Remote Deposit Capture RSS Feed
Remote Deposit Capture Newsletter
Remote Deposit Capture Group on LinkedIn
Remote Deposit Capture Group onTwitter
The Green Sheet

Email Page 
Print Page 
 Add to LinkedIn Add to Twitter Add to Facebook Add to Reddit Add to StumbleUpon 
Add to Tumblr
Account Takeover Frauds on the Rise, Leverage Mobile Deposit

Thursday, October 12, 2017 ( / Patti Murphy)

Massive data breaches are fueling a surge in financial account takeover (ATO) frauds. Financial institutions can combat ATOs by understanding how the frauds work, and by leveraging RDC risk management applications. –Part 1 of a 2-part series-
Account takeover fraud is a multi-billion dollar problem that threatens the economic integrity of individuals and businesses alike. And it will almost certainly intensify in the wake of massive data breaches like the one revealed recently by credit reporting agency Equifax. That breach allowed fraudsters to purloin personal information on 143 million consumers, or over 40% of the population.
The Equifax breach, while large, is not the largest ever reported. Yahoo has revealed that hackers stole information on 3 billion of its registered users in 2016, and EBay revealed in 2014 that hackers had stolen information on 145 million registered users. But unlike the Yahoo and EBay breaches where hackers lifted passwords and credit card numbers, those who hacked into Equifax came away with a trove of sensitive personally identifiable information (PII), such as Social Security Numbers. Bottom line: fraudsters have the information needed to impersonate unsuspecting consumers and get through routine identity verification checks to takeover those consumers’ accounts at financial institutions and elsewhere.
“[A]rmed with the stolen up-to-date PII data, criminals can more easily impersonate their target victim in order to get into their account,” Avivah Liten, Vice President and Distinguished Analyst, Garner Inc., explained in a recent blog post.
Angel Grant, Director, Fraud and Risk Intelligence at the security firm RSA, a security firm owned by Dell Technologies, explained that recent large-scale hacks are indicative of shift in the way fraudsters operate. Traditionally the underground forums where fraudsters buy and sell financial information were focused on scooping up credit and debit card numbers. U.S. implementation of EMV security protocols for credit and debit cards has diminished the profitability of these so-called “carding” schemes, however. “They’re rebuilding the economic model. They’re looking at targets where they can steal information with longer shelf lives,” said Grant. Information like legal names, birthdates and SSNs. “What they can do now is correlate that data [taken in breaches like Equifax] and gain a fuller picture of a user’s profile,” she said.
An account takeover occurs when a fraudster uses another individual’s PII to impersonate that individual and access their financial accounts. Stolen PII such as legal names, addresses, birthdates and SSNs allow them to make changes to the victim’s account settings, such as billing address or mobile phone numbers.
Javelin Strategy & Research recently reported surges in both the number of ATO incidences and associated losses. According to the firm’s 2017 Identity Fraud Study, there were 31% more ATO frauds in 2016 than in 2015; financial losses tied to those ATOs totaled $2.3 billion, a 61% increase over 2015, illegally taken from consumer accounts.
Al Pascual, Senior Vice President and Director of Fraud and Security Research at Javelin, said the increases follow several years of “relatively small growth or even decreases in fraud,” but added that fraudsters are adapting. Grant said she expects ATOs and other frauds that rely on synthetic IDs to increase significantly in the wake of the Equifax hack.
Opportunistic Fraudsters Seek Out Lax Controls, Mobile Deposit
Meanwhile, there have been several reported cases of fraudsters taking over individuals’ demand deposit accounts, and leveraging financial institutions’ mobile RDC offerings to make fraudulent deposits. We reported on a case here where fraudsters paid accountholders to handover account access information. While frauds involving complicit accountholders may continue, the economics of anonymous ATOs are pretty compelling, most experts agree. “The risk of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters,” said Pascual.
“Fraudsters are opportunistic,” said John Leekley, Founder and CEO of “Mobile deposit is relatively new and very popular with consumers and businesses. Fraudsters are seizing on the opportunities presented by this popularity and by the lack of emphasis some financial institutions have placed on managing risks associated with RDC, to make duplicate and / or fraudulent deposits.”
The 2017 mRDC Industry Study, just completed by, reveals the risk management strategies and tools used by financial institutions, including availability, limits, types of duplicate detection and many other systemic capabilities. “Risk management capabilities which are (or should be) readily available from solution providers can prove useful in spotting anomalies that suggest potential deposit frauds” said Leekley. View the 2017 mRDC Industry Study Results & Insights webinar by clicking here. will be making an urgent industry webinar available by the end of October (2017) detailing how to use RDC risk management technologies to thwart these types of account takeover schemes. An announcement will be made when the webinar and associated article is available.
While FIs may be slow to adopt new technologies and business models, fraudsters typically are not.
“As this new [fraud] model evolves we’re seeing new Internet tools being developed, like credential-stuffing tools,” Grant said. Credential-stuffing software allows fraudsters to test purloined user names and passwords in rapid succession across multiple websites simultaneously. The premise being that many people rely on the same user names and passwords across multiple websites they access for financial services and shopping. Grant recounted how RSA detected one credential-stuffing attack on a client firm that provided fraudsters with entre to 18,000 of 200,000 accounts targeted. “That’s about a 5% success rate,” she noted.
There is one potential weakness in fraudster attitudes that could help FIs combat ATOs, though. “Some fraudsters are being lazy and using their own mobile devices to communicate freely” with victims’ FIs and other service providers, Grant said. Remote deposits to a customer account originating from a mobile phone number that differs from what that customer has used historically to make deposits should be a red flag indicating potential fraud. “The likelihood of fraud is 3 times higher coming from a new mobile device,” based on RSA’s experience, Grant said.
In part 2 of this article (to be published before the end of October 2017), we will provide more detail on how these ATO schemes work, and provide a summary of the urgent webinar How to Thwart Account Takeovers with Remote Deposit Capture.

Click here to view the webinar "How to Thwart Account Takeovers with Remote Deposit Capture".

Click here to read part 2 of this 2-part series.

Email Page 
Print Page 
 Add to LinkedIn Add to Twitter Add to Facebook Add to Reddit Add to StumbleUpon 
Add to Tumblr

Please register/login to post comments