Watch this short video (transcript below) to see how online fraud detection tools and MFA work together to prevent fraud.

As more transactions move online, the cost of online fraud is rising, and fraudsters are getting smarter. Fraud prevention needs to happen throughout the customer journey, and it needs to be invisible to legitimate users. If providers, our customers, get it wrong, they risk losing trust, market share, and millions of dollars. With the PingOne Cloud platform, fraud detection starts at the first interaction and continues through the entire customer journey. Fraud signals lead into authentication and authorization decisions to stop fraudsters from creating accounts, logging in, and completing transactions. Enterprises can orchestrate multiple fraud signals to ensure that they prevent fraud but don't create friction for real users.

The PingOne Cloud platform provides actionable intelligence throughout the user journey. Detection begins before registration and continues through authentication by analyzing dozens of signals to distinguish real users from bots and bad actors. These signals help identify bot attacks, new account fraud, and account takeover. The signals evaluate and mitigate fraud in real time, leveraging dynamic authorization to safeguard transactions and sensitive data. As known users sign on, the PingOne Cloud platform assesses risk and steps up authentication when needed. Enterprises can even leverage identity verification if needed to confirm a user's actual identity. Multiple fraud signals from Ping and beyond can be orchestrated, stopping fraudsters in their tracks and delivering extraordinary experiences to real customers. Detect fraudulent activity as it happens. Mitigate risk and shut down fraudsters before loss occurs. Apply learnings and reinforce your defenses, all while legitimate users transact with ease and confidence.