Deloitte’s Middle East Fraud Survey 2021 revealed that 48% of participants witnessed more fraudulent incidents in the last year than earlier years.
With the ever-increasing prevalence of fraud, businesses worldwide are always on the lookout for new ways to tackle it. This appears to be an ongoing escalation process and a cat and mouse game between anti-fraud efforts and the advanced tactics used by bad actors to prey on the unsuspecting.
Account Takeover Fraud (ATO) is one of the most common tactics fraudsters regularly use. ATO fraud is a tried and tested method for fraudsters and one that shows no signs of subsiding. Although the ideas, methodologies, and attack vectors are well-known and recognised, corporations are still losing upwards of $26 billion annually.
Even though ATO fraud has been around for a long time, fraudsters are only getting savvier, and their range of tactics and methods is growing.
A fraudster favourite
ATO is hugely cost effective from the perspective of fraudsters. Access to high-value accounts with authentication methods that are relatively easy to circumvent equals a substantial ROI.
Businesses often depend on usernames and passwords, accompanied by possession factors such as one-time passcodes (OTPs) delivered by SMS. All of these pose essentially no obstacle to fraudsters — the former are defeated by credential stuffing, while the latter can be bypassed through SIM swap and SS7 attacks. This is a sobering reminder that SMS was never designed to be secure.
However, this isn’t the only tactic that bad actors will employ. Remote Access Trojans (RATs) – and increasingly, MRATs, their mobile version – bots, automated attacks, and social engineering are just a handful of the ever-changing ways that threat actors effectively employ on an ongoing basis. RATs, which are used across online and mobile devices, are frequently downloaded by mistake via SMS and email links, false adverts, or fraudulent apps, granting fraudsters remote access to consumer devices.
Changing priorities
It is essential to consider which accounts are being targeted by scammers. Unfortunately, the answer is “all of them.”
It’s natural to link ATO with accounts that are thought to have direct monetary worth, such as bank accounts. However, bad actors will target any account if obtaining access to it will result in a profit, no matter how downstream the account is.
Let’s take, for instance, the large number of loyalty and incentive programmes run by firms all over the world. It’s tempting to dismiss them as low-value targets.
However, some schemes allow users to amass significant value, ranging from discount certificates to plane tickets. The true worth of unused reward points is hundreds of billions of dollars. That makes the perfect incentive for criminal actors: high value and weak security.
Understanding the actual cost of account takeover
In 2020, ATO is estimated to have cost $26 billion globally. That sum should be enough to make anyone pay attention, and it is only the beginning.
Fraud victims are unlikely to remain silent; they have numerous options for raising their complaints if they have been deceived.
They may also communicate their unhappiness through social media. Thus, any organisation that allows ATO to happen risks tremendous damage to its reputation and, as a result, its revenues.
Laying ATO to rest
ATO makes the news every week, which shouldn’t be the case in 2022: businesses can safeguard themselves, their customers, and their reputations by taking precautions.
It is crucial to close the security gaps around account access. Digital-first experiences require digital solutions. Analog authentication mechanisms such as usernames and passwords are simply too easy to circumvent. Moreover, adding SMS OTPs as a secondary authentication step isn’t going to help. In fact, it may exacerbate the problem by putting companies on dangerous ground: they end up authenticating through the same channel fraudsters use to execute their crimes.
What is required is a transition towards positive identification – a shift that enhances security and saves costs and improves the user experience.
By layering intelligence and combining elements such as behavioural biometrics with device and threat information, enterprises can ensure that only the right users have access to the right accounts. Moving beyond passwords and OTPs creates a strong barrier for bad actors, who will quickly shift their focus to easier targets.
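To make that layering concrete, here is an added example (not from the article or any vendor product) of a minimal risk engine that combines device recognition, a threat-intelligence lookup, a behavioural typing-cadence baseline and a recent-SIM-change signal into an allow / step-up / deny decision, plus a check for the one-IP-many-usernames pattern typical of credential stuffing. All IPs, device ids, baselines, weights and thresholds are constructed for illustration.

```python
"""Layered login risk scoring: device + threat intel + behaviour + SIM signal.
Every value below is constructed sample data, not real intelligence."""
from dataclasses import dataclass

# Constructed threat intel: source IPs previously seen in stuffing traffic.
BAD_IPS = {"198.51.100.7"}
# Constructed per-user baselines: enrolled device ids and mean inter-key interval (ms).
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}
TYPING_BASELINE_MS = {"alice": 180.0, "bob": 250.0}

@dataclass
class LoginAttempt:
    user: str
    device_id: str
    ip: str
    typing_ms: float            # observed mean inter-key interval for this session
    sim_changed_recently: bool  # carrier signal: SIM swapped within the last few days

def score(a: LoginAttempt) -> int:
    """Additive risk score; weights are illustrative, not calibrated."""
    s = 0
    if a.device_id not in KNOWN_DEVICES.get(a.user, set()):
        s += 30  # unrecognised device
    if a.ip in BAD_IPS:
        s += 40  # threat-intel hit
    base = TYPING_BASELINE_MS.get(a.user)
    if base and abs(a.typing_ms - base) / base > 0.5:
        s += 25  # behavioural drift from the user's own baseline
    if a.sim_changed_recently:
        s += 30  # an SMS OTP cannot be trusted right after a SIM change
    return s

def decide(a: LoginAttempt) -> str:
    """deny >= 70, step_up (non-SMS second factor) >= 30, otherwise allow."""
    s = score(a)
    if s >= 70:
        return "deny"
    if s >= 30:
        return "step_up"
    return "allow"

def credential_stuffing_ips(attempts, min_users: int = 3) -> set:
    """Flag source IPs that tried at least min_users distinct usernames."""
    users_by_ip = {}
    for a in attempts:
        users_by_ip.setdefault(a.ip, set()).add(a.user)
    return {ip for ip, users in users_by_ip.items() if len(users) >= min_users}
```

The step-up branch is where a non-SMS factor (an app-based or hardware authenticator) belongs; routing it back to SMS would reintroduce the weakness the article describes.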