In the UK, total financial fraud losses across payment cards, remote banking and cheques were estimated by Financial Fraud Action UK to have been around £770 million in 2016. Of the various subcategories, card ID theft stands out as being on the rise. Card ID theft fraud occurs when a criminal uses fraudulently obtained card details, along with stolen personal information, to open or take over an account held in someone else’s name. This type of fraud is split into two categories: third-party application fraud and account takeover fraud. Application fraud, where criminals use stolen or fake documents to open an account in someone else’s name, is a topic for a future post. In this post, I am going to delve into account takeover (ATO) fraud. This is not a new fraud scheme, but it is now growing at an unprecedented scale. In the UK, incidents of identity fraud (and ATO by implication) hit their highest levels ever recorded in 2016: over 170k identity frauds were recorded that year, more than in any previous year. According to CiFAS, a not-for-profit fraud prevention organisation, identity fraud now represents over half of all fraud recorded by CiFAS, of which 88% is perpetrated online.
What is account take over (ATO) fraud?
ATO means a fraudster or other bad actor gaining access to a target’s online account or personal profile. We often colloquially refer to this type of activity as ‘hacking’, assuming that some sophisticated technical technique is being used to break into a computer system and into users’ accounts. The reality, however, is that the majority of ATOs are achieved simply by acquiring a user’s access credentials, typically a username and password pair. Other terms used to describe ATO include ‘breach’ or ‘account compromise’, but they all start with an account being accessed by a bad actor.
Once inside the account, the fraudster can commit fraud in various ways. Often the intention is broader than fraud and includes other malicious behaviour such as posting material; hence attackers are more generally referred to as ‘bad actors’. Examples would include hacking into a Facebook or Twitter account and posting nasty photos or tweeting something inappropriate. The motive in these instances varies but often boils down to blackmail.
How do criminals gain access to accounts?
It’s the ease with which bad actors can now obtain password credentials that has led to the proliferation of ATO. So how is it done, and why has it become so much easier? There are a number of contributing factors.
First, large-scale data breaches are a growing source of sensitive personal data, including but not limited to passwords. Data breaches release other personal data into the criminal community, such as dates of birth, addresses, mobile phone numbers, social security numbers and more. All of these find their way onto dark web marketplaces (such as Alphabay and many others), where they are sold on to other criminals. We have undoubtedly all heard of the dark web, but very few of us have seen it. In fact, even if we were motivated to visit a dark web marketplace, we would find it very difficult to get there: we would need to know the specific URL of the dark net site and, in an effort to keep out law enforcement, access to the content is in most cases by invitation only. For those who are invited, dark net marketplaces have evolved into sophisticated e-commerce sites which look and feel like any other e-commerce site, featuring site search, listings by category, shopping carts and checkout flows, and even customer reviews and ratings.
Secondly, credential stuffing (or password cracking or hacking) software tools have evolved tremendously over the last few years. Credential stuffing uses automation to test stolen username and password pairs against login forms. The technique has, for the most part, remained the same and boils down to an algorithm attempting to log in to an account by trying every possible combination from an initial password guess. These so-called ‘brute force’ techniques require significant computer processing power, which has, of course, become highly available and accessible over the past decade. The faster the machine, the faster the cracking process will be. Many target systems use ‘captcha forms’ to try to prevent this type of password cracking, but captcha forms can, for the most part, be bypassed by cracking software. Sophisticated fraudsters will connect up numerous cracking tools and perform simultaneous brute force attacks at scale, testing combinations of stolen usernames and passwords across multiple sites until they register a hit.
Data breaches and password cracking often go hand in hand. Fraudsters will purchase combo lists, or databases of username/password pairs, from a dark net marketplace. These lists are typically obtained from breaches of other websites. They then test these pairs using the cracking software. Because ‘we’, the general user community, have a habit of reusing username/password pairs across our multiple accounts, the success rates can be very high. According to Shape Security, this technique can yield up to a 2% success rate.
Shape Security says that “In other words, if an attacker has a combo list of 1 million credentials, they may be able to hijack in the neighbourhood of 10,000 accounts on any popular website …with relative ease.” Shape Security maintains that, according to their research and that of others in the security industry, there are literally hundreds of millions of username/password pairs for sale on dark net marketplaces, a figure which is growing rapidly as more sites are breached.
ATO Example: Music & Entertainment Ticketing Platforms
Once inside the account, the fraudster can wreak havoc. To start with, a criminal may block access for the real account holder by changing passwords and email addresses. Then he may add stolen credit cards to the account and change delivery address details. The criminal is then ready to start purchasing goods and services, which he will then sell for cash. Part of the motivation for ATO is that an established and known account is deemed ‘a trusted account’ by the merchant, who may initially be no wiser than the user that the account has been taken over.
Let’s look at an example. ATO fraud techniques are widely used on music and entertainment ticketing platforms. In the UK, popular ticketing sites including TicketMaster, Stubhub, Viagogo and GetMeIn have all been affected. (In a separate issue, the UK’s Competition and Markets Authority is investigating the online secondary ticketing market for malpractice.)
Typically, fraudsters will break into an established account, amend the account details including adding stolen credit cards and use these to purchase tickets on the platform. They then immediately re-list these tickets for resale on secondary ticketing sites and receive a cash payout into an external account under their control.
Data gathered by the Society of Ticket Agents & Retailers (STAR) suggests that this fraud scheme, which starts with an ATO attack, is increasing dramatically. STAR, a self-regulatory body for the UK entertainment ticket industry which has been providing a dispute resolution service for its members and their customers for twenty years, works closely with law enforcement and government to combat ticketing fraud. Data collected by STAR in conjunction with Action Fraud, the UK’s national fraud and cybercrime reporting centre, suggests the number of reported incidents of this kind of music and entertainment ticket fraud has risen by nearly 40% over 2 years, with the total value of ticket fraud jumping from £2.3m in 2015 to over £3m in 2017. This is based on reported incidents only, a data point that often considerably understates the actual size of the problem.
£3m is of course still a small problem compared to the total £770m fraud losses in the UK. Yet according to Financial Fraud Action UK, fraud losses attributable to card ID theft overall are in the region of £40m, and this figure is card ATO only: it does not include any share of the £100m total fraud losses from online banking related fraud, a growing proportion of which is ATO related. Nor does it include application fraud for non-card services such as personal loans, mortgages, insurance and other financial services. Moreover, in the post-PSD2 and Open Banking environment, fraud problems associated with ATO are clearly not going to go away any time soon.
By definition, an ATO attack is not transactional and so will often go undetected by transactional fraud detection systems. Once PSD2-style Strong Customer Authentication comes into force, fraudsters will undoubtedly gravitate towards ATO more and more. Going forward, merchants need to focus their attention on spotting suspicious log-on attempts as well as flagging unusual account profile behaviour (such as changing mobile phone numbers, address details or email addresses), and then setting risk-based rules such as requesting further security steps. A classic case is where the accessing IP address is in a completely unexpected location or the accessing operating system differs from the usual one. There are numerous other metrics that can be scanned and monitored. Tools are coming onto the market all the time, often now equipped with self-learning AI qualities, which do however require suitable data sets to ‘learn’.
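As an added illustration (not code from this post or from any of the vendors mentioned), here is a small risk-scoring rule engine in Python that applies the checks described above to a constructed event stream: it learns each user’s usual country and operating system from past successful logins, raises the score for an unexpected location or OS, for an IP address that has just failed against many different usernames (the credential-stuffing pattern), and for sensitive profile changes that follow a risky login, and asks for a further security step once the score crosses a threshold. The event format, field names and score weights are assumptions for the example.

```python
"""Risk-based ATO detection over a stream of account events (added example, constructed data)."""
from collections import Counter, defaultdict

STEP_UP_THRESHOLD = 50                              # score at which a further security step is demanded
SENSITIVE_FIELDS = {"email", "mobile", "address"}   # the profile fields a fraudster tends to change first

# Constructed sample stream (not real data); events are in chronological order.
EVENTS = [
    {"type": "login", "user": "alice", "country": "GB", "os": "Windows", "ip": "198.51.100.7", "ok": True},
    {"type": "login", "user": "alice", "country": "GB", "os": "Windows", "ip": "198.51.100.7", "ok": True},
    {"type": "login", "user": "alice", "country": "GB", "os": "Windows", "ip": "198.51.100.7", "ok": True},
    # Several distinct usernames failing from one unfamiliar IP: the credential-stuffing pattern.
    {"type": "login", "user": "bob",   "country": "RO", "os": "Linux", "ip": "203.0.113.9", "ok": False},
    {"type": "login", "user": "carol", "country": "RO", "os": "Linux", "ip": "203.0.113.9", "ok": False},
    {"type": "login", "user": "dave",  "country": "RO", "os": "Linux", "ip": "203.0.113.9", "ok": False},
    {"type": "login", "user": "alice", "country": "RO", "os": "Linux", "ip": "203.0.113.9", "ok": True},
    {"type": "profile_change", "user": "alice", "field": "email",   "ip": "203.0.113.9"},
    {"type": "profile_change", "user": "alice", "field": "address", "ip": "203.0.113.9"},
]

def assess(events, stuffing_threshold=3):
    """Return a list of (user, score, reasons) for every event that should trigger a step-up check."""
    countries = defaultdict(Counter)        # user -> countries seen on trusted successful logins
    oses = defaultdict(Counter)             # user -> operating systems seen on trusted successful logins
    failed_users_by_ip = defaultdict(set)   # ip -> distinct usernames that failed from that address
    last_login = {}                         # user -> (score, reasons) of the most recent successful login
    alerts = []
    for ev in events:
        user, score, reasons = ev["user"], 0, []
        if ev["type"] == "login":
            if not ev["ok"]:
                failed_users_by_ip[ev["ip"]].add(user)
                continue
            if countries[user] and ev["country"] not in countries[user]:
                score += 40; reasons.append("unexpected country")
            if oses[user] and ev["os"] not in oses[user]:
                score += 20; reasons.append("unusual operating system")
            if len(failed_users_by_ip[ev["ip"]]) >= stuffing_threshold:
                score += 30; reasons.append("ip recently failed against many usernames")
            if score < STEP_UP_THRESHOLD:   # only trusted logins update the baseline, so an attacker cannot poison it
                countries[user][ev["country"]] += 1
                oses[user][ev["os"]] += 1
            last_login[user] = (score, reasons)
        elif ev["type"] == "profile_change" and ev["field"] in SENSITIVE_FIELDS:
            prev_score, prev_reasons = last_login.get(user, (0, []))
            score = prev_score + 25         # a sensitive change inherits the risk of the session that made it
            reasons = prev_reasons + [f"sensitive field changed: {ev['field']}"]
        if score >= STEP_UP_THRESHOLD:
            alerts.append((user, score, reasons))
    return alerts
```

Running `assess(EVENTS)` flags only alice’s fourth login and the two profile changes that follow it; the three routine logins from her usual country and OS pass silently.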
ATO is the next big challenge facing fraud professionals. It’s a challenging topic that requires careful consideration.