
And One Way to Fight Back

5 Things Fueling Account Takeover

FIVE THINGS FUELING ACCOUNT TAKEOVER AND ONE WAY TO FIGHT BACK / 2

CREDENTIAL RE-USE

Consumers have numerous online accounts that they access on a regular basis, each requiring a unique, and often complex, password to remember. The inability to remember and manage multiple credentials leads consumers to reuse the same password across multiple accounts. A recent study by Google [1] found that 65% of consumers use the same password across most or all of their online accounts. The common practice of credential re-use makes it easy for fraudsters to access online accounts with compromised credentials, typically obtained through phishing or data breaches.

CREDENTIAL STUFFING

Credential stuffing is a form of account takeover where fraudsters initiate automated attacks against popular websites to gain access to consumer accounts at massive scale. With the wide availability of stolen credentials for sale in fraud forums, as well as credential re-use, it does not require a high login success rate for fraudsters to realize considerable rewards. BioCatch has recently observed fraudsters targeting APIs to perform credential stuffing and hide their attacks behind trusted sources. They are also testing in smaller batches in hopes of evading detection, with success rates up to 23%. Aside from potential fraud losses, businesses run the risk of downtime and outages during these attacks as many websites are not designed to handle the enormous increase in traffic.
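As an added example (not from this whitepaper or from BioCatch), the following Python detector shows the defender's view of the pattern just described: it aggregates constructed login-log lines per source IP and flags sources that cycle through many distinct usernames with a low success rate, which a genuine user retrying their own password never does. The log format, IP addresses and thresholds are assumptions.

```python
"""Toy credential-stuffing detector over login logs (constructed example,
not BioCatch code). A stuffing source cycles through many distinct
usernames with a low success rate; a genuine user retries one username."""
from collections import defaultdict
import re

LINE_RE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                     r"endpoint=(?P<endpoint>\S+) result=(?P<result>ok|fail)$")


def parse_line(line):
    """Return the fields of one log line, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Per source IP: attempts, successes, distinct users, endpoints hit."""
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "endpoints": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip garbage rather than crash the pipeline
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["ok"] += ev["result"] == "ok"
        s["users"].add(ev["user"])
        s["endpoints"].add(ev["endpoint"])
    return stats


def flag_stuffing(lines, min_distinct_users=5, max_success_rate=0.3):
    """Map source IP -> reason for sources that look like credential stuffing.
    Thresholds are illustrative; keying on distinct usernames (not raw volume)
    catches a small test batch yet spares a user retrying their own password."""
    flagged = {}
    for ip, s in aggregate(lines).items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = (f"{len(s['users'])} distinct users, {rate:.0%} success, "
                           f"endpoints={sorted(s['endpoints'])}")
    return flagged


# Constructed sample: one source testing a small batch of stolen credentials
# against the API endpoint, one genuine user mistyping, one normal login.
SAMPLE_LOG = [
    f"2021-12-07T10:00:{i:02d}Z ip=203.0.113.5 user={u} endpoint=/api/v2/login result={r}"
    for i, (u, r) in enumerate([("alice", "fail"), ("bob", "fail"), ("carol", "ok"),
                                ("dave", "fail"), ("erin", "fail"), ("frank", "fail"),
                                ("grace", "ok"), ("heidi", "fail")])
] + [
    "2021-12-07T10:01:00Z ip=198.51.100.7 user=pat endpoint=/login result=fail",
    "2021-12-07T10:01:05Z ip=198.51.100.7 user=pat endpoint=/login result=fail",
    "2021-12-07T10:01:20Z ip=198.51.100.7 user=pat endpoint=/login result=ok",
    "2021-12-07T10:02:00Z ip=192.0.2.9 user=quinn endpoint=/login result=ok",
    "not a log line",
]
```

Running `flag_stuffing(SAMPLE_LOG)` flags only 203.0.113.5 (8 distinct users, 25% success, the API endpoint); the same rule keyed on request volume alone would miss a batch this small.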

Account takeover fraud remains an ongoing problem for financial institutions, e-commerce merchants, and virtually any organization that offers products or services that can be monetized. Account takeover is a form of identity theft in which a fraudster gains access to a victim’s account and uses it to make unauthorized transactions or purchases.

There are several different ways account takeover attacks can be perpetrated. Some of the most common are:


MALWARE ATTACKS

Many popular financial malware families contain Man-in-the-Middle (MitM) or Man-in-the-Browser (MitB) functionality that interferes with a legitimate user’s session in order to circumvent traditional fraud prevention tools. Some malware is designed to grab device fingerprints or one-time passcodes needed to authenticate. Other malware is capable of modifying transaction details, redirecting user sessions, or injecting additional fields in order to harvest credentials or other personal information.

1 out of 4 account takeover fraud cases involve a social engineering or impersonation scam

REMOTE ACCESS TOOL ATTACKS

Remote Access Tool (RAT) attacks allow a fraudster to take administrative control of a user’s device. This type of attack can originate via Trojan malware that installs a remote access tool on the device or via social engineering attacks that convince users to download a RAT themselves. These attacks pose significant challenges to fraud teams because they often take over after login, meaning the session is already authenticated, and by design they circumvent traditional fraud detection tools that look for the presence of malware, bots and blacklisted devices or IP addresses.

SOCIAL ENGINEERING VOICE SCAMS

One of the more sophisticated versions of account takeover and among the most difficult to detect, social engineering voice scams are on the rise worldwide. In this type of attack, which relies on psychological tactics and clever scripts, a fraudster poses as a legitimate representative of a bank or other organization in order to trick users into initiating a payment or money transfer to a bank account controlled by the fraudster, often in real time. Fraudsters use several other forms of impersonation as well, such as romance scams, Help Desk scams, and lottery or sweepstakes scams.


5 Things Fueling Account Takeover

DATA BREACHES

A data breach to a fraudster is like a treasure chest to a pirate – full of gold. There are more than 15 billion account credentials available for sale on the dark web, mostly email addresses and username-password combinations, providing fraudsters with a continuous supply of data to commit account takeover. The number of credentials that have been stolen or exposed has increased 300 percent since 2018 as the result of more than 100,000 separate breaches [2].

FRAUD AUTOMATION

Fraudsters are continuously working to innovate and develop the tools, technology, and methods they use in cybercrime attacks. One example is the use of fraud automation tools, such as SNIPR and Sentry MBA, in automated attacks such as credential stuffing. These tools enable fraudsters to check the validity of high volumes of credentials against any website in minutes. According to a study by the Ponemon Institute, even if only one percent of compromised accounts resulted in fraud as a result of credential stuffing, an organization would stand to lose $500,000 in a single attack.

SOCIAL ENGINEERING

Humans are the weakest link. Whether it’s clicking on a link in a phishing email or unknowingly authorizing a fraudulent transaction, every successful fraud attack relies on the ability to exploit human vulnerabilities. Advanced social engineering scams, such as authorized push payments, are the most difficult type of attack to detect and nearly impossible to recognize with traditional fraud prevention methods.

EXPANSION OF DIGITAL BANKING SERVICES

The financial services industry is shifting to a digital-first strategy to simplify banking, optimize the user experience, and expand product portfolios and revenue streams. The pressure on traditional banking from emerging challenger banks and FinTechs has created an innovation race. From mobile and cloud to instant payments and P2P platforms, financial institutions are faced with balancing the benefits of innovation against the potential new risks of an expanding attack surface.

EXISTING SECURITY CONTROLS

With a near universal reliance on passwords, most fraud prevention tools are designed to provide an additional layer of strong authentication based on parameters such as device identification, IP, geo-location and one-time passcodes. However, fraudsters have learned to circumvent many of these security controls. Today, 100% of fraud occurs within authenticated sessions, making visibility beyond login, based on user behavioral parameters, critical to minimizing fraud risk.


Account Takeover in Numbers

$6 Billion: Total losses attributed to account takeover fraud in 2020 in the U.S. [5]

£479 Million: Total losses attributed to authorized push payment fraud in 2020 in the UK [3]

87%: Increase in account takeover involving social engineering or impersonation scams in 2021 [6]

59%: Share of consumers who experienced identity theft in 2020 and experienced account takeover across multiple accounts [4]

1,041: Number of user accounts targeted on average in a credential stuffing attack [7]


A large bank detected 90% of mule accounts before a fraud could occur with behavioral biometrics

Mule Detection Proves to Be the Weak Link in Stopping Account Takeover

Mule accounts are the most critical link in the fraud supply chain infrastructure. After all, cybercriminals can’t steal money if they have nowhere to send it. According to Europol, more than 90% of all money mule transactions are directly linked to cybercrime.

The financial industry recognizes that mule accounts are a significant problem; however, only six percent of financial institutions have actively invested in mule detection, according to a recent study by Aite Group. Combine that with a lack of industry standards for detection and monitoring and the increase in P2P platforms and faster payments, and an ideal environment for mule activity to flourish is born.

Some financial institutions have turned to technology to solve the problem. BioCatch behavioral biometrics leverages risk models to detect mule accounts before fraud is perpetrated in both the new account opening process and at the point of payment. A large bank in Asia leveraging behavioral biometrics technology detected and shut down 90% of mule accounts before a fraud could occur.

Only 6% of financial institutions actively invest in mule detection


One Way To Fight Back: Behavioral Biometrics

Behavioral biometrics offers a fresh approach to account takeover protection across an authenticated user session. Behavioral biometrics identifies users by how they do what they do, rather than by what they are (e.g., fingerprint, face), what they know (e.g., secret question, password) or what they have (e.g., token, SMS one-time code).

Here are some of the top account takeover threats, capable of bypassing traditional fraud prevention and authentication defenses, that behavioral biometrics helps expose.

MANUAL ACCOUNT TAKEOVER

When cybercriminals attempt to access user accounts through manual login requests, behavioral biometrics observes numerous risk indicators associated with expert user patterns and lack of familiarity with data. For example, a cybercriminal, most likely working off a list of stolen credentials, will use copy and paste to input a username and password while a genuine user will type it in without interruption or use the AutoFill feature.

FINANCIAL MALWARE

Most financial malware families are designed with the ability to take over a session while mimicking the trusted device and location of the genuine user. Behavioral biometrics provides a deeper level of insights by finding anomalies in behaviors such as interaction and navigation patterns, scrolling preferences and hand-eye coordination.

REMOTE ACCESS TOOLS (RAT)

Account takeover attacks using remote access tools are very difficult to detect because the RAT is initiating a transaction from the genuine user’s device. Evidence that a RAT is present in a session is readily spotted with behavioral biometrics by observing behaviors such as mouse movements and scrolling patterns. For example, a legitimate user will demonstrate no interruption of hand-eye coordination and show smooth mouse movements whereas a RAT session shows jumpy, inconsistent mouse motions. Interestingly, many BioCatch customers have reported that after deploying behavioral biometrics, they saw cybercriminals had used remote access tools to perform reconnaissance on an account and user’s activity prior to initiating a fraudulent payment or transaction.

SOCIAL ENGINEERING VOICE SCAMS

Social engineering voice scams are perhaps the most difficult to detect as the transaction or payment is being conducted by the genuine user who is logging in from their own device and a valid location. In addition, even if required to provide additional authentication credentials, such as a one-time passcode, the legitimate user will be able to provide them. Behavioral biometrics looks for changes in behavior that indicate a user’s intent and emotional state in context of the activity being performed. For example, changes in behavior can determine with statistical significance whether a user is acting under duress or the coercion of a cybercriminal.


2+ billion: The number of monthly sessions analyzed by BioCatch

200+ million: The number of users protected by BioCatch

60+: The number of patents attributed to BioCatch technology

HOW IT WORKS

The BioCatch Behavioral Platform leverages machine learning algorithms to analyze physical and cognitive digital behavior of users across digital channels. The model analyzes real-time physical interactions such as keystrokes, mouse movements, swipes and taps, and profiles both genuine users and fraudsters on the user level and population level to learn about patterns associated with genuine and fraudulent activity.

For example, patterns such as high familiarity with data are associated with genuine users, while high computer proficiency is often associated with fraudulent behavior. In other cases, such as authorized push payment voice scams where fraudsters trick users into transferring money in real time while guiding them on the phone, signs of hesitation combined with numerous other fraud indicators suggest high-risk activity.

Traditional controls are unable to detect such attacks that leverage deep social engineering tactics, as it is the genuine user taking action. On the user level, BioCatch profiles unique characteristics for each user and compares current sessions to historical profiles to detect changes and anomalies. Feedback on confirmed fraud and confirmed genuine sessions is incorporated to continually enhance the accuracy of the model and adapt to new attack patterns. The BioCatch Behavioral Platform returns a risk score and top risk indicators to provide better visibility into risk. The scores can also be used to determine the appropriate action to take.
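To make the risk-scoring idea concrete, here is an added toy example in Python (not the BioCatch model or its code). It derives three of the indicators mentioned in this section, pasted credentials, jumpy mouse movement and hesitation on the payment amount, from constructed session events, compares them with a per-user baseline, and returns a risk score with the top indicators. The event format, baseline values, weights and thresholds are all assumptions.

```python
"""Toy behavioral risk scorer for one authenticated session (constructed
example, not the BioCatch model). Raw session events are turned into three of
the indicators described above and compared with the user's own baseline."""


def paste_into_credentials(events):
    """Manual-ATO indicator: credentials pasted instead of typed or autofilled."""
    return any(e["type"] == "paste" and e.get("field") in ("username", "password")
               for e in events)


def mouse_jitter(points):
    """RAT indicator: share of steps where the pointer turns back on itself.
    Smooth human movement scores near 0; jumpy, inconsistent motion near 1."""
    turns = 0
    for (x0, y0), (x1, y1), (x2, y2) in zip(points, points[1:], points[2:]):
        ax, ay, bx, by = x1 - x0, y1 - y0, x2 - x1, y2 - y1
        if ax * bx + ay * by < 0:  # negative dot product: direction reversed
            turns += 1
    return turns / max(len(points) - 2, 1)


def hesitation(events, field):
    """Guided-scam indicator: longest pause (seconds) between keystrokes in a field."""
    ts = [e["t"] for e in events if e["type"] == "key" and e.get("field") == field]
    return max((b - a for a, b in zip(ts, ts[1:])), default=0.0)


def score_session(events, mouse_path, baseline):
    """Return (risk 0-100, top indicators) for one session. `baseline` holds the
    user's historical jitter and longest pause; an indicator fires when the
    session exceeds three times that value. Weights are illustrative."""
    fired = []
    if paste_into_credentials(events):
        fired.append(("credentials_pasted", 40))
    if mouse_jitter(mouse_path) > 3 * baseline["jitter"]:
        fired.append(("jumpy_mouse", 35))
    if hesitation(events, "amount") > 3 * baseline["pause"]:
        fired.append(("hesitation_on_amount", 25))
    fired.sort(key=lambda f: -f[1])  # strongest indicator first
    return min(100, sum(w for _, w in fired)), [name for name, _ in fired]


# Constructed sessions. Event format (an assumption): t = seconds since
# session start, type = "key" | "paste" | "click", field = form field name.
BASELINE = {"jitter": 0.1, "pause": 1.5}  # learned from this user's past sessions
GENUINE_EVENTS = [{"t": 0.0, "type": "key", "field": "username"},
                  {"t": 10.0, "type": "key", "field": "amount"},
                  {"t": 10.3, "type": "key", "field": "amount"},
                  {"t": 10.5, "type": "key", "field": "amount"}]
GENUINE_MOUSE = [(0, 0), (10, 2), (20, 4), (30, 7), (40, 9), (50, 12)]
SUSPECT_EVENTS = [{"t": 0.0, "type": "paste", "field": "username"},
                  {"t": 0.5, "type": "paste", "field": "password"},
                  {"t": 10.0, "type": "key", "field": "amount"},
                  {"t": 22.0, "type": "key", "field": "amount"},  # 12 s stall
                  {"t": 22.3, "type": "key", "field": "amount"}]
SUSPECT_MOUSE = [(0, 0), (40, 0), (5, 0), (45, 0), (10, 0), (50, 0)]  # zig-zag
```

`score_session(GENUINE_EVENTS, GENUINE_MOUSE, BASELINE)` returns a risk of 0 with no indicators, while the suspect session scores 100 with all three indicators, in the order a reviewer would want to see them.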


CASE STUDY

Top U.S. Financial Technology Provider Prevents $5.8 Million in Card and ACH Fraud Monthly With Behavioral Biometrics

OVERVIEW

One of the largest U.S. providers of financial technology for businesses and consumers was experiencing a significant drain on resources from manual review of suspicious transactions. In addition, legitimate transactions were being blocked, creating frustration for both buyers and suppliers and greatly impacting the customer experience.

SOLUTION

BioCatch behavioral biometrics was deployed in the online payment checkout flow to provide deeper visibility into the payment flow, enabling transaction risk decisions to be based on more than just the data entered. Using only session checkout data, and no prior user knowledge, BioCatch was tasked with accurately detecting fraud in real time by analyzing physical and cognitive behavioral patterns.

RESULTS

The solution provider achieved the following results following implementation of BioCatch:

70% Decrease in fraud after auto-declining using BioCatch

$3.6 Million Average fraud losses prevented per month from payment card fraud

$2.2 Million Average fraud losses prevented per month from ACH bank fraud


CASE STUDY

Top 5 UK Bank Drastically Reduces Account Takeover Fraud and Enhances Customer Experience with Behavioral Biometrics

OVERVIEW

A Top 5 UK bank experienced an increase in account takeover attacks targeting its customers. The attacks leveraged advanced social engineering and Remote Access Tools (RAT) to bypass existing fraud prevention controls. In addition, the solutions and controls deployed across multiple layers of the account lifecycle were generating high levels of friction. For example, a one-time passcode was still being sent via postal mail to confirm account changes. The bank was looking for a solution that could work on top of existing solutions to reduce account takeover and eliminate friction in an effort to improve the digital experience.

SOLUTION

The bank deployed BioCatch behavioral biometrics initially to protect against threats targeting the payment process. After realizing the value behavioral biometrics brought to the payment flow, the bank started to look for ways it could help solve other security challenges across the account lifecycle. The use of behavioral biometrics was expanded to protect additional activities such as password resets, account changes, loans and login.

RESULTS

The bank achieved the following results following implementation of BioCatch:

• £300K in monthly fraud savings from detecting authorized push payment fraud

• Reduced friction by 95% during the credential re-enrollment process

• Decreased fraud alerts by up to 30%

• Realized £4 in fraud savings for every £1 invested in behavioral biometrics


CASE STUDY

Large LATAM Bank Adopts Behavioral Biometrics to Prevent Account Takeover and Reduce False Positives

OVERVIEW

A large bank in Latin America was facing significant fraud losses from account takeover attacks. While the bank had implemented a transaction monitoring solution and fraud controls to minimize risk, the system was preventing less than half of its fraud while generating an unmanageable number of alerts and a high rate of false positives.

SOLUTION

The bank deployed BioCatch as an additional layer in its fraud prevention stack to enhance fraud detection rates. BioCatch quickly helped raise fraud detection rates to over 90% and cut false positives by two-thirds. Through close collaboration, the BioCatch team worked with the bank to create a custom solution that would also stop fraud in real time.

RESULTS

The bank achieved the following results following implementation of BioCatch:

• Over 90% fraud detection rate, up from less than 50% with transaction monitoring only

• 70% decrease in fraud alerts requiring investigation

• Reduced false positives by 66% after implementation

ABOUT BIOCATCH

BioCatch pioneered behavioral biometrics which analyzes an online user’s physical and cognitive digital behavior to protect users and their data. Protecting more than 100 million users, organizations around the globe leverage BioCatch’s unique approach and insights to more effectively fight fraud, drive digital transformation and accelerate business growth. With nearly a decade of data, more than 50 patents and unparalleled experience analyzing online behavior, BioCatch is the leader in behavioral biometrics. For more information, visit www.biocatch.com.

[1] Google Online Security Survey, February 2019

[2] Security Magazine, July 2020

[3] UK Finance

[4] Javelin Strategy and Research, 2021 Identity Fraud Study, March 2021

[5] Javelin Strategy and Research, 2021 Identity Fraud Study, March 2021

[6] BioCatch

[7] Ponemon Institute, Cost of Credential Stuffing, 2019

© 2021 BioCatch. This content is a copyright of BioCatch. All rights reserved. Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:

• You may print or download to a local hard disk extracts for your personal and non-commercial use only.

• You may copy the content to individual third parties for their personal use, but only if you acknowledge the document and BioCatch as the source of the material.

• You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system without our express written permission.