Account Takeover

Practical Steps to Eliminating Account Takeover Attacks in Banks and Fintechs

June 8, 20226 min Read

Account takeover (ATO) attacks allow fraudsters to gain unauthorized access to bank accounts and highjack genuine users’ finances. Fraudsters are using sophisticated attack tactics to maximize profits with the least possible investments. Account takeover attacks in banks and fintechs present a particularly lucrative opportunity for fraudsters and are highly targeted compared to other industries.

Traditional banks are facing tough competition from the disruption caused by fintechs, with both fintechs and traditional banks trying to balance low-friction user experience with account security. This is because account takeover attacks in banks and fintechs can result in the financial accounts of the users getting compromised and becoming a conduit for mass downstream fraud and credit applications, with far-reaching social consequences.

Automation and phishing power account takeover attacks in banks and fintechs

Breaking into user accounts at scale is becoming increasingly simple for fraudsters—thanks to easily and cheaply available bots, automation scripts and constantly refreshed leaks of username/password credential spills. That said, the economic viability of an attack is important for fraudsters, who tailor their attacks by maneuvering the available resources—bots, human labor or a combination of the two—to maximize profits.

Fraudsters engage in a range of malicious activities including account enumeration, account validation, credential stuffing, and social engineering to harvest user credentials. Social engineering is an especially useful tool when fraudsters target financial institutions. This is because financial institutions usually do not use email IDs as usernames. This piece of information, therefore, needs to be elicited from true users on some pretext. Phishing enables fraudsters to manipulate individuals into divulging personal information or directing them to fraudulent websites to harvest identity data at scale.

Fraudsters attack on multiple fronts

  • Once fraudsters have stolen data and corrupted digital identities, they use all of this data to orchestrate account takeover attacks in banks and fintechs on multiple fronts. These include:
    Account draining: After wresting complete control of the users' financial accounts, the first goal for fraudsters is to drain the funds contained therein.
  • Money laundering: The ‘dirty’ money—the proceeds of a crime—is transferred multiple times across multiple accounts to obscure its origins and make it look legitimate. After a roundabout journey, the ‘clean’ money returns to the fraudster.
  • Money muling: Fraudsters recruit legitimate users, with active accounts, as money mules to transfer dirty money into their accounts. Alternatively, fraudsters also use compromised user accounts—both active and dormant—to transfer the funds.
  • Credit applications: With an aim to maximize financial gain, fraudsters abuse the compromised accounts and stolen identity data to make fraudulent credit applications. To avoid raising suspicions, fraudsters often hold on to the compromised accounts for months together before actively engaging in fraudulent activities. This makes identifying the attack, all the more difficult.

Playing on the pressures banks and fintechs are facing

Consumers expect secure and seamless digital experience across touchpoints. Fintechs and financial institutions are obliged to honor consumer trust and protect their hard-earned money. There are a number of regulations to this end that mandate financial institutions and fintechs to comply with.

Fraudsters are aware of the pressures financial institutions are enduring; and, are, therefore, leveraging technology to study the defense mechanisms and devise ways to circumvent them. For instance, fraudsters use advanced bots that can closely mimic human behavior to bypass fraud solutions that require human intervention. When confronted with a defense mechanism that requires more nuanced human response, fraudsters switch over to human sweatshops to clear the hurdles at scale. All of these advanced techniques allow fraudsters to launch sophisticated account takeover attacks in banks and fintechs and extract rewards faster than the ensuing countermeasures.

Need relief from bearing fraud as a cost of doing business

Apart from a deluge of downstream fraud that can cause serious monetary losses, account takeover attacks in banks and fintechs can make these institutions non-compliant with the prevailing regulations and liable to pay hefty fines. Perhaps, the biggest loss comes in the form of damage to the brand reputation and a trust deficit among consumers—a key ingredient in any successful business.

Banks and fintechs cannot risk monetary and reputational losses and must, therefore, make adequate efforts to safeguard the interests of the business and their customers. Given that account takeover attacks in banks and fintechs are challenging to detect, traditional approaches or point solutions will not provide financial institutions with the level of protection and readiness to thwart evolving attack tactics.

Fintechs and banks, therefore, need a fresh, long-term approach that can help them neutralize account takeover attempts without causing undue friction for genuine users. A solution that also relieves the burden of tolerating fraud losses as a cost of doing business.

Bankrupt the business model of fraud

When the cost of executing an attack outweighs the returns it can fetch, the attack becomes economically non-viable. This is precisely what the Arkose Labs' solution does to account takeover attempts in banks and fintechs—it bankrupts the fraud model and forces the fraudsters to give up.

Combining real-time, continuous intelligence with an adaptive, step-up challenge enforcement mechanism, the Arkose Labs Fraud and Abuse Prevention Platform triages every incoming user and, based on the risk assessment, presents custom 3D puzzles to solve.

Genuine users find these puzzles fun and simple to solve—if challenges are even presented to them. This helps preserve user experience, while judiciously using targeted friction to detect and block fraudulent activity. Because these puzzles are resilient to automatic solvers, bots and automated scripts cannot clear them at scale and fail instantly. The persistent, malicious humans face challenges that become progressively more complex. This slows the attack down and saps fraudsters' resources. As more time, effort, and resources must be invested to clear these challenges at scale, the returns begin depleting, which makes the attack economically non-viable and forces fraudsters to abandon the attack.

Leading global financial institutions trust Arkose Labs to help them balance account security with an accessible and customer-focused user experience. To learn how Arkose Labs thwarts account takeover attacks in banks and fintechs, click here