Customer Resource Centre
News and insights
Elavon Customer Service: 0818 20 21 20
Opayo Product Support: 01 240 8731
News and insights
Visa is providing information about common account takeover fraud techniques, along with best practices to mitigate the risk of such fraud.
Account takeover (ATO) fraud is a type of identity theft where fraudsters gain access to their victims’ accounts, then make non-monetary changes that may include modifying personally identifiable information (PII), requesting a new card or adding an authorised user. This can allow criminals with stolen credentials open access to victims’ accounts. ATO fraud has rapidly accelerated, with fraud losses growing from $4 billion in 2018 to $6.8 billion in 2019.
Below is an overview of different types of account takeover fraud techniques.
Digital attacks continue to pose challenges to the payments ecosystem. The proliferation of payment platforms / channels and the growing list of Internet of Things (IoT) devices provide fraudsters with an easily available and rapidly increasing range of targets. Two-factor authentication protocols requiring either email or text authentication for login have increased the criminal’s need for diversion or interception of messages.
How does a digital attack work?
Phishing, Vishing and Smishing
Phishing is the fraudulent attempt to obtain sensitive information or data such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Vishing uses phone calls and smishing campaigns use text or SMS messages to achieve the same end. Email, phone calls, social media and text messages are all solicitation methods by which criminals persuade individuals to divulge sensitive personal information.
Digital campaigns targeting public anxiety
The global health crisis has opened up new opportunities and avenues for fraudsters to take advantage of individuals by leveraging public anxiety. In April of 2020, Microsoft intercepted and stopped a phishing campaign appearing to offer information related to the United States government’s COVID-19 stimulus programs. The campaign generated approximately 2,300 unique HTML attachments over the course of a single day. In the same month, the UK’s National Fraud Intelligence Bureau (NFIB) unearthed another phishing campaign directing consumers to a fraudulent site to make donations in support of the UK’s National Health Service. A third campaign uncovered in Germany was more successful, diverting up to €100 million in stimulus funds into accounts controlled by fraudsters. That phishing campaign pointed consumers toward registration at a fraudulent replica of the official government stimulus registration website. Applicants who registered had their personal information stolen. Fraudsters used the harvested information to register at the legitimate government site but modified the registration information to include alternative banking information, directing stimulus funds to be wired into bank accounts controlled by the fraudsters.
Digital campaigns targeting corporations
“Spear phishing” campaigns target employees of companies with access to sensitive or valuable information and can lead to business email compromise. This type of opportunistic fraud often involves criminals impersonating high-level executives distributing instructions to subordinates. These types of scams can include instructions for payments to known suppliers or transfers of funds to bank accounts controlled by fraudsters. Business email compromises involving individuals in the human resources function of an enterprise can serve as the first step for more damaging attacks when the hacked account is used to send batch requests to employees for PII. Hacked email accounts of company CEOs and presidents have resulted in the theft of employee W-2 and tax information including names, addresses, and Social Security numbers.
Devices are now a significant vulnerability in the battle against ATO fraud. Device cloning, or porting, refers to the unauthorised transfer of a phone number or merchant ID number to a device controlled by a fraudster (also known as SIM swap fraud). With merchants now commonly using mobile devices to facilitate transaction processing, the number of device takeovers reported has doubled every year since 2014.
Cloning consumer devices
Devices such as mobile phones are inexpensive and easily available, and identity verification requirements for new account setup can be satisfied with compromised information available to fraudsters. This allows criminals to use stolen identities to open new accounts or port over existing legitimate phone numbers. This grants threat actors access to OTPs sent out as part of two-factor authentication. Digital wallets stored on devices now store large amounts of valuable information, including account numbers, passwords, phone numbers and email addresses. Furthermore, phone hacking software is now easily available online, eliminating or reducing technical expertise as an impediment to fraud.
How does device cloning work?
Cloning merchant devices
Merchant device cloning and payment gateway takeover is increasingly common. This fraud vector unfolds in a two-step process, occurring through the cloning of POS devices along with the use of illegitimately acquired credentials. Fraudsters obtain POS devices or terminals through theft, online resellers or directly from acquirers by impersonating legitimate merchants. Once in possession of POS devices, threat actors connect these terminals to third-party processor hosts, fraudulently authenticating the connection between the host and the cloned POS devices. This fraud type also requires access to compromised merchant credentials including merchant descriptors, merchant identification numbers (MIDs) or terminal identification numbers (TIDs). Merchant credentials can be stolen through phishing campaigns or brute force campaigns, where fraudsters send high volumes of authentication credential variations to the host. The takeover of the payment gateway allows criminals to push through large volumes of fictitious purchase return transactions. The fraud is monetised when the proceeds are posted to gift cards or credit cards and rapidly cashed out at ATMs.
Technological advancements in the payments industry have led to the automation of fraud attacks. New, inexpensive tools are now easily available, allowing for coordinated and multi-prong attacks. Fraudsters use bots to attack multiple servers simultaneously, running scripts using login credentials stolen during prior security breaches. The exponential growth of low-cost credentials available for purchase has led to decreasing costs and increasing pay-off potential in this fraud vector. This in turn has attracted more sophisticated, well-funded and better-organized fraud rings, increasing the difficulties associated with controlling this type of fraud.
How does credential stuffing work?
Given the common practice of consumers using a single “favourite password” across most of their accounts, credential stuffing is an attractive and successful method for fraudsters.
Call Centres and Consumers Social engineering exploits human psychology rather than technology to gain access to sensitive information. It relies on persuasion, manipulation or deception to induce individuals to break normal security procedures and best practices.
Call or contact centres remain an essential component of the customer service experience, with 35% of customer contact channelled through inbound calls to contact centres.
Fraudsters use persuasion or phone spoofing to impersonate clients in order to manipulate call centre employees into divulging sensitive information. Tasked primarily with the handling of problems and disputes, and focused on customer satisfaction, call centre service representatives are not always well-trained or equipped for the detection of fraud.
Caller identification and authentication should happen before any customer call reaches a telephone agent. Criminals are increasingly going beyond call / contact centres to target consumers directly. Direct-to-consumer social engineering involves fraudsters getting sensitive information directly from consumers through phone calls in which they pose as representatives of banks or government institutions. For example, a fraudster in possession of enough information on a consumer’s account could call the consumer directly and convince them to provide the OTP received on their phone, effectively bypassing identity authentication protocols.