With numerous free or nominally priced online tools available that facilitate access to consumer data, verifying stolen credentials and using proxy networks, you don’t really need to be a technology wiz to steal a genuine user account

In a digital first world, consumers are increasingly shopping and accessing services online. Greater penetration of smartphones have meant users are not tied down to a specific location and can access digital services on the go. While time-, location- and device-agnostic access to online services have made it convenient for consumers to transact, it has also led to a spurt in fraud and online abuse.

Data is easily available

Consumers are required to provide their personal details while signing up for a new service, logging in to an existing account or payment checkout. And as online engagement increases, this cycle repeats many times over across multiple channels. As a result, the internet is littered with personally identifiable information of consumers, which provides fraudsters with countless opportunities to orchestrate many types of frauds and financial crimes.

A direct fallout of easy availability of rich consumer data is that fraudsters can steal consumers accounts—also known as account takeover—with no difficulty whatsoever. Arkose Labs research has revealed that one in every ten login requests are account takeover attempts.

Data breaches supplement fraudsters’ databases

It is no wonder then that recently there has been a prolific increase in the number of data breach incidents. Each successful data breach incident provides fraudsters with fresh consumer data to supplement the existing databases, making it easier for them to impersonate genuine customers and gain illegitimate access to true user accounts. Once, fraudsters are in control, they can abuse the account in every manner possible—from stealing the money and reward points it contains to stealing stored payment details and passwords, and even using them as launchpads for more malicious crimes such as money laundering.

Stealing a bank account is now a child’s play

Technological advancements have made stealing a bank account ridiculously easy—even for novices! Watch how simple it is to steal a bank account in this webinar. You don’t really need to be a technology wiz to steal a genuine user account. With so many tools available for free or at nominal costs, facilitating an account takeover is really simple. Account takeover provides fraudsters with a larger time frame to commit crimes and escape without resistance. As a result, fraudsters armed with deep consumer details are now graduating to account takeover from credit card fraud—although not completely giving up on it.

The process

To steal an account you need two things to begin with—a target and data. Internet is replete with ample resources that you can use to access breached data—real username and password combinations—for free. You can also buy data by brand or specific data breach on popular marketplaces. Then there is also the dark web, with resources to facilitate malicious, large-scale and complex attacks.

You can verify whether the combinations of username-password that you have accessed are correct, by using online tools—again available for free on the internet. Once you have established that the username-password details are correct, you can use them to log in to the compromised user’s bank account. Unfortunately, most consumers use the same username-password combination across services, which gives fraudsters unrestricted access to numerous genuine accounts, which they can exploit at whim. It’s as simple as this!

Avoiding detection

But multiple requests from a single network IP can lead to detection and blocking. So, you need multiple network IP addresses to avoid detection. You can use proxy settings to make the attacks look originating from multiple IP addresses. There are databases of residential IP addresses of genuine users from all across the world, available at a price. You can buy a database and use different IP addresses for multiple attacks without raising suspicion.

Account takeover is difficult to detect because you can masquerade as a genuine consumer without raising suspicion, only until the affected consumer realizes that (s)he has been robbed. Fraudsters leverage technology, use automated bots and human or ‘sweatshop’ driven attacks to attempt account takeover at scale. They are increasingly using Single Request Attacks to hide account takeover attempts and execute JavaScripts just like a human would do.

Longer-term approach to fight account takeover

Businesses cannot fight the rising menace of account takeover by simply blocking fraudsters when they attempt stealing consumer accounts. Instead, businesses need a longer-term approach to create and implement barriers that increase the cost of the attack to make it financially non-viable. Arkose Labs protects global businesses from account takeover attempts and helps prevent losses to businesses and their customers by eroding the financial incentives of an account takeover attempt.

Read more about our capabilities in protecting businesses from account takeover, here.