Account Takeover: Secret Scams

Online Weaknesses Aren't Only Links That Lead to Fraud
Online fraud is getting quite a bit of attention these days, as it relates to incidents of so-called account takeover, typically the result of phishing attacks waged against retail and commercial bank accounts.

Last month, the Financial Services Information Sharing and Analysis Center, better known as FS-ISAC, released positive results about steps banking institutions are taking to ensure they're adequately thwarting commercial account takeovers via the online channel. [See ACH Fraud: The Impact on Banks.]

Takeover incidents related to ACH and wire fraud are a growing concern for regulators as well.

In June, the Federal Financial Institutions Examination Council issued updated guidance for online authentication practices banks and credit unions should implement for retail and commercial accounts. [See FFIEC Authentication Guidance.]

Errol Weiss, a member of the FS-ISAC and head of its Account Takeover Task Force, says financial losses associated with takeover incidents are decreasing, despite increases in the number of online attacks the industry battled between 2009 and 2010. "Banks and customers are recognizing the situation sooner and are getting into response mode quicker, and so they're able to retrieve the funds before the transactions are irreversible," Weiss says.

But in the larger picture of account takeovers, which includes both retail and commercial accounts, does the focus on online fraud give banking institutions an accurate view of the problem? Phil Blank, part of Javelin Strategy & Research's Security, Risk and Fraud Practice, says many account takeovers are actually perpetrated through relatively low-tech means, not phishing.

According to Javelin's annual Identity Fraud Survey report, a consumer-based survey released in February, account takeover most often results from fraudulent changes to physical mailing addresses and the fraudulent addition of registered account users. [See ID Fraud: New Accounts Most at Risk.]

"The No. 1 takeover in 2010 was change of physical address, and adding a new registered user fell to second place," Blank says. "It doesn't surprise me that if you make the assumption that many account takeovers are done through things like man-in-the-browser attacks, that as more technology to mitigate man-in-the-browser attacks is out there, those takeovers would go down. ... But what banks need to be aware of is that much of this fraud is occurring on the consumer and business-customer side, and not all of them will invest in technology that catches these attacks."

Account Takeover: The 360 View

According to Javelin, which has seven years of comparative data from its annual Identity Fraud Survey, takeovers that follow a physical mailing address change are by far the most prevalent type consumers report. In 2008, among those consumers who reported falling victim to account takeover schemes, 42 percent said a change of physical mailing address was the cause. In 2009, 24 percent blamed fraudulent address changes, and in 2010, 44 percent said an address change was to blame.

Second to physical address change was the fraudulent addition of a registered account user. "We've seen this happen over and over again," Blank says. "If they can find information about the accountholder, like the mother's maiden name and birth date, information they can easily gather from social networking sites like Facebook, then they have enough to change the phone number affiliated with the account or add a new user just by calling the bank's customer service department."

According to Javelin's research, 13 percent of surveyed consumers in 2008 said their accounts were taken over after an unauthorized user was added to the account. In 2009, 31 percent blamed the addition of an account user, and in 2010, 25 percent said unauthorized user additions led to fraud.

Here is the other point, Blank says: Once the phone numbers affiliated with account management are changed, out-of-band authentication practices, such as calls or texts to landlines or mobile numbers to confirm ACH and/or wire transfers, can easily be foiled, because the confirmation goes to a number the fraudster now controls. "That actually happened to a bank in the Midwest," Blank says. "Banks used to not alert customers when a phone number was changed, but they do now."
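The failure mode Blank describes is that the out-of-band confirmation is only as trustworthy as the contact details it is sent to. One defender-side control is to check, at confirmation time, whether the destination number (or the account's address or registered-user list) was changed inside a cooling-off window, and if so route the challenge to the previous number or hold the transfer for review. The following is an added example written for this article, not code from Javelin, FS-ISAC or any bank; the event fields, the seven-day window, the 10,000 threshold and the sample accounts and numbers are all constructed assumptions.

```python
"""Evaluate an out-of-band (OOB) transfer confirmation against recent profile
changes on the account. Added example; all names and values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class ProfileChange:
    account: str
    field: str        # "phone", "mailing_address" or "registered_user"
    old_value: str
    new_value: str
    at: datetime
    channel: str      # how the change was requested: "phone", "online", "branch"


@dataclass
class Confirmation:
    account: str
    amount: float
    contact: str      # phone number the OOB call or text would go to
    requested_at: datetime


@dataclass
class Decision:
    action: str
    contact: str      # where the challenge should actually be sent
    reasons: List[str]


COOLING_OFF = timedelta(days=7)   # assumed window; an institution would tune this
HIGH_VALUE = 10_000.0             # assumed manual-review threshold


def recent_changes(account: str, changes: List[ProfileChange], now: datetime) -> List[ProfileChange]:
    """Profile changes on the account inside the cooling-off window, oldest first."""
    hits = [c for c in changes
            if c.account == account and timedelta(0) <= now - c.at <= COOLING_OFF]
    return sorted(hits, key=lambda c: c.at)


def evaluate_confirmation(req: Confirmation, changes: List[ProfileChange]) -> Decision:
    """Decide where (and whether) the OOB challenge for this transfer may be sent."""
    now = req.requested_at
    recent = recent_changes(req.account, changes, now)
    reasons = [f"{c.field} changed {(now - c.at).days}d ago via {c.channel}" for c in recent]

    # A phone change that set the very number we are about to confirm through is
    # the case from the article: never trust that number inside the window.
    phone_to_contact = [c for c in recent if c.field == "phone" and c.new_value == req.contact]
    if phone_to_contact:
        prior = phone_to_contact[0].old_value   # number in force before the window
        if req.amount >= HIGH_VALUE:
            return Decision("hold_for_review", prior, reasons)
        return Decision("confirm_via_prior_contact", prior, reasons)

    # Address or registered-user changes do not redirect the challenge, but a
    # high-value transfer right after one deserves additional verification.
    if recent and req.amount >= HIGH_VALUE:
        return Decision("confirm_with_extra_checks", req.contact, reasons)
    return Decision("confirm_via_current_contact", req.contact, reasons)


# Constructed sample data: a phone change followed by a new registered user on
# A-100 (the pattern Javelin describes), an old address change on B-200, a
# clean account C-300, and a fresh address change on D-400.
T = datetime(2011, 7, 15, 10, 0)
CHANGES = [
    ProfileChange("A-100", "phone", "+1-555-0100", "+1-555-0199", T - timedelta(days=2), "phone"),
    ProfileChange("A-100", "registered_user", "", "jdoe2", T - timedelta(days=1), "phone"),
    ProfileChange("B-200", "mailing_address", "12 Elm St", "90 Oak Ave", T - timedelta(days=45), "branch"),
    ProfileChange("D-400", "mailing_address", "1 Main St", "7 Pine Rd", T - timedelta(days=3), "online"),
]
REQUESTS = [
    Confirmation("A-100", 25_000.0, "+1-555-0199", T),
    Confirmation("A-100", 500.0, "+1-555-0199", T),
    Confirmation("B-200", 50_000.0, "+1-555-0200", T),
    Confirmation("C-300", 1_000.0, "+1-555-0300", T),
    Confirmation("D-400", 20_000.0, "+1-555-0400", T),
]


def run_sample() -> List[Decision]:
    return [evaluate_confirmation(r, CHANGES) for r in REQUESTS]


if __name__ == "__main__":
    for r, d in zip(REQUESTS, run_sample()):
        print(f"{r.account} {r.amount:>9.2f} -> {d.action} (to {d.contact}) {d.reasons}")
```

The point of sending the challenge to the prior number rather than the new one is that the prior contact is the one the fraudster could not change; it is the same logic as the alert-on-change control Blank says banks now apply, moved to the moment the money is about to leave.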

"Banks are learning," Blank says, a reality the FS-ISAC research also supports.

According to the FS-ISAC's March survey about commercial customer fraud, of 77 U.S. financial institutions that responded, 21 suffered account takeover attempts at some point in 2009 or the first half of 2010. Among those 21, 108 takeovers were reported during the first six months of 2010. In 2009, only 86 takeovers were reported, though FS-ISAC did not say how many institutions were affected.

But, despite increases in takeover incidents in 2010, banking institutions said 36 percent of fraudulent wire attempts were stopped before transfers were approved. In 2009, only 20 percent were detected and stopped before funds left the institution.

In fact, FS-ISAC found that in 2010, completed transactions occurred only 27 percent of the time after a takeover. In 2009, those fraudulent transactions were completed 63 percent of the time.

Doug Johnson, vice president of risk management policy for the American Bankers Association and a member of the FS-ISAC, says those results are heartening. "It shows that when you put together an approach that tries to address the threat, not only at the bank level, but also at the customer level, you can have an impact on the environment and diminish the fraud."

Blank says the results from both surveys complement one another, and should serve as reminders to banking institutions that protections for consumer and commercial accounts should be viewed within the same context, if not under the same light.

"This is why Javelin is saying more controls are better, and limiting the options consumers and commercial customers have to change options and features, especially over the phone, is a good thing," Blank says. "There is always a limitation to what the analytics can do behind the scenes, so we have to think about the big picture. There's only so much education and so much customers are going to do on their own. ... These types of controls could be applicable to consumers and commercial accountholders. They would all benefit from more controls, and the bank would benefit from that, too."

About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.
