By Ray Birch
BOSTON—Account takeover fraud is ramping up to an “industrial scale,” according to one analyst who says many financial institutions are not prepared to defend against “Fraud, Incorporated.”
Trace Fooshee, senior analyst at Aite Group, told CUToday.info financial institutions are now getting caught off guard as crooks rapidly increase the size and scale of account takeover crime.
“It is not that they are caught unaware that these attacks are happening, they are caught off guard by the sheer number of them,” said Fooshee.
Account takeover fraud is a form of identity theft where a third party gains access to unique details of a trusted user's online accounts. By posing as the real customer or member, fraudsters can change account details, make purchases, withdraw funds, and even leverage the stolen information to access other accounts.
Other Growing Threat
The threat comes at the same time that synthetic ID fraud—where crooks create a fake identity and open accounts at financial institutions to obtain loans without ever intending to make a payment, and to commit other crimes—is rising quickly.
It had been expected that once EMV took hold crooks would begin shifting their focus to other fraud avenues, such as card-not-present fraud and account takeover, which has happened, as CUToday.info has extensively reported.
“But how fast fraudsters have focused on account takeover attacks has been surprising to many,” acknowledged Fooshee. “It was expected that maybe these crimes would increase two-fold, maybe three-fold, but we have seen them increase tenfold. No one was ready for that.”
What has led to the increase is the cost of these attacks coming down for crooks as they use new tools to execute their crimes, the large amounts of readily available personal data stolen through numerous large-scale breaches, and fraudsters now being able to execute these attacks in bulk, as opposed to attacking one account at a time.
What is ‘Most Concerning’
“The size of the attacks, their industrial scale, is what is most concerning,” Fooshee said. “Eight or nine years ago, account takeover fraud was a relatively rare thing. It didn't happen very often and when it did it was relatively limited in scope and scale. I kind of equated it then to a cottage industry—something that was perpetrated by a relatively small niche of criminals who were fairly specialized and were a little bit more clever than the average crook. Generally speaking, the average criminal steered away from account takeover because it was a lot more costly for them to pull it off, plus they had easier avenues to get money then, such as cards.”
Years ago, noted Fooshee, if a crook was considering attacking cards or taking over an account, the decision was simple.
“The card fraud caper wins out every day of the week and twice on Sunday because it's so easy to do,” he said. “You go on the dark web and get a batch of stolen cards and then go to town. Whereas with account takeover you really have to do a lot of research, identify your targets, get the personal data, and sort of do your surveillance. You have to figure out how you are going to pull this off…”
But that began to change in the last few years.
“A lot of the criminals’ data mining operations for credit card information also began to gather a lot of personally identifiable information,” noted Fooshee. “So, a lot of the information you needed to compromise someone's identity was also included in those mining operations.”
“Fraud Incorporated,” a term Fooshee uses to describe how crooks now work like big companies to perpetrate crime, began to turn its attention to account takeover as EMV made card crimes much more difficult and costly to pull off at the point of sale.
“That was the first catalyst, shifting tactics toward account takeover,” said Fooshee.
‘Rinse and Repeat’
Fooshee emphasized criminal organizations have devoted a great deal of time to developing new tools—such as using bots for credential stuffing—that make account takeover fraud easier and less costly, and that allow it to be pulled off at larger scale.
“When you look at the attack vectors and how these crimes are actually being executed, they're all very similar,” explained Fooshee. “There's not a whole lot of diversity. Once crooks find a bank and an attack pattern that works, they just rinse and repeat over and over and over again—keep on pulling that slot machine lever.”
What also has sped up account takeover crimes is the greater use of P2P, and the emergence of Zelle. Fooshee said that P2P gave fraudsters much easier, direct access to accounts, as well as the ability to grab funds quickly, almost in real time.
“This is when these attacks became very much industrialized,” said Fooshee. “Going after large volumes of consumers in a very methodical, and often automated manner.”
‘Tougher Nut to Crack’
Compared to defending against card attacks, preventing account takeover crime is much more difficult, said Fooshee. “It’s a tougher nut to crack and harder to deploy countermeasures to effectively insulate you against these criminal efforts.”
One of the strongest defenses, stressed Fooshee, is educating account holders on the dangers of using the same login and password for many of their banking and non-banking needs.
“The bad guys count on that,” he said. “More than 60% of consumers reuse existing passwords for online banking. Fraudsters load those credentials into their bots and go to town. Credit unions should encourage their members to change their logins and passwords often and not always use the same login and password for online banking as they do for Amazon. That will go a long way to preventing account takeover fraud.”
The Other Risk
Fooshee emphasized the reputation risk credit unions face with this fast-growing crime.
“If a credit union member is a victim of card fraud, there is enough knowledge in the marketplace that this kind of thing goes on. So it’s generally not unexpected by victims when it happens to them,” explained Fooshee. “In that way it’s a semi-forgivable offense and most CU members will look the other way and not hold the credit union accountable. But account takeover is different. It’s a crime that’s not well publicized… And when almost the entirety of your account is drained and you go for several days without any money, that’s an exceptionally traumatic experience. Members won’t likely be as forgiving about that.”