Account takeover (ATO) is commonly thought of as a fraudster using someone’s genuine but stolen credentials to access and steal funds from their online account. However, technological advancements, combined with the increasing sophistication of cybercrime and organized crime gangs, are spawning new, more complex ATO techniques.
One of these methods is impersonating or manipulating legitimate users. They can not only outwit legacy authentication techniques, but some of them can even outwit a victim’s own friends and family.
Here are 4 advanced ATO techniques you should be aware of right now.
Deep Fakes
Deep fakes are a sure sign that we’re living in a time when technologies previously reserved for science fiction are becoming a reality. Is it really so strange that machines can replicate someone’s voice or even reanimate a photo of a deceased relative in a world where Spotify can analyze a user’s emotions to offer them calming music when they are stressed or where robots can cook burgers?
Deep fakes can support a synthetic identity, a type of false ID commonly used by criminals that combines false and genuine information in order to circumvent financial services security. They can also compromise call centers by convincing agents that they are someone they are not.
SIM Swap Fraud
Changing your old phone number to a new one is a simple process. Unfortunately, bad actors can use the same process to commit SIM swap fraud, a particularly dangerous type of scam, and gain access to almost anyone’s account. They use deception or stolen information to trick mobile providers into transferring someone’s legitimate number to another SIM card.
SMS Fraud
Sending a one-time passcode (OTP) to a user to ensure they are who they say they are appears to be a good authentication measure at first glance. However, given how simple it is for bad actors to pull off a SIM swap scam, it may not add much security. It’s simple to port someone’s phone number to a device and intercept the OTP.
Because of vulnerabilities like these, SMS-based authentication has been listed as a method “to be avoided” in the European Banking Authority’s Strong Authentication Requirements for Internet Payments (EBA). While criminals continue to use advanced technologies to commit crimes, the security community understands what some institutions are hesitant to admit: it’s time for organizations that use SMS OTPs to move on.
Session Hijacking via RATs
Remote Access Trojans (RATs) are legitimate-looking apps that contain malware and can be unintentionally downloaded onto a device. RATs sneakily attach themselves to seemingly legitimate files. They allow hackers to take administrative control of the targeted device once downloaded.
After users have legitimately logged into their accounts, fraudsters use RATs to perform remote overlay attacks on target online banking sessions. This type of malware is commonly referred to as a Rat-in-the-Browser (RitB), a third-generation Trojan attack that can work in conjunction with a RAT to hijack a session. When the customer logs on, the installed RAT notifies the cybercriminal.
The attacker can then place their window over the target app. Victims enter data such as login credentials and bank card numbers. Instead of dealing with their banking app, they are giving the bad actors their personal information, allowing them to take over their accounts and steal their funds.
The Solution
As fraudsters use increasingly sophisticated technology that can learn and adapt to bypass security systems, financial institutions need to fight fire with fire. Companies need to know their customers through analyzing their behavioral biometrics. Implementing artificial intelligence and deep learning to know each and every customer through their online behavior enables FIs to answer the question “are you really you?”.
By profiling them at a granular level and using deep learning mechanisms to ensure the solution gets smarter and more accurate with each login, FIs can protect their customers from people who look and sound exactly like them.