Account Takeover Fraud: What Is It and How Can You Prevent It?

Consider the online services you rely on each day, such as banking and online shopping. 

Now imagine how you’d feel if you were suddenly locked out of those accounts. As the panic sets in, you quickly realize that a fraudster has gained access – and likely made unauthorized transactions. You rush to call a customer helpline, where you work to take back control of your account. 

This is account takeover fraud (also known as account hijacking) – when a fraudster or criminal poses as a genuine customer to gain control of an account and then makes unauthorized transactions. Account takeover fraud can have a very personal impact, such as triggering immediate financial implications, preventing access to benefits or services, and causing poor credit scores until the matter is resolved.

• Around 22% of US adults have fallen prey to account takeover fraud scenarios, costing an approximate average financial loss of almost $12,000.
• Account takeover fraud is on the rise: reported cases increased by 90%, costing an estimated $11.4 billion in 2021, compared with 2020.

Fortunately, there is a solution. Biometric face authentication helps organizations to prevent account takeover fraud. A criminal can steal knowledge-based security information, such as a password or mother’s maiden name. They can dupe people into revealing PINs and account recovery information with social engineering. Once they have that data, they can change the contact number and email address associated with the account, so that one-time passcodes (OTPs) and password reset links are redirected.

Dynamic Liveness® helps defend against account takeover fraud by ensuring that only the genuine account owner can gain access. iProov’s technology is empowering organizations to safeguard users’ online accounts and ensure that accounts don’t end up under someone else’s control. With iProov, organizations can verify that each online user is the right person, a real person, and that they are authenticating right now. 

What is account takeover fraud?

Account takeover fraud is when a fraudster gains access to a genuine user’s account in order to reap financial gains or launder money through identity theft. It works through a series of small steps:

A fraudster gains access to a victim’s account. The fraudster can use a number of tactics to achieve this; using malware, social engineering, phishing, data from data breaches, or simply using information they know about a room-mate or family member.

Once the fraudster has access to an account, they can change the contact details to redirect information to another email and phone number.

Finally, as they can now confirm authentication methods such as SMS OTPs or email resets, the attacker can make further changes to defraud the account. This could include requesting a new payment card, changing the password, or adding another insurance policy holder or beneficiary. 

Account takeover fraud is a huge problem; it’s one of the most common consequences of identity theft. It can also be scalable, as consumers tend to reuse passwords; iProov research found that 59% of respondents admitted to reusing the same passwords across multiple sites.

The problem is exacerbated by ‘credential stuffing’ attacks, where collections of login credentials from data breaches are inserted into a bot which then attempts to access other accounts to automate the account takeover process. The US consumer banking industry alone faces nearly $50m per day in potential losses due to credential stuffing.

All industries can be targets of account takeover fraud. Financial service providers are common targets, such as banks and insurers. But other industries such as healthcare and higher education are targeted too – these accounts are often rich in sensitive data such as financial or medical records, which can then be used in further scams (such as new account fraud), or sold online.

Account takeover fraud vs new account fraud: what’s the difference?

• Account takeover fraud: bad actors target existing accounts to extract financial value or sensitive information from that account by undermining weak authentication security. In this case the solution is stronger user authentication.
• New account fraud: bad actors create new accounts using fake, stolen, or synthetic identities to access goods or services in order to commit crime, steal and launder money, or gain access to services they wouldn’t be able to access using their own identity. The solution to new account fraud needs to focus on stronger user verification.

What does account takeover fraud mean for consumers and organizations?

Organizations face a series of challenges in detecting account takeover fraud:

• How does an organization know which transactions are from a legitimate user, and which are fraudulent? The fraudster may change the address or phone number on the account, but so could the bona fide owner. And if step-up authentication methods are being fulfilled – like SMS OTPs or an email code – then it’s likely that no red flags would be raised on the system to prompt investigation.
• Significant financial losses can be quickly accrued. If a business has paid out a false insurance claim, for example, then it’s difficult to recoup that money. Any damages to customer funds would need to be repaid.
• Victims might lose trust in that business being able to adequately protect their accounts, while high-profile compromises can have lasting reputational impact that is hard to recover from.
• In more regulated industries, like finance, this can also result in more financial penalties and other reprimands. 

Account takeover fraud can be devastating to victims:

• As the fraudster often changes contact details, the genuine account holder can be oblivious and totally powerless to stop this fraud for a long time.
• Users can find themselves unexpectedly locked out from vital services when they most need them – such as making an insurance claim or a government support claim – causing huge emotional stress and financial hardships.
• Once an account is taken over, attackers can also use that account to seize control of more services and applications and can quickly escalate to full identity theft.
• Huge financial losses can be accrued across multiple accounts very quickly. 

How are organizations protecting against account takeover fraud already?

