Account Takeover Fraud , Fraud Management & Cybercrime , Video
Account Takeover Fraud Declines in Financial Services
Tighter Security Controls Help Stop Fraud, But Fake IDs and Web Scraping Are RisingAccount takeover fraud in the financial services industry is declining in contrast with other industries such as retail and hospitality. Researchers at Human Security attribute the nearly 50% reduction to one of the basic controls in cybersecurity: multifactor authentication.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Human Security, which blocked more than 352 billion attempts at account takeover, carding attacks and web scraping across its customer base in 2023, said the percentage of ATO attacks against banks fell from 49% in 2022 to 26% in 2023, as attacks on the travel and hospitality industry jumped from 32% of traffic on login pages to 52% of traffic during the same period, according to a new report.
The decline of ATO attacks in financial services is not due to new silver bullet technologies. Instead, the trend is the result of the combination of industry regulation forcing the adoption of robust security tooling and methodology and the broad solutions financial services organizations have deployed to protect against attacks, said Gavin Reid, CISO at Human Security.
"Collaboratively, these forces push companies handling a customer's finances to take every precaution possible to safeguard accounts, resulting in an overall reduction of ATO activity," he told Information Security Media Group.
Instead of just needing a pool of IP addresses to hide their presence, attackers now need tools to get beyond rate-limiting, multifactor authentication protocols, CAPTCHA, TLS checks and one-time passwords. These layers of security have forced attackers to invest more time and energy, leading to a plunge in attack frequency, Reid said.
Fraud executives draw a clear line between data breaches and the rise in identity theft and ATO incidents. The number of reported data breaches in the U.S. rose to a record 3,205 in 2023, up 78% from 2022 and 72% from the previous high-water mark in 2021, according to the nonprofit Identity Theft Resource Center. Trends are similar in other parts of the world.
Financial institutions have widely adopted dark web threat intelligence as a control measure, ranging from periodic briefings to real-time automated feeds. They also use device fingerprinting, which remains popular despite some fraud executives saying it is declining in effectiveness as fraudsters develop ways to spoof device profiles.
Fake Account Fraud and Web Scraping
The report also addresses fake account fraud, transaction abuse and web scraping.
Fake account creation and post-login account fraud are major concerns. There have been more than 200,000 attempts to create fake accounts and 40,000 compromised accounts per company. Transaction abuse, especially carding attacks, continues to plague financial services. Carding involves testing stolen credit card information through small purchases before making larger fraudulent transactions. Although the rate of carding attacks decreased, the total number of incidents rose by 33%, indicating that these attacks still hold significant value for cybercriminals despite increased security measures in the banking sector.
Web scraping remains a popular attack method, and it significantly affects business metrics and decision-making in the retail and e-commerce industries.
The report also highlights the growing role of AI in cyberattacks. AI-assisted credential cracking and content manipulation are emerging threats, and AI is being used to generate convincing disinformation and manipulate online content. Also, cybercriminals are increasingly targeting loyalty and incentive programs to exploit their pseudo-currency value.