    Original content: Global Banking and Finance Review - https://www.globalbankingandfinance.com

    5 Ways to Help Your Customers Avoid Account Takeover Hacks in 2021

    Published by maria gbaf

    Posted on August 24, 2021

    Last updated: February 15, 2026


    Five Strategies to Safeguard Customers Against Account Takeover Hacks

    By Steven Freidkin, CEO of Ntiva, an MSP providing IT and cybersecurity services, and IT consulting for financial institutions and other organizations.

    The financial sector has seen cybersecurity threats grow rapidly in volume and strength since the beginning of pandemic lockdowns.

    One of the most worrying of these new threats is account takeover fraud, commonly known by the acronym ATO. This is where hackers gain access to a customer’s account by obtaining their login credentials, usually through phishing emails or stolen database information. Financial ATO, which now accounts for a third of all financial account attacks, targets bank and credit card accounts to ultimately access bank clients’ funds.

    To protect account holders, the Financial Industry Regulatory Authority (FINRA) recently published a regulatory notice to help firms better protect their customers’ data and identity. While it’s not mandatory for financial firms to implement this new FINRA advice, they should still take the time to assess their current cybersecurity practices to ensure their clients are adequately protected.

    Unfortunately, cybersecurity is always a hot topic in the banking sector as financial firms spend an estimated $18.5 million each year on defending themselves and their clients from hacks, which is the most of any industry.

    Whether it be updating password policies or improving ID verification methods, there are a few tips that the finance sector can immediately implement to make sure their customers are better protected from ATOs.

    Rethinking Password Policies

    One of the major vulnerabilities that ATOs take advantage of is reused passwords. And there are lots of holes to exploit, as more than 50 percent of people use the same password for multiple accounts, and 13 percent use the same password for every account they have, per a recent Google study.

    The National Institute of Standards and Technology (NIST) recommends that organizations have automated password checkers in place that screen passwords against a blacklist of commonly used or previously exposed passwords. Customers whose choice appears on the list are then immediately told to come up with a new combination that will better protect them. This is one of the most effective ways to prevent takeover hacks, and modern software services allow organizations to screen passwords in real time, without causing delays for customers.

    Organizations should also rethink making customers change their password every year. On top of the process being tedious for the customer and leading to lots of lost passwords, it also makes it more likely that clients will choose weaker and weaker passwords.

    Case in point: researchers at the University of North Carolina discovered that if a hacker has access to a previous password, they can successfully predict what a user’s new password will be up to 41 percent of the time, in less than three seconds.

    Verifying ID During Account Creation

    Being able to successfully monitor incoming customers as they open accounts can stop an ATO attempt at its source. Considering that ATOs aren’t easily identified once they’ve begun, financial institutions can protect themselves and their clients by closely surveilling applications that are deemed high risk.

    It’s important for organizations to make sure they get as much upfront info from the client during the onboarding process as possible, while making sure it doesn’t negatively impact customer experience or turn clients away.

    Companies can then use this biographical information – like a social security number or home address – to verify a customer’s ID and make sure everything checks out. FINRA also recommends that organizations ask customers for any additional documents that can then be cross-checked with credit bureaus, like home purchases.

    Organizations that may not have the bandwidth to take this on within their own teams can always hire vendors that are able to discover red flags in the application or account creation process.

    Authenticating ID During Login

    Requiring added protection through ID and login authentication can go a long way to making sure customers are safe from takeover hacks. Many banks and financial institutions are now directly encouraging their users to take up multi-factor authentication, which uses a second factor on top of a common password, usually a code sent via text or email.

    There’s a reason that the multi-factor authentication method has become so widely adopted. According to Microsoft, it prevents 99.9 percent of hacking attempts.

    Organizations should also consider adaptive authentication, which selects the most suitable type of multi-factor authentication based on a specific user’s risk profile. For example, if a customer wants to complete a more serious transaction – like transferring money to a foreign country or logging in from an unknown device – the authentication system can be triggered to require additional information beyond just the account password.

    Monitoring the Back End

    Organizations should also be prepared to surveil client accounts on the back end to make sure there is nothing out of the ordinary. If there is a dramatic spike in failed login attempts by certain accounts in a span of minutes or hours, that’s a clear warning sign. That can often signal that an ATO hacker is trying to get control of a user’s information through credential stuffing. This is where bots rapidly try out different combinations of stolen passwords or usernames.
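The failed-login spike described above can be watched for with a sliding window over authentication events. The sketch below is an added illustration, not code from the article or from any vendor; the log format, the five-minute window and both thresholds are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_FAILS_PER_ACCOUNT = 5       # assumed: failures on one account within WINDOW
MAX_ACCOUNTS_PER_IP = 4         # assumed: distinct accounts failed from one IP

def build_sample_log():
    """Constructed events: '<ISO timestamp> <OK|FAIL> user=<name> ip=<addr>'."""
    lines = ["2021-08-24T09:00:05 FAIL user=alice ip=198.51.100.10",
             "2021-08-24T09:00:20 FAIL user=alice ip=198.51.100.10",
             "2021-08-24T09:00:41 OK user=alice ip=198.51.100.10"]
    # One account hit from many addresses in under a minute.
    lines += [f"2021-08-24T10:00:{i * 10:02d} FAIL user=bob ip=203.0.113.{i + 1}"
              for i in range(6)]
    # One address trying many accounts once each.
    lines += [f"2021-08-24T11:00:{i * 5:02d} FAIL user=cust{i} ip=192.0.2.50"
              for i in range(5)]
    # Same number of failures as bob, but spread over hours.
    lines += [f"2021-08-24T{12 + i:02d}:30:00 FAIL user=carol ip=198.51.100.77"
              for i in range(5)]
    return "\n".join(lines)

SAMPLE_LOG = build_sample_log()

def detect(log_text):
    """Return (accounts with a failure spike, IPs failing against many accounts)."""
    by_user = defaultdict(deque)   # user -> timestamps of recent failures
    by_ip = defaultdict(deque)     # ip -> (timestamp, user) of recent failures
    hot_users, hot_ips = set(), set()
    for line in log_text.splitlines():
        ts_raw, result, user_kv, ip_kv = line.split()
        if result != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_raw)
        user, ip = user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]
        uq = by_user[user]
        uq.append(ts)
        while ts - uq[0] > WINDOW:          # drop failures older than the window
            uq.popleft()
        if len(uq) >= MAX_FAILS_PER_ACCOUNT:
            hot_users.add(user)
        iq = by_ip[ip]
        iq.append((ts, user))
        while ts - iq[0][0] > WINDOW:
            iq.popleft()
        if len({u for _, u in iq}) >= MAX_ACCOUNTS_PER_IP:
            hot_ips.add(ip)
    return hot_users, hot_ips
```

Counting per account and per source address separately matters: the first catches one account being hammered from rotating addresses, the second catches one address walking a list of usernames without ever tripping a per-account limit.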

    Other red flags in this area include an abnormal number of transfers or big purchases made at suspicious times, like immediately after an account is created. IT teams can also monitor for phishing emails coming from customers’ accounts or emails, as compromised accounts could be easy to detect by telltale communications that are misspelled or include suspicious attachments.

    Controls on the back end that further require ID verification for suspect behavior are a great way for organizations to identify and weed out an ATO. Organizations can install a list of security questions for transaction attempts that trigger the authentication system or require a phone call confirmation if a purchase or wire transfer would be abnormal.

    Those in the finance sector may look beyond their own platform and hire trusted third party monitors to track down passwords and account information that is available on the dark web. This way, an organization can screen for bad passwords that should automatically be blocked during account creation or password resets.
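Both the NIST-style password checker described under "Rethinking Password Policies" and the exposed-password screening mentioned above come down to the same check at account creation and password reset. The following is an added example, not the article's or any vendor's code: the exposed list is a constructed stand-in for a real breach corpus, and the minimum length, the `examplebank` service name and the context-word rule are assumptions that go slightly beyond the blacklist lookup the article describes.

```python
import hashlib
import unicodedata

# Constructed stand-in for a corpus of common or exposed passwords. SHA-1 is used
# only as a lookup key, matching how breach corpora are commonly distributed;
# it is not how the accepted password should be stored.
_CONSTRUCTED_EXPOSED = ["password", "123456", "qwerty", "letmein", "summer2021"]
EXPOSED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest()
                for p in _CONSTRUCTED_EXPOSED}

MIN_LENGTH = 8  # assumed policy value

def _variants(pw):
    """The candidate plus cheap undoings of habits like 'Password1!'."""
    low = pw.casefold()
    stripped = low.rstrip("0123456789!@#$%^&*.?")
    return {v for v in (pw, low, stripped) if v}

def screen_password(candidate, username, service_name="examplebank"):
    """Return a list of rejection reasons; an empty list means accepted."""
    # Normalize so visually identical Unicode forms hash to the same value.
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if any(hashlib.sha1(v.encode("utf-8")).hexdigest() in EXPOSED_SHA1
           for v in _variants(pw)):
        reasons.append("exposed_or_common")
    low = pw.casefold()
    for word in (username, service_name):
        # Very short names are skipped to avoid rejecting unrelated passwords.
        if len(word) >= 4 and word.casefold() in low:
            reasons.append("contains_context_word")
            break
    return reasons
```

Returning reason codes instead of a boolean lets the sign-up or reset form tell the customer immediately why the choice was refused, which is the real-time feedback the article calls for.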

    Using AI to Detect Threats

    The more automated processes a financial institution has in place, the more likely they are to prevent and respond to threats.

    A web application firewall (WAF) can be set up to automatically stop ATO attacks by working in tune with an organization’s existing software infrastructure. WAFs are particularly adept at preventing credential stuffing, which accounts for nearly half of the attacks aimed at the financial industry.

    And because ATO bots use VPNs and proxies to mask their locations, firms can install automated triggers that block any activity coming from a country where the organization does not have any customers. Suspect IPs can then be separated into a distinct category, often called a sandbox, that freezes their account activity until the matter is resolved.

    Unfortunately, takeover hacks will only continue to grow in popularity as we move further towards a cashless world. It will be up to financial institutions to have the proper safeguards in place to ensure their clients are appropriately protected.

    By setting up automated solutions that can monitor for ATO attempts, or by adopting stronger password and authentication policies, banks can successfully stave off these increasingly common attacks.

    Frequently Asked Questions about 5 Ways to Help Your Customers Avoid Account Takeover Hacks in 2021

    1. What is account takeover fraud?

    Account takeover fraud, commonly known as ATO, occurs when hackers gain access to a customer's account by obtaining their login credentials.

    2. How can financial institutions protect against ATO?

    Financial institutions can implement strategies such as rethinking password policies, verifying customer IDs during account creation, and using multi-factor authentication to enhance security.

    3. What role does multi-factor authentication play in preventing ATO?

    Multi-factor authentication is widely adopted because it can prevent 99.9 percent of hacking attempts, adding an essential layer of security for customer accounts.

    4. Why is monitoring back-end activities important?

    Monitoring back-end activities helps organizations identify unusual behavior, such as spikes in failed login attempts or suspicious transactions, which may indicate an ATO attempt.

    5. How can AI be utilized in combating ATO?

    AI can enhance threat detection through automated processes, such as web application firewalls that prevent ATO attacks and monitoring for suspicious activities based on user risk profiles.
