Account takeover is a persistent issue that costs companies millions each year.* It will likely continue to grow with the proliferation of publicly available personal information, the increasing number of data breaches and an increasing number of online black markets for private data.
In one example of an account takeover scheme, cybercriminals may assume control of a consumer’s account, order physical goods using the debit card number on file, ship to an alternate address, and subsequently sell the stolen goods on another website and pocket the proceeds. Fair or not, consumers often view the organization that allowed the fraudster access to their account to be at fault.
With more fraudsters determined to commit account takeover, organizations are looking for ways to shore up the gaps in their account takeover defenses. Traditional fraud detection and prevention tools have some weaknesses when used to detect account takeover related activity:
- Anomaly Recognition – The majority of anomaly recognition tools are driven off of a company’s internal data, limiting their view of a consumer’s behavior to their interaction with a single organization, rather than looking at a more comprehensive data set
- Device Recognition – Device recognition only works for online transactions and may not flag a device with no previous connections to online fraud.
- Malware Recognition – Malware protection and virus detection solutions have a limited shelf life as providers are in a never ending race with cybercriminals to combat the latest threats.
- Voice Recognition – Companies often spend considerable resources to integrate these solutions into the enterprise’s risk controls. In addition to time and expense, other drawbacks are that voice recognition tools may apply only to the call center channel and focus on preventing access to an account rather than evaluating the legitimacy of account changes requested by a caller.
- Knowledge-Based Authentication (KBA) – KBA requires consumers to provide answers to questions that, theoretically, only the actual customer knows the answers to. Unfortunately, criminals often use social media sites or other sources of publicly available information to gather personal data that they can then use to pass these quizzes or tests and access the consumer’s accounts.
While these solutions can all play a role in protecting against fraud, they can’t singlehandedly protect against account takeover. Companies must adopt a new layered approach that requires a comprehensive, real-time understanding of normal and abnormal account maintenance activity across the organization’s channels and product areas. They need to focus on assessing the legitimacy of requested account changes through real-time, cross-industry data that will enable a comprehensive assessment of consumer behavior. This approach will enable them to evaluate a requested account change in several ways, including:
- Has the account holder made similar changes at other organizations?
- Holistically, does the full set of requested account changes match a pattern of account takeover?
- For changes to personally identifiable information (PII), does the new information being added to the account (e.g., new address or phone) have a history of high risk behavior?
- For PII changes, does the comparison of old and new information reveal a high-risk behavior?
Given the damage that account takeover fraud can cause, and the likelihood these problems will continue to grow, investing in a solution that incorporates identity-based data and information makes sense, especially one which can demonstrate a return on investment by avoiding losses associated with fraud and customer attrition.
Read more about solutions for account takeover fraud in our white paper: Best Practices in Account Takeover
Ken Meiser is the Vice President of Identity Solutions at ID Analytics.
*Source: “2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters.” Javelin Strategy & Research, February, 2013.