Much optimism surrounds the coming of a new year – 2022, where the problems of the past twelve months will slowly fade away. But with fraud at an all-time high, businesses across the world are still constantly on the front foot in combating it.
At first glance, it’s a process of constant escalation, a tug of war between anti-fraud measures and all of the sophisticated tools that bad actors use to target the unwary.
But only at first glance. One of the prevalent tools that fraudsters are using time and again is Account Takeover Fraud (ATO), and it’s something that’s been around for a very long time. The principles, methods and attack vectors are well-known and understood; yet, it’s costing US businesses in the region of $25.6 billion a year.
Which begs the question: why is it still an issue?
The path of least resistance
From the angle of fraudsters. ATO is hugely cost effective: high-value accounts with authentication mechanisms that fraudsters find relatively easy to bypass equates to a sizeable ROI. That statement may raise an eyebrow; after all, no organization wants to hear that its security is anything other than watertight.
But all too often, businesses rely on passwords and usernames, backed up by possession factors such as OTPs sent via SMS. That presents virtually no challenge to fraudsters – the former can be circumvented by credential stuffing; the latter by SIM swap and SS7 attacks. It’s a painful reminder that SMS was never designed for security.
And of course, that’s far from the only approach that fraudsters will employ. Remote Access Trojans (RATs) – and increasingly, MRATs, their mobile equivalent – bots, scripted attacks and social engineering are just a few of the constantly evolving methods that bad actors are using on an hourly basis, successfully.
Fraudsters shift their focus
It’s also worth considering which accounts fraudsters are targeting. And the answer is, simply, all of them.
It’s understandable to associate ATO with the types of accounts that are perceived to have a direct monetary value such as bank accounts. But if gaining access to any sort of account could yield a profit for a bad actor – however far downstream – it’s going to be targeted.
A good example is the vast number of loyalty programs and incentive programs operated by businesses all over the globe. It’s easy to associate these with the occasional free cup of coffee, and subsequently overlook them as low value targets.
But some programs allow customers to accumulate serious worth, ranging from discount vouchers to airplane tickets. In fact, the real value of unspent loyalty points is in the hundreds of billions of dollars. For bad actors, that’s the perfect lure: high value and low security.
The true cost of Account Takeover
Twenty-six billion dollars. That’s anything but small change, but it was the estimated cost of ATO in 2020 alone. That is a figure that should make anyone sit up and take notice, but unfortunately, it’s just the tip of the iceberg.
Victims of fraud are unlikely to stay silent; they have ample channels available for escalating their complaints if they’ve been defrauded. The Securities and Exchange Commission (SEC) is taking strong action against businesses that allow cyber security breaches, with news of fines and payouts to whistleblowers – often in the tens of millions of dollars – coming weekly.
And they also can and will express their dissatisfaction via social media. With ATO a hot topic for the press, an organization that allows it to happen can potentially face massive damage to both its reputation and, resultingly, its finances.
Making ATO yesterday’s news
The press aspect is important. ATO makes the headlines on a weekly basis and, in 2022, that shouldn’t be the case. And in fact, it doesn’t need to be. There are steps that businesses can take to protect themselves, their customers, and their reputations.
The most important one of all is plugging the security holes around account access. Digital-first journeys demand digital solutions. Easily compromised analog authentication methods such as usernames and passwords are far too easy to bypass. Shoring them up with SMS OTPs as a secondary authentication factor doesn’t help. In fact, it arguably makes things worse: it puts organizations on shaky ground by essentially authenticating in the very same channel that fraudsters are using to ply their trade.
What’s needed is a shift towards a positive identification approach – a shift that not only improves security, but also lowers costs and improves UX: factors that resonate with both the board and the customers.
Callsign’s solution layers intelligence and combines factors such as behavioural biometrics with device and threat information, thereby ensuring that only the right individuals have access to the right accounts. That’s a quantum leap beyond passwords and OTPs, a seriously strong deterrent to bad actors – who, once again following the path of least resistance – will swiftly change their focus to easier targets.
And importantly, this works across all accounts, journeys and channels; meaning that data that’s used to secure the login can also deliver the same high level of protection at the point of payment. Whether it’s web or mobile, a holistic, unified approach is needed; and that’s exactly what Callsign can provide.
Everybody wants to embrace the new year with a positive outlook and a sense of optimism. We can accept that not all of our problems will fade away, But the potential is there to finally lay ATO to rest is just that. It’s feasible, achievable. And it needs to happen.