How to Stop Account Takeover Attacks with Continuous Monitoring and Adaptive Multi-Factor Authentication
Financial institutions invest millions each year into protecting customers from scams and fraud attacks. Despite this investment, losses due to fraud attacks continue to rise.
To protect customers from digital fraud, financial institutions (FIs) typically authenticate users on login. In the US, a 2019 survey found that 96% of the organizations surveyed used some form of username and password to authenticate users, alongside other authentication methods such as knowledge-based authentication (65%) and one-time passwords (OPT) (50%). In Europe, strong authentication is mandated by PSD2.
However, usernames, passwords, secret answers and even two-factor authentication (2FA), can be vulnerable to unauthorized access attacks through phishing, overlay attacks and malware. In his article on how attackers bypass modern 2FA using phishing and advanced browser imitation tools, Ben Balthazar illustrates how phishing attacks can be modernized to defeat two-factor authentication at login, stating that "Implementing 2FA alone does not offer complete protection from phishing.”
Consumers and regulators are now pushing FIs to adopt stronger, passwordless authentication methods for login to improve account security and the user experience. In a recent Visa survey of 1,000 U.S. consumers, 52% claimed they would change banks if their bank did not offer biometric authentication in the future.
While passwordless authentication methods such as biometrics can help stop attackers at the point of access, machine learning and continuous fraud monitoring can help FIs detect and stop account takeover attacks even when secure authentication methods such as 2FA have been bypassed. This can be achieved through step-up security and contextual adaptive multi-factor authentication (MFA) challenges.
Continuous fraud monitoring also enables FIs to know the context (reason) behind each authentication request. This allows them to determine not only whether authentication credentials are correct, but also whether the context of each authentication requested is genuine or suspicious. This creates additional barriers for fraudsters while protecting the user.
Current State of Account Takeover Fraud
In 2020, the US Federal Trade Commission (FTC) reported that American consumers suffered $1.9 billion in fraud losses in 2019 – an increase of $293 million over 2018. In a report commissioned by the European Union, analysts estimated that approximately 24 billion EUR of financial losses could have been incurred by the adult population of the EU as a result of scams and fraud between 2018-2020.
Account takeover (ATO) fraud is one of the top causes of fraud losses for banks and financial institutions. In a 2019 video, Julie Conroy, research director at Aite Group, explains that “Account takeover comes up as one of the number one concerns in pretty much every conversation that we have with financial institutions, FinTechs and e-commerce merchants.”
Greg Hancell, fraud expert at OneSpan, agrees: “Account takeover is increasing because the way that malicious actors can arrive at personal information is much faster now. Last year and the year before, roughly 3.2 billion personal data records were compromised. Our identity is not our own. If you're an attacker, you can very easily obtain personal information and perform an account takeover attack.”
An account takeover occurs when a customer’s bank account is digitally ‘broken into’ and acted on by an attacker. The methods and schemes attackers use to fraudulently obtain access to a customer’s account credentials are continually evolving. These include obtaining data from data breaches, malware, phishing, and other social engineering attacks such as phone scams (read more on common fraud schemes).
For the customer under attack, these attacks might result in fraudulent payments to newly added beneficiaries, or the attacker may apply for a new product using the customer’s credentials. Some account takeover attacks result in the customer being locked out of their account entirely and their recovery email and phone number being changed or compromised.
For FIs, the impact of account takeover attacks can go well beyond financial losses. They can lead customers to lose trust in the bank and can impact consumer confidence and growth. The time and human effort taken to recover, shutdown and investigate the attack can also be significant.
How Banks Can Get Better at Detecting and Preventing Account Takeover Attacks
Account takeover attacks cost banks and insurers billions in payouts and compensation to customers. To reduce these losses, FIs must find ways to detect when an attacker is trying to obtain access to an account, and when an attacker is attempting to carry out an action or transactions fraudulently inside a customer’s account. They also need to prevent these from taking place.
In short, they need to address the issue of trust – when can they trust that a genuine user is accessing and using their account, and how can they determine when an attack is underway? To solve this problem, FIs need a profoundly innovative approach - one that enables the collection and analysis of vast cross-channel data to detect fraud in real-time.
Greg Hancell explains how FIs might detect account takeover fraud through continuous monitoring and machine learning:
“In the past, the way that we would authenticate users might be during login or a transaction. Whereas now, we have an abundance of data because users access their account through the web or mobile banking, and there are events that are constantly streaming to the financial institutions as a user progresses through their user journey.
This movement to digital banking lends itself well to continuous monitoring, the capability to monitor all of the events that are occurring - not just the login and the transaction, but also requesting of a balance or creating a new beneficiary and/or creating a user or changing users.”
