The Rising Challenge of Account Takeover Fraud – What it is, How it Works, and How to Avoid it [Expert Interview]
Recent reports indicate that up to 15 billion consumer credentials are currently for sale on the dark web, with almost 25% of the leaked credentials including account information related to banking and other financial services. The availability of leaked or compromised data makes it extremely easy for hackers to conduct account takeover attacks on consumers’ financial accounts. Other factors, such as the availability of personal data on social media and current remote work conditions, have also made consumers a prime target for financial-related cyber-attacks.
In this interview, Will LaSala, Security Evangelist and Director of Security Solutions at OneSpan, discusses account takeover attack challenges with Steven Bowcut, Editor in Chief at Brilliance Security Magazine. In the interview, Will shares his expertise on account takeover fraud: what it is, how it works, and how to avoid it.
The interview was originally published as a podcast by Brilliance Security Magazine and is reprinted with permission. You can listen to the podcast here:
Steve Bowcut: Welcome to the Brilliance Security Magazine Podcast, and thank you for joining us today. Today, we're going to be talking with Will LaSala. Will is the Director of Security Solutions at OneSpan, and we'll be talking specifically about account takeover fraud. Will joined OneSpan in 2001, and brought with him over 25 years of software and cybersecurity experience. Since joining OneSpan, he has been involved in all aspects of product implementation and market direction within financial institutions.
In this episode, relying on Will's expertise related to financial institutions, we're going to examine account takeover fraud. We'll talk about what it is, what types of accounts are susceptible to this threat, what users can do to protect themselves, and what financial institutions can or should be doing to protect their customers.
Will, welcome, thank you very much for spending your time with us today, we appreciate it. Let's start off by giving everybody a level set. Can you please give your definition of account takeover fraud. Talk to us a little bit about just what that is.
Will LaSala: Absolutely, and thanks for having me, Steve. Let’s start with a quick definition of account takeover fraud. Account takeover is when a user's account gets stolen or taken over by an attacker or a fraudulent individual, and then used for nefarious purposes – for example, transferring money out of the account, or transferring money into the account so that it can be later used or taken from the individual. There are many different ways that account takeover might happen, but most of the time it's related to the ability for the attacker to use that account to perform some type of attack, against either an individual or a corporation.
Steve: When this happens, typically, is it something that the end user is going to be aware of immediately, or can people come in and reside in these accounts and be doing things for a period of time that the end user is not even aware of?
Will: Sometimes you are aware of it immediately. In the early days of account takeover, the account takeover locked you out of your account. The attacker would come in and they would immediately bump you out of your account and take over your account. Today, they often sit and wait. They might have access to your account for long periods of time and they may even be making minor modifications in your account that you're not aware of over that period of time. That's mainly so that they can go under the radar.
The longer the attacker is able to manipulate your account and be in your account, the more damage that they can cause to you and to your assets. Today, we see even more of that with social engineering attackers. Today, attackers can pretend to be the bank. They might talk to you as if they're a member of the bank, and then they take over your account. After the conversation you could be left thinking, "Oh, I just was on the phone with the bank, they didn't take over my account," and you may not notice for weeks to come that you've been attacked.
Steve: Wow, that's a little frightening. So, in my mind, the obvious accounts would be my bank account, my checking account or my savings account, but I assume there are other kinds of accounts that are susceptible to this kind of a threat. Can you talk about that?
Will: Yes, absolutely. Certainly, one of the most common accounts susceptible to account takeover attacks are corporate accounts. Corporate accounts usually have more money in them, so usually corporate banking environments are very heavily attacked.
In addition, with so many stolen different identities available on the internet, you also see a lot of savings, checking, and retail accounts under attack. You also see a lot of cryptocurrency accounts or trader accounts that are under attack.
Usually, what you're looking for, or what the hacker is looking for, are high-value accounts. They may be high-value because they have a large sum of money in them, but they also might be high-value because they can be used to transfer and to do money laundering. So they might attack someone's account, take their money, move it into another account that they've stolen already, and then later, when the coast is clear, use that account to extract those funds that they've stolen. Often, you see some accounts being used as sleeper-style accounts. They’re just used to move things around.
Steve: Interesting. So I guess that with a corporate account, many people may have access to it. If financial people, the C-suite and more have access to that account, one additional person who has a ‘sleeper’ access to that account may go unnoticed for some period of time? More so than if money was moved in a personal checking account or personal savings account?
Will: True.
Steve: That's interesting. So far, we're just talking about bank accounts. Are there other types of accounts, like credit card accounts, or a loyalty account with miles that can be redeemed for money, that are also susceptible to attacks?
Will: Yes, absolutely. You see many different accounts being taken over. Some years ago, online gaming accounts suffered a big surge of account takeovers. You might think, "Well, why would hackers want to attack my World of Warcraft account?” The reality is that those accounts were worth money too. If there is money to be made off an account, that account can be attacked.
Recently we saw a pretty massive attack on Twitter for a lot of individuals. Those are account takeover attacks too. I think those scams actually asked people to donate Bitcoin to them. As long as there's money to be made, account takeover attacks are going to be focused on those accounts. So they can be pretty much anything that is on the internet, or even, in some cases, in corporate networks and off the network.
Steve: That's probably a valuable thing to understand. Most of us, either in our personal lives or our business lives, are pretty careful with banking accounts, but we may not be so careful with our Twitter account. With Twitter and Facebook, or even our loyalty program at a hotel or the airline, we may not change the password very often and we may not be as suspicious when someone approaches us with a potential social engineering scam.
Steve: Talk to us specifically about what end users can do to protect themselves against this type of fraud. Whether it's an individual end-user or a corporate end-user, what can they do to protect themselves?
Will: The first thing I always tell my customers and end users (and my mother, father and others), is to enable two-factor authentication. Different sites have different ways of doing that. Most sites, whether it's a banking site or a social media site, have some way of enabling two-factor authentication. This often comes in the form of an SMS password that's sent to you.
It's important to understand that when you're using two-factor authentication, you don't want to just have an SMS password. That's not two-factor - an SMS password is one-factor authentication. You want to combine SMS with other things. Sometimes that means typing in a static password or a PIN along with the code that you get from your SMS.
I always recommend that people use their mobile application as the authenticator versus SMS, as SMS has some known vulnerabilities. Hackers can steal SMSs. They do this through what is called a SIM swap, where they take the card from the phone and clone it. Once the hacker has a copy of your phone, they can get all your text messages. So SMS is kind of a baby step to securing your account. Using a mobile application that generates codes for you, or even a hardware device that generates codes for you, is much more secure.
I also think people need to pay attention to what they’re sharing. During COVID-19, we saw a lot of over-sharing of information. Early on in the pandemic, we saw that attackers were building campaigns on social media to harvest people’s information. They were creating questionnaires which they’d send out on social media and say, "Hey, here's a cute little list of questions, why don't you go ahead and answer these?" And people were. Once people answered these questions, attackers had an easy way to search for that information – information that was tied to an individual and their social account. All of a sudden, they had lots of information to use for social engineering attacks. So, really pay attention to what you're sharing. Don't over-share your information and pay attention to your surroundings.
There are also a lot of customers who don't think about this when they're using their accounts. Whether they’re using a credit card or they're walking up to an ATM, they're just not paying attention to their surroundings. There are card skimmers out there that can read your credit card and your PIN. This is also a form of account takeover – attackers can take over your credit card and use it for other things. In summary, really pay attention to your surroundings and pay attention to what you're doing. Don't over-share, protect your information and use two-factor authentication when you can.
Steve: Thank you, that’s good advice. Let's move on to what banks, and all institutions where I may have an account, should be doing to protect me as a customer, or my corporation, against this kind of attack. What can be done on their end?
Will: Banks have been fighting this battle for a long period of time. They have a lot of technologies in place and there are some things that they can do to help. The first thing is to prove the identity of a user. This means identifying who a user is. This might mean making the user jump through additional hoops like biometrics using a face capture, or scanning their license. Identifying the user is the first thing, but also during that process, institutions need to analyze risk factors. This means not just analyzing know-your-customer risk factors, but also other risk factors. For example, did this account sign up for three different offerings from us all at the same time? That's a red flag because the user is only one user; they probably can't sign up for three offerings at the same time. This could mean a synthetic identity attack is taking place, which is when attackers use real data from multiple people to create a fake or synthetic person. This happens often. If financial institutions have new risk and fraud tools in place that analyze the data that's coming in, they can use artificial intelligence to pick up these patterns and detect this type of fraud.
To further give you an example, let’s say that the same address is used by multiple people to open an account, and we know it’s not an apartment complex or something. Artificial intelligence and risk environments will pick that up and should stop and flag that. Using biometric authentication is a really important component.
Institutions can also harden their mobile app so that it’s more secure from attacks. If you secure your mobile app, you're now making it much more difficult for the attackers to attack your product, and they'll move on to the next one. It's always about the lowest hanging fruit for attackers. They want to re-use as much of the attacks that they've built in the past, and they will just update it, just a little bit so that they can attack the next big bank down the road. So keeping in front of them is a really important task.
Steve: When you're Citibank, and you're getting thousands of account requests a day, it would be an impossible task for a person to sit there and judge the risk factors for each request. You talked about software that would do that for them. Could they all deploy something like that, or is that a fairly new technology? Where are we in the evolution of the technology to do that protection?
Will: That's a great question. Most banks have implemented point solutions on individual applications. Maybe they have a risk analysis for their money market accounts, but they usually aren't across all of their accounts. They're not taking a holistic view. A user might have multiple accounts and they're not taking the data from all of that and aggregating it to identify it. Partially this is because there's a lot of data there, and also, a lot of the systems aren't quick enough to do that.
Dealing with real-time attacks was previously very difficult, but today that's changed. Now we're dealing with real-time data and across multiple endpoints and large amounts of datasets. That's all new stuff, and that's really what the banks are starting to implement. We’re seeing a lot of the big banks start this, but even the smaller banks and the processors are combining all of their intelligence or their risk and fraud analysts across all of their offerings so that they can catch attackers as they come in. It's really important to do that.
Steve: A final question here – could you take a couple of minutes and talk about OneSpan, your solution, and where it fits into everything that we've talked about today?
Will: OneSpan focuses on the financial industry and offers a number of solutions that help banks to detect risk and prevent fraud, as well as implement two-factor authentication, mobile application security and electronic signatures. Our solutions bring a customer from an unknown to a trusted identity. We build the trust within the mobile platform, so we're hardening and trusting that mobile device, and then as the user is creating transactions, we're building trust in those transactions by analyzing the risk and fraud and using strong authentication as those transactions go.
We offer all of this on our trusted identity platform, essentially allowing a bank to utilize multiple components to build that full trust picture that helps users be more secure and do more with the financial institution. It also allows the banks to offer more solutions to users.
In a trusted environment such as the OneSpan Trusted Identity Platform, banks can offer more services and get more customers who will stay for longer periods of time.
Steve: Obviously, there's a great need for those kinds of solutions to keep us protected because the threats keep growing and growing and growing. So thank you very much and thank you for your time today.
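As an added example (not part of the interview and not OneSpan's product code), the two onboarding red flags Will describes above, one applicant opening several offerings at the same time and one address shared by several different applicants that is not a known apartment complex, written as detection logic over constructed signup records. The field names, the thresholds and the multi-unit address allow-list are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample onboarding records (not real applicants or addresses).
SIGNUPS = [
    {"applicant": "A1", "offering": "checking", "address": "12 Oak St", "ts": "2024-03-01T10:00:00"},
    {"applicant": "A1", "offering": "savings", "address": "12 Oak St", "ts": "2024-03-01T10:02:00"},
    {"applicant": "A1", "offering": "credit", "address": "12 Oak St", "ts": "2024-03-01T10:03:30"},
    {"applicant": "B2", "offering": "checking", "address": "12 Oak St", "ts": "2024-03-02T09:00:00"},
    {"applicant": "C3", "offering": "checking", "address": "12 Oak St", "ts": "2024-03-03T14:00:00"},
    {"applicant": "D4", "offering": "savings", "address": "500 Tower Ave #12", "ts": "2024-03-04T11:00:00"},
    {"applicant": "E5", "offering": "checking", "address": "500 Tower Ave #33", "ts": "2024-03-05T11:00:00"},
    {"applicant": "F6", "offering": "checking", "address": "9 Elm Rd", "ts": "2024-03-06T08:00:00"},
    {"applicant": "F6", "offering": "savings", "address": "9 Elm Rd", "ts": "2024-03-20T08:00:00"},
]

# Assumed allow-list of known multi-unit buildings, where shared street addresses are expected.
MULTI_UNIT_ADDRESSES = {"500 Tower Ave"}


def burst_signups(records, window=timedelta(minutes=10), threshold=3):
    """Return applicants who opened >= threshold offerings inside one time window."""
    by_applicant = defaultdict(list)
    for r in records:
        by_applicant[r["applicant"]].append(datetime.fromisoformat(r["ts"]))
    flagged = []
    for applicant, times in by_applicant.items():
        times.sort()
        # Slide a window of `threshold` consecutive signups over the sorted timestamps.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(applicant)
                break
    return sorted(flagged)


def shared_addresses(records, threshold=2):
    """Return street addresses used by >= threshold distinct applicants, skipping known multi-unit buildings."""
    by_address = defaultdict(set)
    for r in records:
        street = r["address"].split("#")[0].strip()  # drop the unit number
        by_address[street].add(r["applicant"])
    return {
        street: sorted(applicants)
        for street, applicants in by_address.items()
        if street not in MULTI_UNIT_ADDRESSES and len(applicants) >= threshold
    }
```

Both functions return the items to send to a fraud analyst; F6 opening two accounts two weeks apart and the two applicants in the known apartment building are left unflagged.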