Surviving new cybercriminal fraud tactics

2017 was bad enough in the world of fraud, with identity theft reaching “epidemic levels”. But 2018 is panning out to be a whole lot worse: identity theft rates have now hit a record high. Gone are the days when shredding letters from the bank and credit agencies before discarding them was enough; more than four in five identity theft cases are now committed online, and nobody is safe from the damage.

Fraudsters have come up with clever and methodical ways to steal personal information from unsuspecting victims in order to carry out their online scams. Some of their methods include scouring social media sites for password hints and other information (a mother’s maiden name, for example), remotely hacking computers, and outright buying valuable information on the dark web. And these sinister actions are only the beginning.

Rampaging with stolen data

Once identity data has been stolen, fraudsters are able to create new accounts online or, even worse, use the personal information to hijack existing accounts. The latter, known as account takeover fraud (ATO), allows the fraudster to use the registered payment information and other privileges connected to the account to gain access to money and goods.

It’s a very difficult type of fraud to detect because the fraudster masquerades as the legitimate user, hiding behind his or her good history. Add into the mix the fact that the fraudster’s activity is sometimes even interspersed with transactions made by the legitimate owner, and you can see how incredibly complicated spotting ATO fraud can be.

Another tactic fraudsters commonly use is targeting email accounts, which often act as the anchor to victims’ entire online lives. Once a crook gains access to an email account, he or she can then break into multiple accounts across a vast range of online businesses, as email accounts contain everything from addresses to birthdays to saved payment information. These details alone constitute everything one needs for online fraud, and the resulting losses and damage are often irreparable.

Consumers need to tighten their defences

Successfully thwarting ATO criminals who pose as trusted users is becoming one of the largest headaches in the fraud prevention world — especially given how the problem with account takeover fraud originated.

As a way to reduce customer friction and boost sales, businesses around the world started allowing consumers to store payment details online for subsequent purchases. This benefits users, who enjoy convenience, as well as merchants, who enjoy customer satisfaction and repeat purchases. But the user ID/password combination often used to secure customers’ accounts created a vulnerability that fraudsters were quick to exploit.

Every website requires login information, so for simplicity’s sake, consumers frequently choose common passwords and reuse the same password on multiple sites. The problem with this laissez-faire approach to online security? If a fraudster is able to acquire the user ID/password combination for one account, he or she can use the same information to infiltrate all of that person’s online accounts.

As it stands, larger companies tend to suffer disproportionately here: if a fraudster obtains a stolen password for an Adobe account, they’ll next try it on PayPal, Amazon and HSBC — not the website of a local florist.

Other organisation leaks will cause you headaches

Customers could improve the security and strength of their passwords by using different passwords for each site and/or using a password management tool like 1Password.

Meanwhile, businesses could transition to more secure customer authentication methods like using biometric solutions. This will definitely put a significant dent in overall fraud rates. However, identity theft and ATO fraud have unfortunately grown to be much more complicated than merely a password issue.

Over the last few years, hackers have stolen extremely sensitive customer data from Equifax, Yahoo, Uber and numerous other companies around the world. Credit records and other valuable information from 140+ million consumers have been leaked in the last year alone, and banks and businesses ultimately paid with an upsurge in loan applications and payments using stolen credentials.

Game of cats and mice

Unfortunately, there’s no magic switch that can be flicked to erase fraud. In fact, in light of emerging technologies and the continuation of data breaches, both fraud levels and the evolution of new types of fraud are expected to keep rising. The quality of stolen identities is consistently improving — fraudsters can now buy full internet profiles for individuals, including access to all major accounts and personal information, on the dark web.

As mentioned above, social media has enabled a broad range of consumers (particularly younger generations) to share information, unaware that even the simplest bit of personal information made public could open a flood of criminal activity in their name.

Fortunately, digital tools are getting better and better at helping businesses detect both established and new fraud tactics. For example, fraudsters will often use the same device (laptop, tablet or mobile) for multiple illegitimate transactions in order to maximise their gain in a short amount of time. Anti-fraud software solutions that use high-quality device fingerprinting in combination with specially formulated transaction-based rule sets can zero in on this type of common criminal activity with the utmost precision.

Fraudsters work overtime to stay invisible for as long as possible, but it is possible to spot them early and prevent extreme damage. Innovative fraud prevention software can recognise behavioural data of customers and flag deviations from normal activity.

Features like number of recent login attempts, elapsed time since last email or address change, average time spent on product pages and average shopping cart value can be assessed in order to determine how risky each transaction might be.
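
As an added illustration (not code from the article or from any vendor's product), the sketch below combines the two ideas described above: a device-fingerprint velocity rule that flags one device appearing on several accounts in a short window, and an additive score over the behavioural features just listed. The field names, thresholds, point values and sample transactions are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample transactions (not real data). "device" stands in for a
# device-fingerprint hash; field names and thresholds are assumptions.
EVENTS = [
    {"id": "t1", "account": "alice", "device": "fp-A", "ts": 0,    "recent_logins": 0, "hours_since_email_change": 9000, "cart": 40.0,  "avg_cart": 45.0},
    {"id": "t2", "account": "bob",   "device": "fp-X", "ts": 100,  "recent_logins": 6, "hours_since_email_change": 2,    "cart": 900.0, "avg_cart": 60.0},
    {"id": "t3", "account": "carol", "device": "fp-X", "ts": 400,  "recent_logins": 1, "hours_since_email_change": 5000, "cart": 700.0, "avg_cart": 80.0},
    {"id": "t4", "account": "dave",  "device": "fp-X", "ts": 900,  "recent_logins": 0, "hours_since_email_change": 3000, "cart": 30.0,  "avg_cart": 35.0},
    {"id": "t5", "account": "alice", "device": "fp-A", "ts": 5000, "recent_logins": 0, "hours_since_email_change": 9001, "cart": 50.0,  "avg_cart": 45.0},
]

def shared_devices(events, window_s=3600, max_accounts=2):
    """Devices seen on more than max_accounts distinct accounts within window_s."""
    by_device = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_device[e["device"]].append(e)
    flagged = set()
    for device, evs in by_device.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s.
            while evs[end]["ts"] - evs[start]["ts"] > window_s:
                start += 1
            accounts = {e["account"] for e in evs[start:end + 1]}
            if len(accounts) > max_accounts:
                flagged.add(device)
    return flagged

def risk_score(event, flagged_devices):
    """Additive rule score; returns (score, reasons) so analysts can see why."""
    rules = [
        (event["device"] in flagged_devices, 40, "device shared across accounts"),
        (event["recent_logins"] >= 5, 25, "many recent login attempts"),
        (event["hours_since_email_change"] < 24, 25, "email changed in last 24h"),
        (event["cart"] > 3 * event["avg_cart"], 20, "cart far above account average"),
    ]
    hits = [(pts, why) for cond, pts, why in rules if cond]
    return sum(p for p, _ in hits), [w for _, w in hits]

def review_queue(events, threshold=50):
    """Transactions whose score meets the threshold, keyed by transaction id."""
    flagged = shared_devices(events)
    scored = {e["id"]: risk_score(e, flagged) for e in events}
    return {tid: s for tid, s in scored.items() if s[0] >= threshold}

if __name__ == "__main__":
    for tid, (score, reasons) in review_queue(EVENTS).items():
        print(tid, score, "; ".join(reasons))
```

The shared device alone is not enough to queue a transaction here (t4 scores 40), which shows why the fingerprint signal is combined with behavioural rules rather than used on its own.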

In the end, it’s not a question of “winning” against fraud – no one wins. It’s a cat-and-mouse game and you have to up the stakes for the attackers. The harder you make it for them, the less likely you will be hit.


Sourced by Roberto Valerio, CEO of RISK IDENT

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...