The cost of account takeover is steep when organisations aren’t properly protected. In fact, 84% of financial institutions experienced account takeovers in the past year, and it can cost up to 8.3% of their annual revenue, according to new research by the Aberdeen Group, writes Serpil Hall
Building on the Aberdeen Group research, Serpil Hall discusses the factors driving the increase in account takeover and how financial services providers can best ramp up their defences.
The research attempts to quantify the risk of credential stuffing and account takeovers across four segments of the financial services industry in the United States: commercial banks, credit unions, savings institutions, and fintech organisations.
Somewhat surprisingly, 84% of financial institutions said they experienced account takeovers in the past year, meaning traditional methods of preventing account takeovers aren’t working nearly as well as they should.
This tracks with other reports that show global account takeovers are on the rise – made easier by lax password security. And the bottom line is that the financial consequences from these threats can no longer be ignored – with the average cost of an attack rising as high as 6.4% of the revenue generated from monthly active users.
The factors driving the increase in account take-overs
Digital banking has grown 52% in recent years, and with that growth has come an increase in bot-driven account takeover (ATO) attacks. Automation lowers the bar for more sophisticated (and frequent) attacks.
Reports suggest that 15.1 billion records were exposed in data breaches in 2019 – up 284% over 2018. Those breaches included the loss of personally identifiable information (PII), payment card numbers, and usernames and passwords, which is the raw material for credential stuffing.
Like other forms of fraud, account takeovers also tend to spike around the holidays, with fraudsters leaning heavily on this attack vector to steal payment information and rewards points stored in online accounts on merchant websites.
For example, in the UK, banks, credit bureaus, the police and others send extra warnings to consumers about the dangers of online fraud in the lead-up to Black Friday, Cyber Monday and Christmas, when many shoppers are poised to take to the Internet in search of a good deal.
Fraudulent social media posts and online ads are also extremely common ways to entice consumers to visit fraudulent websites where criminals ‘phish’ for personal data that can later be used to steal an identity or take over an account. Phishing pays because consumers naturally gravitate to using just a handful of passwords across the Internet: a single phished credential, combined with data from earlier breaches, lets fraudsters stitch together a complete profile of the victim and try the same password on many other accounts, which makes ATO very profitable.
How is the industry responding – and what more should banks be doing?
First off, there needs to be a shift in thinking. Instead of focusing on fraud mitigation, banks need to prioritise fraud prevention.
What does that mean? Banks need to adopt strategies and technologies that catch fraudsters in real time. Behavioural biometrics offer a novel approach to the problem of remote account takeover, and are an emerging technology that banks should take a hard look at if they want a more real-time approach to fraud prevention.
Common behavioural biometrics
Common behavioural biometrics may include how consumers swipe on their devices, how they hold their devices, specific keystroke and device movements, and more. Using this data, banks and credit unions can understand when digital patterns diverge from past behaviour—potentially indicating a compromised account—and take immediate action to stop fraudulent activity dead in its tracks.
Complementing existing rule-based fraud controls, real-time behavioural biometrics let banks continuously authenticate genuine users and flag suspicious sessions, putting them ahead of fraudsters whether those fraudsters gain access directly with stolen credentials or by coercing the victim into acting on their behalf. In practice the output is a risk score that drives a step-up challenge or a transaction hold rather than a hard block, because a false positive on a genuine customer carries its own cost.
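The baseline-and-divergence idea described above, reduced to a worked example (added here for illustration; this is not code from the article or from any vendor's product). It assumes that the bank captures keystroke hold and flight times during a few enrolment sessions, summarises each session into a handful of features, and scores a later session by its average z-score against the per-user baseline; the session data, feature set and threshold of 3.0 are all constructed assumptions. Real products use far more signals (swipe pressure, device orientation, mouse dynamics) and per-feature models, but the shape of the decision is the same.

```python
"""Toy behavioural-biometrics check, added here as an illustration (not code from
the article or any vendor): build a per-user keystroke baseline from enrolment
sessions, then score a new session by how far it diverges from that baseline.
All timings are constructed sample values in milliseconds."""
from statistics import mean, pstdev

# Constructed enrolment sessions for one user. Each session is a list of
# (hold_ms, flight_ms) pairs: how long a key was held, and the gap before the next key.
ENROLMENT_SESSIONS = [
    [(95, 180), (88, 210), (102, 175), (91, 230), (97, 195), (85, 205)],
    [(90, 190), (99, 220), (93, 170), (87, 240), (101, 185), (94, 200)],
    [(97, 175), (92, 205), (89, 215), (96, 185), (90, 225), (98, 195)],
]

# Constructed test sessions: the same user on a later day, a different (faster)
# human, and a scripted login with machine-regular timings.
GENUINE_SESSION = [(93, 195), (90, 225), (99, 175), (88, 230), (96, 185), (92, 205)]
OTHER_HUMAN_SESSION = [(60, 120), (55, 140), (65, 110), (58, 150), (62, 125), (57, 135)]
BOT_SESSION = [(20, 40)] * 6


def extract_features(session):
    """Collapse a session into three numbers: mean hold time, mean flight time,
    and the spread (population stddev) of flight times. Humans vary between
    keystrokes; scripts tend not to."""
    holds = [h for h, _ in session]
    flights = [f for _, f in session]
    return {
        "hold_mean": mean(holds),
        "flight_mean": mean(flights),
        "flight_spread": pstdev(flights),
    }


def build_baseline(sessions):
    """Per-feature (mean, stddev) across enrolment sessions. The stddev is floored
    at 5% of the mean (and at 1.0) so a feature that barely varied during
    enrolment does not turn every later session into an outlier."""
    feats = [extract_features(s) for s in sessions]
    baseline = {}
    for name in feats[0]:
        values = [f[name] for f in feats]
        mu = mean(values)
        sd = max(pstdev(values), 0.05 * abs(mu), 1.0)
        baseline[name] = (mu, sd)
    return baseline


def anomaly_score(baseline, session):
    """Mean absolute z-score of the session's features against the baseline.
    0 means 'exactly like enrolment'; each unit is one stddev away on average."""
    feats = extract_features(session)
    zs = [abs(feats[name] - mu) / sd for name, (mu, sd) in baseline.items()]
    return sum(zs) / len(zs)


def classify(baseline, session, threshold=3.0):
    """Decision fed to the fraud engine: 'genuine' lets the session continue,
    'step-up' triggers a challenge (MFA, call-back, transaction hold)."""
    return "genuine" if anomaly_score(baseline, session) < threshold else "step-up"


if __name__ == "__main__":
    baseline = build_baseline(ENROLMENT_SESSIONS)
    for label, session in [("genuine", GENUINE_SESSION),
                           ("other human", OTHER_HUMAN_SESSION),
                           ("bot", BOT_SESSION)]:
        print(f"{label:12s} score={anomaly_score(baseline, session):5.2f} "
              f"-> {classify(baseline, session)}")
```

With these constructed numbers the returning user scores well under 1, the other human and the scripted login both score above 3 and get a step-up. The threshold is the tuning knob: lowering it catches more coerced or hijacked sessions at the price of challenging more genuine customers, which is why the score feeds a step-up decision rather than an outright block.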
Account takeover is a serious global threat. To address ATO, credential stuffing and API attacks, banks are adopting solutions built on advanced analytics that understand the context and behaviour of transaction requests rather than just the credentials presented with them.
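As an added example of the kind of automated-attack detection this passage (and the call later in the article for solutions that detect and deter automated fraud) refers to, here is a small credential-stuffing detector run over constructed login events. It is not the article's or any vendor's code; the log format, thresholds (5 distinct usernames and an 80% failure rate inside 5 minutes) and all addresses and usernames are assumptions made for the illustration.

```python
"""Toy credential-stuffing detector over constructed login events (an added
illustration, not the article's or any vendor's code). The signal used: one
source IP cycling through many *different* usernames with a high failure rate
inside a short window, plus which of those attempts succeeded."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real traffic). Assumed line format:
#   <ISO-8601 UTC timestamp> ip=<addr> user=<name> result=<ok|fail>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:00:02Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:00:03Z ip=198.51.100.7 user=carol result=fail
2024-05-01T10:00:04Z ip=198.51.100.7 user=dave result=fail
2024-05-01T10:00:05Z ip=198.51.100.7 user=erin result=fail
2024-05-01T10:00:06Z ip=198.51.100.7 user=frank result=ok
2024-05-01T10:00:07Z ip=198.51.100.7 user=grace result=fail
2024-05-01T10:00:08Z ip=198.51.100.7 user=heidi result=fail
2024-05-01T10:00:09Z ip=198.51.100.7 user=ivan result=fail
2024-05-01T10:00:10Z ip=198.51.100.7 user=judy result=fail
this line is malformed and should be skipped
2024-05-01T10:01:00Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:01:20Z ip=203.0.113.5 user=alice result=ok
2024-05-01T10:02:00Z ip=192.0.2.9 user=bob result=ok
2024-05-01T10:10:00Z ip=203.0.113.44 user=carol result=fail
2024-05-01T10:12:00Z ip=203.0.113.44 user=dave result=fail
2024-05-01T10:14:00Z ip=203.0.113.44 user=erin result=fail
2024-05-01T10:16:00Z ip=203.0.113.44 user=frank result=fail
2024-05-01T10:18:00Z ip=203.0.113.44 user=grace result=fail
2024-05-01T10:20:00Z ip=203.0.113.44 user=heidi result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_events(text):
    """Return (timestamp, ip, user, success) tuples; malformed lines are skipped
    rather than allowed to crash the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4) == "ok"))
    return events


def detect_stuffing(events, window_seconds=300, min_users=5, min_fail_ratio=0.8):
    """Sliding window per source IP. An IP is reported when, within the window,
    it attempted at least `min_users` distinct usernames and at least
    `min_fail_ratio` of those attempts failed. For a reported IP the widest
    qualifying window is kept, along with the usernames it logged into."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            ratio = fails / len(win)
            if len(users) < min_users or ratio < min_fail_ratio:
                continue
            if ip in findings and findings[ip]["users"] >= len(users):
                continue
            findings[ip] = {
                "users": len(users),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted({e[2] for e in win if e[3]}),
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {f['users']} usernames, fail ratio {f['fail_ratio']}, "
              f"accounts to lock or step-up: {f['compromised']}")
```

On the constructed log only 198.51.100.7 is reported (10 usernames, 90% failures, and the one account it got into, frank, is the one to lock or force through step-up). The customer who mistyped a password once and the slow attacker at 203.0.113.44 are not flagged at the 5-minute window; widen the window to an hour and the slow attacker is caught too. That is the caveat with any per-IP rule: low-and-slow attempts spread across rotating residential proxies fall under the thresholds, so this signal has to be paired with per-account signals (one username seen from many addresses, a new device) and the behavioural session scoring discussed above.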
However, not every bank has the capability to use the latest technologies yet.
The UK and Australia seem to be getting help from regulators and the police to tackle ATO. For example, Australia passed the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 to combat serious online crime enabled by anonymising technology, creating three new warrants: network activity warrants, data disruption warrants and account takeover warrants, the last of which allows police to take control of a suspect’s online account for the purposes of an investigation.
In the UK, CIFAS and UK Finance are working closely with the banks to prevent fraud and stop ATO, and the most recent UK Finance fraud half-yearly results show that the efforts are starting to pay off with ATO down 28% compared to last year.
Globally, the banks need to look for solutions that can detect and deter automated fraud attacks, and they need to get better at real-time data sharing.
Behavioural biometrics capability is a necessity, especially for remote account takeover (RAT) cases. Fraudsters look for easy targets, and as banks apply more robust and sophisticated defences they will see attack volumes fall as fraudsters move on to easier targets.