Financial account takeover is a form of identity fraud where fraudsters use stolen credentials to break into digital financial accounts of genuine customers. An exponential increase in the number of consumers using fintech services and digital channels for banking needs during the pandemic has opened up the attack surface like never before, leading to a greater risk to financial institutions.
In a market where digital-first banking is largely replacing in-person transactions, the pressure is on businesses to deliver an increasingly convenient and consistently secure customer experience. While consumers are more accepting and appreciative of security gates from financial institutions, many banks are still searching for the ideal balance between low-friction user experience and account security. A great user experience can contribute to customer retention, any issues in account security can be a deal-breaker. This is because account takeover attacks in banks and fintechs can result in users losing their life-earnings and their accounts becoming a conduit for mass downstream fraud.
Account takeover fraud that targets banks and fintechs is especially lucrative for fraudsters due to the enormous amounts of monetary value these institutions deal with. Financial account takeover not only enables fraudsters to strike big – due to the value of assets in these accounts – the potential to use them for multiple other types of fraud is also immense.
The User-Friendly Art of Fighting Fintech Fraud
To execute account takeover attacks, fraudsters require valid user credentials. These inputs are harvested through account enumeration, account validation, credential stuffing, and social engineering. In the case of financial institutions and fintechs, email IDs are not used as usernames. Therefore, fraudsters generally rely on social engineering to elicit the required information that can fuel financial account takeover attacks. They use phishing and vishing to manipulate users into sharing their personal information. Fraudsters also send out emails, purportedly from providers that customers have an existing relationship with in order to create panic and redirect them to a malicious webpage to harvest identity data at scale.
Commoditised tools, including bots and scripts, are easily available on the internet, which make it possible for fraudsters to execute such attacks at scale with the least possible investments. Furthermore, being creative, fraudsters use all possible measures to reduce investments and maximize ‘profits’. They mobilize their resources and use a mix of automation, bots, and human labor to increase the returns. This makes account takeover attacks a lucrative ‘business’ opportunity for fraudsters that cause losses worth millions of dollars every year to businesses. In the first half (H1) of 2021, 285 million account takeover attacks were detected and stopped on the Arkose Labs network.
Multiple ways to monetize an attack
The stolen user data and corrupted digital identities are used to execute financial account takeover attacks on banks and fintechs in many ways as described below:
- Account draining: The first and the obvious method to monetize compromised attacks is to drain the accounts of the funds contained therein.
- Money laundering: Compromised accounts serve as a conduit for money laundering, whereby, fraudsters transfer the proceeds of a crime multiple times and across multiple accounts until the roundabout journey results in fraudsters reclaiming the money as ‘clean’ money. Multiple transfers also make it difficult to trace, as the origin gets obscured.
- Money muling: This is yet another method fraudsters use to convert dirty money into clean money. They recruit legitimate users who have active accounts for the purpose. Fraudsters also use the compromised user accounts—both active and dormant—as money mules to transfer the funds.
- Credit applications: In this type of fraud, compromised accounts are used to open new lines of credit by making fraudulent credit applications. Fraudsters may hold the compromised accounts for months together before using them. This not only enables them to avoid raising suspicion but also makes it challenging to identify the attack.
Busting the ROI of Fintech Fraud
Financial institutions are overburdened
The increase in the number of digital users and reliance on digital channels has elevated the level of expectations that customers have from their financial services providers. Therefore, the onus of providing a secure and seamless experience rests with these digital businesses. Furthermore, fintechs and financial institutions have additional responsibility of compliance with a number of regulations that mandate them to ensure security and privacy of customer data.
Aware of the challenges that financial institutions are facing at multiple fronts, fraudsters are taking advantage of the situation by studying the defense mechanisms and devising ways to circumvent them. For example, fraudsters are now aware that many defense mechanisms require more nuanced human interaction. They have, therefore, found a method to bypass these defenses through the use of human fraud farms. These adaptations and the use of advanced techniques not only make it simpler for fraudsters to launch sophisticated and complex financial account takeover attacks, but also extract rewards faster than deployment of countermeasures.
Financial account takeover can result in serious monetary losses to banks and fintechs. In case the attack is successful, these institutions also run the risk of non-compliance and bearing the burden of paying hefty penalties. In addition, they stand to lose customer trust and erosion of brand equity, which takes years of effort to build.
A solution that works for digital-first financial institutions
To avoid losses – both tangible and intangible – banks and fintechs need effective solutions that can help them safeguard the interests of their business and customers. Having said that, account takeover attacks are not easy to detect. Therefore, financial institutions of the current digital era cannot solely rely on traditional defense approaches or point solutions. This is because these solutions often lack the ability to cope up with the evolution in attack tactics and therefore, cannot ensure the level of protection needed today.
The need for digital-first fintechs and banks is an approach that can protect long-term and from new attack techniques, without adding friction to the customer journey. They need a solution that eases out their burden and frees them from absorbing fraud losses as a business cost.
Arkose Labs for Financial Services and Fintech
‘Bank’rupting the business model of fraud
Mitigating fraud can be an onerous task and still not provide robust security, so critical for banks, and fintechs. Therefore, these institutions must look to prevent fraud rather than clean up after the damage is done.
Most solutions on the market today are focused on fraud detection and mitigation. Arkose Labs, however, believes in the zero tolerance to fraud approach and deters fraudsters from attacking. This deterrence is achieved by making the execution of an attack so expensive that it loses its financial viability, which forces attackers to give up.
Arkose Labs enables invisible screening for good users while absorbing attacks with targeted enforcement. The presentation of an enforcement challenge is driven by a complex process involving the dynamic risk engine – Arkose Detect – that analyzes hundreds of parameters to assess the risk of an incoming user in real-time, and informing the challenge-response mechanism – Arkose Enforce – to step up the complexity of the challenge for confirmed malicious users.
This targeted friction makes clearing the challenges at scale nearly impossible for attackers, as bots fail instantly and human attackers are required to clear challenges successively that also increase in complexity. Wastage of time, effort, and resources soon escalates the costs of a financial account takeover attack and ultimately outweighs the returns to bankrupt the business model of fraud.
Arkose Labs is a trusted partner for leading global financial institutions when it comes to customers’ account security with an accessible and customer-focused user experience. To learn how Arkose Labs helps fintechs and banks ward off financial account takeover attacks, book a demo now.