Threat of the Week: Account Takeovers Multiplying
Identity theft may get the ink – even a recent movie – but a nasty cousin is account takeover, and that’s now emerging as a crime growing at a steroid-driven rate.
The company also noted “a rise in the sophistication of account takeover attempts.”
Worse news: “We see fraudsters moving down market where the defenses against account takeovers are not as sophisticated,” said David Britton, an executive with security firm 41st Parameter.
His point: the money center banks have been spending aggressively on technologies to outsmart account takeover artists and the thieves are heading to institutions with less formidable barriers.
That may mean you.
Are you ready?
Michelangelo Sidagni, chief technology officer at security firm NopSec, related that he knows of a case where the CEO of a financial institution personally fell victim to account takeover. “This is a fast-growing problem,” he added.
Which brings us to the other, pertinent question: Are you really you?
That is the account takeover question. Where it differs from identity theft is that in the latter a crook uses legitimate credentials belonging to a victim to open a new account which, typically, is used to incur debt that the thief never intended to repay.
What is especially maddening about an account takeover is that you, the victim, effectively cease to be. And the takeover artist can simply loot the account, making this potentially a lightning fast, in-and-out crime.
The onus, said the experts, is on financial institutions to prevent this – but that is not always easy, in part because victims frequently hand over their login credentials to criminals.
That is unwitting, of course, but via Zeus, phishing email, or other scams, many of us are all too ready to part with our sign-in credentials, which makes the account takeover as simple as a few clicks of a computer mouse.
“This used to be rooted in dumpster diving. Now it is about malware,” said Brian Riley, an expert with CEB TowerGroup. He added: “Account takeover is growing because it is a relatively easy fraud to commit.”
“There is only so much a bank can do to stop account takeovers,” said Denis Kelly, author of The Official Identity Theft Prevention Handbook. He added: “If they have your name and password and Social Security number, how can the bank decline?”
Criminals also are getting sophisticated in the looting. A smart crook, with a victim on the line, will frequently open his own account with the victim’s institution. He then will transfer a few dollars from the victim’s account to his. Maybe he will do a second, slightly larger transfer. Then he will pounce, emptying the victim’s account and quickly transferring the balance in his account to another U.S. bank, from which it will fly out of the country and, for all practical purposes, be gone.
Add this up and the sharp conclusion is that the burden is on financial institutions to up their defensive game when it comes to account takeovers. How?
“Banks need to be more proactive in their monitoring,” said Glen Sgambati, chief risk and security officer at Early Warning. Monitor for anomalies – such as wire transfers and changes of address or cellphone numbers – that correlate with account takeovers and, just possibly, institutions can go far toward minimizing this crime.
Meantime, at 41st Parameter, Britton preaches a doctrine of device identification and authentication and it gets granular. This company’s argument is that doing anomaly detection on transactions is too late, that security has to catch the thief before the money begins to move.
How? The 41st Parameter technology will check not just the device ID, but what the computer’s time zone setting is (a setting for Ukraine is a red flag on an account registered to a Peoria, Ill., home address). It will also look for language settings and many dozens of other, subtle identity clues found on any computer.
How long does the check take? A fraction of a second, said Britton.
Still other experts urge putting more of the security burden on the members’ backs, encouraging them, for instance, to sign up for SMS alerts regarding high-value transactions and also imploring them to activate two-factor authentication before high-value transactions are processed.
Yes, those are burdens – and credit union executives have shied away from heaping burdens on members – but the payoff is another layer of protection.
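The controls described above (the probe-then-drain looting pattern, Early Warning’s monitoring for wire transfers and contact-detail changes, 41st Parameter’s device, time-zone and language checks, and step-up two-factor authentication before high-value transactions) can be expressed as a single risk assessment that runs before a transfer is released. The following Python is an added example, not code from the article or from any of the vendors it quotes; the indicator weights, thresholds, account profiles and transfer history are all constructed for illustration.

```python
"""Account-takeover risk assessment over a constructed event stream.

Added example; not the article's code and not any vendor's product logic.
Scores a pending transfer on the indicators the article lists: device and
context mismatch against the member's profile, a recent address or phone
change, a high-value wire, and the 'small probe transfers, then drain'
pattern. The weights and thresholds below are constructed, not published.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Profile:
    expected_tz: str                    # time zone implied by the registered home address
    expected_lang: str                  # language setting usually seen on this account
    known_devices: frozenset            # device IDs previously seen on this account
    address_changed_at: Optional[datetime] = None
    phone_changed_at: Optional[datetime] = None


@dataclass
class Session:
    device_id: str
    tz: str
    lang: str


@dataclass
class Transfer:
    ts: datetime
    amount: float
    dest: str        # destination account label
    kind: str        # "internal" (same institution) or "wire"


# Constructed indicator weights for this example only.
WEIGHTS = {
    "unknown_device": 2,
    "timezone_mismatch": 2,
    "language_mismatch": 1,
    "recent_contact_change": 2,
    "high_value_wire": 1,
    "probe_then_drain": 4,
}


def session_indicators(profile: Profile, session: Session) -> List[str]:
    """Device/context checks that run before any money moves."""
    hits = []
    if session.device_id not in profile.known_devices:
        hits.append("unknown_device")
    if session.tz != profile.expected_tz:          # e.g. Ukraine zone on a Peoria account
        hits.append("timezone_mismatch")
    if session.lang != profile.expected_lang:
        hits.append("language_mismatch")
    return hits


def recent_contact_change(profile: Profile, now: datetime, days: int = 7) -> bool:
    """Address or phone changed within the last `days` (a known takeover precursor)."""
    for changed in (profile.address_changed_at, profile.phone_changed_at):
        if changed is not None and now - changed <= timedelta(days=days):
            return True
    return False


def probe_then_drain(history: List[Transfer], candidate: Transfer, balance: float,
                     window_days: int = 14, drain_fraction: float = 0.8) -> bool:
    """True when the candidate empties most of the balance to a destination that
    already received one or more small 'test' transfers inside the window."""
    if candidate.amount < drain_fraction * balance:
        return False
    window_start = candidate.ts - timedelta(days=window_days)
    probes = [t for t in history
              if t.dest == candidate.dest and t.ts >= window_start
              and t.amount < 0.05 * balance]
    return len(probes) >= 1


def assess_transfer(profile: Profile, session: Session, history: List[Transfer],
                    candidate: Transfer, balance: float,
                    high_value: float = 5000.0) -> Tuple[str, int, List[str]]:
    """Return (decision, score, indicators). Decisions: allow, step_up_auth
    (second factor before processing), hold_for_review."""
    hits = session_indicators(profile, session)
    if recent_contact_change(profile, candidate.ts):
        hits.append("recent_contact_change")
    if candidate.kind == "wire" and candidate.amount >= high_value:
        hits.append("high_value_wire")
    if probe_then_drain(history, candidate, balance):
        hits.append("probe_then_drain")
    score = sum(WEIGHTS[h] for h in hits)
    if score >= 5:
        decision = "hold_for_review"
    elif score >= 2:
        decision = "step_up_auth"
    else:
        decision = "allow"
    return decision, score, hits


def example_cases() -> Dict[str, Tuple[str, int, List[str]]]:
    """Constructed scenarios: a takeover in progress, a routine payment, and a
    legitimate-looking wire shortly after an address change."""
    peoria = Profile("America/Chicago", "en-US", frozenset({"dev-A"}))
    balance = 10_000.0
    now = datetime(2024, 3, 15, 10, 0)
    probes = [Transfer(now - timedelta(days=10), 5.0, "acct-new", "internal"),
              Transfer(now - timedelta(days=5), 40.0, "acct-new", "internal")]
    takeover = assess_transfer(peoria, Session("dev-B", "Europe/Kyiv", "uk-UA"),
                               probes, Transfer(now, 9_500.0, "acct-new", "wire"), balance)
    routine = assess_transfer(peoria, Session("dev-A", "America/Chicago", "en-US"),
                              [], Transfer(now, 120.0, "acct-landlord", "internal"), balance)
    moved = Profile("America/Chicago", "en-US", frozenset({"dev-A"}),
                    address_changed_at=now - timedelta(days=2))
    after_move = assess_transfer(moved, Session("dev-A", "America/Chicago", "en-US"),
                                 [], Transfer(now, 6_000.0, "acct-title-co", "wire"), balance)
    return {"takeover": takeover, "routine": routine, "after_move": after_move}


if __name__ == "__main__":
    for name, (decision, score, hits) in example_cases().items():
        print(f"{name:11s} -> {decision} (score {score}): {', '.join(hits) or 'none'}")
```

The point of the ordering inside `assess_transfer` is the one Britton makes: the device and context checks cost nothing per transaction and fire before the money moves, while the probe-then-drain check catches the looting sequence even when the session looks clean. The middle tier maps to the two-factor step-up the article recommends for high-value transactions, so a legitimate member who just moved house gets a second factor rather than a blocked wire.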
A bottom line: probably there is no silver bullet. Account takeover criminals are slick and smart and it is unlikely any one step will be a cure-all. But wary financial institutions are already implementing multiple steps because this is one species of crime that is not going away.