Hancell goes on to explain how continuous monitoring and machine learning can be used to analyze the ‘normal’ behavior of the user – such as the way they interact with the device, how they type, swipe and drag across a page, and how they typically establish and interact with sessions. This creates a profile of their normal behavior.
Machine learning can then be used to contrast the normal behavior of the user against suspicious behavior, such as the behavior of a bot or attacker. When suspicious behavior is detected, financial institutions can request additional authentication from the user to challenge access or transactions taking place. If the user can pass the security hurdle and authenticate, they can proceed. If they cannot, the process is stopped and the fraud is prevented.
Why Financial Institutions Need to Make ATO Prevention a Priority
In March 2019, a US survey revealed that 90% of banks surveyed lagged in their ability to authenticate customers and step-up security depending on the risk of an action or transaction. The biggest challenges to detecting and preventing fraud through authentication and step-up security was an over-reliance on credentials such as usernames and passwords. The survey also revealed that 44% of respondents were challenged by the use of legitimate credentials exposed in data breaches and social engineering schemes in account takeover attempts authentication.
Static credentials such as usernames, email addresses and secret answers are vulnerable to attacks as users tend to repeat credentials across multiple websites, social media profiles and sign-up accounts. Once one website is compromised, attackers have access to the user’s other accounts. Greg Hancell explains that “Users tend to have a single point of failure recovery account (i.e. an email account). Once this is overcome you can review their prior emails and perform account takeover against all accounts linked to it.”
Julie Conroy explains how usernames and passwords are vulnerable to fraud attacks:
“Consumers are really lazy about using username and passwords appropriately, and so we have multiple surveys that show that the majority of consumers use the same handful of username and passwords across all of their online relationships. The bad guys know this too, and they are leveraging technology to perpetrate and automate credential stuffing attacks.
Since the onset of the COVID-19 pandemic, attackers have launched an influx of phishing attacks designed to capture consumers’ credentials and other personal information. Once credentials are breached, attackers can automate credential stuffing attacks to see how many different e-commerce accounts or bank accounts the breached credentials will get them into.”
Authenticating users at login and using credentials alone is no longer an option. Analyst firm KuppingerCole argue that “Only requiring a username/password for access to online or mobile banking systems is grossly insufficient for account security.” Financial institutions must continuously monitor the user’s actions and behavior to detect suspicious actors and challenge with setup-up security when risk is detected.
Leading Commercial Bank Uses Fraud Monitoring to Detect Fraud
With the dramatic rise in sophisticated fraud schemes, a leading commercial bank needed the ability to analyze transactions and customer behavior within a centralized fraud management platform. The bank is turning to continuous fraud monitoring and machine learning-based risk analytics to detect a broad spectrum of fraud including unauthorized login attempts, suspicious money transfers and more, all in real-time.
How Intelligent Adaptive Authentication Technology Can Stop Account Takeovers
In his article ‘Solving the Multi-billion Dollar Fraud Prevention Problem’, OneSpan Director of Security Product Marketing David Vergara explains how intelligent adaptive authentication technology can be used with continuous monitoring and machine learning to provide the precise level of security at the right time for each transaction. The technology uses real-time risk analysis to determine the most suitable authentication method(s) based on the level of risk.
Tailoring the authentication flow to each unique transaction makes it more difficult for fraudsters to predict and plan their attacks. This unpredictability thwarts a fraudster’s attempt to takeover an account and turn a profit. As the user’s particular contextual patterns and circumstances evolve, the technology is intelligent enough to recognize these changes and adapt.
Used together, risk analytics and adaptive authentication can be highlight effective in mitigating the risk of account takeover attacks. The technology has been recognized by analyst firms such as KuppingerCole, Gartner, ISMG and Forrester, as a leading technology for financial institutions looking to address the challenges of advancing cybercrime strategies and evolving legislation while protecting financial assets.
Data Breaches, Phishing and ATO Attacks are Ever-Evolving
Account takeover fraud is a major cause of financial loss for financial institutions. In a survey by Aite Group, 89% of financial institution executives pointed to account takeover fraud as the most common cause of losses in the digital channel.
To decrease fraud losses due to account takeover, financial institutions need to adopt technology that leverages machine learning to continuously monitor and analyze each user’s behavior to detect suspicious activity and step-up security with an authentication challenge when risk is detected.
As Trace Fooshee, senior analyst at Aite Group concludes in his research into 2019 account takeover trends, “The era of industrial-scale ATO attacks is here, and the table stakes for FIs to remain competitive in defending against the ever-evolving threat landscape are increasing.”