Key Strategies to Combat Sophisticated ATO Attacks

In times of uncertainty, criminal activity abounds. This has certainly been the case during the global pandemic. E-commerce merchants and FIs alike are seeing an increase in both the number and value of account takeover (ATO) attacks. But instead of petty thieves stealing credit card details to make a quick buck, organized crime rings are using automation tools to run complex operations across multiple jurisdictions and rack up huge gains in a short time.

Here’s a closer look at some recent findings on ATOs from Aite Group and how an ATO fraud detection platform can be part of the solution.

Data breaches are high and the bar to access is low

Data obtained in a breach is the catalyst for crime rings. Aite Group notes that despite sophisticated technologies to combat data breaches, such as tokenization and point-to-point encryption, data breaches are still at an all-time high. In 2019 alone, there were more than 15.1 billion breached records–a 284% increase from 2018. Data exposed in a breach typically include personal identifying information like names, addresses, email, credit card numbers, and username/password combinations.

The bar to access these details on the dark web is fairly low. For example, login details for online banking averaged $35 per record as of June 2020, while credit card details ranged from $12 to $20 per record.

Fraudsters are turning to automation to gain an edge

After a data breach, one of the next steps is to engage in credentials stuffing. This is where criminals automatically test breached username/password combinations on websites the consumer has visited to find which ones are still active. To do this quickly and at scale, cybercriminals are favoring sophisticated automation tools. As evidence, one bank executive interviewed by Aite Group noted that for every valid login his bank sees, there are 10 malicious attempts. 

To conduct ATOs without detection, criminals are using tools to evade device fingerprinting and even bypass CAPTCHAs. Some crime rings use tools that combine emulated human behavior with proxy rotation, while others hire human click farms to manually enter credentials to avoid detection looking for automated credential stuffing.

When tools are able to bypass traditional fraud detection software, it takes organizations more time and effort to recognize the attack and stop it to mitigate the damage.

More users, more channels, more attacks

More businesses are migrating to digital channels, which means more users are increasingly relying on them. For example, Aite Group mentions that 46% of loans and 75% of service transactions from Wells Fargo have been taking place online during the pandemic. What’s more, 340,000 customers enrolled in digital banking during the first two months of the pandemic.

As more users and more channels become available, the available surface area for attack also expands. This creates greater complexity in detecting and mitigating fraud, as there is now a larger battleground to cover.

Using an ATO fraud detection platform as a combat strategy

Because of the sophisticated nature of today’s ATO crime rings, it’s more important than ever for your fraud detection software to understand the action and context of inbound transaction requests. Protecting user accounts without adding friction to the customer experience requires assessing behavioral changes early and with high accuracy. DataVisor’s solutions distinguish good users from bad actors who mimic good user behavior to protect customer accounts before an attack occurs—and without the use of legacy knowledge or historical labels.

DataVisor tracks out-of-pattern behavior associated with individual accounts and uses UML to identify group-level, large-scale takeover behaviors in real time. Holistic analysis against a vast Global Intelligence Network of more than 1 trillion events enables proactive protection at the point of compromise—whether the attack is distributed, bot-powered, or human-operated—stopping fraudsters in their tracks, reducing false positives, and providing good users with seamless, friction-free account access.

DataVisor customers have reported up to 45% increases in detection accuracy and false positive rates as low as 0.7%. Using DataVisor’s comprehensive solutions, banks and merchants can identify and deter ATO attacks before transactions are complete and further mitigate financial and reputational damage. 

Want to see DataVisor’s ATO fraud detection platform in action? Watch DataVisor Fight Fraud. Get a free demo.