In this exclusive Cyber Talk article, CEO of SEON, Tamas Kadar, shares insights into the newest fraud nightmares, including account takeovers, and what businesses need to know in order to effectively fight fraud.
As we move into 2023, account takeovers are a growing concern for almost any type of online business. In 2022, we saw some notable cases of account takeover fraud, where a criminal obtains the login details of a legitimate customer and uses the account as if it were their own. What's more, fraudsters are adapting to the rise of fintech. We'll uncover some of their new tactics and how you can prevent fraudsters from taking advantage of you and your customers.
Account takeover attacks are diversifying
Fraudsters are adapting their techniques. Just a few months ago, the online betting company DraftKings had roughly $300,000 drained from customer accounts after being targeted by a credential stuffing attack. With attacks like this on the rise, it's worth getting to grips with why they're becoming popular with criminals, and of course with what you can do about it.
What are credential stuffing attacks?
Fraudsters take lists of username and password pairs exposed in earlier breaches and replay them, usually with automated tooling and at high volume, against other sites, in the hope that account holders have reused the same combination elsewhere without changing it in light of the breach. This makes it a kind of account takeover, as it involves using the pre-existing account details of a legitimate customer (rather than constructing an identity from the details of several victims, as is the case with synthetic identity fraud). E-commerce sites take note: the financial services company Due reports that 90% of login attempts on e-commerce platforms are made by attackers using stolen credentials.
As Paul Liberman, the president of DraftKings, told Dark Reading: "We currently believe that the login information of these customers was compromised on other websites and then used to access their DraftKings accounts where they used the same login information." Credential stuffing can therefore affect any company, regardless of whether it has experienced a breach itself: all it takes is for the same login information to be exposed on another website for your customers (and you) to be immediately at risk. DraftKings wasn't alone in being targeted by credential stuffing this year; Fast Company reported that Dunkin' Donuts has also been hit by two attacks of this kind.
Fortunately, credential stuffing-based account takeovers can be mitigated. Have I Been Pwned, for example, publishes a constantly updated corpus of leaked passwords and exposes it through a k-anonymity lookup: your application hashes the candidate password with SHA-1, sends only the first five hex characters of the hash, and receives every leaked hash suffix in that range together with its breach count. The comparison against the full hash is done on your side, so neither the password nor its complete hash ever leaves your system. K-anonymity is a property of a data release: each record is indistinguishable from at least k minus 1 others on the attributes that were disclosed. Here the disclosed attribute is the five-character prefix, which every query shares with hundreds of other leaked hashes, so the service cannot tell which password in that range you were checking. A match should be rejected at registration and password change, and a match at login should trigger a forced reset. The check only helps if you actually implement it, and it closes off reused leaked passwords rather than the stuffing attempts themselves, so it belongs alongside rate limiting and two-factor authentication rather than in place of them.
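The range lookup described above, written out as an added example (this is not code from the article or from SEON): the password is hashed with SHA-1, only the five-character prefix is sent, and the suffix comparison happens locally. The sample range body and its counts are constructed so the block runs offline; a live fetcher for the real endpoint is included but not called by the demo. Padding entries with a count of 0, which the API adds when asked to, are filtered out.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6.
# The real response has hundreds of "SUFFIX:COUNT" lines; the counts here are made up.
# The first suffix is the genuine SHA-1 of "password" minus its 5-character prefix,
# the others are fabricated. The count-0 line imitates the padding entries the API
# mixes in when the client sends "Add-Padding: true"; those must be ignored.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3700000
0D0F3A0B5C1E2F3A4B5C6D7E8F9A0B1C2D3:12
ABCDEF0123456789ABCDEF0123456789ABC:0
"""

PREFIX_LEN = 5  # the service keys its ranges on the first 5 hex chars of the SHA-1


def sha1_split(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split the hex digest into the 5-char
    prefix that leaves the client and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn a range response into {suffix: breach_count}, dropping padding lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:  # count 0 means padding, not a real leaked hash
            counts[suffix.upper()] = n
    return counts


def fetch_range_sample(prefix: str) -> str:
    """Offline fetcher used by the demo: only the constructed 5BAA6 range exists."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def fetch_range_live(prefix: str) -> str:
    """Real fetcher (needs network). Only the prefix is sent, so the service
    cannot tell which of the hashes in the returned range is being checked."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "ato-article-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_sample) -> int:
    """Number of breaches the password has appeared in (0 = not found).
    The full-suffix comparison happens here, on the client side."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def reject_if_pwned(password: str,
                    fetch_range: Callable[[str], str] = fetch_range_sample) -> bool:
    """Policy hook for registration, password change and login: True = reject."""
    return pwned_count(password, fetch_range) > 0


if __name__ == "__main__":
    for candidate in ("password", "c0rrect-h0rse-battery-staple-2023"):
        print(f"{candidate!r}: seen {pwned_count(candidate)} times, "
              f"reject={reject_if_pwned(candidate)}")
    # Against the live service: pwned_count("password", fetch_range_live)
```

At login the plaintext password is available, so the same check can run there; a hit on an existing account is a reason to force a reset rather than just warn, since that is exactly the credential a stuffing list would contain.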
Why are criminals focusing more and more on account takeover?
If you're trying to get inside the mind of a criminal, DraftKings as a target of account takeover makes sense: with a customer's account details you can reach the funds they've deposited via a mobile payments app or bank wire. This makes the DraftKings wallet very much like an e-wallet.
The fintech boom has seen a rise in e-wallet usage, with customers increasingly likely to use Google accounts, e-shop accounts like Amazon, or even smaller independents that use Shop (which also stores a customer's card details so that they can be reused on future purchases via the app). According to one survey, mobile payment adoption is set to reach 4.8 billion users by 2025, with Apple Pay the most popular mobile payment service in the U.S. The Federal Reserve Bank of Atlanta also found that the share of customers "…making at least one online purchase in a typical month increased from 59 percent in 2019 to 66 percent in 2020". Taken together, this research makes it clear that customers are becoming more and more invested in online transactions.
E-wallets (and, for that matter, any website that lets a user store their card credentials) are incredibly appealing to criminals, because a compromised account gives them direct use of the customer's stored payment method, from which they can spend or drain funds without ever seeing the card itself.
How to prevent account takeover fraud from affecting your bank (or any other business)
Whether you're a financial institution or an e-commerce site, it's worth looking into how you can prevent this form of attack from doing major damage to your budget and reputation. In SEON's guide to banking fraud prevention, we explain how banks can protect their customers' accounts from account takeover fraud in part by monitoring customer transactions closely as well as the login step itself.
As you may already know, financial institutions and banks have to comply with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations, so identity verification is already a stage of your fraud detection and prevention process. You might be doing this via document verification or biometric scanning, to confirm at registration that a customer is exactly who they say they are.
However, you can combine this with data enrichment in order to give you even more information to help you catch fraudsters earlier on. Regardless of whether you’re a financial institution or e-commerce site, data enrichment can give you a much bigger picture of your customer and their digital footprint.
If you're trying to catch a criminal as they log in to a user's account, you only have a few clues to work with. So, what information do you have at login? Three things: 1) the IP address, 2) the device used to log in and 3) the actions the user takes on the site. IP lookup tools and device fingerprinting enrich the first two, and behavioural data fills in the third: a credential stuffing run shows up as a burst of login attempts against many different accounts from the same IP or device with a high failure rate, which no single legitimate customer produces. Together, these data points give a much bigger picture of the user who has tried to access the account.
How does device fingerprinting work? A fingerprinting script collects attributes of the device and browser used to log in (browser and version, screen size, time zone, language, and whether it is running inside a virtual machine or emulator, among others) and hashes them into a single ID, so the same device produces the same ID on every visit. You can then compare that ID against the devices the account has used before: an unknown device or browser is a reason to ask for more information, and a device that has already been seen committing fraud against other accounts can go on a blocklist. Bear in mind that the ID changes when a user upgrades their browser or buys a new phone, so treat it as a risk signal rather than as proof of identity.
You can combine this with IP analysis too: by enriching the IP address, you can find out whether the connection comes through a VPN, a hosting provider or a Tor exit node. None of these proves fraud on its own (plenty of legitimate customers use VPNs), but together with an unknown device it is enough to ask the user to confirm that they are who they say they are. In practice that means triggering Two Factor Authentication (2FA) only when the risk warrants it, so ordinary logins stay frictionless, and for higher-risk cases it can mean a selfie check or a video or voice call with your support team.
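One way to wire the three login-time signals above (IP enrichment, device fingerprint, attempt velocity) into an allow / step-up / block decision, as an added example that is not SEON's product logic or code from the article. The IP intelligence table, the device attribute sets, the signal weights and the thresholds are all constructed for illustration; a real deployment would get the IP data from a lookup service and tune the weights on its own traffic.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed IP enrichment table standing in for an IP lookup service; the
# addresses come from the RFC 5737 documentation ranges.
IP_INTEL: Dict[str, Dict[str, object]] = {
    "203.0.113.7":   {"vpn": False, "tor": False, "country": "HU"},
    "198.51.100.23": {"vpn": True,  "tor": False, "country": "DE"},
    "192.0.2.99":    {"vpn": False, "tor": True,  "country": "NL"},
}

# Illustrative weights and thresholds (assumed, not a vendor's scoring model).
WEIGHTS = {"new_device": 2, "emulator": 3, "vpn": 1, "tor": 3,
           "new_country": 1, "ip_velocity": 4}
STEP_UP_AT, BLOCK_AT = 2, 6
VELOCITY_LIMIT = 20  # login attempts per IP per hour across all accounts


def device_fingerprint(attrs: Dict[str, str]) -> str:
    """Stable hash over the collected browser/device attributes. Keys are sorted
    and serialised canonically so field order never changes the ID."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


@dataclass
class Account:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)


def record_success(account: Account, ip: str, attrs: Dict[str, str],
                   intel=IP_INTEL) -> None:
    """After a fully verified login, remember the device and the country."""
    account.known_devices.add(device_fingerprint(attrs))
    country = intel.get(ip, {}).get("country")
    if country:
        account.known_countries.add(country)


def assess_login(account: Account, ip: str, attrs: Dict[str, str],
                 ip_attempts_last_hour: int = 0,
                 intel=IP_INTEL) -> Tuple[str, List[str]]:
    """Score one login attempt from the three things available at that moment:
    the IP (enriched), the device (fingerprinted) and behaviour (how many login
    attempts the same IP has made across all accounts in the last hour, the
    signature of a credential stuffing run). Returns (decision, signals)."""
    signals: List[str] = []
    info = intel.get(ip, {})
    if device_fingerprint(attrs) not in account.known_devices:
        signals.append("new_device")
    if attrs.get("emulator") == "true" or attrs.get("vm") == "true":
        signals.append("emulator")
    if info.get("vpn"):
        signals.append("vpn")
    if info.get("tor"):
        signals.append("tor")
    if info.get("country") and info["country"] not in account.known_countries:
        signals.append("new_country")
    if ip_attempts_last_hour > VELOCITY_LIMIT:
        signals.append("ip_velocity")

    score = sum(WEIGHTS[s] for s in signals)
    if score >= BLOCK_AT:
        return "block", signals
    if score >= STEP_UP_AT:
        return "step_up", signals  # trigger 2FA, selfie check or support call
    return "allow", signals


# Constructed attribute sets, i.e. what a fingerprinting script would collect.
HOME_LAPTOP = {"ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/108.0",
               "screen": "1920x1080", "tz": "Europe/Budapest",
               "lang": "hu-HU", "emulator": "false", "vm": "false"}
ATTACKER_BOX = {"ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/108.0",
                "screen": "1280x720", "tz": "UTC",
                "lang": "en-US", "emulator": "true", "vm": "true"}
STUFFING_BOT = {"ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/107.0",
                "screen": "1024x768", "tz": "UTC",
                "lang": "en-US", "emulator": "false", "vm": "false"}

if __name__ == "__main__":
    acct = Account()
    record_success(acct, "203.0.113.7", HOME_LAPTOP)
    print(assess_login(acct, "203.0.113.7", HOME_LAPTOP))
    print(assess_login(acct, "198.51.100.23", HOME_LAPTOP))
    print(assess_login(acct, "192.0.2.99", ATTACKER_BOX))
    print(assess_login(acct, "203.0.113.50", STUFFING_BOT, ip_attempts_last_hour=500))
```

The design point is that no single weak signal (a VPN, a new phone) blocks a customer outright; weak signals add up to a step-up, and only strong ones such as Tor plus an emulator, or a new device arriving in the middle of a high-velocity burst from one IP, block. The velocity counter is what catches a stuffing run even when the list contains a correct password and the attacker's device looks ordinary.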
In addition, prompt customers to change their password when it turns up in a breach corpus or after a suspicious login, rather than on a fixed schedule (forced periodic rotation tends to produce predictable variations of the old password), and encourage them to choose a password they use nowhere else when they register with you.
What to remember
Whether you're a financial institution, bank or e-commerce site, account takeover, and credential stuffing in particular, is worth watching for as more customers turn to paying online. Businesses of all sizes have lost considerable sums to this increasingly common type of attack, as this year's reports have shown. Strengthening your defenses at the login step and educating your customers about unique, unbreached passwords can go a long way toward protecting you against this type of account takeover.
About the Author
The Co-Founder of SEON Fraud Fighters, the Hungarian startup that broke funding records, Tamas Kadar is also the founder of Central Europe's first crypto exchange. It was his experience there that led him to start working on his own fraud prevention company, when he realized that what was already on the market didn't cover his needs. Starting with the bold idea of using digital footprints and social signals to assess customers' true intentions, SEON promises to democratize the fight against fraud. Today, the company protects 5000+ brands around the world as an industry-agnostic, fully customizable yet intuitive end-to-end fraud prevention solution that is highly ranked in the industry.