To prevent fraud, many companies have implemented two or multi-factor authentication (2FA or MFA).This is mandated for financial institutions in Europe under PSD2 strong customer authentication (SCA) regulation. This means authentication needs to meet two or more of the following:

• Something a user is (inherence) – e.g. biometrics
• Something a user knows (knowledge) – e.g. passwords
• Something a user has (possession) – e.g. a device, a mobile number, to receive an OTP

However, traditional knowledge-based methods like passwords are increasingly considered insecure. These are phishable – meaning they are ‘shareable secrets’ that attackers can acquire from data breaches or social engineering attacks. It’s easier than ever for attackers to acquire this information and, with so many accounts, consumers are increasingly deploying easy-to-remember passwords across multiple accounts.

Passwords are simply no longer fit for purpose. Similarly, pairing these with other 2FA methods like SMS OTPs (possession-based authentication) is inadequate, because phone numbers can easily be swapped on accounts and messages can be hijacked. The US is already issuing guidance, such as the 14028 Executive Order, recommending the discontinuation of authentication methods that fail to resist phishing, such as SMS OTPs.

How does biometric authentication prevent account takeover fraud?

Biometric credentials cannot be ‘shared’ in the same way other authenticators can be. Your genuine face cannot be lost or stolen, or used at scale in a credential stuffing attack. They are unique to a person, making them considerably more secure as an authentication factor.  

Face biometrics are a compelling inherence-based option, as organizations can cross-check users with government-issued ID (most of which include photos) to validate users during onboarding and enrollment.

Users can use their face for ongoing authentication. With the right biometric solution, this means that nobody else can access that account or carry out any activity/transactions other than the genuine owner. Passive biometric solutions such as iProov’s Dynamic Liveness will also offer a far better user experience. Rather than having to remember and enter a complicated password, a user can simply look back at a device, making the security process effortless. 

But remember, not all face biometric solutions are created equal…

How does liveness prevent account takeover fraud?

Liveness detection uses biometric technology to verify that an online user is a real live person. Without liveness detection, a criminal could use a photo or a video of a victim and present it to the camera, spoofing the authentication process.

To prevent account takeover fraud with ultra-secure authentication security, you need to verify all three aspects of genuine presence: right person, real person, and authenticating in real-time. That’s where iProov Dynamic Liveness comes in.

How does iProov Dynamic Liveness (GPA) prevent account takeover fraud?

iProov’s Dynamic Liveness (GPA) technology is an invaluable tool in preventing account takeover fraud, as it offers organizations the highest level of assurance that a user is genuine. iProov’s solution has been specifically designed to be easy to use while also highly secure and validates three vital things – that a user is the right person, a real person, and that they are authenticating in real time.

The most difficult aspect to validate  is verifying a user is authenticating right now. This is done using iProov’s Flashmark technology, which illuminates the remote user’s face with a unique sequence of colors that cannot be replayed or manipulated synthetically, preventing spoofing.  

What’s more, Dynamic Liveness is a cloud-based technology, meaning its defenses are hidden from attackers, making it far more challenging to reverse engineer. GPA is powered by iProov Security Operations Center (iSOC), which uses machine-learning technology to monitor day-to-day operations and identify new attacks, meaning GPA provides active threat management. Dynamic Liveness can offer additional value through its reassuring ‘ceremony’, as Flashmark assures users that additional security is taking place. When accessing a sensitive account, this ceremony is a great comfort – especially if you have experienced fraud in the past.

Example: a fraudster acquires a victim’s email and password that have been shared on the dark web following a data breach. They enter the credentials into a number of online accounts, such as banks and retailers. Some accounts have no step-up or two-factor authentication in place, so the fraudster can walk right in and cause a huge amount of damage. But in this example, the person’s bank uses iProov face authentication. When the fraudster tries to log in to the account secured by iProov, the authentication fails. Even if they had imagery of the defrauded person’s face, iProov’s Dynamic Liveness technology would detect that the genuine individual was not present and the access request would be rejected.

 Account takeover fraud: a summary

• Account takeover fraud happens when an attacker gains access to an account through illicit means, before using that access to lock the genuine user out and defraud them.
• ‘Credential stuffing’ is a popular form of attack that can automate account takeover fraud. It usually uses automated bots to enter stolen credentials at scale and try to access multiple other services.
• Account takeover fraud is common because phishable credentials used to protect accounts, such as passwords, can be stolen or solicited via social engineering attacks.
• Biometric authentication can deliver higher levels of security because they are an ‘unshareable credential’ unlike passwords and OTPs.
• iProov technology can help organizations to prevent account takeover by verifying that the online individual trying to access the account is the right person, a real person, and that they are authenticating right now.

Account takeover fraud causes great emotional stress to its victims, as well as financial and data loss. Organizations face reputational damage and unhappy customers, as well as financial implications. By adding face authentication – either as a sole authenticator or part of a multi-factor authentication deployment – organizations can prevent account compromises.

If you’d like to see how iProov’s technology can bring effortless security to your onboarding and authentication processes – helping to combat account takeover fraud – book an iProov demo here.