Account takeover up tenfold in past year

Security statistics for 2017 paint a worrying picture of the account takeover landscape, according to passive biometrics firm NuData Security, a Mastercard company.

NuData security helps businesses identify users based on their online interactions and stops all forms of automated fraud.

Of the roughly 200 billion events monitored by NuData Security in the past year, 40% were flagged as high-risk, up from just 15% in 2016.

The data also shows that account takeovers increased tenfold in 2017, and comes just days after the latest report by UK fraud prevention service Cifas revealed that identity fraud hit a record level of 174,523 cases in 2017, with 95% of them involving the impersonation of an innocent victim.

Account takeover is notoriously difficult to combat, according to NuData Security, because companies cannot discern between legitimate and fraudulent users as they are both presenting correct credentials.

“As data breaches continue to break records year over year, more and more PII [personally identifiable information] becomes readily available for fraudsters to access on the dark web,” said Ryan Wilk, vice-president at NuData Security. “With the password and credential reuse, and the wealth of available credentials, it is not surprising that we have seen such a stark increase.”

According to the Cifas report, as some targets become harder to crack, criminals are turning to what they consider softer targets. For example, the report said more than one-third of bank account takeover victims were over 60 years old.

NuData Security also identified that the total purchases across their client base had doubled from 2016 to 2017, with the number of purchases made with flagged credit cards also doubling.

However, the report notes that roll-out of EMV (chip and pin) cards in the US has made it harder for bad actors to commit fraud in the card present environment, resulting in a shift towards card not present where they can try different techniques.

“Traditional models of account access are being bypassed by bad actors over and over,” said Wilk. “Companies should review their authentication frameworks and make sure they have multi-layered solutions that include physical and passive biometrics technology.”

NuData also released statistics about mobile phone events, which showed a 150% increase in total mobile phone events, with 30% of those being considered high-risk.

The Cifas report said member organisations prevented more than £1.3bn in fraud losses through non-competitive data sharing in 2017. Cifas believes sharing fraud information is key to blocking attempted fraud and reducing the overall level of fraud.