Virtually all the payments innovation over the past decade has resulted from the need to better authenticate. These innovations have aimed to either directly prevent account takeovers or minimize friction from risk mitigation efforts.
But as with a balloon, risk tends to shift when you squeeze. In recent years, that shift has seen fraudsters turn away from targeting payment credentials toward targeting account sign-in information.
The numbers tell it all. One of the best-known aggregations of leaked credentials, the Compilation of Many Breaches (COMB), contains:
- 3.28 billion exposed passwords
- 2.18 billion leaked emails
- 635,505 exposed U.S. government passwords
In addition to these alarming numbers, the growth of botnet-driven credential attacks, together with the continued expansion of ecommerce, makes fraud mitigation strategies and authentication more critical than ever.
Account Takeovers: Today’s Biggest Threat
For years, account takeover fraud has haunted digital channels, whether through phishing attacks that harvest credentials, brute force attacks, or other methods. But the fraud market continues to shift toward account takeover, now making it a primary concern. That makes sense: as customers use digital banking and payments more, bad actors will aim to infiltrate those same digital channels.
The account takeover process typically includes:
- Credential Stuffing: Botnets replay leaked username and password pairs, compiled from breach dumps, against login pages at scale, relying on password re-use (or, in the password-spraying variant, trying a few common passwords across many accounts). Tooling can test tens of thousands of combinations in minutes.
- Account Takeover: A bad actor who has purchased or solicited the information takes control of an existing account to defraud the consumer.
- New Account Fraud: The fraudster opens a new line of credit or creates a fraudulent user account in an existing customer's name.
- Exfiltration: Once accounts are created or controlled, the fraudster moves money out via P2P, ACH, wire or RTP.
This sequence begins with one or multiple events, such as sophisticated social engineering techniques. Sometimes the opportunity results from simple mistakes like re-used usernames and passwords across various channels and accounts.
Fraud as a Service (FaaS) Continues to Grow
Meanwhile, it’s never been easier for inexperienced bad actors to target individuals or institutions. While it’s been happening for years, full-featured illicit marketplaces that package curated personal information for a price continue to grow. Inexperienced fraudsters can purchase that information and use open-source tools to test leaked credentials, checking thousands of combinations in minutes.
Surprisingly, these parasitic Fraud as a Service (FaaS) markets can offer 24/7 chat support, how-to guides, complete warranty services and money-back guarantees. These sites provide a range of personal information such as account info, usernames, passwords, SSNs, contact info (for phishing), and sometimes, answers to common security questions. Some can even index search options by channel, geographic location and institution and notify fraudsters when specific criteria emerge.
If a bad actor has successfully defrauded your bank once, they can mark it as a “favorite” and receive updates when sellers list more information belonging to your customers. Also, when banks publicly post messages on their sites about blocking a particular transaction type or geographic region, that information is added to the bank’s profile on these marketplaces.
As threats continue to grow, preventing fraud requires a level of sophistication that can keep up with and exceed what the fraudsters themselves employ.
Static Information and Password Re-use Remain an Issue
Some of the best weapons against fraud remain knowledge and basic cybersecurity practices. But financial institutions, and society overall, still have a great deal to learn in order to make it harder for bad actors to steal personal information or purchase it from an illicit marketplace.
All too often, consumers rely on static passwords that include easily guessable components like pet names, birth dates, hometowns or some variation thereof. And even when consumers use a more complex password, re-use of that password remains a primary threat. A single breach puts all of an individual’s accounts at risk: a breach at one vendor can severely affect many others.
A recent psychological study revealed some concerning discrepancies:
- 91% of consumers said using the same password across accounts is a risk, but 66% always or mostly use the same password or a variation of that password.
- 80% agree that having their password compromised is something to be concerned about, yet 48% said they never change their password if it’s not required.
- 77% said they know password protection best practices, but only 54% keep track of passwords by memory.
CSI and Harris Poll recently partnered on a nationwide survey to take further inventory of consumers’ perspectives about passwords, fraud and cybersecurity. It corroborates the above, with 30% of respondents seeing no issue using the same password across online accounts despite reporting identity theft and stolen card information as their primary concern.
Want a better picture of how your customers view fraud and the security of their personal information? Download your copy of our Consumer Cybersecurity Poll Executive Report.
Financial Institutions’ Role in Fighting Account Takeover
The flip side is that 3 in 4 respondents reported trusting their financial institution to protect their personal and payment information from bad actors. Financial institutions have a unique opportunity to be the vault in which identity information, however complex, is stored and protected.
Fraud costs us all directly but also erodes trust and undermines consumer confidence. As a result, expectations from regulators to monitor such risks as internal fraud, and authenticate customers, are rising as well.
An approach to preventing fraud must account for people being people and risk being unavoidable. So, designing solutions and processes with risk in mind must be fundamental to banking. Dynamic data, tokenization, limiting exposure and prescriptive recommendations can all play a role in preventing fraud.
With the expansion of tokenization and EMV chip cryptography, the rate of counterfeit fraud endemic to magstripes has steadily declined. As payment tokens continue to proliferate through physical plastics, wearables, digital wallets and more, the potential impact of a merchant breach will continue to fall, because the token that leaks is useless outside the channel it was issued for.
Similarly, a shift to an enterprise management perspective and a continuous drive to better authenticate will make account takeovers far more difficult for bad actors.
Shifting to an Enterprise Fraud Management Perspective
Fraud and risk management solutions also help you authenticate your customers by capturing behavior and notifying security teams when something is out of character.
While existing fraud solutions will help in this “infinite game,” the industry must also start approaching fraud from a complete view of the customer, including:
- Single, holistic customer identities that connect customer identity data, biometrics, behavior, device information and external data
- Unified identity proofing that collects information from tenured sources with passive monitoring at each interaction or transaction
- Continuous authentication – the best type of authentication at the best time in the customer journey, promoting a consistent and seamless experience
- Proactive, personalized interdiction – risk-based, preference-driven customer interaction when necessary within the flow of interaction or transaction
Unifying customer data from siloed channels can be a massive undertaking. But with so much on the line, from your customers’ accounts to your institution’s reputation, it’s well worth the effort.
Prescriptive Solutions to Combat Fraud Today
Securing digital channels is a balancing act, as we should strive for zero or minimal new user friction. Fortunately, digital channels allow more passive controls such as alerts and card controls. Specific solutions, like push provisioning, can both mitigate fraud risk and remove friction.
Additionally, it’s wise to embrace EMV chip cryptography, which replaces static magstripe data with a per-transaction cryptogram, and to encourage its use through contactless cards, digital wallets, and other payment methods. Information sharing initiatives between issuers and merchants provide further safeguards with improved, more secure authentication.
Banks should also continuously focus on layering digital security efforts to protect against fraudulent enrollment, logins and behavior within digital banking. Protective features like password security checks, out-of-band authentication and fraud anomaly detection aim to secure those digital accounts and channels that fraudsters increasingly go after.
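One concrete form of the “password security check” mentioned above, and of the defense against the password re-use problem described earlier, is screening a new or changed password against a corpus of leaked credentials (NIST SP 800-63B recommends exactly this). The example below is added here and is not CSI’s code or any product’s code; it uses a small constructed list of leaked passwords in place of a real dump such as COMB, and demonstrates the k-anonymity range query pattern: the client hashes the candidate locally, sends only the first five hex characters of the SHA-1 hash, receives every matching suffix, and finishes the comparison on its own side, so the full password (and its full hash) never leaves the client.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus standing in for a breach compilation (not real breach data).
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2023!", "fluffy1990"]


def sha1_hex(password: str) -> str:
    """SHA-1 is used here only as the corpus lookup key, not as a password store."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: index every leaked hash under its first 5 hex characters."""
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def range_query(index, prefix: str):
    """Server side: return all 35-char suffixes sharing the prefix.
    The server learns only 5 hex chars (one of 16^5 = 1,048,576 buckets)."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return sorted(index.get(prefix, ()))


def is_breached(index, password: str) -> bool:
    """Client side: hash locally, send the prefix only, match suffixes locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in range_query(index, prefix)


def check_new_password(index, password: str, min_length: int = 8):
    """Enrollment / password-change policy: returns (accepted, reason).
    Length is checked first so a rejected short password is never hashed or queried."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(index, password):
        return False, "appears in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for candidate in ["Summer2023!", "qwerty", "correct horse battery staple"]:
        print(candidate, check_new_password(idx, candidate))
```

In production the index would be the full corpus (hundreds of millions of hashes) and `range_query` would sit behind an HTTPS endpoint; the client-side logic is unchanged. Rejecting a breached password at enrollment or change time is cheap and removes the single biggest reason credential stuffing works against an institution.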
Moving forward, combatting account takeover will employ:
- Consortium trend data that provides a cross-institution view of attack patterns
- Stronger identity verification such as facial recognition and more advanced government ID scanning
- Behavioral biometrics, including the way users type or hold their phone
- Device profiling that detects new devices
- Bot identification to prevent credential stuffing attacks
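Bot identification for credential stuffing, the first stage of the takeover sequence described earlier, comes down to what the login log looks like: one source trying many different accounts with almost every attempt failing, or a botnet spreading the same list across many sources so that no single IP exceeds a rate limit. The example below is an added illustration, not code from CSI or any fraud platform; the key=value log format, the IP addresses and the thresholds are constructed for the example, and a real deployment would tune the window and thresholds to its own traffic.

```python
import re
from collections import defaultdict

# Constructed sample log lines (format invented for this example).
SAMPLE_LOG = []
# One bot: 15 different usernames fail in 15 seconds, then one pair from the list works (a "hit").
SAMPLE_LOG += [f"ts={1000 + i} src=203.0.113.7 user=cust{i:03d} result=FAIL" for i in range(15)]
SAMPLE_LOG.append("ts=1015 src=203.0.113.7 user=m.jones result=OK")
# A real customer mistyping twice, then logging in: must not be flagged.
SAMPLE_LOG += [
    "ts=1020 src=192.0.2.44 user=a.smith result=FAIL",
    "ts=1031 src=192.0.2.44 user=a.smith result=FAIL",
    "ts=1040 src=192.0.2.44 user=a.smith result=OK",
]
# Distributed low-and-slow run: 25 bot IPs, one attempt each, 25 different accounts.
SAMPLE_LOG += [f"ts={2001 + i} src=198.51.100.{i + 1} user=acct{i:03d} result=FAIL" for i in range(25)]

LINE_RE = re.compile(r"ts=(\d+) src=(\S+) user=(\S+) result=(OK|FAIL)")


def parse_log(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue
        ts, src, user, result = m.groups()
        events.append({"ts": int(ts), "src": src, "user": user, "ok": result == "OK"})
    return events


def detect_single_source(events, window=60, min_users=10, min_fail_ratio=0.9):
    """Flag a source that tries many distinct accounts in one window with almost
    every attempt failing. A genuine user retyping their own password has
    distinct_users == 1 and never trips this. Any successes inside a flagged
    window are the accounts the attacker actually got into."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["src"], e["ts"] // window)].append(e)
    alerts = []
    for (src, bucket), evs in sorted(buckets.items()):
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if not e["ok"])
        ratio = failures / len(evs)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            hits = sorted(e["user"] for e in evs if e["ok"])
            alerts.append({"src": src, "bucket": bucket, "distinct_users": len(users),
                           "fail_ratio": round(ratio, 3), "successful_logins": hits})
    return alerts


def detect_distributed(events, window=60, min_failed_users=20, max_per_src=3):
    """Flag a window in which many distinct accounts fail while no single source
    sends more than a handful of attempts: a botnet spreading one credential
    list across many IPs to stay under per-IP limits."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["ts"] // window].append(e)
    alerts = []
    for bucket, evs in sorted(buckets.items()):
        failed_users = {e["user"] for e in evs if not e["ok"]}
        per_src = defaultdict(int)
        for e in evs:
            per_src[e["src"]] += 1
        if len(failed_users) >= min_failed_users and max(per_src.values()) <= max_per_src:
            alerts.append({"bucket": bucket, "failed_users": len(failed_users),
                           "sources": len(per_src)})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_single_source(evs) + detect_distributed(evs):
        print(alert)
```

The two detectors are deliberately complementary: the per-source check catches the noisy bot but is blind to the distributed run (each IP shows one user), and the distributed check ignores the single bot (its per-IP count is far above `max_per_src`) but catches the spread-out botnet. The `successful_logins` list in a single-source alert is the actionable output: those are the accounts to step up with out-of-band authentication and to notify, since the attacker now holds working credentials for them.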
Shore Up Authentication Weaknesses Now
The industry will continue to make great strides in fraud prevention by tearing down siloes and looking more holistically at customers across channels. By combining those methods with security baked into the design, we’ll have a clear roadmap to drive away bad actors over the next decade.
As you pursue this path, be sure to refer to CSI’s Consumer Cybersecurity Poll to comprehend your customers’ understanding of risks and more tips to optimize your authentication practices now.
Matt Herren is the Director of Payment Strategy at CSI. With a strong focus on emerging technologies and how they apply to the financial industry, Matt has led CSI’s effort to drive innovation in the payment space. In his role, Matt has worked to enhance customer experience and helped direct innovative product offerings to increase bank profitability, allowing banks to realize industry-leading results and maximize program performance.