Despite years of investment in anti-fraud measures, account takeover (ATO) issues continue to plague financial institutions and consumers. Traditional authentication methods have left too many gaps for cybercriminals to exploit, often through easily compromised or acquired credentials.
Fighting this type of fraud has become a major concern for many financial institutions, often with diminishing returns. A report from Javelin Strategy & Research, ATO Fraud: Why It Remains FIs’ Greatest Fraud Risk, explores why a short-term focus on identity verification and authentication is adversely affecting FIs’ ability to dramatically reduce ATO.
A Resurgence of ATO Fraud
When COVID-19 forced more business to be conducted online, new account fraud became the scam of choice for cybercriminals. But as businesses returned to more face-to-face interactions, there has been a resurgence in ATO fraud. In 2023, consumer losses from ATO fraud increased by 15% from the previous year, totaling $13 billion.
“In an area like car loans, you had a lot of loan origination and new accounts being open in a digital environment online during the pandemic,” said Tracy Kitten, Director of Fraud and Security at Javelin Strategy & Research. “Unfortunately, those platforms did not have technology in place to adequately verify the authenticity of many of these individuals through an online platform. That face-to-face verification was lost.”
The financial services space quickly responded by investing in technology to address those authentication gaps. In turn, cybercriminals shifted from exploiting vulnerabilities in online onboarding back to account takeovers, often facilitated through social engineering.
Many FIs have since implemented robust authentication measures, but gaps still remain that criminals continue to exploit. Part of this issue stems from an overreliance on consumers to protect their own data.
“Anytime you have the consumer involved in the authentication process, you’re opening yourself up to vulnerability,” said Kitten. “When consumers have to remember passwords, they have a tendency to reuse them. They don’t change them often enough. They have a tendency to write them down. The more you can take the consumer out of the equation, the better off authentication is going to be.”
Deeper Data
A better approach for FIs is to implement measures like biometrics, such as fingerprint scans, facial recognition, or iris scans. On the back end, organizations can also consider factors like IP address and consortium data, which involves transactional monitoring in the background. For example, if a shopper attempts to make a purchase from a merchant they’ve never used before, and the transaction exceeds their typical spending patterns, the retailer can use these data points to help authenticate both the user and the transaction—without requiring any action from the user.
FIs have to tread lightly when addressing user privacy concerns. Consumers are unlikely to allow biometric and behavioral data to be collected unless they know it is being used for their own security. They are rightfully leery of surrendering personal information, fearing it may be sold to marketing firms.
“Financial institutions—and increasingly retailers too—have to be transparent with consumers about the fact that you have to track more information about them in order to do this right,” said Kitten. “Consumers have to understand that in order to enable some of the data analytics on the back end, they have to allow certain information about themselves to be tracked.”
“If consumers understand what’s being tracked and why it’s being tracked, they’re much more likely to opt in than if they feel like you’re tracking information to sell it to a data broker or to a third party,” she said.
Automatic Enrollment
Going even further, Kitten recommends that institutions should enforce automatic enrollment for critical consumer alerts. In their most recent examination of U.S. banking institutions, Javelin found that most FIs have abandoned mandated or automatic enrollment in critical alerts, resulting in many consumers being unaware that their FI offers account alerts. Any changes to account profile information, payment amounts or due dates, and/or new bill pay information should trigger an alert.
There’s a paradox at play here, where the bank aims to protect the consumer from account takeovers, yet the consumer remains the weak link in the protective chain.
“We have to keep in mind that like accounts, people’s identities do get taken over,” Kitten said. “So financial institutions should be asking themselves, what are we doing on a regular basis to determine whether or not an account has been taken over? What kind of flags are in place to suggest that the person who’s conducting these transactions isn’t the real person?
“That’s where bringing in some of those back-end analytics makes a difference. You’ve got to have additional analytics on the back end to help verify the authenticity of not just the individual but also the transaction,” said. “That’s the way to fight these account takeovers.”