Account takeover is EMV’s ‘silent’ risk
I don’t think anyone anticipated the amount of account takeover (ATO) and new account fraud (often referred to as application fraud) that would occur in the wake of the EMV changeover.
Banks have seen challenges on the new account side in particular with synthetic identities.
In a recent study, we found that 31% of fraudsters committing application fraud are using synthetic identities—this, compared with 41% who are using a true identity. A synthetic identity is what a perpetrator of fraud manufactures by taking Person A’s name and social security number, Person B’s address and the fraudster’s phone number, and synthesizing these into a new bogus identity. The challenge is trying to separate the good guys from the bad guys— especially when bad guys look and behave like good people, but aren’t actual people at all.
How do they do it? And why? The short answer is that a mass of information is available, through shady online channels, on hundreds of millions of people. When cybercriminals pull off a data breach, whether big or small, one of their goals is to get as much PII data (personally identifiable information) on consumers as possible. This data can then be sold on the dark web to fraudsters who can use it to develop and synthesize new identities.
Many organizations think about application or new account fraud in two pillars: first party fraud and third party fraud. In first party fraud at a financial institution, someone comes into the bank attempting to open an account—this might be in the form of a bank account, credit card account or a new line of credit—and they are not who they say they are.
In our research we found that the amount of fraudulent new credit card account openings increased by 113% last year. If fraudsters have manufactured a synthetic identity, their goal is to get that identity into the financial system. Once a fake identity has made it to the point of getting that first credit line, these perpetrators of fraud—who are usually highly organized groups—are able to infiltrate further and further into the financial system.
In third party fraud, bad actors buy information, steal existing PII data or use the identities of friends or relatives to try and open as many new lines of credit as they can. Let’s say a bad guy in Chicago bought 1,000 names from a retailer data breach. He will use them to try and take over someone’s identity, and may apply at 20 different credit card companies to get an application through.
If that doesn’t work, he may manipulate the data—switch a digit on an address or social security number or use a previous address to pass an initial identity verification check. He may change small aspects of the victim’s identity, applying with an address or phone number he may be in control of, for example, to be able to receive the new credit cards without the victim knowing. This is hard to detect until the damage is done.
On the account takeover side, banks are getting hammered with bot attacks and call center fraud—which can tie up resources trying to verify an account holder while potentially impacting the overall customer experience. And here, we get back to data breaches.
What many people don’t realize about breaches is that it’s mainly the information fraudsters are targeting. We’re all aware of breaches where as many as half a billion usernames and passwords were breached.
Most people don’t care when they hear their account has been breached—they simply go into their account and change their password, forgetting that the same user ID and password that was breached is also the same ID and password that they use at their bank—and dozens of other places.
Research has shown that anywhere between 30 and 50% of the population uses the same user ID and/or password on every single account. So if a bad actor can get that information, he can take over your customer’s individual account at multiple places.
Clearly, we’re in a whole new environment. The shift to EMV has had the unintended consequence of migrating fraud from the production of fake plastic cards to new account and account takeover fraud, requiring an entirely different, not to mention more sophisticated approach to predicting and assessing risk, as well as preventing it from the outset.
First appeared at PS