The top 3 fraud tactics that lead to account takeovers and how to stop them

Tags: Banking, Payments, Security, Fraud prevention
I recently responded to an inquiry from a bank in Nigeria who wanted to understand how our solutions specifically address the types of fraud currently affecting their region and institution. We examined each of the fraud types in detail, and shared how our modern authentication solutions could shield the bank and its customers from common and newer fraud schemes that are becoming more sophisticated with today's technology.

Since the always-on nature of digital banking and e-commerce broadens the attack surface for financial institutions (FIs), these insights are valuable for all FIs.

In this blog, I discuss three fraud tactics we've found often lead to account takeover (ATO) fraud, and how advanced scams, like payer manipulation, extend beyond the dangers of ATO. More importantly, I share recommendations for technology that can protect FIs and their customers from these costly attacks.

1. Phishing schemes

Today, criminals have technology at their disposal like generative AI and Phishing-as-a-Service (PhaaS) toolsets to make their Business Email Compromise (BEC) and other phishing schemes more believable and scale them quickly. They trick consumers or businesses into sharing sensitive information like their banking credentials and then leverage these to siphon funds from their accounts.

"AI provides augmented and enhanced capabilities to schemes that attackers already use and increases cyber-attack speed, scale, and automation. Cybercriminals are leveraging publicly available and custom-made AI tools to orchestrate highly targeted phishing campaigns, exploiting the trust of individuals and organizations alike." (FBI, 2024)

Fraudsters can easily steal customer credentials because those credentials are transferable: they work from any device. Static passwords, one-time passwords (OTPs), whether delivered by SMS, soft token or hard token, and PINs all share this same transferability weakness.

Therefore, one of the core ways that Entersekt protects banks from phishing attacks is via security credentials that are non-transferable, such as mobile-app device identifiers (IDs). These credentials create a cryptographic link between the customer's mobile device hardware and the customer's banking profile. This prevents the fraudster from accessing the customer's profile, since the fraudster's device is not cryptographically linked, even if they possess the legitimate transferable credentials, such as passwords, PINs or OTPs. With support for linking multiple mobile devices and even web browsers, banks can protect against phishing while giving customers flexibility.

2. Identity theft

When financial criminals acquire customer identity information, they're able to falsely identify as customers and inflict massive losses on banks. From impersonating customers to taking loans on their behalf or gaining access to customer accounts to siphon funds, identity theft exposes banks to ATO.

These impersonations succeed when a bank is not able to explicitly verify the customer's identity during onboarding or at the point of making high-security actions like requesting a loan.

With this use case, Entersekt’s strategy is to employ advanced identity verification solutions through identity document proofing with 4D facial liveness verification. This approach ensures that a customer's identity documents are legitimate and the individual presenting these documents is the true customer.

The advanced nature of these technologies enables detection of AI deep fakes, generated identities, and even differentiates between identical individuals. For high-security actions, such as onboarding a new device, requesting a loan, changing a card PIN, or increasing a standard transaction limit, FIs can use the 4D facial verification to compare the face of the customer behind the device with the customer's face credential stored in a database.

3. Man-in-the-middle attacks

Man-in-the-middle (MiTM) attacks will probably stay in the fraudster's toolbox for a while yet. They can easily lead to ATO, as the attacker gains access to customers' personal information in real time, enabling them to immediately change things like the main account email address and login credentials.

The vulnerability here is that the session between the customer and the bank is hijacked. Since authentication credentials such as passwords and OTPs are sent over the hijacked channel, the fraudster obtains these credentials and can use them in real time (or at a later stage) to carry out transactions on the customer's profile.

Luckily, FIs that use out-of-band authentication tools can reduce the success rates of these attacks through stronger, phishing-resistant security measures. Out-of-band authentication, like a push-notification, Fast IDentity Online (FIDO2) or network-initiated USSD (NI-USSD), provides a separate communication channel for authentication.
With modern authentication methods – like biometrics, PINs, device IDs, facial verification, and QR verification – implemented out-of-band, FIs can mitigate these attacks while delivering intuitive user experiences.
This extra layer of security prevents the fraudster from obtaining any sensitive information from the hijacked channel, such as a browser, because the proof of identity never travels over that channel.
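The two properties described above for phishing (a credential that is cryptographically bound to the enrolled device) and for MiTM (a proof that is produced out-of-band and tied to the specific action being approved) can be illustrated with a small challenge-response scheme. The following is an added example, not Entersekt's protocol or product code: it uses a per-device secret held only by the enrolled app, a single-use server challenge, and a MAC over the challenge plus the transaction details the app displayed. Usernames, passwords, account numbers and device IDs are constructed sample values.

```python
import hashlib
import hmac
import secrets


def device_sign(device_key: bytes, challenge: str, tx_summary: str) -> str:
    """Runs on the enrolled device: MAC the bank's challenge together with the
    transaction details the app displayed. The key never leaves the device."""
    msg = f"{challenge}|{tx_summary}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class DeviceBoundAuth:
    """Bank side of the hypothetical scheme. Holds the transferable credential
    (password) and, per linked device, a key that only that device can use."""

    def __init__(self):
        self.profiles = {}   # username -> {"password": str, "devices": {device_id: key}}
        self.pending = {}    # challenge -> (username, tx_summary); consumed on first use

    def enroll(self, username: str, password: str) -> None:
        self.profiles[username] = {"password": password, "devices": {}}

    def link_device(self, username: str, device_id: str) -> bytes:
        key = secrets.token_bytes(32)   # generated at enrolment and bound to this device
        self.profiles[username]["devices"][device_id] = key
        return key

    def issue_challenge(self, username: str, tx_summary: str) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = (username, tx_summary)
        return challenge

    def verify(self, username: str, password: str, device_id: str,
               challenge: str, proof: str) -> bool:
        profile = self.profiles.get(username)
        if profile is None or not hmac.compare_digest(
                profile["password"].encode(), password.encode()):
            return False
        key = profile["devices"].get(device_id)
        if key is None:
            return False                                  # device not linked to this profile
        pending = self.pending.pop(challenge, None)       # single use: blocks replay
        if pending is None or pending[0] != username:
            return False
        expected = device_sign(key, challenge, pending[1])
        return hmac.compare_digest(expected.encode(), proof.encode())


def run_scenarios() -> dict:
    """Constructed scenarios showing what the device binding does and does not allow."""
    bank = DeviceBoundAuth()
    bank.enroll("alice", "correct-horse")
    phone_key = bank.link_device("alice", "phone-1")

    # 1. Legitimate: the app signs the challenge plus the details it showed the customer.
    c1 = bank.issue_challenge("alice", "pay 100.00 to ACC-1")
    proof1 = device_sign(phone_key, c1, "pay 100.00 to ACC-1")
    legitimate = bank.verify("alice", "correct-horse", "phone-1", c1, proof1)

    # 2. The same proof presented again after the challenge was consumed.
    replayed = bank.verify("alice", "correct-horse", "phone-1", c1, proof1)

    # 3. Phisher holds the password (an OTP would change nothing) but not the device key.
    c2 = bank.issue_challenge("alice", "pay 5000.00 to ACC-MULE")
    forged = device_sign(secrets.token_bytes(32), c2, "pay 5000.00 to ACC-MULE")
    phished = bank.verify("alice", "correct-horse", "phone-1", c2, forged)

    # 4. A genuine proof captured from a hijacked channel cannot authorise a different
    #    transaction, because the MAC covers the details the customer actually approved.
    c3 = bank.issue_challenge("alice", "pay 100.00 to ACC-1")
    proof3 = device_sign(phone_key, c3, "pay 100.00 to ACC-1")
    c4 = bank.issue_challenge("alice", "pay 5000.00 to ACC-MULE")
    relayed = bank.verify("alice", "correct-horse", "phone-1", c4, proof3)

    return {"legitimate": legitimate, "replayed": replayed,
            "phished_password_only": phished, "relayed_to_other_transaction": relayed}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the first scenario is accepted. The others fail for the reasons the post gives: the password is transferable but the device key is not (scenario 3), and a proof obtained from the hijacked browser channel is bound to one challenge and one set of transaction details, so it cannot be replayed or redirected (scenarios 2 and 4). A production implementation would use an asymmetric key held in the device's secure hardware rather than a shared HMAC key, which is the FIDO2 model the post mentions.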

Beyond ATO: Customer manipulation

Customer manipulation, payer manipulation, or authorized push payment (APP) fraud is one of the more advanced fraud methods FIs are exposed to today. It is a more subtle, difficult-to-detect method that bypasses ATO, where the accountholder is convinced to make a payment under false pretenses.

In this scenario, fraudsters use social engineering and emotional manipulation to trick a customer into initiating a transaction that will result in the customer authorizing the transfer of funds to a "mule account," an account set up for the purpose of receiving illegal funds. Since these transactions are initiated and authorized by the legitimate customer, banks find it difficult to prevent them.

As generative AI technology becomes more widespread, it complicates this scenario even more, with fraudsters using deepfake videos to convince customers that they are relatives or friends, tricking them into paying funds to the fraudster.

Entersekt leverages AI and machine learning tools to combat this advanced threat. By collecting various risk data attributes, we determine whether a customer transaction falls outside the customer's normal baseline profile, which indicates possible fraud. Risk signals such as the customer being on a phone call while making the mobile app transaction, historical spending patterns, third-party confirmed fraud data, and behavioral analytics feed into fraud models and rule bases to determine the risk score (low, medium or high) in real time and the appropriate authentication response.
Learn how real-time risk signals can prevent modern fraud without interrupting the user journey with Entersekt’s risk-based and Context Aware™ Authentication in this video.
In addition, our emerging fraud detection tools gather data about the destination account, providing insight into the legitimacy of the receiving account so the FI and customer can make an informed decision whether to cancel the transaction.
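The two paragraphs above describe a risk engine that combines per-transaction signals with the customer's spending baseline and data about the destination account, then maps the resulting score to an authentication response. The example below is an added illustration of that pattern, not Entersekt's models or rules: the signal names, weights, thresholds, the customer's payment history and the small "confirmed fraud" watchlist are all constructed for the example.

```python
from statistics import mean, pstdev

# Constructed sample data: a customer's recent payment amounts and a small
# third-party "confirmed fraud" watchlist of destination accounts.
SPENDING_HISTORY = [120.0, 80.0, 150.0, 95.0, 110.0, 130.0]
MULE_WATCHLIST = {"ACC-MULE-01"}


def spending_zscore(amount: float, history: list[float]):
    """How many standard deviations the amount sits above the customer's own
    baseline. A minimum spread of 1.0 stops a flat history from flagging everything."""
    if len(history) < 2:
        return None
    return (amount - mean(history)) / max(pstdev(history), 1.0)


def score_transaction(tx: dict, history=SPENDING_HISTORY, watchlist=MULE_WATCHLIST):
    """Illustrative rule base: each signal adds a weight; the total maps to a level."""
    score, reasons = 0, []

    z = spending_zscore(tx["amount"], history)
    if z is None:
        score += 10; reasons.append("no spending history to compare against")
    elif z > 3:
        score += 40; reasons.append(f"amount is {z:.1f} standard deviations above baseline")
    elif z > 2:
        score += 20; reasons.append(f"amount is {z:.1f} standard deviations above baseline")

    if tx.get("on_call"):              # customer is on a phone call while transacting
        score += 30; reasons.append("customer on a phone call during the transaction")
    if tx["payee"] in watchlist:       # destination account known from confirmed-fraud data
        score += 50; reasons.append("payee appears in confirmed-fraud data")
    if tx.get("new_payee"):            # first payment to this destination
        score += 15; reasons.append("first payment to this payee")
    if tx.get("behaviour_anomaly"):    # behavioural analytics flagged the session
        score += 20; reasons.append("behavioural analytics anomaly")

    level = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return score, level, reasons


def authentication_response(level: str) -> str:
    """Risk level decides how much friction the customer sees (illustrative mapping)."""
    return {
        "low": "approve without additional authentication",
        "medium": "step up: in-app PIN or biometric confirmation",
        "high": "step up: facial verification, show payee warning, offer to cancel",
    }[level]


def assess(tx: dict) -> dict:
    score, level, reasons = score_transaction(tx)
    return {"score": score, "level": level,
            "response": authentication_response(level), "reasons": reasons}


# Constructed transactions: a routine payment, an APP-fraud pattern, and a borderline case.
SAMPLE_TRANSACTIONS = {
    "grocer": {"amount": 100.0, "payee": "ACC-GROCER"},
    "mule": {"amount": 5000.0, "payee": "ACC-MULE-01", "on_call": True,
             "new_payee": True, "behaviour_anomaly": True},
    "new_payee": {"amount": 90.0, "payee": "ACC-NEW", "new_payee": True,
                  "behaviour_anomaly": True},
}


if __name__ == "__main__":
    for name, tx in SAMPLE_TRANSACTIONS.items():
        result = assess(tx)
        print(f"{name}: score={result['score']} level={result['level']} -> {result['response']}")
        for reason in result["reasons"]:
            print(f"    - {reason}")
```

The "mule" transaction scores high on every signal and would trigger the strongest step-up plus a payee warning, which is the point at which the customer, not just the bank, can decide to cancel. The "new_payee" case lands at medium and gets a lighter confirmation, showing how the score rather than any single rule drives the friction applied.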

The bottom line on ATO and evolving fraud prevention

Advances in banking technology are exciting and present an opportunity for FIs to offer more secure, trusted and user-friendly customer journeys. However, FIs that don't partner with modern authentication providers — committed to investing and innovating ahead of new fraud risks — are putting a lot on the line.

At Entersekt, we continually monitor emerging fraud tactics and develop modern solutions that prevent these exploits, always with a focus on optimizing the customer experience.

Check out Liminal's 2024 Link Index for ATO Prevention in Banking in which Entersekt is recognized in the report as a "Leading Vendor" and the highest-rated authentication-focused vendor:
The 2024 Liminal Link Index for ATO Prevention in Banking examines the rapidly evolving ATO prevention market, which is critical as banks and financial institutions face increasing cyber threats.