The Battle For Our Bank Accounts – How Machine Learning and Continuous Monitoring Can Prevent Fraud Attacks

OneSpan Team

The ultimate prize for cybercriminals is to obtain access to other people’s money - so it’s no wonder that account takeover attacks are on the rise. In this article, originally published by Fraud Intelligence, Greg Hancell, Manager of Global Fraud Consulting at OneSpan, explains how banks can apply continuous monitoring and machine learning to defend against account takeover attacks.  

The battle for our bank accounts – continuous monitoring

Account takeover fraud (ATO) is one of the top threats to financial institutions and their customers. In an industry survey by the Aite Group, 89 per cent of financial institution executives pointed to account takeover fraud as the most common cause of losses in the digital channel. Today, cybercriminals remain focused on ATO, new account fraud, and card-not-present fraud. The 2020 Identity Fraud report by Javelin Strategy & Research found account takeovers trending at the highest loss rate to date, up a staggering 72 per cent on 2019 [1], to $5.1 billion, and a 120 per cent increase on 2016. [2] As fraudsters get more aggressive, they continue to leverage phishing, spear phishing and identity theft to perpetrate further new account fraud. In fact, 1.5 million victims of existing account fraud had an intermediary account opened in their name – a 200 per cent increase on the previous year.

Our digital identities are no longer private. In 2018, roughly 3.2 billion personal data records were compromised [3]; that’s nearly half of the world’s population. Today’s data breaches are being published online in dark web marketplaces, where there’s a lot of profit being made.

Just as street crime historically grew in relation to population growth, we are witnessing a similar evolution of cybercrime with account takeover. In the past, for criminals to steal money they would need to observe a person’s behaviour or daily habits, take someone’s wallet, shoulder surf (ie, spy on a user to obtain a PIN or password), or perhaps apply a card-skimming tactic (where a fraudulent device is applied to a card reader in order to extract the payer’s details). Now, cybercriminals are more advanced and sophisticated. For example, an attacker can go online and get instant access to thousands or millions of account details – user names, credentials, email addresses and telephone numbers. Additionally, an attacker might conduct a phishing campaign, sending out thousands of emails that purport to come from a financial institution. The email will either contain malware or a link to a phishing webpage designed to impersonate a bank’s website in order to capture the user’s access details.

Unfortunately, many of these elements are static and once compromised can result in an account takeover. In addition, there are more advanced tools available to attackers, such as Muraena and NecroBrowser, which are designed to bypass second factor authentication by performing a session hijack. The ease of availability of such tools and the lower barrier of entry means fraudsters have a variety of weapons and methods of harvesting personal data to cause serious damage – making effective protection a challenge.

Apply continuous monitoring

An effective way to recognise and defend against account takeover attacks is to implement continuous monitoring on digital platforms.

In the past, we would generally authenticate users during login or a transaction. Now, however, we have an abundance of data because users access their account through the web or mobile banking, and there are events constantly streaming to the financial institution as the user progresses through their session. This movement to digital banking lends itself well to continuous monitoring – the capacity to keep watch on all the events as they happen – not just the login and the transaction, but also requesting a balance, creating a new beneficiary, adding a new device or changing an address. From the moment a user lands on a webpage, continuous monitoring enables behavioural understanding, as it identifies their normal online journey and interactions with their accounts and devices. Moreover, a profile can be created on all devices used in a particular session.

This combines seamlessly with other protections such as two-factor authentication or dynamic linking, because it allows the bank to utilise context from these authentication methods as well. (Dynamic linking, a requirement of the second Payment Services Directive (PSD2), ensures that there is a unique authentication code for each transaction that is specific to the transaction amount and recipient.) With continuous monitoring, as the behaviour of the user becomes known, new behaviour can be identified that might indicate a new person (ie, an attacker) or a bot. Typical indicators of attacks, such as new or known nefarious devices, cookies, headers, referrers, locations, bots, beneficiaries or others, can be monitored in real-time and distinguished from normal customer behaviour.

This approach establishes a continuous risk profile for the session, which can change with each action undertaken by the end-user or their device. Not only does this allow the financial institution to take automated real-time actions when anomalies are detected, it also allows the bank to reduce friction for legitimate sessions by decreasing the number of authentications required for genuine interactions. This ultimately diminishes attack propagation as well as losses, and enhances the user experience.

Machine learning reduces the risk of fraud

Machine learning reduces human biases such as availability bias and confirmation bias because, unlike humans, it is able to see all events and learn from them, analysing large volumes of disparate and high dimensional data (a combination of many different data points) in real-time.

With machine learning, there are two main algorithm types applied to fraud detection: supervised and unsupervised.

Unsupervised and supervised machine learning

Unsupervised machine learning tends to use models that identify anomalies between what is usual and what is unusual based on the distance between features (data points).
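The distance idea described above, as an added example that is not part of the original article: a per-user profile is learned from unlabelled past events, and a new event is flagged when its standardised distance from that profile exceeds a cut-off. The feature choice, the history values and the 1.5 margin are assumptions made for illustration.

```python
import math
import statistics

# Constructed history of one user's genuine transfers (unlabelled):
# (amount, hour of day, pages visited before the transfer)
HISTORY = [
    (120.0, 9, 4), (80.0, 10, 5), (200.0, 13, 6), (95.0, 9, 4),
    (150.0, 18, 7), (60.0, 12, 5), (110.0, 10, 5), (175.0, 17, 6),
]

def fit_profile(events):
    """Learn per-feature mean and standard deviation from past events."""
    columns = zip(*events)
    # A constant feature has zero deviation; fall back to 1.0 to avoid dividing by zero.
    return [(statistics.mean(c), statistics.pstdev(c) or 1.0) for c in columns]

def distance(profile, event):
    """Standardised Euclidean distance between an event and the profile centre."""
    return math.sqrt(sum(((x - mu) / sd) ** 2 for x, (mu, sd) in zip(event, profile)))

def fit_cutoff(profile, events, margin=1.5):
    """Cut-off = farthest historical event times an assumed safety margin."""
    return margin * max(distance(profile, e) for e in events)

def is_anomalous(event, profile, cutoff):
    """True when the event lies farther from the profile than the cut-off."""
    return distance(profile, event) > cutoff

PROFILE = fit_profile(HISTORY)
CUTOFF = fit_cutoff(PROFILE, HISTORY)

if __name__ == "__main__":
    # One ordinary transfer and one large night-time transfer (both constructed).
    for candidate in [(130.0, 11, 5), (4000.0, 3, 1)]:
        print(candidate, round(distance(PROFILE, candidate), 2),
              is_anomalous(candidate, PROFILE, CUTOFF))
```

Standardising each feature before measuring distance keeps a large-valued feature such as the amount from drowning out the others.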

With supervised machine learning, the model is trained using labelled data (fraud or genuine) and predicts the likelihood of fraud (fraud score). A machine learning model can be applied, in real-time, to every event that’s occurring and send a score back. This can allow a solution, or a user, to take an action based on these events.

One of the challenges for a financial institution is how to move to supervised machine learning. The data set they have is unbalanced, in that there is a majority of genuine events against a minority of fraud. Data scientists are using more advanced techniques such as synthetic data to generate more data points and enable the training of a supervised model. Some financial institutions are moving to semi-supervised machine learning, which combines a small amount of labelled data with a large amount of unlabeled data during training. This approach can considerably improve learning accuracy.
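An added example, not from the original article, of generating synthetic fraud points to balance a training set. The article does not name a technique; this sketch assumes interpolation between nearby minority rows (the idea behind SMOTE), and the data, function names and seed are constructed for illustration.

```python
import math
import random

# Constructed, deliberately unbalanced training data: (amount, hour of day)
GENUINE = [(40.0, 9), (55.0, 10), (60.0, 12), (75.0, 13), (90.0, 15),
           (35.0, 11), (120.0, 17), (65.0, 14), (80.0, 16), (50.0, 10)]
FRAUD = [(900.0, 2), (1200.0, 3), (1500.0, 1)]

def synthesise_minority(minority, n_new, k=2, seed=7):
    """Create n_new points, each on the segment between a minority row
    and one of its k nearest minority neighbours (needs at least two rows)."""
    rng = random.Random(seed)   # fixed seed so the run is repeatable
    synthetic = []
    for _ in range(n_new):
        base = rng.choice(minority)
        others = [row for row in minority if row is not base]
        neighbours = sorted(others, key=lambda row: math.dist(base, row))[:k]
        other = rng.choice(neighbours)
        t = rng.random()        # position along the segment, 0 <= t < 1
        synthetic.append(tuple(b + t * (o - b) for b, o in zip(base, other)))
    return synthetic

def balanced_training_set(genuine, fraud):
    """Return features X and labels y (1 = fraud) with equal class counts."""
    shortfall = max(len(genuine) - len(fraud), 0)
    fraud_all = fraud + synthesise_minority(fraud, shortfall)
    X = genuine + fraud_all
    y = [0] * len(genuine) + [1] * len(fraud_all)
    return X, y

if __name__ == "__main__":
    X, y = balanced_training_set(GENUINE, FRAUD)
    print("genuine:", y.count(0), "fraud:", y.count(1))
```

Synthetic rows belong in the training split only; a model should still be evaluated on held-out real events at their true fraud rate.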

What is a dimension in machine learning?

A machine learning model will work on the features of data elements such as a device, the user’s IP address and the user’s internet service provider. If we take a device as an example, the features might be:

  • How is that device used?
  • What is the age of that device?
  • Is that device new to the user?
  • Is it new to the financial institution?
  • Is it shared with any other users?
  • What security parameters are on that device?
  • What biometric methods and authentication methods are subscribed to that device?
  • What communication method is it using?
  • What model is it?
  • What operating system?
  • Is anything malicious running (keylogger, debugger, keyboard overlay, etc)?
  • Has anything changed?

All of these are questions you can ask around the device alone.

Financial institutions that leverage machine learning can get real-time decisions on events. They take data and ask thousands of questions in real-time. The output is intelligence that is then modelled in a high-dimensional space, ie, the capability to model lots of different data points, often into the thousands of dimensions, which is far beyond a human’s capability. The model provides an actionable intelligence output – that is, it informs the financial institution of the likelihood of an action being anomalous, or the likelihood of fraud, as it occurs.

It’s impossible to have a fraud expert in place 24/7, seeing all events. So, machine learning is removing that availability bias we as humans are subject to. Moreover, it can reduce alert fatigue by only presenting highly unusual events and transactions to a fraud expert. In this way, machine learning enables decision-making about events in real-time on an automated basis.

Machine learning can also make decisions for other workflows – such as what type of authentication a financial institution should apply to a transaction, according to the risk. This can be used to improve the customer experience because where financial institutions can determine that the risk is low, there is no need to request authentication from the user at that point in time. If financial institutions are using continuous monitoring then, if the risk changes, they can serve up stronger authentication measures. Machine learning is exceptionally well suited to establishing the level of potential risk/fraud across banking channels through user, device and transaction data. These risk scores enable dynamic changes to the authentication workflows to match the level of risk. So, low-risk transactions (eg, a balance check from a known device) would require no additional authentication, and higher-risk transactions (eg, a large transfer, from a ‘jailbroken’ device in a new location) would trigger additional authentication steps. (A jailbroken device has been modified so that changes can be made to it that aren’t supported by the software in its default state.)
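An added example, not from the original article, tying the continuous session risk profile described earlier to the risk-based authentication described above: the score is recomputed on every event and drives the decision for that event. The indicator weights, thresholds, event names and the way indicators are combined are all assumptions for illustration, not values from any product.

```python
from dataclasses import dataclass, field

# Assumed indicator weights and thresholds, chosen for illustration only.
WEIGHTS = {
    "new_device": 0.30, "jailbroken_device": 0.35, "new_location": 0.20,
    "new_beneficiary": 0.25, "large_transfer": 0.30,
}
SENSITIVE_EVENTS = {"transfer", "add_beneficiary", "add_device", "change_address"}
STEP_UP_AT, BLOCK_AT = 0.30, 0.70

@dataclass
class SessionRisk:
    """Risk profile that persists and is re-scored on every session event."""
    indicators: set = field(default_factory=set)

    def score(self):
        # Treat indicators as independent evidence: 1 - product(1 - weight).
        clean = 1.0
        for name in self.indicators:
            clean *= 1.0 - WEIGHTS[name]
        return 1.0 - clean

    def on_event(self, event_type, observed=()):
        """Record newly observed indicators, then decide how to handle the event."""
        self.indicators.update(i for i in observed if i in WEIGHTS)
        risk = self.score()
        if risk >= BLOCK_AT:
            return "block_and_review"
        if event_type in SENSITIVE_EVENTS and risk >= STEP_UP_AT:
            return "step_up_authentication"
        return "allow"

if __name__ == "__main__":
    session = SessionRisk()
    # Constructed session: risk accumulates as the events arrive.
    for event, seen in [("login", []), ("balance", ["new_location"]),
                        ("transfer", ["jailbroken_device", "large_transfer"]),
                        ("add_beneficiary", ["new_beneficiary"])]:
        print(event, session.on_event(event, seen), round(session.score(), 3))
```

In a deployment the fixed weights would be replaced by the model's fraud score; the per-event decision logic stays the same.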

Account takeover fraud is likely to continue to grow, as it is a relatively easy source of profit for bad actors who will continue to exploit all available weaknesses in the financial banking system. However, a multi-layered security approach can significantly assist in mitigating the attacks that lead to account takeover. Technology that protects the user, the device, the app, and the communication channel, combined with a comprehensive risk analytics engine and intelligent authentication framework, is essential to moving forward in the fight against account takeover fraud.
