ACCOUNT TAKEOVER FRAUD HOW TO PROTECT YOUR CUSTOMERS AND BUSINESS - OneSpan

Transcription

ACCOUNT TAKEOVER FRAUD: HOW TO PROTECT YOUR CUSTOMERS AND BUSINESS (eBook)

Introduction

Account takeover fraud (ATO) is one of the top threats to financial institutions (FIs) and their customers. An identity theft crime, account takeover comes in many different forms. In this eBook, we explain the top techniques criminals use to take control of a bank account.

Fraudsters have a variety of weapons and methods of harvesting personal data and causing serious damage, which makes effective protection a challenge. The right multi-layered security approach, however, can help block account takeover fraud and protect customers at every stage of their digital journeys. This guide outlines a best practices approach to detecting and preventing account takeover fraud with proven technologies that shield users, devices, and transactions.

"89% of FI executives believe ATO fraud is the most common cause of losses in the digital channel." Aite Group [1]

ATO TECHNIQUES: DATA BREACHES

Some account takeover attacks begin with fraudsters harvesting personal data. This can happen long before a fraudulent transaction takes place. Bad actors simply purchase personal data leaked as part of a previous data breach. The many recent breaches of large corporations have exposed billions of usernames, email addresses, passwords, credit card numbers, and social security numbers.

With this leaked data, cybercriminals can prepare targeted phishing campaigns. They can also gain unauthorized access to accounts by using an automated attack (or, in the case of less experienced fraudsters, by manually typing in combinations of credentials). If an FI's authentication mechanisms rely on weak security measures such as static passwords, criminals will use a technique known as credential stuffing. Credential stuffing is when an army of bots checks a list of stolen credentials against a range of websites hoping for a match. If the authentication process includes multi-factor authentication (e.g., fingerprint and one-time password), gaining unauthorized access to an account will require more effort.

"Only requiring a username/password for access to online or mobile banking systems is grossly insufficient for account security." KuppingerCole [2]
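Credential stuffing has a recognizable shape in an FI's own authentication logs: one source tries many different usernames in a short window and mostly fails, whereas a legitimate customer who mistypes fails repeatedly on a single account. The following detector is an added example written for this page, not OneSpan code; the log format, the sample lines and the thresholds (five distinct accounts in five minutes with at most a 20% success rate) are constructed for illustration, and the accounts that did log in from a flagged source are reported so they can be stepped up or reviewed.

```python
"""Credential-stuffing detection over authentication log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line: "<ISO timestamp> <ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:03 203.0.113.7 carol FAIL
2024-03-01T10:00:04 203.0.113.7 dave FAIL
2024-03-01T10:00:05 203.0.113.7 erin FAIL
2024-03-01T10:00:06 203.0.113.7 frank OK
2024-03-01T10:02:10 198.51.100.4 carol FAIL
2024-03-01T10:02:25 198.51.100.4 carol FAIL
2024-03-01T10:02:40 198.51.100.4 carol FAIL
2024-03-01T10:02:55 198.51.100.4 carol OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def _has_spray_window(attempts, window, min_accounts, max_success_rate):
    """Slide a time window over one source's attempts (already in time order)
    and report whether any window contains many distinct accounts with a low
    success rate, i.e. a credential list being tried rather than one user."""
    start = 0
    for end in range(len(attempts)):
        while attempts[end][0] - attempts[start][0] > window:
            start += 1
        chunk = attempts[start:end + 1]
        users = {u for _, u, _ in chunk}
        successes = sum(ok for _, _, ok in chunk)
        if len(users) >= min_accounts and successes / len(chunk) <= max_success_rate:
            return True
    return False


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, max_success_rate=0.2):
    """Return {ip: summary} for every source that shows a stuffing pattern.
    The summary lists the accounts that were successfully logged into from
    that source, since those are the ones to step up or review."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))

    report = {}
    for ip, attempts in per_ip.items():
        if not _has_spray_window(attempts, window, min_accounts, max_success_rate):
            continue
        report[ip] = {
            "accounts_tried": len({u for _, u, _ in attempts}),
            "attempts": len(attempts),
            "accounts_logged_in": sorted({u for _, u, ok in attempts if ok}),
        }
    return report


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The retrying customer at 198.51.100.4 is not flagged because every attempt is against one account; the source at 203.0.113.7 is, and the one account it did get into (frank) is the one whose session should be challenged with a second factor, which is the page's point about static passwords being insufficient on their own.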

ATO TECHNIQUES: PHISHING

Phishing scams are a form of social engineering that takes advantage of the natural human tendency to trust. Phishing scams impersonate well-known brands and trusted individuals, and often appear deceptively legitimate. While phishing is executed in multiple ways, including SMS text messages (smishing), messaging services (e.g., Skype), and social media messages, the most common form of phishing is email.

A phishing message aims to create a sense of urgency, often by alerting the user that their account is at risk. Recipients are then persuaded to click links that redirect them to a fake banking portal or to open an attachment that will install a piece of credential-harvesting malware. In the case of mobile users, they don't even have to download an attachment: a link within an SMS can direct a user to a web page that automatically downloads malware to their device.

Common Phishing Techniques
- Classic email phishing: email sent to a large database
- Spear phishing: scam targeting a specific individual or group (e.g., Bank X's customers)
- Whaling: scam targeting a high-net-worth individual to maximize profit
- Vishing: phone fraud where a fraudster impersonates a bank employee under the pretext of calling to warn about account access issues
- Smishing: SMS text messages containing a link to a fake banking portal; can also take the form of a messenger-based scam
- Overlay attacks: overlay attacks on Android devices leverage phishing techniques, creating fake screens to collect banking credentials

According to the MCSA, there are approximately 15.2 million texts sent every minute of every day. More than 90% of them are opened within 3 seconds, making it a very attractive channel for fraudsters. Midwest Cyber Security Alliance [3]

ATO TECHNIQUES: SIM SWAPPING

Swapping a SIM card is a legitimate service offered by mobile phone operators when a customer switches to a new device and the old SIM card is no longer compatible. Fraudsters can abuse this service. While the fraud requires research and preparation, the hack itself is relatively simple. In what is known as a SIM swap scam, fraudsters use social engineering techniques to transfer the victim's mobile number to a new SIM card. All of the victim's SMS messages are then redirected to the fraudster.

"By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don't have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords." Wired [4]

This enables the fraudster to target banking solutions that use the mobile phone as part of the authentication flow. For example, if enrollment of a mobile banking app happens through SMS, fraudsters can use SIM swapping to impersonate the victim and activate the banking app on the fraudster's phone. Also, if the bank's authentication mechanism includes text messages as a means of delivering one-time passwords (OTP), then taking over the victim's number becomes an attractive way for a criminal to authenticate fraudulent transactions, add payees, or perform other operations within the banking session.

ATO TECHNIQUES: MALWARE

"Banking Trojans accounted for almost 59% of all malicious email payloads in Q1 2018." Proofpoint [5]

Another way to take control of a bank account is through malware. This malicious software may be installed on the victim's computer or mobile device through a wide range of user actions. These include visiting risky websites, opening attachments from phishing emails, or downloading mobile apps from untrusted sources. It can also be bundled with other programs (e.g., masquerading as a Flash Player update).

Malware programs can perform different kinds of attacks. Some will install configuration files on the infected computer in order to redirect the victim to a malicious website. Some, called key loggers, will intercept everything the victim types, including their banking credentials. Others can infect a web browser by installing as an add-on. Known as a Man-in-the-Browser attack, they are capable of intercepting credentials or modifying transaction details or other data.

ATO TECHNIQUES: MOBILE BANKING TROJANS

Mobile banking Trojans have been growing in volume and complexity. With as much as 50% of the entire global banking population using their mobile devices for banking services [6], we will continue to see mobile banking malware in the headlines.

One of the functionalities of a mobile banking Trojan is an overlay attack. In an overlay attack, the Trojan presents its own screen on top of the legitimate bank application. The Trojan's fake login interface mimics that of the legitimate banking app, so that the user is none the wiser. This malware will monitor running applications and wait for the targeted mobile banking app to launch. At that point, it will activate and push the legitimate banking app to the background to display its own login interface. The malware then captures the victim's authentication credentials.

The damage doesn't end there. Mobile banking Trojans can remain active while the victim performs other actions during the banking session. For example, the malware can modify transaction data by intercepting a funds transfer and redirecting the money to a fraudulent account. Some versions of overlay malware, including the newer iterations of BankBot, are even able to intercept text messages.

[Chart: number of mobile banking Trojan installation packages per quarter, Q2 2017 to Q3 2018. "The number of mobile banking Trojan installation packages increased 138% over Q2 and Q3 2017." Kaspersky Lab [7]]

"BankBot now targets over 420 leading institutions in countries such as Germany, France, Austria, the Netherlands, Turkey and the United States." PaymentsSource [8]

ATO TECHNIQUES: MAN-IN-THE-MIDDLE

In this type of attack, fraudsters position themselves between the financial institution and the user in order to intercept, edit, send, and receive communications without raising suspicion. Taking over the communication channel between the user's device and the server can be done by setting up a malicious Wi-Fi network as a public hotspot (known as a rogue access point). People take advantage of public hotspots, not realizing they may be transferring their payment data through a network controlled by a bad actor.

Man-in-the-Middle Scenario
1. The user connects to the bank and sends the transaction data (in the illustration, a card number and password).
2. The transaction data is intercepted by the Man-in-the-Middle.
3. The fraudster modifies the transaction data.
4. The modified transaction request is sent to the bank.

A Man-in-the-Middle attack can also take place through the use of a mobile banking application. Mobile banking apps should apply certain security measures when communicating with a server. However, improper design can make an app vulnerable. Incorrect configuration or lack of a secure channel for mobile data in transit also increases the risk of this type of attack.

SOLUTIONS TO PROTECT YOUR CUSTOMERS AND BUSINESS

MULTI-LAYERED PROTECTION

Financial institutions apply various security measures to protect customers from becoming victims of account takeover fraud. For example, many educate customers on topics such as how to recognize phishing and how to protect their mobile devices against malware. Despite such preventive measures, the amount of account takeover fraud is growing, with the financial losses now in the billions of dollars.

That is why FIs need additional layers of protection. A multi-layered security approach can minimize the risk and impact of account takeover fraud, protecting a bank's customers and operations without any negative impact on the user experience.

The next part of this guide explores solutions designed to:
- Protect the user
- Protect the device and the banking session
- Proactively detect fraud across all digital channels
- Provide flexible and secure authentication journeys

A MULTI-LAYERED APPROACH

Protecting the user
With attack scenarios increasing in variety and complexity, it is important for FIs to implement solutions that help minimize the risk of customers interacting with a fraudster and becoming victims of social engineering or Man-in-the-Middle attacks.

Protecting the device and the banking session
Mobile devices inject risk into the banking journey, but with the proper security they can actually become an asset and contribute to a safe user experience. Therefore, it is important to include mobile security capabilities, such as app shielding, in the app design.

Proactive fraud detection across all digital channels
It is possible to detect the signs of an account takeover before the customer is affected. To do this, FIs need a solution that can review and act on data collected from users' actions. Within this user data, there are often clues that a customer may be under attack. A modern, comprehensive fraud detection and prevention solution will score every action and every user in all digital channels by gathering knowledge on all actions before, during, and after the session to create a complete overview of the transaction.

Dynamic and flexible authentication flows
A modern approach should support a wide range of authentication methods across different channels. For each transaction, the fraud prevention system should evaluate risk in real time and apply the precise level of security necessary for that specific transaction. Every user action should be treated uniquely and should dynamically trigger the most appropriate authentication challenge. This creates an additional barrier for a fraudster while providing the best possible experience for legitimate customers.

PROTECTING THE USER

Cronto Technology in Action

OneSpan's unique, patented Cronto visual transaction signing solution helps protect customers from social engineering and Man-in-the-Middle attacks that lead to account takeover. As explained in the Man-in-the-Middle section above, in a MitM attack a bad actor intercepts the communication between the customer and the bank and alters the details of a transaction. Such an attack could change a genuine payment into a rogue transfer to an imposter.

To thwart these attacks, Cronto technology displays a unique visual challenge that contains the transaction details. When the user wants to make a payment or funds transfer, they:

1. Enter the payment information into the online banking application. The banking server uses that data to generate a colored cryptogram displayed on the customer's screen.
2. Scan the cryptogram using their phone's camera or a dedicated hardware device. This decodes the cryptogram, decrypts the payment data, and shows it to the user as clear text.
3. Authenticate to their device, and Cronto calculates the authentication response code using a cryptographic key stored on their device. This confirms to the bank that the amount and payee are correct and have not been tampered with. The transaction can proceed.

In short: start the Cronto app on your phone, scan the Cronto image on the screen, then check the payment info and use the unique secure number to authorize it.

A bad actor cannot modify the contents of the transaction since the cryptogram is uniquely connected to the transaction details. Any change will invalidate the code. This creates a secure virtual channel between the FI and the legitimate account holder, preventing a MitM scenario.

Learn about Cronto in this eBook: Social Engineering: Mitigating Human Risk in Banking Transactions [9]
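The three steps above are a what-you-see-is-what-you-sign protocol, and the property the text claims (any change to the transaction invalidates the code) follows from binding the response code to the transaction details the user actually saw. The simulation below is an added example written for this page, not OneSpan's Cronto implementation: the SHA-256 keystream cipher and the 8-digit HMAC-derived response are stand-ins for the real, undisclosed Cronto algorithms, the shared DEVICE_KEY is assumed to have been provisioned to the device at enrollment, and the transaction values are constructed. It walks both MitM timings: tampering before the bank builds the cryptogram (the user sees the wrong payee and refuses) and tampering after the code is produced (the bank's verification fails).

```python
"""What-you-see-is-what-you-sign transaction authorization (added example)."""
import hashlib
import hmac
import json
import os

# Constructed: symmetric key shared by the bank and the enrolled device.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256; stand-in for the production cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _canonical(txn):
    """Deterministic encoding so bank and device MAC exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def bank_create_cryptogram(key, txn, nonce=None):
    """Step 1: the bank encrypts and authenticates the transaction details.
    In production this byte string is rendered as the coloured Cronto image."""
    nonce = nonce or os.urandom(NONCE_LEN)
    plain = _canonical(txn)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + cipher + tag


def device_decode_cryptogram(key, cryptogram):
    """Step 2: the device checks the cryptogram came from the bank, then
    decrypts it and returns the details for the user to review."""
    nonce, cipher, tag = (cryptogram[:NONCE_LEN], cryptogram[NONCE_LEN:-TAG_LEN],
                          cryptogram[-TAG_LEN:])
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cryptogram was not generated by the bank")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain), nonce


def cryptogram_is_authentic(key, cryptogram):
    """Convenience wrapper: True iff the device would accept the cryptogram."""
    try:
        device_decode_cryptogram(key, cryptogram)
        return True
    except ValueError:
        return False


def device_response_code(key, txn, nonce):
    """Step 3: after the user confirms, derive an 8-digit code bound to the
    displayed details and to this particular challenge (nonce)."""
    mac = hmac.new(key, nonce + _canonical(txn), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify(key, txn_to_execute, nonce, code):
    """The bank recomputes the code over the transaction it is about to run."""
    return hmac.compare_digest(code, device_response_code(key, txn_to_execute, nonce))


def run_flow(key, intended, tamper_before=None, tamper_after=None):
    """Full round trip. tamper_before models a MitM altering the request
    before the bank builds the cryptogram; tamper_after models alteration of
    the final request after the user has produced the code."""
    received = tamper_before(intended) if tamper_before else intended
    shown, nonce = device_decode_cryptogram(key, bank_create_cryptogram(key, received))
    if shown != intended:          # the user compares the clear-text summary
        return "rejected_by_user"
    code = device_response_code(key, shown, nonce)
    executed = tamper_after(received) if tamper_after else received
    return "accepted" if bank_verify(key, executed, nonce, code) else "rejected_by_bank"


# Constructed sample transaction (placeholder IBAN, not a real account).
TXN = {"amount": "1500.00", "currency": "EUR", "payee_iban": "XX00PLACEHOLDER0001"}

if __name__ == "__main__":
    print(run_flow(DEVICE_KEY, TXN))
    print(run_flow(DEVICE_KEY, TXN, tamper_before=lambda t: {**t, "payee_iban": "XX00ATTACKER"}))
    print(run_flow(DEVICE_KEY, TXN, tamper_after=lambda t: {**t, "amount": "9500.00"}))
```

The design point is that the bank never trusts the submitted request alone: it trusts the response code, and the code can only be produced by the enrolled device over details the user has just read. A real deployment would use an authenticated cipher and a hardware-protected key rather than the stand-ins here.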

PROTECTING THE USER

Cronto has been designed to thwart social engineering attacks. The user can trust the security of the transaction knowing only their bank can generate the code, and only their device can decrypt the contents of the code. The colored Cronto code contains all transaction data, including the device used, the transaction amount, and recipient account details.

- Cronto establishes a secure communication channel between the bank and the legitimate user.
- Cronto assures the user that the transaction authorization request is coming from the bank.
- Cronto provides a clear-text summary of the transaction to the user for review and authorization.
- To avoid "authorization blindness", banks can visually alert users to high-risk transactions (for example, flagging a foreign transaction).
- The bank controls the transaction authorization process.
- Cronto ensures that transaction signature requests reviewed and authorized by the user originate from the bank and can only be viewed by the legitimate user.

[Illustration: "Scan & Sign" transaction overview shown on the bank's website and on the user's device, listing the sample card number 589 425 971 565, amount 1,500.00, name of beneficiary (Jim R.D. Huffelton) and address of beneficiary (114 Wallton Road) for review.]

PROTECTING THE DEVICE AND THE BANKING SESSION

With OneSpan's Mobile Security Suite, financial institutions gain visibility into risks in the mobile channel. The solution applies a 360-degree approach to mobile security, taking into account factors such as the app, device, interface, communications, storage, and users. It can detect risk factors related to the user's device and apply countermeasures. With app shielding and runtime protection, it is able to provide advanced protection against overlay attacks, key loggers, and other malicious technologies. For example, OneSpan App Shielding has a built-in mechanism to detect if an app is put into the background state, which together with other criteria can help determine whether an overlay attack is in progress.

The Mobile Security Suite can also identify risk factors such as a jailbroken or rooted device, and still maintain a secure environment for the app to operate in. This enables customers with a higher device risk profile to continue to benefit from mobile banking.

The Mobile Security Suite includes encrypted, secure communication channels as well as secure storage to prevent eavesdropping. In addition, FIs can implement flexible authentication scenarios with fingerprint, face, behavioral biometrics, and more.

Some FIs claim they don't experience much fraud in the mobile channel. While possible, it is more likely that the organization is just unable to track it appropriately. For example, a mobile overlay attack is designed to capture a user's login credentials. The attacker could then use those credentials to infiltrate the online channel, a classic example of online fraud that originated in the mobile channel.

PROTECTING THE DEVICE AND THE BANKING SESSION

Mobile Security Suite capabilities:
- App Shielding with Runtime Protection
- Behavioral Biometrics Authentication
- Jailbreak & Root Detection
- Face Authentication
- Device Risk-Based Authentication
- Device Binding
- Cronto Authentication
- Secure Storage
- Secure Channel
- E-Signatures
- QR Code Support
- Transaction Signing
- Push Notification

PROACTIVE FRAUD DETECTION

OneSpan Risk Analytics provides financial institutions with the ability to proactively detect signs of an account takeover before it affects users. The solution continuously analyzes and scores numerous data points in real time across digital channels to create a full picture of user actions (before, during, and after the session). Leveraging machine learning, the risk analytics engine can spot anomalies in user behavior and take appropriate action based on the transaction's risk level.

Examples of combinations of events indicating the possibility of an account takeover attack:
- A login from a new location followed by a password reset and changes in contact details
- A login from a new IP followed by checking the account balance followed by requesting a large transfer
- Sudden password change requests from multiple users
- Accumulation of unsuccessful login attempts

Risk Analytics detects certain combinations of signals in the user, device, and transactional data, which can provide indicators that customers are under attack. It can also provide an overview of customer actions to help identify suspicious combinations of events.

Thanks to these capabilities, Risk Analytics is also an important security layer in the detection of SIM swapping attacks. It collects behavioral biometrics data and other risk-based parameters, such as geolocation, time of the day, or the number of total requests for reactivation. A spike in such requests could be a sign of a SIM swapping attack.

PROACTIVE FRAUD DETECTION

[Diagram: data from the online channel, the mobile channel and third-party applications feeds the Risk Analytics engine, which applies policies and rules to produce a risk score and one of three outcomes: Allow, Review (manual), or Block.]

1. Risk Analytics collects and analyzes data from a variety of different sources, including:
- Devices: endpoint-centric data monitoring at the device level
- Behavior: analyzes interactions with the device as well as session navigation behavior, such as the speed and time of browsing, to identify suspicious activity
- Historical: analysis of user and account activity in a digital channel, on a historical basis
- Multi-channel: analysis of user behavior across multiple channels, devices, and applications
- Business applications: analysis of financial and third-party application data

2. To determine the risk associated with each financial transaction, Risk Analytics analyzes and scores user, device, and transaction data points across multiple digital channels in real time.

3. Based on the risk score, Risk Analytics automatically takes appropriate action:
- Allow: low risk score; allows the financial transaction to continue
- Review: medium risk score; creates an activity case for review; more customer validation is required
- Block: high risk score; blocks the transaction and creates an activity case for review
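The indicator combinations listed in the previous section and the Allow/Review/Block policy above can be expressed as a small rules engine over a session's event sequence. The code below is an added example written for this page, not OneSpan Risk Analytics: the event schema, the indicator weights, the thresholds (score 40 for review, 70 for block) and the sample sessions are all constructed, and a real engine would learn weights from history rather than hard-code them. It covers the per-session patterns (new location then password reset then contact change; new IP then balance check then large transfer; an accumulation of failed logins) and, separately, the population-level signals the text mentions (a burst of password resets across many users, or a spike in reactivation requests that may indicate SIM swapping).

```python
"""Session risk scoring from event combinations, with Allow/Review/Block (added example)."""
from collections import Counter

REVIEW_AT, BLOCK_AT = 40, 70   # constructed thresholds on a 0..100 score
LARGE_TRANSFER = 5000          # constructed "large transfer" amount


def _in_order(seq, pattern):
    """True if every element of pattern occurs in seq in that order (gaps allowed).
    `p in it` on an iterator consumes up to and including the match."""
    it = iter(seq)
    return all(p in it for p in pattern)


def score_session(events, known_locations, known_ips):
    """events: chronological list of dicts with 'type' and optional
    'location', 'ip', 'amount'. Returns (score, reasons)."""
    score, reasons = 0, []
    types = [e["type"] for e in events]
    login = next((e for e in events if e["type"] == "login"), None)
    new_location = login is not None and login.get("location") not in known_locations
    new_ip = login is not None and login.get("ip") not in known_ips
    failures = types.count("login_failed")
    large = any(e["type"] == "transfer" and e.get("amount", 0) >= LARGE_TRANSFER
                for e in events)

    if failures >= 5:                      # accumulation of unsuccessful logins
        score += 40
        reasons.append(f"{failures} failed logins in session")
    if new_location:
        score += 15
        reasons.append("login from new location")
    if new_ip:
        score += 10
        reasons.append("login from new IP")
    # Indicator: new location -> password reset -> contact details changed
    if new_location and _in_order(types, ["login", "password_reset", "contact_change"]):
        score += 50
        reasons.append("new location + password reset + contact change")
    # Indicator: new IP -> balance check -> large transfer
    if new_ip and large and _in_order(types, ["login", "balance_check", "transfer"]):
        score += 45
        reasons.append("new IP + balance check + large transfer")
    return min(score, 100), reasons


def decide(score):
    """Map the score onto the three-outcome policy from the text."""
    if score >= BLOCK_AT:
        return "block"
    if score >= REVIEW_AT:
        return "review"
    return "allow"


def population_alerts(events, baseline_per_hour, factor=3):
    """Fleet-wide view across all users: count sensitive requests per hour and
    flag any (hour, type) running at >= factor x its baseline rate, e.g. a burst
    of password resets or of SIM/app reactivation requests."""
    counts = Counter((e["hour"], e["type"]) for e in events
                     if e["type"] in baseline_per_hour)
    return sorted((hour, typ, n) for (hour, typ), n in counts.items()
                  if n >= factor * baseline_per_hour[typ])


# Constructed sample profile and sessions
KNOWN_LOCATIONS = {"Brussels"}
KNOWN_IPS = {"192.0.2.10"}
BENIGN = [{"type": "login", "location": "Brussels", "ip": "192.0.2.10"},
          {"type": "balance_check"}, {"type": "transfer", "amount": 200}]
TAKEOVER = [{"type": "login", "location": "Unknown City", "ip": "198.51.100.9"},
            {"type": "password_reset"}, {"type": "contact_change"}]
PROBE = [{"type": "login", "location": "Brussels", "ip": "198.51.100.9"},
         {"type": "balance_check"}, {"type": "transfer", "amount": 8000}]
BRUTE = [{"type": "login_failed"}] * 6 + [{"type": "login", "location": "Brussels",
                                           "ip": "192.0.2.10"}]

if __name__ == "__main__":
    for name, session in [("benign", BENIGN), ("takeover", TAKEOVER),
                          ("probe", PROBE), ("brute", BRUTE)]:
        score, why = score_session(session, KNOWN_LOCATIONS, KNOWN_IPS)
        print(f"{name}: score={score} action={decide(score)} reasons={why}")
```

Two points the code makes concrete: an individual signal (a new IP on its own) stays well under the review threshold, so legitimate travellers are not challenged, while the specific ordered combination the page describes pushes a session past the block threshold; and the population-level check is a separate query, because a burst of resets or reactivations is invisible from inside any one session.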

PROACTIVE FRAUD DETECTION

Identification of Account Takeover Indicators
OneSpan Risk Analytics helps identify indicators of an account takeover attack. It provides an overview of all users and actions; this data can help detect a new attack vector targeting customers. Risk Analytics helps to detect known and emerging fraud scenarios, which is crucial considering the ever-increasing variety and volume of account takeover attacks. For example, by analyzing the HTTP referrer, the solution can indicate the probability of a phishing attack that can lead to an account takeover.

Real-time, Multi-channel Fraud Detection
OneSpan Risk Analytics works in the background, collecting and scoring activities in real time based on a detailed analysis of user behavior, transaction details, and other key contextual data across multiple digital channels. It proactively protects against fraudulent activities by identifying risk at critical steps, predicting risk levels, and taking action when suspicious activities are identified.

Machine Learning, Risk-based Analysis
OneSpan Risk Analytics leverages machine learning and sophisticated data mining and modeling to gain the most accurate predictions of risk and fraud. It collects vast amounts of data from multiple sources and digital channels to ensure the most accurate risk score. These scores drive intelligent workflows that trigger immediate action based on pre-defined and/or bank-defined security policies and rules. The combination of intelligent automation and risk scores streamlines processes, reduces operational costs tied to manual review, and ultimately improves the user experience through fewer false positives.

PROACTIVE FRAUD DETECTION

Risk Analytics helps prevent:
- Attacks on the login process
- Unauthorized creation of new payees
- Unauthorized user profile account changes
- Suspicious funds transfers

Risk Analytics is able to help prevent these four scenarios because it:
- Profiles new and existing devices, identifies device changes, and analyzes location and contextual data
- Profiles user behavior, analyzes the user's journey in a banking session, and detects account changes (e.g., changes in spending patterns, profile information, and login speed)
- Profiles new and existing payees (e.g., verifies payee change details, how payees are related to other users, and whether a user has exceeded the number of saved payees)
- Detects suspicious combinations of sensitive operations (e.g., change of user profile, creation of a new payee, change of contact information follo
