Account Takeover Fraud (ATO) is a form of identity theft where a third-party fraudster gains access to a user’s online accounts. The fraudster then poses as the real user, making changes to account details, making purchases, withdrawing funds or using the stolen information to access other accounts.

Account takeover attacks through the use of stolen user information are a staple of the illegal fraud-as-a-service economy. Stolen information is leveraged for attacks of various forms, including attacks through retailers, financial services, mobile games and reward programs.

– Today, account credentials may sell for as little as $0.20 up to $15 USD.

– An abundance of stolen account credentials, coupled with the ease with which cybercriminals can obtain them at a low cost, is helping to fuel a rise in account takeover attacks. In fact, according to the latest 2018 Identity Fraud Study by Javelin Strategy & Research, account takeover losses more than tripled in the last year to $5.1 billion.

How does ATO occur?

Fraudsters don’t need access to highly sensitive information such as a person’s social security number or PIN. The danger of account takeover is that it can potentially occur from the smallest bit of a user’s personal data: a user’s full name, DOB or email address.

Identity thieves will steal personal data on a large scale and sell the data on the dark web. However, the theft of information also often occurs on a relatively small scale. A “friend” gets access to your email address, guesses your password correctly and goes on to make an online purchase.

What do fraudsters do with the info?

Once a fraudster has access to an account, they may quickly transfer funds from the victim's account to one they can more easily access, or they open and max out a new credit card account with the stolen information.

Once they have gained access to a user’s information, fraudsters can make changes to the user’s profile, preventing suspicion by averting communications that would’ve previously been sent to the account holder.


Consequences of ATO?

Money isn’t everything when it comes to ATO. Gaining access to a consumer’s credentials at one eCommerce merchant makes it easier for a fraudster to access other digital stores at which to exploit the user.

An often overlooked consequence of stolen information is the difficulty of regaining control of the information. For example, a fraudster makes a purchase with a stolen credit card number. The actual user can file a chargeback and get their money back, but regaining control of their lost personally identifiable information is basically impossible.

Regaining control of compromised accounts is an arduous process. The user must prove his or her identity to the security and customer service team, which is easier said than done, as the fraudster will change the password and security questions on the account.

How a Business Lost $20K

A well-known alternative investment platform recently reached out to AgilePayments regarding best practices around ACH verification/authentication. The platform explained that a new customer entered their platform and funded their account in the amount of $10,000 via an ACH debit to a bank account.

Three days later, the same customer reached out and claimed they had a change of heart and wanted a refund. The customer asked that a different bank account than the one previously used for the debit be designated to receive the ensuing ACH credit of $10,000.

The investing platform initiated a credit to the new account. This was a huge mistake!

Why was this such a big mistake? The individual received the $10,000 credit and withdrew it from the bank account. They then initiated a chargeback on the initial $10,000 debit to the first bank account. Their bank upheld the chargeback and made $10K available to the fraudster.

What started out as a potential new customer with $10K to invest into their platform turned into a $20,000 loss!

This situation could have easily been prevented.

First, never credit a different bank account than the one used for the initial debit. Also make sure your authorization to debit the customer’s bank account offers maximum protection: capture the IP address, geolocate it, etc.

Second, platforms absolutely must implement a checking account ownership authentication and verification component for onboarding.
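
One way to enforce both rules in the refund path, shown as an added example rather than AgilePayments' or the platform's own code. The `Funding` record, the `approve_refund` function, the keyed account fingerprint and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed key for the example; a real deployment loads it from a secrets store.
FINGERPRINT_KEY = b"example-only-key"


def account_fingerprint(routing: str, account: str) -> str:
    """Keyed hash so raw account numbers are never stored or compared."""
    msg = f"{routing.strip()}:{account.strip()}".encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Funding:
    customer_id: str
    amount_cents: int
    source_fp: str          # fingerprint of the account that was debited
    owner_verified: bool    # outcome of ownership authentication at onboarding
    refunded_cents: int = 0


def approve_refund(funding: Funding, customer_id: str, amount_cents: int,
                   dest_routing: str, dest_account: str) -> Tuple[bool, str]:
    """Return (approved, reason) for a requested ACH credit."""
    if customer_id != funding.customer_id:
        return False, "customer_mismatch"
    if not funding.owner_verified:
        return False, "ownership_not_verified"
    dest_fp = account_fingerprint(dest_routing, dest_account)
    if not hmac.compare_digest(dest_fp, funding.source_fp):
        return False, "destination_differs_from_debited_account"
    remaining = funding.amount_cents - funding.refunded_cents
    if amount_cents <= 0 or amount_cents > remaining:
        return False, "amount_exceeds_refundable_balance"
    return True, "ok"


# Constructed sample: the $10,000 funding from the case above (placeholder numbers).
FUNDING = Funding("cust-1", 1_000_000,
                  account_fingerprint("123456789", "1111222233"), True)
```

Applied to the case above, the request to send the $10,000 credit to a second account is refused with `destination_differs_from_debited_account`, so the later chargeback can cost the platform at most the original debit.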

How does Check Verification mitigate associated risks?

Checking Verification services allow a business to validate that an account is open and in good standing prior to the account being loaded into a recurring billing engine. Data entry errors, potentially closed accounts or even fraud can be caught before “booking” the sale.

Merchants can also mitigate check acceptance risk at the point of sale, with account verification options ranging from negative database inquiries and automated routing number checks, to near real-time inquiries into current checking account status (e.g. open/closed).

Unlike credit cards, the ACH realm lacks an authorization component. Credit cards allow for authorization at the time of payment, ensuring that a customer has the requisite funds on their cards, and reserving those funds for capture and settlement.

For some businesses this lack of an authorization means that ACH Check Verification is necessary to mitigate payment acceptance risk, and prevent your newly onboarded customer from needing to perform a significant amount of work to obtain correct or valid checking account information.

How does AOA mitigate associated risks?

A Checking Account Owner Authentication Service (AOA) provides businesses a new fraud mitigation tool that provides real-time insight into whether the person or business whose check payment you want to accept or enroll in a recurring billing plan owns that bank account.

The ability to verify bank account ownership plays a key role in reducing the risk of enrolling a new customer with bad check information.

For less than one dollar per inquiry these risks can be significantly reduced.

The AOA service also validates other data elements such as DOB, driver’s license numbers and phone numbers, among others. There is no other service available today that matches and validates data against records held at the customer’s financial institution.

Here is an example: Fraudsters go to an online payday loan store and use stolen bank account info to get a $500 deposit. They enter a valid bank account to be debited via the ACH processing network for paying back the loan. They redirect the loan proceeds to an account they control. The payday loan company debits the account fraudulently provided for payment. The true owner disputes the debit, and the loan company is out the $500.

What can be done?

Recent tech advances have now made a Checking Account Owner Authentication Service available. Real-time checking account verification and account owner authentication services can confirm a consumer or business owns the account and is authorized to transact.

Key account owner and status information such as name, address, social security number, driver’s license, date of birth and other relevant data points can help authenticate the consumer or business DDA information.

Benefits:

  • Reduce unauthorized access to customer accounts
  • Eliminate the need for account-owner login credentials
  • Improve customer experience and reduce abandonment rates
  • Reduce unauthorized and administrative ACH and check returns
  • Reduce Account Takeover risks

Summary

The aforementioned platform lost $20,000 to a simple scheme. The scary reality is that the loss could have easily been $100,000 had the initial debit been $50,000.

Platforms need to ask themselves if being exposed to this type of risk is the best practice for businesses when risk mitigation tools are so readily available.