Phishing and data breaches are not new. Many attacks have resulted in stolen customer account information. Various businesses are targeted. But perhaps among the most targeted victims of fraud are financial institutions. News of attacks has prompted different institutions to strengthen their cyber security. Some have included multifactor authentication, adding passwordless and biometric authentication along with other security measures like OTP. In doing so, they have reduced the risks of falling victims to different fraudulent activities.
One type of fraud that financial institutions should be wary of is Account Takeover (AT)). It happens when fraudsters use the credentials of the account holder to access legitimate banks, payment service providers (PSP), or merchant customer account. Commonly taken information includes bank and card account credentials, username and passwords, and personally identifiable information (PII).
In 2020, the number of successful monthly fraud attempts to financial services firms grew by 42%. Between the second quarter of 2019 to the second quarter of 2020, there was a 282% increase in ATO fraud attempts to steal from e-commerce merchants, as well as consumers.
How It Happens
There are many ways ATO attacks happen. Some fraudsters start by harvesting personal information. Using the data, they will conduct targeted phishing campaigns and gain unauthorized access to accounts.
Another way is credential stuffing, fraudsters use bots to compare lists of stolen credentials with different websites to find matches. Once they gain access to an account, they will be able to alter the details. Other possible activities they can do are add another name or redirect notifications and communications from financial institutions.
ATO attacks do not only affect financial institutions, merchants, and payment channels. The most affected may be the customers as it is their identity being stolen and used.
The affected customer may find themselves locked out of their account. They may even be unaware of the attack until they are informed of the unauthorized transactions through their bank or card statement. Additionally, their personal information is compromised.
The business itself will also suffer from the impact of ATO attacks. They can suffer financial losses. There may be chargebacks. Customers may demand refunds. The business may also spend money and time in disputing and/or processing said chargebacks.
At the same time, they will experience a hit on their reputation. Clients may lose trust and decide to leave the company. Thus, reducing future revenues.
The best protection against account takeover is security. Consider adding more authentication at different steps in the customer journey. Aside from asking for passwords and PII, add biometric authentication and passwordless authentication.