Empowering businesses with ATO prevention strategies
96% of banks admit that account takeover (ATO) is among the types of fraud that concern them most. It’s no coincidence that the ATO prevention market is projected to see massive growth over the next five years, with an estimated increase of 60% according to recent studies.
Account takeover (ATO) is a form of cyber fraud in which an attacker gains unauthorised access to a user’s online account. This can happen in various ways, such as through credential theft (username and password), brute force attacks, phishing, or other methods that we will detail further on.
ATO remains a rampant threat for any industry operating in digital environments, although banks and fintech companies are particularly affected by its consequences.
Account takeover is just the beginning of the problem. Once the attacker has access, they can carry out various fraudulent actions, such as:
- Personal and Financial Information Theft: The attacker can access sensitive data such as the victim’s full name, address, phone number, credit card information, medical records, or banking details.
- Making Unauthorised Purchases: The victim’s credit card details or banking information can be used to make online or in-store purchases.
- Sending Fraudulent Emails: In a chain reaction, the attacker might use the stolen email account to send phishing emails to other users, aiming to obtain more personal or financial information.
- Damaging the Victim’s Reputation: Another risk faced by victims is the possibility of the attacker posting false or defamatory content on the victim’s social media accounts or other websites.
ATO: A confluence of frauds threatening the security of digital transactions
Account takeover (ATO) employs increasingly sophisticated and widespread techniques. It is crucial to understand the diversity of the ATO phenomenon to implement effective security strategies that protect users.
- Credential Stuffing: This is an automated ATO method that involves testing stolen or leaked credentials on multiple websites. Attackers obtain these credentials through data breaches, malware attacks, or by purchasing databases on the dark web. These breaches are more common than we think and affect large companies that invest heavily in security. Examples include the attacks in May on giants like Telefónica, Iberdrola, Santander, and Ticketmaster, which exposed millions of records. Once attackers have a list of credentials, they use automated tools to test them on different websites. These tools can test millions of combinations quickly. If a username and password combination works on a site, the attacker gains access to the user’s account. Credential stuffing is highly effective because it is fast and easy to carry out. To prevent it, methods beyond passwords are being implemented, such as biometric authentication and device-based authentication.
- Phishing: This well-known method involves tricking users into revealing their credentials or personal information. Attackers often send fake emails or text messages that appear to come from a legitimate company or organisation. These emails or texts typically contain a link to a fake website that looks like the real site of the company or organisation. When the user clicks the link and accesses the fake site, they are asked to enter their credentials or personal information, which the attacker then captures and uses to access the user’s account. Phishing is highly effective because it relies on social engineering. Attackers often create very convincing emails or text messages that can trick users into revealing their personal information.
- SIM Swapping: This involves transferring the victim’s phone number to a new SIM card controlled by the attacker. Once the attacker has control of the phone number, they can intercept two-factor authentication (2FA) codes and other text messages sent to the victim, allowing them to access the victim’s accounts.
- Malware: Malware is malicious software that can be installed on the victim’s device without their knowledge. Various types of malware can be used to carry out ATO attacks, such as keyloggers that record the victim’s keystrokes, allowing the attacker to capture the victim’s credentials when entered on a website, or trojans, malicious programs that disguise themselves as legitimate software to steal confidential information, including the victim’s credentials, once installed.
- Man in the Middle (MitM): A MitM attack occurs when the attacker positions themselves between the victim and the legitimate server they are trying to access. The attacker can intercept the traffic between the victim and the server and steal personal data and login credentials.
- Social Engineering: Social engineering techniques are diverse and always play on the user’s psychology to alter their behaviour. Cybercriminals might create a false pretext to contact the victim and request personal information (e.g., posing as a customer service representative) or create a sense of urgency. For instance, to make the victim act without thinking, they might send an email stating that the account has been hacked and prompt them to click a link to reset a password.
- Selling and Monetising Accounts: In some cases, attackers do not access victims’ accounts to steal personal or financial information. Instead, they sell the accounts to other criminals who can use them for illicit activities, such as sending spam or launching denial-of-service (DoS) attacks.
In any case, phishing is the most significant ATO threat factor and the most common method attackers use to access user accounts.
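The credential stuffing pattern described in the list above (one source testing many different usernames, most of them failing) can be detected from authentication logs. The Python example below is added here and is not TrustCloud code; the event format, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window per source
MIN_USERS = 5                  # assumed: distinct usernames tried in the window
MIN_FAIL_RATIO = 0.8           # assumed: share of failed attempts in the window

def build_sample():
    """Constructed login events: (timestamp, source_ip, username, success)."""
    t0 = datetime(2024, 6, 1, 9, 0, 0)
    events = []
    # One source cycling through many usernames, one attempt each, mostly failing.
    for i in range(8):
        events.append((t0 + timedelta(seconds=4 * i), "203.0.113.7", f"user{i}", i == 5))
    # A legitimate user mistyping their own password twice, then succeeding.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=30 * i), "198.51.100.20", "alice", ok))
    # A shared office egress IP: several users, nearly all successful.
    for i in range(6):
        events.append((t0 + timedelta(seconds=20 * i), "192.0.2.50", f"staff{i}", i != 2))
    return sorted(events)

def detect_stuffing(events):
    """Return {source_ip: (distinct_users, failures, attempts)} for suspicious sources."""
    windows = defaultdict(deque)
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:       # drop attempts older than the window
            win.popleft()
        users = {u for _, u, _ in win}
        failures = sum(1 for _, _, s in win if not s)
        # Many usernames AND mostly failures: a single user retrying their own
        # password or a busy shared IP does not meet both conditions.
        if len(users) >= MIN_USERS and failures / len(win) >= MIN_FAIL_RATIO:
            flagged[ip] = (len(users), failures, len(win))  # latest matching window
    return flagged

def compromised_accounts(events, flagged):
    """Usernames that logged in successfully from a flagged source: reset these first."""
    return sorted({u for _, ip, u, ok in events if ok and ip in flagged})

if __name__ == "__main__":
    sample = build_sample()
    hits = detect_stuffing(sample)
    print(hits, compromised_accounts(sample, hits))
```

The second function matters as much as the first: a successful login from a flagged source is the account that has actually been taken over and needs a forced password reset and session revocation.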
Why account takeovers are especially concerning in the banking industry
Bank accounts contain highly confidential financial information, such as banking details, credit and debit card numbers, and transaction histories. If an attacker gains access to this information, they can engage in various fraudulent activities, such as stealing funds and identity theft. The attacker could use the victim’s personal information to open new bank accounts or apply for loans in their name or sell the information to criminal organisations.
A successful ATO attack can severely damage a bank’s reputation, causing customers affected by this type of fraud to lose trust in the institution and take their financial business elsewhere. Of course, it also results in significant economic costs for banks, which must invest in security measures to protect their customers from this type of fraud and cover the costs associated with investigating and resolving ATO cases.
Fraud also erodes confidence in the financial system in general: if customers perceive that their data and funds are not secure in banks, they are less likely to use their services.
Technological measures to prevent ATO in banking: authentication and prevention
From a technological perspective, banks can implement various strategies to prevent ATO attacks, both in terms of authentication and prevention.
ROBUST AUTHENTICATION
- Two-Factor Authentication (2FA): 2FA adds an extra layer of security to the authentication process by requiring the user to enter a second factor of authentication, in addition to their password. This second factor can be a code sent via SMS or email, a fingerprint, facial recognition, or a physical security key.
- Biometrics: Biometrics uses the user’s physical or behavioural characteristics, such as a fingerprint, facial recognition, or iris scan, to verify their identity. Biometrics is a very secure authentication method, as it is difficult to forge biometric characteristics.
- Risk-Based Authentication: Risk-based authentication analyses the context of a login attempt to determine if it is legitimate or not. If the system detects suspicious behaviour, it can prompt the user to provide additional information or complete a more complex authentication challenge.
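Risk-based authentication as described in the last item can be expressed as a score over the login context that maps to allow, step-up or deny. The Python example below is added here and is not TrustCloud code; the signals, weights, thresholds and the `sim_changed_recently` flag are assumptions for illustration, and it avoids an SMS challenge after a recent SIM change because of the SIM swapping risk described earlier.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    """What is already known about the account (hypothetical model)."""
    known_devices: set
    usual_countries: set
    usual_hours: range            # local hours in which the user normally logs in

@dataclass
class Attempt:
    device_id: str
    country: str
    hour: int
    recent_failures: int = 0
    sim_changed_recently: bool = False   # assumed signal from a carrier/device check

# Assumed weights and thresholds; a real deployment tunes them on its own fraud data.
WEIGHTS = {"new_device": 30, "new_country": 30, "odd_hour": 10,
           "failures": 20, "sim_change": 40}
STEP_UP_AT, DENY_AT = 30, 80

def score(profile, attempt):
    """Return (total_score, reasons) for one login attempt."""
    checks = [
        ("new_device", attempt.device_id not in profile.known_devices),
        ("new_country", attempt.country not in profile.usual_countries),
        ("odd_hour", attempt.hour not in profile.usual_hours),
        ("failures", attempt.recent_failures >= 3),
        ("sim_change", attempt.sim_changed_recently),
    ]
    reasons = [name for name, hit in checks if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(profile, attempt):
    """Map the score to an action: allow, a step-up challenge, or deny."""
    total, reasons = score(profile, attempt)
    if total >= DENY_AT:
        action = "deny"
    elif total >= STEP_UP_AT:
        # An SMS code proves nothing if the number may have just been ported,
        # so challenge with a factor that is not tied to the phone number.
        action = "step_up:biometric" if "sim_change" in reasons else "step_up:otp"
    else:
        action = "allow"
    return action, total, reasons

PROFILE = Profile({"dev-a1"}, {"ES"}, range(7, 23))   # constructed sample profile

if __name__ == "__main__":
    print(decide(PROFILE, Attempt("dev-zz", "BR", 3, recent_failures=4)))
```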
FRAUD PREVENTION
- User Behaviour Analytics (UBA): UBA monitors user behaviour across online banking channels and looks for abnormal patterns that could indicate a fraud attempt. For example, if a user makes a series of unusual transactions or accesses their account from an unknown location, the system can block the account and request the user to verify their identity.
- Threat Intelligence: Threat intelligence, also known as Cyber Threat Intelligence (CTI), involves the process of collecting, analysing, and disseminating information about potential security threats. This information can include data on malicious actors, their tactics, techniques, and procedures (TTP), and the vulnerabilities they exploit to carry out attacks. Threat intelligence is essential for organisations of all sizes as it helps them defend against cyberattacks, investigate security incidents, and prioritise security investments. For banks, using threat intelligence helps them stay informed about the latest fraud techniques and tools used by attackers, thereby improving detection systems.
- Data Tokenisation: Tokenisation is a process that involves replacing sensitive data, such as credit and debit card numbers, with unique tokens, thereby protecting confidential information in the event of a data breach.
- Data Encryption: Data encryption protects confidential information by encoding it in a way that can only be decrypted by authorised users. This is especially important for data transmitted over the internet or stored on servers.
ROBUST SECURITY PRACTICES
- Keep Software Up-to-Date: It is crucial to install the latest security updates for the operating system and banking software. These updates often include patches for vulnerabilities that attackers could exploit to conduct ATO attacks.
- Network Segmentation: Network segmentation involves dividing a bank’s network into smaller, isolated networks, limiting access to confidential data, and containing the impact of an attack if it occurs.
- Control Data Access: Restrict access to confidential data to only those employees who need it to perform their job. Implementing role-based access control (RBAC) can be an effective approach for this.
- Train Employees on Cybersecurity: Bank employees should be educated about the risks of ATO and how to protect themselves from this type of fraud. This training should be updated regularly to reflect the latest threats.
Fighting the complex reality of ATO requires joint collaboration between banks, technology companies, government authorities, and users. By combining effective security strategies, risk awareness, and a proactive approach, we can strengthen digital security and protect transactions more effectively.