NEWS on Payments

Contact ICBA Bancard
Tel: 800-242-4770
Email: [email protected]

Account Takeover Fraud – Where Does the Buck Stop?

Jun 17, 2019
Alan Nevels, SVP, Operations & Card Risk

Insidious with far-reaching consequences for its victims, account takeover fraud (ATO)Alan Nevels 1 continues to challenge consumers, businesses, and the financial services industry. According to ThreatMetrix’s Q2 Cybercrime Report, ATO attacks on financial services rose by 40 percent from just Q118 to Q218. And although payment processors have wised up their platforms to detect and combat ATO in its traditional methods, both the entire payments industry and consumers continue to see increased attacks in this pervasive fraud type.

What Is Account Takeover Fraud?

Simply put, ATO occurs when a criminal (or more often organized criminal gangs) gains unauthorized access to an individual’s account data with the intent to exploit the information for financial gain. And because the criminal is posing as the online account holder, the typical ATO fraud is difficult to spot. Couple traditional ATO fraud with the current rise in synthetic identity fraud (SID), and you have a fruitful breeding ground for offenders to thrive. Typical ATO involves the criminal use of stolen legit consumer data, while SID fraud entwines legit data with invented data to make up what appears to be a real person.

How Does ATO Happen?

Data breaches, phishing, skimming, phone scams, stolen documents, and many other schemes afford opportunities for bad actors to gain access to personal data. And the increased use of social media by all parties makes these opportunities limitless. While consumers have gotten savvier about safeguarding critical information like social security or bank account numbers, they are still notoriously bad about password management. Despite educational efforts, many consumers use the same log-in credentials across multiple online accounts; a practice that can have cascading and devastating consequences. A confirmed username or email address is enough for a criminal to get started. This information alone is typically enough to create impostor profiles that can be used to open new accounts.

Is ATO a Fraud or a Security Issue?  

ATO is both a fraud and security issue, which means that the energies used to prevent these attacks doesn’t fall on one individual or entity, but rather all stakeholders.

Consumers Protections:   

  • Create a unique password for each online account so that even if an account is compromised, only one account is affected. (There are numerous free and subscription-based products that can create and manage unique account passwords).
  • Social media is a treasure trove of personal data for fraudsters. Quizzes and games that ask for personal information such as the make and model of your first car should be avoided.
  • When available, consumers should enroll in security programs that send them text alerts to receive the fastest indication of suspect activity.
  • Consumers should enroll in a service that notifies them when new accounts are opened on in their name and/or with their social security number.

 Merchants Protections:  

  • Merchants and online e-Comm platforms/portals should invest in services and/or embed security triggers that can detect and identify suspicious activity or impostor behavior(s).
  • Always ask for the CVV security code at check out.
  • Hire outside help. There are numerous reputable cybersecurity companies that offer merchants tools and systems to help identify and prevent fraud and ATO.
  • Enlist tools and methods that make it easy for consumers and card issuers to quickly communicate and report strange activity.
  • Remain vigilant. Fraud continues to evolve so one must understand the difference between ATO fraud (where the shipping address changes) and friendly fraud (where the address does not change, but the consumer repeatedly challenges transactions).

Financial Institutions Protections:

  • FI’s have an inherent duty to protect customers from ATO related fraud, given the tools and resources available to them, beyond what’s availed to the above two sectors. FI’s best protection from ATO fraud involves KYC (Know-Your-Customer). There are usually signs in transactional and device behaviors that can trigger doubtful customer activities.
  • Enlist communication and alerting methods that make it easy for customers to quickly communicate and report odd activity.
  • Card issuers should be mindful of the increase in friendly-fraud and related behaviors.
  • Develop processes that appropriately challenge customer’s access, without impeding their ability to transact accordingly.
  • A unique token, which is only used once and contains no information that a fraudster could exploit, is technology that FI’s should keep their eyes on.
  • Bio-metrics, which rely on physical identifiers, are making advances in many sectors where consumer authentication is pertinent. Some financial institutions have already employed the use of fingerprint scans for ATM and mobile banking apps.
  • Current and ongoing education on trends and protection best practices, are one of the most effective means for FI’s to prevent ATO fraud.

 As noted in article penned by, “Place a stone in a stream and the water will flow on around it – diverted from its path but not its destination." This holds true for many of today’s fraud schemes that are making a comeback, in more wily and penetrating ways. ATO fraud is back with a vengeance, and until all stakeholders change their defense hygiene, criminals will continue to prey and make headway with impostor fraud. A layered approach, which involves detection, prevention, easy and effective two-way communication, and ongoing education are vital for moving forward in the fight against ATO fraud.