Account takeover (ATO) fraud is a common form of identity theft. Using stolen credentials, a fraudster logs in to a victim’s account and first makes non-monetary changes: modifying personally identifiable information (PII) such as the e-mail address, phone number or mailing address, requesting a replacement card, or adding an authorized user. Those changes redirect the account’s cards and notifications to the criminal, so the victim is slow to notice and the attacker gets a longer window in which to monetize the account. ATO fraud is not new, but it is hard to detect and can be carried out in many different ways, which makes it an increasingly attractive avenue for fraud.
Billions of stolen user names and passwords are for sale on the dark web. Attackers use enumeration to confirm which of those user names exist in a site’s database, and credential stuffing to learn which of the leaked passwords still work; both are run by automated programs or bots that complete each attempt in milliseconds. Payment account enumeration is the same idea applied to card data: bots test the elements a checkout requires, such as the card number, expiration date or CVV2, until a combination is accepted. ATO is growing at an alarming rate and continues to target e-commerce merchants that sell digital goods.
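Enumeration bursts stand out in ordinary web logs once you look at three things per client: how many failed attempts it makes, how many distinct user names or cards it tries, and how closely spaced the attempts are. The Python below is an added example, not code from the original article. It runs over a constructed sample log (the IP addresses, user names, masked card numbers and the timestamp/path/outcome/subject layout are all assumptions) and flags user-name enumeration against the login page and card testing against the checkout, while leaving alone a person who mistypes a password a few times over a minute.

```python
"""Flag enumeration bursts in login and checkout logs.

Added example, not code from the original article. The log format
(timestamp ip path outcome subject), the sample entries and the
thresholds are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log. Fields: ISO timestamp, client IP, path,
# outcome (OK/FAIL), subject (user name for /login, masked card for /checkout).
# 192.0.2.10 is a normal shopper, 192.0.2.44 a human retrying a forgotten
# password, 203.0.113.7 a bot validating user names, 198.51.100.9 a bot
# testing one stolen card number against many CVV2/expiry combinations.
SAMPLE_LOG = """\
2024-05-01T10:00:00.000 192.0.2.10 /login FAIL alice
2024-05-01T10:00:04.200 192.0.2.10 /login OK alice
2024-05-01T10:00:01.000 203.0.113.7 /login FAIL bob
2024-05-01T10:00:01.050 203.0.113.7 /login FAIL carol
2024-05-01T10:00:01.110 203.0.113.7 /login FAIL dave
2024-05-01T10:00:01.160 203.0.113.7 /login FAIL erin
2024-05-01T10:00:01.220 203.0.113.7 /login FAIL frank
2024-05-01T10:00:01.270 203.0.113.7 /login FAIL grace
2024-05-01T10:01:00.000 192.0.2.44 /login FAIL heidi
2024-05-01T10:01:20.000 192.0.2.44 /login FAIL heidi
2024-05-01T10:01:45.000 192.0.2.44 /login OK heidi
2024-05-01T10:02:00.000 198.51.100.9 /checkout FAIL 411111******1111
2024-05-01T10:02:00.120 198.51.100.9 /checkout FAIL 411111******1111
2024-05-01T10:02:00.240 198.51.100.9 /checkout FAIL 411111******1111
2024-05-01T10:02:00.360 198.51.100.9 /checkout FAIL 411111******1111
2024-05-01T10:02:00.480 198.51.100.9 /checkout FAIL 411111******1111
2024-05-01T10:02:00.600 198.51.100.9 /checkout FAIL 411111******1111
2024-05-01T10:02:30.000 192.0.2.10 /checkout OK 555555******4444
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    path: str
    outcome: str
    subject: str


def parse_log(text):
    """Parse the constructed whitespace-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path, outcome, subject = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, path, outcome, subject))
    return events


def find_enumeration(events, path, *, window=timedelta(seconds=10), min_attempts=5,
                     min_distinct=1, max_median_gap_ms=500):
    """Return {ip: details} for clients whose FAIL requests to `path` form a burst
    of at least `min_attempts` inside `window`, touch at least `min_distinct`
    subjects, and arrive with a median spacing of at most `max_median_gap_ms`
    (people do not retry every few milliseconds; bots do)."""
    by_ip = defaultdict(list)
    for e in events:
        if e.path == path and e.outcome == "FAIL":
            by_ip[e.ip].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the left edge until the run fits inside the window.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            run = evs[start:end + 1]
            if len(run) < min_attempts:
                continue
            # Integer milliseconds between consecutive attempts.
            gaps_ms = [(b.ts - a.ts) // timedelta(milliseconds=1) for a, b in zip(run, run[1:])]
            distinct = len({e.subject for e in run})
            if distinct >= min_distinct and median(gaps_ms) <= max_median_gap_ms:
                prev = alerts.get(ip)
                if prev is None or len(run) > prev["attempts"]:   # keep the largest burst
                    alerts[ip] = {"attempts": len(run), "distinct_subjects": distinct,
                                  "median_gap_ms": median(gaps_ms)}
    return alerts


def analyse(text):
    events = parse_log(text)
    return {
        # Many different user names from one client: user-name enumeration / credential stuffing.
        "username_enumeration": find_enumeration(events, "/login", min_distinct=5),
        # Rapid declines from one client: card number / expiry / CVV2 testing.
        "payment_enumeration": find_enumeration(events, "/checkout"),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for ip, details in hits.items():
            print(f"{kind}: {ip} {details}")
```

The thresholds are starting points to tune against your own traffic. The distinct-subject count is what separates user-name enumeration (many names from one client) from an ordinary brute-force attempt on a single account, and the median inter-arrival gap is what separates a bot from a person. In production the same logic runs over a stream rather than a file, and the `FAIL` outcome for the checkout would be derived from the processor’s decline code.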
The pandemic and the ensuing lockdowns caused e-commerce sales to skyrocket, and the upward trend continues today. Merchants and issuers are trying to stay ahead of criminals by deploying EMV chip and contactless payments, which make it much harder to capture and reuse card data at the point of sale. The battle never ends, though: with card-present fraud harder, criminals have moved online and now plant digital skimmers, malicious scripts rather than physical devices, in merchants’ checkout pages.
Cyber criminals also rely on web shells: small pieces of malicious code uploaded to a web server after they have found a vulnerability or a gap in its configuration, which give them remote access so they can send commands, alter the site’s pages and steal its data. Attackers scan the web continuously for such openings. Because a web shell looks like just another file in the web root and is operated through ordinary HTTP requests, it is difficult to detect, making it an attractive tool for criminals.
Data can also be stolen as customers type their personally identifiable information and card details into a checkout form. A skimming script running in the shopper’s browser copies the data and sends it to the attacker, so the merchant’s servers and payment processor see only a normal transaction and the business is unaware there is a problem. The attack therefore runs for a long time and lets cyber criminals harvest far more debit and credit card numbers.
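Because the skimmer executes in the shopper’s browser, the merchant’s server-side logs look normal; what does change is the set of scripts the checkout page loads and the bytes inside those scripts. The Python below is an added example, not code from the original article, of the check a page-integrity monitor performs: it inventories every `<script>` on the page, compares external scripts against an allowlist of approved sources with pinned Subresource Integrity (SRI) hashes kept outside the web root, re-hashes the downloaded script bodies, and reports inline scripts, which SRI cannot pin. The page HTML, the script bodies, the allowlist and the download results are all constructed for the example.

```python
"""Audit the scripts on a checkout page against an out-of-band allowlist.

Added example, not code from the original article. The page HTML, the
script bodies, the allowlist and the "fetched" script contents are all
constructed; in practice the fetch is a real HTTP request made by a monitor
that loads the checkout page the way a shopper's browser does.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body, alg="sha384"):
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"


class ScriptCollector(HTMLParser):
    """Collect external <script src> tags (with their integrity attribute) and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # (src, integrity attribute or None)
        self.inline = []     # inline script bodies
        self._buf = None     # collects text while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def audit_page(html, allowlist, fetched):
    """Compare the page's scripts with what was approved.

    allowlist: {src: expected SRI hash}, stored where the web server cannot
               write, so a web shell that edits the page cannot edit the reference.
    fetched:   {src: bytes}, the script contents the monitor downloaded.
    Returns a list of (finding, detail) tuples; an empty list means nothing changed.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.external:
        if src not in allowlist:
            findings.append(("unknown_script", src))            # a tag nobody approved
            continue
        if integrity != allowlist[src]:
            findings.append(("integrity_attr_changed", src))    # attribute removed or re-pinned
        if sri_hash(fetched.get(src, b"")) != allowlist[src]:
            findings.append(("content_changed", src))           # file on disk or CDN altered
    for body in collector.inline:
        findings.append(("inline_script", body[:60]))           # inline code cannot be pinned by SRI
    return findings


# Constructed legitimate checkout script and the allowlist pinned to it.
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('click', submitOrder);\n"
ALLOWLIST = {"/static/checkout.js": sri_hash(CHECKOUT_JS)}

CLEAN_HTML = f"""<html><body><form id="card"></form>
<script src="/static/checkout.js" integrity="{ALLOWLIST['/static/checkout.js']}"></script>
</body></html>"""
CLEAN_FETCHED = {"/static/checkout.js": CHECKOUT_JS}

# Constructed compromised state: the file on disk was altered and the integrity
# attribute dropped so the browser will run it, an unapproved third-party script
# was added, and an inline loader was injected.
SKIMMED_JS = CHECKOUT_JS + b"// injected: copies the card form fields to a third-party host\n"
COMPROMISED_HTML = """<html><body><form id="card"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script>/* injected inline loader */</script>
</body></html>"""
COMPROMISED_FETCHED = {"/static/checkout.js": SKIMMED_JS,
                       "https://cdn.example.net/analytics.js": b"// unknown content\n"}

if __name__ == "__main__":
    print("clean page:", audit_page(CLEAN_HTML, ALLOWLIST, CLEAN_FETCHED))
    print("compromised page:", audit_page(COMPROMISED_HTML, ALLOWLIST, COMPROMISED_FETCHED))
```

The approved hashes must live somewhere the web server cannot write: an attacker who has planted a web shell can edit the checkout page itself, and the constructed compromised page shows the usual result, the integrity attribute removed so the browser accepts the altered file, plus an unapproved third-party script and an injected inline loader. A Content-Security-Policy with a `script-src` allowlist adds a second layer in the browser, but only if the policy is also served from a place the attacker cannot edit.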
There are several ways to reduce account takeover. You’ve heard them before, but they are worth repeating:
- Do not reuse the same login and password on multiple sites. A password reused across sites lets one breach unlock every other account, which is exactly what credential stuffing bots count on.
- Turn on multifactor authentication (MFA). A one-time passcode by text or e-mail is the most common form; an authenticator app or a hardware security key is stronger, because SMS and e-mail codes can be intercepted through SIM swapping or phished along with the password.
- Use biometrics such as facial or fingerprint recognition where the account or device supports them.
- Monitor accounts for unusual activity and turn on transaction notifications, including alerts for profile changes such as a new e-mail address, phone number or authorized user, since those are the first moves in an account takeover.
Payment fraud evolves quickly, and fraud prevention and detection matter more than ever. A layered approach combined with customer education will help reduce fraud losses.