PINDROP BLOG

How Account Takeovers Threaten Bank Security

There are many different kinds of attackers in the cybercrime ecosystem, and they each carry their own motivations and tactics. Some groups are politically motivated, while others are in it strictly for fun and games. But for fraudsters who target banks, insurance companies, and other financial institutions, the goal is one thing: money, and lots of it.

For that group, the most efficient route to all of that cash is the account takeover. That’s a scary-sounding term, and it means exactly what you think it does. Fraudsters today use a variety of tactics and methods for either stealing a victim’s credentials or tricking an institution into resetting them, thereby gaining complete control of the victim’s account. In some cases, this is a simple process, even a hit-and-run attack that succeeds quickly, but in others it can be a long slog that takes weeks or months of research, multiple attempts, and a lot of persistence.

But the end goal is always to get control of the target’s account. Account takeover fraud is a major concern for 55% of executives at the top 40 banks in the U.S., according to recent data from the Aite Group, and it’s a critical issue for 17% of those banks. Banks and other financial institutions often are the ultimate target for attackers in account takeovers. There may be intermediate stops along the way, with the attackers gaining control of a victim’s email or cell phone account, but the bank is almost always the real target.

A key piece of these fraudulent operations is often an attack on a contact center, whether it’s at the bank itself or one of the other stepping-stone targets. Contact center staff play a big role in this process because they have the ability to reset victims’ credentials.

“An impersonator who is able to successfully convince a contact center agent that he or she is the customer may request that his online credentials be reset so he may access his accounts. The contact center agent resets the credentials, and the fraudster may now access the entire relationship and initiate various types of transactions to remove funds from the account or bank. This type of fraud is similar to obtaining an access device in that it enables cross-channel fraud,” Aite Group said in its report.

“Unless root cause analysis is performed, the resultant fraud losses will be attributed to the online or mobile channel instead of the contact center, where they truly belong.”

One of the things that makes account takeover attacks so difficult to defend against is that there are many different parts to them. Fraudsters who perform these attacks use a variety of tactics, tools, and methods, and they only need to find one weak link anywhere along the chain in order for their attacks to work. And if the attack succeeds, it’s very difficult to undo the damage to the victim and the financial institution involved.

Putting defenses such as anti-fraud technology in place in the contact center is a vital part of defeating these attacks and preventing the financial and reputational losses that come with them.

Image: Images Money, CC By license.
