OneSpan: how to protect from account takeover fraud

By Matt High . Apr 24, 2020, 12:32PM

Account takeover (ATO) fraud is one of the top threats facing financial institutions, according to a new ebook from OneSpan

The new guide, Account Takeover Fraud: How to Protect Your Customers and Business, sets out the top techniques that cybercriminals use to take control of a bank account.

Account takeover, which is an identity theft crime, can be initiated in several ways, with criminals using a variety of weapons and methods to harness personal data.

These can include data breaches, phishing, SIM swapping and malware - all of which can cause serious damage to an enterprise.

However, by employing a multi-layered security approach, account takeover fraud can be protected against and customers cared for at every stage of their digital journeys.

This, together with several best practice steps, is explained in OneSpan’s new ebook

Data breaches

ATO attacks can be initiated by criminals harvesting personal data, says OneSpan. Typically, this is achieved through the purchasing of personal data leaked as part of a data breach that then allows cybercriminals to prepare targeted phishing attacks.

To combat this, financial institutions should use multi-factor authentication processes, such as fingerprint technology or one-time password capability.

Phishing

Typical phishing attacks include:

Classic email phishing
Spear phishing
Whaling
Vishing
Smishing
Overlay attacks

While all of these phishing methods can be used, according to OneSpan, the most common continues to be by email.

Phishing takes advantage of trust. Messages typically create a sense of urgency that encourages the recipient to click links or open them. These redirect them to a fake banking portal or install credential-harvesting malware.

Malware and banking trojans

Malicious software - or malware - is installed on a victim’s computer as a result of specific user actions. According to OneSpan, they carry out different types of attacks, including intercepting everything type by the victim and infecting web browsers through an add-on.

Mobile banking trojans have been growing in complexity, says OneSpan. The continued tendency towards mobile banking means that this trend is likely to continue.

The attacks present their own screen on top of the legitimate banking app, thus capturing a user’s log in and personal details.

Other forms of attack outlined by OneSpan include man-in-the-middle attacks, in which criminals position themselves between a user and financial institution to intercept data, and SIM swapping.

OneSpan: protecting your business

OneSpan’s guide sets out several recommendations and best practices to protect financial institutions from ATO. These are based around a multi-layered approach that covers:

Protecting the user: OneSpan’s Cronto visual transaction signing solution can protect users from social engineering and man-in-the-middle attacks. It does this by displaying a unique visual challenge that contains transaction details - these cannot be modified by an attacker.
Protecting the device and banking session: The company’s Mobile Security Suite applies a 360 degree approach to mobile security. This includes factors such as app, device, interface, communications and more, and includes app shielding and runtime protection. The suite also includes encrypted, secure communications channels and storage.
Proactive fraud detection: OneSpan Risk Analytics is designed for this specific purpose. It provides financial institutions with the ability to proactively detect signs of an account takeover before there is any damage. It does this through continuous analysis and scoring of numerous data points in real time.
Flexible, dynamic authentication: a flexible approach to authentication can prove fruitful, says OneSpan. Steps should include supporting a wide range of risk-based authentication methods and the assessing of every action taken by a user.

OneSpan understands the complexity of ATO. The company’s guide provides an in-depth insight into the risks that company’s in the financial services sector face, as well as the steps they must take to mitigate them.