Why Account Takeover Attacks Are Banks’ Biggest Threat

Greg Hancell, Fraud Expert at OneSpan, Talks to Finextra TV About How Banks Can Prevent Account Takeover Fraud

Video Icon

Greg Hancell, Manager of Global Consulting at OneSpan, talks to Finextra TV about why account takeover attacks are one of the greatest challenges facing financial institutions and how they can get better at detecting and mitigating these types of attacks.

Watch the interview in full or read the transcript below.  

Hannah Wallace: Hello Greg, thank you very much for joining us today.

Greg Hancell: Thank you Hannah, it's a pleasure to be here.

Hannah: What are some of the main challenges financial institutions are facing in relation to fraud?

Greg: The main challenge that I believe we have is account takeover fraud. The reason for that is that it's actually increasing year on year. From 2017 to 2018, there's been an increase of 162%, according to new data, and we're expecting it to increase again.

You might ask, why it is increasing so much? In the past, if you wanted to maliciously obtain or steal somebody's details, you might have to perform manual tasks such as reconnaissance, standing in the street or stealing their wallet. It would be a very manual task and would take quite some time. Whereas now, you could perform a phishing attack whereby you would send an email or include malware that could infect their device and obtain the data. If it's a phishing attack, then they might click on a link and provide their identity and their credentials. Account takeover is increasing because the way that malicious actors can arrive at personal information is much faster now and the way that they can then use that data can be automated as well.

Last year and the year before, roughly 3.2 billion personal data records were compromised. Our identity is not our own and there are malicious actors that run crime as a service and sell identities online. If you're an attacker, you can very easily obtain personal information and then perform an account takeover attack.

The account takeover doesn't stop there. If we think about how that can propagate - if you are a customer, the account takeover might result in a new beneficiary being created, or the application for a new product, or there might be a full account takeover where they would actually remove your device and lock you out and/or potentially compromise your recovery email address and the phone numbers. Financial institutions need to think about not only what's the risk of a customer’s data being taken (their username and their password), but also the recovery process that is used as well. For me, account takeover is a big problem for financial institutions.

Hannah: How are financial institutions getting better at detecting and mitigating account takeover fraud attacks?

Greg: I believe that we need to reflect and think about what is trust, and how do financial institutions think about users, their data and their devices. What we need to consider is that trust is not static, it is dynamic. It is ever changing.

In the past, the way that we would authenticate users might be during login or a transaction. Whereas now, we have an abundance of data because users access their account through the web or mobile banking, and there are events that are constantly streaming to the financial institutions as a user progresses through their user journey. This movement to digital banking lends itself well to continuous monitoring, the capability to monitor all of the events that are occurring - not just the login and the transaction, but also requesting of a balance or creating a new beneficiary and/or creating a user or changing users.

We also need to think about the session as well, because it might not just be one device that is used to login and to authenticate. A user may login from a web device and then authenticate from a mobile device. The risk on both devices is different, yet the session is the same, so it needs unifying and something needs to determine how the risk for both of these devices and how it correlates to that behavior.

Behavior is a big point and that lends itself to machine learning. Financial institutions need to be able to answer:

  • What is the normal user behavior?
  • How do they interact with the devices in terms of typing, swipe, drag, speed across pages?
  • How do they interact with the sessions?
  • When do they establish a web session or a mobile banking session?
  • How do they move through these pages?
  • What pages do they visit, in what order?

By asking these questions, machine learning can profile the speed of a user and their behavior and then contrast that very quickly against a bot, for example. Machine learning can also profile the behavior in terms of spend.

This is quite a challenge for banks. They typically have lots of fraud solutions in place, but they have a gap there in terms of product risk in digital banking and mobile banking. Many financial institutions now are looking to bring in a solution that does continuous monitoring in their web sessions, but there is also a shortage of experts globally. I think it's estimated that by 2021 there will be a shortage of 1.1 million financial cyber-crime experts. Financial institutions are going through a knowledge process where they're gaining the information around indicators of compromise in web sessions, as well as a process evolution as well.

Hannah: How are the regulators addressing these problems?

Greg: Regulators have really been present these last years. We see that mainly with Payment Services Directive 2 (PSD2) and GDPR. With Payment Services Directive 2, what the regulators are doing is actually challenging - What is a strong customer authentication? A user authenticating with a one-time password, in my view, is not necessarily enough. Payment Services Directive 2 also references this and explains that there needs to be a capability to dynamically link back. That brings in context. Financial institutions need to ask:

  • Why is somebody authenticating?
  • What are they authenticating on?

The signature or the one-time password based can then be derived upon context (e.g. the beneficiary, amounts and date.) Using this method, users are not simply arriving into one-time password that they do not know about. It is derived from their data, so they have context and also the financial institution has context as well.

On top of that, there's also the requirement to apply identification of malware in the authentication process. So, the banks or the financial institutions are looking to identify malware, and that's quite a challenge. If we think about phishing attacks, phishing attacks are relatively simple to identify because the end user doesn't have a session with the bank. In a malware scenario, actually, the end user's device is being used. So, in that sense, the regulators are driving forwards another innovation towards machine learning because ultimately, rules will not identify malware. So actually, you need to take in lots of data points, profile, and understand:

  • Is it a user?
  • Is it a bot that's interacting in that session and in that device?
  • What speed are they at?
  • Are there any other indicators of compromise that can be identified?

GDPR is also changing the way that we think about privacy and data. In the past, we would say that PII would be anything relating to me as a person, but the reality now is that because of the capability to identify people from their devices and from their locations, device and location data is now being challenged and classified as PII as well. This influences how you can collect information around the device, how you can collect information around the IP and how that can relate back to the user. Ultimately, this is driving a security change in what applications are doing with that data. Applications are now applying encryption right the way through - encrypting their databases and ensuring that this type of data cannot be obtained or sniffed or received in the middle. So yes, I think regulators are having a big impact on account takeover fraud prevention as well.