Payments Security

Online Authentication: When Fraudsters Take Advantage of Gaps

Authentication – using facial recognition, fingerprints, usernames, passwords and other methods – verifies that individuals are authorized to access a platform or system, including their phones, computers, email accounts, online banking services and investment accounts. It is designed to prevent unauthorized users from gaining access to accounts or devices. However, what happens when a criminal is an authorized user, poses as the authorized user, or manipulates the authorized user to access the system?

Fraudsters sometimes can bypass or exploit authentication gaps – for example, by leveraging compromised usernames, passwords or answers to verification questions they find on the dark web. Criminals also may attempt to convince consumers to send fraudulent payments to them. They will take advantage of the complexity of authentication requirements to find vulnerabilities, allowing them to gain access to and control our systems so they can fraudulently move funds.

New Account Fraud

New account fraud (NAF) occurs when criminals use stolen and/or fabricated information to apply for new accounts, such as demand deposit accounts or credit cards. How do they commit NAF?

  • Identity theft occurs when a criminal uses a person’s personal or financial information without their permission to commit fraud. This information can be obtained through multiple methods, such as data breaches, social engineering deceptions, deployment of malware (malicious software) – even theft of bills, account statements or checks from mailboxes. This information may be used for personal gain by the criminal who stole it, or it may be sold on the dark web to other criminals.
  • Synthetic identities are created using a combination of personally identifiable information (PII) to fabricate a person or entity. Once created, these identities are used to open accounts in the name of the newly created identity.

In both of these cases, the criminals who create these new accounts know they will be the ones who are authenticated for future account access. Furthermore, they can use the new accounts to apply for other services, such as loans, credit cards or checks. Criminals may use their new accounts to receive funds generated from fraudulent activity, or they can evade detection for a time by using them as a pass-through for funds. Ultimately, the fraudsters’ goal is to withdraw the fraudulent funds from the accounts.

Account Takeover Fraud

Account takeover occurs when a third party gains access to an account without the legitimate account owner’s consent. This typically occurs because of identity theft, where personal information or online login credentials have been obtained through phishing (fraudulent emails), malware and/or data breaches. Usernames and passwords can be stolen or easily guessed – for example, a login name that defaults to a consumer’s email address. Other vulnerabilities include:

  • Users often establish passwords that are easy for them to remember, are based upon personal attributes or are used across multiple platforms.
  • Password rules may require few periodic changes, or none at all. This type of static authentication is harder to defend against fraud than constantly changing (dynamic) one-time passwords or two-factor authentication (e.g., a password plus a separate one-time passcode).
  • When fraudsters gain access to accounts, they can change the legitimate user’s password to prevent access and update contact details, such as email address, phone number and physical address, so all future communications and alerts are routed to the criminal and they entirely control the account.

Subscriber identity module (SIM) swapping is another mechanism for account takeover fraud. Criminals use stolen information to pose as the legitimate account holder and ask the mobile phone carrier to transfer the mobile number to a new SIM card. The criminals then can use a device they control to access mobile wallets, purchase goods and services, and receive texts with one-time passcodes to initiate and approve payments.
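A defender-side check for the takeover pattern described above (a password reset or contact-detail change followed shortly by a new payee or an outbound payment), written as an added example that is not part of the original article; the event line format, the account ids and the 24-hour correlation window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Events that shift control of the account away from the legitimate owner
CONTROL_CHANGES = {"password_reset", "email_change", "phone_change", "address_change"}
# Events that realise value once control has shifted
MONETISING = {"payee_added", "payment_initiated"}


def parse_event(line):
    """Constructed line format: ISO timestamp,account,event kind,detail."""
    ts, acct, kind, detail = line.strip().split(",", 3)
    return datetime.fromisoformat(ts), acct, kind, detail


def flag_takeover_pattern(lines, window=timedelta(hours=24)):
    """Return {account: [(control_change, monetising_event), ...]} for every
    monetising event that followed a control change within `window`."""
    per_account = defaultdict(list)
    for line in lines:
        ts, acct, kind, detail = parse_event(line)
        per_account[acct].append((ts, kind, detail))
    flagged = defaultdict(list)
    for acct, events in per_account.items():
        events.sort()  # chronological order per account
        for i, (ts, kind, _) in enumerate(events):
            if kind not in CONTROL_CHANGES:
                continue
            for later_ts, later_kind, _ in events[i + 1:]:
                if later_ts - ts > window:
                    break  # later events fall outside the correlation window
                if later_kind in MONETISING:
                    flagged[acct].append((kind, later_kind))
    return dict(flagged)


# Constructed sample events for hypothetical accounts, not real log data
SAMPLE_LOG = [
    "2024-03-01T09:00:00,acct-001,login,known_device",
    "2024-03-01T09:05:00,acct-001,payment_initiated,existing_payee",
    "2024-03-02T01:10:00,acct-002,password_reset,new_device",
    "2024-03-02T01:12:00,acct-002,email_change,old=owner@example.com",
    "2024-03-02T01:40:00,acct-002,payee_added,new_payee",
    "2024-03-02T02:05:00,acct-002,payment_initiated,new_payee",
    "2024-03-03T10:00:00,acct-003,phone_change,old=+15550100",
    "2024-03-06T10:00:00,acct-003,payment_initiated,existing_payee",
]
```

Only acct-002 is flagged: its payment follows a reset and contact change within minutes, while acct-003's payment comes three days after its phone change and acct-001 changed nothing. A practical follow-on is to send the alert for a flagged account to the contact details on file before the change, which the `old=` detail preserves.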

Scams Bypass Fraud and Authentication Controls

A scam is defined as the use of deception or manipulation intended to achieve financial gain. Over the last few years, scam losses and events have increased even as the payments industry has focused on improving fraud controls and authentication methods.

For example, consumers and businesses are being deceived into sending payments from their own accounts. Criminals try to persuade people to send them money by posing as romantic interests, government agencies, businesses, banks, and family members; they also use offers for fake goods, services and investments. They use scam tactics to manipulate consumers and businesses to provide personal or financial information, such as Social Security numbers, birthdates, account login credentials and account numbers. This information then can be used to open new accounts or take over existing accounts.

In these scenarios, authentication generally succeeds in verifying the fraudster's identity, because the person accessing the account is either the authorized user (as with a fraudulently opened account) or a criminal posing as the authorized user.

Balancing Authentication Needs

The rapid shift to digital channels for many everyday consumer, business and financial functions has attracted criminals who seek to profit from the expanded attack surface of more devices, platforms and payment options. This evolving payments landscape presents new fraud challenges, making it clear that the industry needs to take an authentication approach that is proactive, well-balanced, provides a positive customer experience and protects a customer account from fraud.

This article is part of a series on authentication and its critical role in payments. Read the initial article, Introduction to the Lifecycle and Methods of Online Authentication.