4 Advanced ATO Techniques You Should Be Aware of


Account takeover (ATO) is commonly thought of as a fraudster using someone’s genuine but stolen credentials to access and steal funds from their online account. However, technological advancements, combined with the increasing sophistication of cybercrime and organized crime gangs, are spawning new, more complex ATO techniques.

One of these methods is impersonating or manipulating legitimate users. They can not only outwit legacy authentication techniques, but some of them can even outwit a victim’s own friends and family.

Here are 4 advanced ATO techniques you should be aware of right now.

Deep Fakes

Deep fakes are a sure sign that we’re living in a time when technologies previously reserved for science fiction are becoming a reality. Is it really so strange that machines can replicate someone’s voice or even reanimate a photo of a deceased relative in a world where Spotify can analyze a user’s emotions to offer them calming music when they are stressed or where robots can cook burgers?

What’s to stop someone who looks and sounds like you from attempting and succeeding in gaining access to your personal information? Because of this, deep fakes are one of the most complex ATO techniques used today.
Deep fakes can be so convincing that Russians used deep face filters on video calls to fool senior European parliamentary members into thinking they were speaking with different people. As a result, it’s not a huge leap for fraudsters to take advantage of this technology.

Deep fakes can support a synthetic identity, a type of false ID commonly used by criminals that combines false and genuine information in order to circumvent financial services security. They can also compromise call centers by convincing agents that they are someone they are not.

SIM Swap Fraud

Changing your old phone number to a new one is a simple process. Unfortunately, bad actors can use the same process to commit SIM swap fraud, a particularly dangerous type of scam, and gain access to almost anyone’s account. They use deception or stolen information to trick mobile providers into transferring someone’s legitimate number to another SIM card.

They then insert this SIM card into their phone to gain access to bank verification information. Fraudsters reap the benefits of their access before account holders notice anything is wrong. Criminals can even reset all other account information, locking the legitimate owner out of their own accounts.
SIM card fraud requires only basic information, such as a person’s name, date of birth, and address. Fraudsters gain access to this information through data breaches, phishing scams, and information sold on the dark web. Before registering the new SIM, fraudsters can also conduct simple online searches to gather the information they need to answer a call center agent’s security questions.
Fraudsters can even clone the legitimate user’s voice, giving the impression that they are the true account owner. This type of fraud has grown in popularity in recent years. SIM swap fraud has increased significantly in recent years, resulting in losses of more than £10 million to UK consumers alone in the first half of 2020, according to the UK’s Action Fraud.

SMS Fraud

Sending a one-time passcode (OTP) to a user to ensure they are who they say they are appears to be a good authentication measure at first glance. However, given how simple it is for bad actors to pull off a SIM swap scam, it may not add much security. It’s simple to port someone’s phone number to a device and intercept the OTP.

The threat increases with malware capable of intercepting OTPs and resending them to attackers. Your smartphone can intercept a text message and copy and paste the OTP to the requesting app. Malware can also intercept messages and send the OTP to fraudsters.
A more insidious threat is criminals compromising a mobile provider’s servers and intercepting all text-based OTPs. Instead of enhancing authentication security, mobile numbers used for two-factor authentication unwittingly provide a back door for fraudsters to exploit.

Because of vulnerabilities like these, SMS-based authentication has been listed as a method “to be avoided” in the European Banking Authority’s Strong Authentication Requirements for Internet Payments (EBA). While criminals continue to use advanced technologies to commit crimes, the security community understands what some institutions are hesitant to admit: it’s time for organizations that use SMS OTPs to move on.

Session Hijacking via RATs

Remote Access Trojans (RATs) are legitimate-looking apps that contain malware and can be unintentionally downloaded onto a device. RATs sneakily attach themselves to seemingly legitimate files. They allow hackers to take administrative control of the targeted device once downloaded.

After users have legitimately logged into their accounts, fraudsters use RATs to perform remote overlay attacks on target online banking sessions. This type of malware is commonly referred to as a Rat-in-the-Browser (RitB), a third-generation Trojan attack that can work in conjunction with a RAT to hijack a session. When the customer logs on, the installed RAT notifies the cybercriminal.

The attacker can then place their window over the target app. Victims enter data such as login credentials and bank card numbers. Instead of dealing with their banking app, they are giving the bad actors their personal information, allowing them to take over their accounts and steal their funds.

The Solution

As fraudsters use increasingly sophisticated technology that can learn and adapt to bypass security systems, financial institutions need to fight fire with fire. Companies need to know their customers through analyzing their behavioral biometrics. Implementing artificial intelligence and deep learning to know each and every customer through their online behavior enables FIs to answer the question “are you really you?”.

By profiling them at a granular level and using deep learning mechanisms to ensure the solution gets smarter and more accurate with each login, FIs can protect their customers from people who look and sound exactly like them.

account takeover

More Articles

Top Features to Look for in AML Software: Everything You Need to Know

Reputational Risk in Financial Compliance

Sanction Screening Quick Guide

Transaction Monitoring In a Nutshell