Account takeover fraud rising
Instead of merely stealing your credit card number, today’s fraudsters are moving to full-blown account takeover, partly to thwart EMV chip-card technology but mainly to maximize their return on investment.
Account takeover is a type of identity theft where a fraudster uses parts of the victim’s identity such as an email address to gain access to financial accounts, says Patrick Reemts, vice president of credit risk solutions at ID Analytics in San Diego. The perpetrator often reroutes communication about the account, keeping the victim in the dark so the thievery can continue longer. Affected accounts can include credit cards, checking and savings accounts, brokerage accounts and store loyalty rewards accounts, Reemts says.
This type of fraud has overtaken simpler types of credit card fraud, according to a data analysis released in August 2015 by NuData Security. An earlier NuData report revealed that incidents of account takeover jumped 112 percent in the first quarter of 2015 compared to the same time period in 2014.
“If you steal a credit card, you’ve stolen one relationship,” Reemts says. “With account takeover, you have the potential to access several relationships they have. You have a lot more data to use. The payoff is typically greater.”
Part of the reason for the increase in account takeover is the increasing adoption of EMV technology, which makes it more difficult for fraudsters to clone physical credit cards. As the United States catches up to the rest of the world in implementing EMV, criminals will turn to new techniques such as card-not-present theft and account takeover, Reemts says.
Bigger returns for
A bigger reason, though, is simple economics. Compared to a one-off theft, account takeover offers a better and longer return on investment. It's the fraud that keeps on taking.
“Fraudsters are realizing how to optimize their operations,” says Ryan Wilk, director of customer success at NuData. “Having a pile of stolen credit cards can get you only so far. On day one, those card numbers are extremely valuable on the Dark Web. But people realize they’ve been breached and cancel the card. Within two weeks, the value of that card goes down from $5 a card to pennies a card.”
By comparison, stolen account information – including usernames, passwords, email and snail mail addresses, bank account information, Social Security numbers and more – can sell for much more in shady online markets and hold its dollar value for well over a month, Wilk says.
“That’s the beauty of account takeover for criminals,” says Don Bush, vice president of marketing at online security company Kount Inc., in Boise, Idaho. “They have time to act.”
Instead of just using a stolen credit card or card number, fraudsters can use the victim's account history to change the email and/or mailing addresses for statements, so those statements go to the fraudster’s address instead of the legitimate consumer’s. They can then request that additional credit cards be sent to the new address.
“If you don’t get your statement for a month or two, you might not notice,” Reemts says.
For a bank account, a fraudster who has taken over an account might then clean out all the funds or pose as the true consumer and borrow money. The impact on the consumer is much more significant than when their credit card number is stolen.
“Credit card fraud is not solved, but credit card fraud is contained,” Reemts says. “With account takeover, [a fraudster] can clean out all kinds of accounts – checking accounts, investment accounts, savings accounts.”
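The reroute-then-cash-out pattern described above (contact details changed, then extra cards or money requested) is something an issuer can watch for in its own account event stream. The following is an added illustration, not code from the article or from any of the companies quoted; the event log, event names and the seven-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account events (not from the article).
# Each record: (account id, timestamp, event type).
EVENTS = [
    ("acct-1001", "2015-08-01 09:12", "LOGIN"),
    ("acct-1001", "2015-08-01 09:14", "EMAIL_CHANGE"),
    ("acct-1001", "2015-08-01 09:15", "MAIL_ADDRESS_CHANGE"),
    ("acct-1001", "2015-08-03 14:02", "ADDITIONAL_CARD_REQUEST"),
    ("acct-2002", "2015-08-02 18:30", "LOGIN"),
    ("acct-2002", "2015-08-02 18:31", "EMAIL_CHANGE"),
    ("acct-2002", "2015-08-20 10:00", "ADDITIONAL_CARD_REQUEST"),  # 18 days later: outside window
    ("acct-3003", "2015-08-05 11:00", "LOGIN"),
    ("acct-3003", "2015-08-05 11:05", "ADDITIONAL_CARD_REQUEST"),  # no contact change first
]

# Assumed event vocabulary: changes that reroute statements, and actions that cash out.
CONTACT_CHANGES = {"EMAIL_CHANGE", "MAIL_ADDRESS_CHANGE"}
HIGH_VALUE = {"ADDITIONAL_CARD_REQUEST", "LARGE_WITHDRAWAL"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def flag_reroute_then_cash_out(events, window_days=7):
    """Return {account: [(change_event, followup_event), ...]} for accounts where a
    contact-detail change is followed within `window_days` by a high-value action.
    Such accounts deserve an out-of-band check with the customer on the OLD contact details."""
    by_account = defaultdict(list)
    for acct, ts, kind in events:
        by_account[acct].append((parse(ts), kind))
    hits = {}
    for acct, evs in by_account.items():
        evs.sort()  # chronological order per account
        pairs = []
        for i, (t_change, kind) in enumerate(evs):
            if kind not in CONTACT_CHANGES:
                continue
            for t_after, kind_after in evs[i + 1:]:
                if kind_after in HIGH_VALUE and t_after - t_change <= timedelta(days=window_days):
                    pairs.append((kind, kind_after))
        if pairs:
            hits[acct] = pairs
    return hits


if __name__ == "__main__":
    for acct, pairs in flag_reroute_then_cash_out(EVENTS).items():
        print(acct, pairs)
```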
Easy, reused passwords multiply consumer
Once a fraudster hacks one account, the next account often is easier to crack because consumers frequently use the same username and password combination on many different Web properties including email accounts, Wilk says. It’s easier for consumers to remember, but also easier to hack.
With access to an email account, the fraudster can reset site passwords on commercial websites using the victim’s trusted email address. “NuData sees the same credentials being tested across its various clients showing that the bad actors are testing the authentication credentials they acquire across multiple web properties,” Wilk says.
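The cross-property credential testing Wilk describes can be spotted when several web properties share a keyed fingerprint of each attempted credential rather than the credential itself. This is an added example, not NuData's or the article's code; the properties, attempts, key and threshold are constructed assumptions, and the fingerprint is assumed to be computed at each site's login endpoint so no site ever stores or shares a password.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key; in practice a secret held by the shared detection service.
SECRET_KEY = b"constructed-demo-key"

# Constructed login attempts from several properties (not real data).
# Each record: (property, username, password attempted, success).
ATTEMPTS = [
    ("shop.example", "alice@example.com", "Summer2015!", False),
    ("bank.example", "alice@example.com", "Summer2015!", False),
    ("mail.example", "alice@example.com", "Summer2015!", True),
    ("shop.example", "bob@example.com", "hunter2", False),
    ("shop.example", "bob@example.com", "hunter3", False),   # guessing on one site only
    ("news.example", "carol@example.com", "pw", True),
]


def credential_fingerprint(username, password):
    """Keyed hash of the pair, so the value cannot be reversed or brute-forced without the key."""
    msg = f"{username.lower()}\0{password}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def find_cross_property_testing(attempts, min_properties=3):
    """Return {username: sorted properties} for credential pairs tried on at least
    `min_properties` distinct properties: the same username AND password replayed
    across sites, which is the reuse pattern the article describes."""
    props = defaultdict(set)
    owner = {}
    for prop, user, pw, _ok in attempts:
        fp = credential_fingerprint(user, pw)
        props[fp].add(prop)
        owner[fp] = user
    return {owner[fp]: sorted(p) for fp, p in props.items() if len(p) >= min_properties}


if __name__ == "__main__":
    print(find_cross_property_testing(ATTEMPTS))
```

A hit is a signal to force a password reset and step-up authentication on the affected accounts at every participating property, not just the one where the login succeeded.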
Once a fraudster accesses a victim’s e-commerce account, they now have access to all of the payment methods linked to that account. “You may have a stored account where you have linked a few of your credit cards and PayPal account to easily use when you check out,” Wilk says. “Gaining access to this account is far more lucrative to a bad actor as they now have access to your multiple stored payment methods versus trying to use a list of one-off stolen credit card numbers, which may or may not be valid.”
Rewards accounts are
Another goldmine for fraudsters is rewards points stored online in retail store accounts such as Kohl’s, which pays users store credits called “Kohl’s Cash” as a reward for spending money in the store, Wilk says. Thieves who get access to those accounts can use the stored information to buy expensive, bulky items – say, a coffee table. The thieves have no interest in the coffee table, so they have it sent to the legitimate account holder’s address – using the slowest shipping method possible.
In the meantime, the store credit for that coffee table accrues and the thieves use it to buy more items at Kohl’s. Then, they either resell or return the items for gift cards before the customer is even aware of the fraud.
The scheme works because that coffee table may take two weeks to show up on the consumer's doorstep. When it does, the customer may delay taking it to the store and clearing up the fraud because it’s a hassle, Wilk says.
More hassle, more
Compared to a credit card hack, the consequences and hassles for consumers are higher with account takeover. Federal laws and most issuers' zero-liability policies mean you usually don't have to pay fraudulent charges.
But if a fraudster cleans out your bank account or takes out a loan in your name, “Your money is gone,” Kount's Bush says. “The bank isn’t putting it back while they do their investigation. They may say that you don’t need to pay back the loan while they do their investigation, but if their investigation finds no evidence of fraud, they may charge you for interest and penalties if you didn’t pay.”
How does this all start? You may click on a link that downloads keystroke logging malware onto your computer, Bush says. That tracker will note that every time you click on your bank’s website, you type a certain set of characters and then hit enter, he says.
“It’s easy to figure out that’s your email and password,” he says. “The malware sends it to the fraudster’s network. The malware works in the background. It’s very difficult to detect.”
To fight back
Although the incidence of account takeover fraud is on the rise, you're not helpless. Here are some steps to protect yourself.
- Use different usernames and passwords for different accounts.
- Change your password every four to six weeks.
- Use a password manager such as LastPass to generate hard-to-guess usernames and passwords and store them securely, so you don’t have to remember them.
- Reconcile or balance your bank account every month.
- Give all of your account statements more than a passing glance.
“Often, consumers are lazy,” Bush says. “We get our account statement or bill and say, ‘It looks good to me.’ We pay the minimum charge and don’t look at it in depth. Criminals take advantage of that laxity.”