Account takeovers have increased by 112% over the past year. Biometrics can make account takeover more difficult, but they aren’t a foolproof solution.

On July 15, 2020, high-profile Twitter accounts with millions of followers posted a message about wanting to give back to the community. Entrepreneurs like Elon Musk and Jeff Bezos seemingly asked people to send cryptocurrency donations to receive double the amount they donated. (1)

Hackers were behind these messages. 

It’s unclear how many people fell for the scam, but it’s safe to say that no one saw their donations doubled. Criminals were able to target these high-profile accounts through a technique known as account takeover fraud.

Account takeover goes beyond social media. Fraudsters can target online banking, credit card or shopping accounts. It’s a growing problem, and contrary to popular belief, biometrics aren’t a bulletproof solution.

What does account takeover typically look like?

A criminal can target an online banking account to transfer money, take over a shopping account to make a large purchase, or gain access to an email address and use password reset features to take over additional accounts.

There are an assortment of account takeover methods to be aware of:

  • Phishing attacks can trick the victim into entering their login credentials into a spoofed version of a website.
  • Stolen credentials can often be purchased on the dark web following a data breach.
  • Once a criminal has taken over the victim’s email account, they can reset passwords for their various shopping and social media accounts.
  • Some criminals use social engineering and contact customer service to impersonate a user locked out of their account.
  • Hackers can launch DDoS attacks to overload servers with requests and bypass credential verification systems.
  • Once a criminal has access to a password, they can use a technique known as credential stuffing and test this password on other sites since internet users often reuse passwords.
  • SIM swapping allows fraudsters to bypass two-step authentication systems by transferring the victim’s phone number to a device they can access.

A growing concern

Account takeovers have increased by 112% over the past year. The number of companies saying they experienced account takeovers increased by more than 50% worldwide over the same time period, and phishing attacks went up by more than 70%. (2)

This increase in scope and frequency is tied to several factors:

  • Hackers can automate some aspects of account takeover, like using DDoS attacks or credential stuffing or bypassing CAPTCHA, allowing them to target a larger number of accounts.
  • Too many internet users have poor cyber hygiene. They might reuse passwords or open phishing emails.
  • Mega data breaches are more frequent and keep exposing more records. In 2019 alone, 1,400 reported breaches exposed over 164 million records. (3)
  • Businesses prioritize customer service and want to make the process of accessing online accounts and resetting passwords easy and seamless.

Can biometrics prevent account takeover?

Biometrics can make account takeover more difficult by introducing an additional verification step or relying on an authentication method that is hard to spoof or steal:

  • Two-factor authentication systems often verify that a user has physical access to another verified device by texting a PIN to their phone or using the device’s fingerprint scanner.
  • Behavioral biometrics can look at factors like the device a user is logging in from and compare activity to historical data specific to that user.
  • New technologies, like voice recognition, facial recognition, and wearables, could open more possibilities for biometrics.

Biometrics aren’t a silver bullet for stopping account takeover

Stil, biometrics aren’t a foolproof solution for preventing account takeover and other forms of fraud, especially when used in isolation.

Any authentication system that relies on a single factor is flawed. Biometrics can introduce an additional level of difficulty for account takeovers, but they aren’t sufficient on their own. They can yield false positives, and the accuracy of behavioral biometrics depends on the quality of the existing dataset about the user.

The need for a comprehensive fraud prevention system

The best way to prevent account takeover and other types of fraud is to develop a system that establishes a comprehensive view of a user’s online behaviors and compares new activities to a baseline to flag any deviations.

AI and machine learning. AI and machine learning can connect the dots between millions of data points in real time. AI can review several factors, like a user’s login credentials, biometrics, behaviors, location and activities, to assess the threat level. This approach reduces false positives and helps you catch fraudsters based on behavior, which isn’t something they can spoof easily.

Collective intelligence. You can implement another level of protection with collective intelligence. A collective intelligence network allows several merchants to share data in real time. Once someone is blacklisted as a fraudster by one merchant, other members of the network will be alerted and can blacklist the user as well.

Continuous Vigilance Required

Account takeover is a growing concern, and taking steps to prevent this type of fraud should be a priority for your organization. You need a system that:

  • Incorporates biometrics into a broader, multi-layer authentication system.
  • Leverages AI and machine learning to analyze multiple data points during user interactions and assess threats based on how their behaviors differ from a baseline.
  • Relies on collective intelligence to fight fraud with a network of merchants who share data as they acquire it.

Learn more about Fraud.net and how our solution leverages AI to help you manage risks.

 

Article Sources:

  1. https://arstechnica.com/information-technology/2020/07/twitter-lost-control-of-its-internal-systems-to-bitcoin-scamming-hackers/
  2. https://fraud.net/s/account-takeover/
  3. https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/