In the News

Preventing Account Takeover and Social Engineering Attacks

May 5, 2020 HelpNet Security

In this podcast Angie White, Senior Product Marketing Manager at TransUnion, explores ATO and social engineering attacks and offers some suggestions on how to address these threats including device-based authentication.

Episode Transcript (Excerpt):

Hello. This is Angie White, Senior Product Marketing Manager for TransUnion Global Fraud and Identity Solutions. Today we’re going to dive into how COVID-19 is driving an increase in account takeover as well as providing some suggestions on how to combat.

Before we get too into the weeds, let’s just quickly level set on a definition of account takeover or ATO. Account takeover is when a legitimate customer’s account is accessed through illicit means for the purpose of committing fraud. Account takeover isn’t a new phenomenon. It’s something that’s been around in financial services and banking for a long time, but we’ve seen a rapid increase in segments such as e-commerce, insurance, telecommunications in recent years.

How is COVID-19 driving an increase in account takeover? We’re seeing two primary factors. First off is just the increase in volume, as consumers have been forced to turn to digital channels because they can no longer go to their local bank, go to their local store. It’s really made it easier for fraudsters to hide in that uptick of volume. Secondly, you see that fraudsters are taking advantage of the chaos using the uncertainty to victimize consumers.

Looking at our data, we’re seeing big spikes for sectors such as banking, telecommunications, e-commerce. As an example, we saw a 23% increase in e-commerce traffic the week of March 11th to 18th, so that was the week following the declaration by the World Health Organization of the pandemic. This left many businesses trying to shore up work from home operations, secure their sites and deal with increases in volume both on their sites but also in their contact centers.

The Aite group estimates that banks have seen spikes in call center volume at around 40%, so that’s quite the increase. Likewise, telecommunications providers have seen spikes ranging around 25%. Never missing an opportunity, fraudsters have also taken advantage of a chaos to perpetrate more fraud, and in an analysis of transactions we protect, we found a 14% increase in risky transactions for financial services since March 11th. So, we’re definitely seeing that already play out for our customers.

Also, looking at the consumer impact, TransUnion pulled over 3000 Americans, 18 and older, on how COVID-19 is impacting them. 28% of respondents indicated that they had already been targeted by a digital fraud scam related to COVID-19, and this was up from the previous week where 23% had indicated that they had already been targeted. So, a 5% increase in one week. This really highlights that this trend is likely to accelerate. Of those consumers, 10% of Gen-Z and 9% of Millennials indicated that they had already fallen victim to a COVID-19 scam. So, we’re seeing approximately a third of those scams be successful.

There are a number of attack methods used to perpetrate account takeover, but for our purposes I’m only going to hit on three of the most common methods: phishing scams, social engineering and credential stuffing.

Phishing scams. You’ve likely all seen these emails, they look very legitimate or it could be a phone call or legitimate looking website. Fraudsters are using the current crisis to send out prevention tips for COVID-19, news updates, promising information about stimulus checks, using that to steal login credentials and personal data through various means. Unfortunately, consumers have a bad habit of reusing login credentials. That means that such compromises will likely lead to an uptick in account takeover across all industries and across the board.

Social engineering can come in a number of flavors. One attack method is to gather information that is publicly available about a consumer, from sources such as social media or that have been gained from phishing attacks. In the age of social media, consumers have gotten in the habit of oversharing, so publicly posting about things like attending a high school reunion, that makes it very easy for a fraudster to then go and search on that high school, find out who their mascot is, find out what their hometown is. Those are all pieces of information that can be used in social engineering to answer KBA questions, to socially engineer contact center agents and gain access to an account.

Another flavor of social engineering that we see is what we term romance scams. This is where a bad actor ingratiates themselves with an intended victim. We actually had a real use case with one of our customers, a very large telcom provider, where fraudsters were going out ingratiating themselves with lonely people on dating sites and getting them to give them their login credentials with the promise that they would go and add a phone line, get a phone so that they could talk more.

Of course, the fraudsters go in, they add 10 lines, order 10 new phones and create big losses for the business and a lot of dissatisfaction for that customer. I’ll talk through some ways that they shut that down in just a moment.

Lastly, credential stuffing. This is when fraudsters, they take stolen credentials, gained through phishing attacks or in many cases simply bought off the dark web, and they test those stolen credentials against a site to see what accounts they can gain access to. These attacks are often automated using bots. When they find a good account, they go in, they can take it over. And what’s more is they use those good credentials, not only on that site, they move from site to site, seeing if they’ll work on other platforms.

So again, with the attacks that we’re seeing due to COVID-19, with the increase in phishing scams, increased breached credentials, personal data, that’s all going to drive more credential stuffing attacks.

There’s a number of measures that businesses can take to mitigate account takeover. I’m going to break it out by customer touch points. So let’s start at login.

You really do need to go beyond username and password to secure customer accounts. With all the breaches, all the phishing attacks, you really do need to move forward with the assumption that your consumer’s credentials have been compromised. There’s a number of options that are easy to layer onto existing authentication solutions depending on the need of your business. Things such as one-time passcodes, or OTP, multifactor authentication, captcha. At TransUnion, we recommend device-based authentication. This essentially pairs the consumer device to their account using it as a mode of authentication.

I touched on the romance scams a little earlier. This is exactly how that telcom provider shut down account takeover in their service, so they implemented device-based authentication. They were able to pair good user devices to their accounts, that way, if a fraudster came in, even with the correct credentials, they could see that that device was not authorized to access that account, so very effective for them in shutting down account takeover.

Device-based authentication also gives you a lot of risk insight that isn’t available for most other authentication methods. Things like unusual velocities, geolocation mismatches, or the use of anonymizing proxy, so somebody’s trying to make it look like they’re coming from a mobile device when you can really see that they’re using an emulator and coming from a laptop.

The next point of risk is account management. Once fraudsters have gained access to an account, they of course want to change account details such as email or shipping address so they can take over the account.

Again, there’s a number of methods where you can protect account management. You can add verification checks such as verifying email, phone, address. Another very effective method is using push authentication. With this, you can push an authentication request to the user’s device to authenticate with, say, a thumbprint or a PIN that they did initiated that change to their account.

One of the benefits of this is that you can use it for any channel. So, if somebody is requesting changes via the web, via your application, or even via the contact center, you can push that authentication request directly to the user’s device to authenticate before proceeding with the change.

As your business starts to operate in the new normal that is COVID-19, it’s really important to think through what are your points of risk across your customer journey and how can you add protection without adding too much friction. Unfortunately, there isn’t a silver bullet for shutting down ATO because there are many points of risk across the customer journey and many different attack methods.

Businesses are really going to have to examine what are their points of risk in the customer journey, how can they protect those points of risk without adding too much friction and create the new normal in the COVID-19 era. Stay safe out there.