Being able to conduct banking transactions from a personal computer or mobile phone is quick and convenient. There’s no more waiting in a queue at a bank branch to deposit or withdraw funds.

However, research conducted by US-based Security.org has found that a third of all log-in attempts for financial services companies were actually suspected account takeover attempts. Cyber criminals were trying to access the accounts of legitimate customers to steal funds.

The rise of account takeover fraud 

Account takeover fraud attempts usually begin with a cyber criminal trying compromised credentials, whether stolen, found on the dark web, or obtained through phishing attacks, against many accounts in a practice known as credential stuffing. Because many customers reuse and share their passwords, the risk of account takeover fraud is growing all the time.

Once they have obtained legitimate account credentials, a cyber criminal will often begin by making small changes to the account, such as changing the password so the legitimate account owner no longer has access.

The cyber criminal then moves on to conducting unauthorised financial transactions, including money transfers, until either the illegal activity is detected or the customer's account is drained of funds. In many cases it can take the defrauded customer months or even years to recover.

Ongoing fraudulent activity

Often, a cyber criminal who has gained access to a customer’s bank account can use the personal details they obtain to go even further, targeting other accounts at the same institution or accounts at different institutions where the customer has used the same credentials for access.

Cyber criminals can also use the captured personal details to create new fraudulent accounts using the victim's information. This can be very problematic and cause additional losses for the victim.

The cost for financial institutions

As well as causing issues for customers, the impact of account takeover fraud is also being felt by banks and other financial services firms. They incur direct costs as a result of each event as resources are allocated to assisting victims and other financial institutions or partners connected to the victim's account.

There can also be a loss of Customer Lifetime Value (CLV) if customers and their networks of friends and family move their accounts to other institutions as a result of the fraud attack.

If attacks are widespread or involve significant sums of money, a financial firm can also suffer brand damage. This comes not only from word-of-mouth or social media reports but also from mainstream media coverage.

How MFA can help to prevent account takeover fraud

Multi-factor authentication (MFA) provides banks and other financial institutions with an added layer of security to prevent cyber criminals from using stolen credentials to access customer accounts. In fact, the Open Web Application Security Project (OWASP) lists multi-factor authentication as the single primary control to mitigate the risk of credential stuffing attacks.

MFA requires users to provide proof of their identity from more than one authentication category. These are typically:

  • Knowledge: something the customer knows, such as passwords, PINs, and answers to security questions.

  • Possession: something the customer has. This could be a one-time password or PIN or another type of soft token sent to a smartphone, or a hard token such as a USB-based device or a separate code generator.

  • Biometric: a trait that is unique to each individual, confirmed through fingerprint scans, facial or voice recognition, or retinal scans.

Deploying a comprehensive security platform

MFA has been widely deployed by financial institutions. Unfortunately, it is still common practice to use authentication factors such as SMS codes, which are susceptible to SIM-swap attacks and introduce friction to the customer experience.

By implementing MFA as part of a holistic customer identity and access management (CIAM) platform, these institutions could provide MFA solutions that use modern authentication factors such as biometrics or push authentication. This provides customers with an easier, more secure experience.

Security can be further enhanced through the inclusion of online fraud detection tools that can identify abnormal behaviour if a cyber criminal gains access to an account. These tools make use of sophisticated artificial intelligence technology to detect signs that may go unnoticed by humans.
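As an added example (not from the article or from Ping Identity), the following Python applies two simple detection rules to constructed login-event lines: the credential-stuffing pattern described earlier (one source trying many distinct accounts with a low success rate) and the post-takeover pattern of a password change quickly followed by a transfer. The log format, field names and thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data; IPs are from documentation ranges).
SAMPLE_LOG = """\
2024-05-01T09:00:01 ip=203.0.113.7 user=alice action=login result=fail
2024-05-01T09:00:02 ip=203.0.113.7 user=bob action=login result=fail
2024-05-01T09:00:03 ip=203.0.113.7 user=carol action=login result=fail
2024-05-01T09:00:04 ip=203.0.113.7 user=dave action=login result=fail
2024-05-01T09:00:05 ip=203.0.113.7 user=erin action=login result=success
2024-05-01T09:00:06 ip=203.0.113.7 user=frank action=login result=fail
2024-05-01T09:02:10 ip=203.0.113.7 user=erin action=password_change result=success
2024-05-01T09:05:30 ip=203.0.113.7 user=erin action=transfer result=success
2024-05-01T09:10:00 ip=198.51.100.4 user=grace action=login result=fail
2024-05-01T09:10:20 ip=198.51.100.4 user=grace action=login result=success
2024-05-01T10:00:00 ip=198.51.100.4 user=grace action=transfer result=success
"""

def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        e = dict(p.split("=", 1) for p in kv)
        e["ts"] = datetime.fromisoformat(ts)
        events.append(e)
    return events

def stuffing_sources(events, min_accounts=5, max_success_rate=0.25):
    """Source IPs that tried many distinct accounts with mostly failed logins."""
    accounts, attempts, ok = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e["action"] != "login":
            continue
        accounts[e["ip"]].add(e["user"])
        attempts[e["ip"]] += 1
        ok[e["ip"]] += e["result"] == "success"
    return sorted(ip for ip in attempts
                  if len(accounts[ip]) >= min_accounts
                  and ok[ip] / attempts[ip] <= max_success_rate)

def takeover_sequences(events, window=timedelta(minutes=30)):
    """Accounts where a successful password change is followed by a transfer within the window."""
    flagged, last_change = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "password_change" and e["result"] == "success":
            last_change[e["user"]] = e["ts"]
        elif e["action"] == "transfer" and e["user"] in last_change:
            if e["ts"] - last_change[e["user"]] <= window:
                flagged.append(e["user"])
    return flagged
```

On the sample data `stuffing_sources` flags only 203.0.113.7 and `takeover_sequences` flags only erin; grace's single failed attempt followed by a success and a later transfer matches neither rule.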

By taking these steps, banks and other financial institutions can be much better placed to prevent fraud and maintain effective security for their customers. Online banking will continue to be an important part of modern life, and so ensuring both users and banks can maintain faith in the systems is vital.

Steve Dillon, head of APAC architecture, Ping Identity