Digital account fraud is a major problem. Michael Lynch of InAuth discusses how organisations can thwart bad actors.
Account opening fraud has become a serious problem among financial institutions (FIs), banks and online merchants. Growing consumer expectations for 24/7 digital access, as well as competitive pressures, have forced many of these organisations to abandon more stringent manual application review processes so that they can open accounts quickly, generate more revenue and increase market share. This may be helping to create an insecure environment that fraudsters can exploit.
Fraudsters are using stolen identity data combined with bots to open accounts at a very fast rate. For example, after a data breach at a company, fraudsters may gain access to consumer data and use a bot to quickly open large volumes of accounts in consumers' names.
Account opening fraud takes many forms, from amateur fraudsters using stolen credentials to obtain credit cards fraudulently, to extremely sophisticated and far-reaching operations netting high-value losses.
Fraudsters may hijack a victim’s identity altogether by linking fraudulently opened accounts with legitimate ones to control access to and the movement of funds between the good accounts and the fraudulent ones. They can also use access to a victim’s accounts to enable additional access to funds, such as ‘turning on’ cashless ATM functionality, setting/changing PINs and removing account limitations.
More sophisticated and better-organised fraudsters are increasingly using automated bots to generate a torrent of new account applications in a short time. This type of fraud is extremely difficult for banks and card issuers. Digitally enabled organisations are stuck between a rock and a hard place: wanting to meet consumer expectations, thwart the competition and leverage new opportunities, while at the same time recognising the inherent financial and reputational risks involved with enabling online account opening capabilities.
Close the door before fraudsters gain access
The best way to prevent account opening fraud is to close the door on fraudsters before they can gain access to any account opening processes. Watching for bot attacks is critical, since they involve velocity attacks enabled by automation – usually hijacking a computer to attempt to open hundreds of accounts in a short amount of time, often using the same device repeatedly to perform the fraudulent transaction until the device is detected and disabled. Due to the large volumes of activity generated by a bot attack, simple observation for a spike in traffic can help identify it.
Device authentication is also an important way to thwart fraudulent account opening, as it enables organisations to verify the identity of a device by its unique characteristics. Device authentication technology uses certain unique attributes in each device to create a device ID. By creating and calling on this device ID for subsequent transactions, organisations can more quickly authenticate trusted consumers with the least amount of friction, providing a positive customer experience. Transactions from risky devices can also be flagged for next-level review or denied altogether. If the same device ID is opening many accounts in a short amount of time, this is potentially a harmful bot.
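The device-ID velocity check described above can be sketched as a sliding-window counter over account applications. This is an added example, not InAuth's code: the event fields, window and thresholds are assumptions, and it goes one step beyond the text by also counting distinct applicant identities per device, so that one customer retrying an application is treated differently from one device submitting many names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them against your own traffic baseline.
WINDOW = timedelta(minutes=10)
MAX_APPS = 3  # applications allowed per device within WINDOW
MAX_IDS = 2   # distinct applicant identities allowed per device within WINDOW


def flag_devices(events, window=WINDOW, max_apps=MAX_APPS, max_ids=MAX_IDS):
    """Return {device_id: (applications, identities)} when a limit is first exceeded.

    events: iterable of (timestamp, device_id, applicant_id) tuples, in any order.
    """
    recent = defaultdict(deque)  # device_id -> applications still inside the window
    flagged = {}
    for ts, device, applicant in sorted(events):
        q = recent[device]
        q.append((ts, applicant))
        while ts - q[0][0] > window:  # evict applications older than the window
            q.popleft()
        identities = {a for _, a in q}
        if device not in flagged and (len(q) > max_apps or len(identities) > max_ids):
            flagged[device] = (len(q), len(identities))
    return flagged


def _at(hhmmss):
    return datetime.fromisoformat("2024-01-01T" + hhmmss)


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    (_at("09:00:00"), "dev-A", "alice"),
    (_at("09:00:20"), "dev-B", "id-001"),
    (_at("09:00:40"), "dev-B", "id-002"),
    (_at("09:01:00"), "dev-B", "id-003"),
    (_at("09:01:20"), "dev-B", "id-004"),
    (_at("09:03:00"), "dev-A", "alice"),  # same customer retrying: not flagged
    (_at("13:00:00"), "dev-C", "carol"),
    (_at("13:30:00"), "dev-C", "dave"),   # shared device, spaced out: not flagged
]

if __name__ == "__main__":
    for device, (apps, ids) in flag_devices(SAMPLE_EVENTS).items():
        print(f"review {device}: {apps} applications, {ids} identities in {WINDOW}")
```

Flagged devices are candidates for the next-level review the article mentions; whether to deny outright is a policy decision.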
Personally identifiable information (PII) plays an important role in this issue. A sheer volume of PII is available on the black market for fraudsters to use, the result of thousands of data breaches over the years. Armed with even a few key pieces of compromised information, fraudsters can create a fake ID and open a fake account with a real identity. Fraudsters have also begun creating synthetic identities, combining different pieces of real data from multiple sources into a new identity.
Though this is a very challenging situation, consumers do have options for protecting themselves. They can try to limit the amount of personal information they share online. They should make sure to always use sophisticated passwords on their accounts and not use the same password for multiple accounts. Additionally, they should only conduct mobile financial transactions on secure networks, and never use public Wi-Fi networks.
As dire as things seem for financial institutions, they are making good progress in this area. Unfortunately, so are the fraudsters, who are adept at staying ahead of the latest security measures. It’s a never-ending battle.
Michael Lynch serves as chief strategy officer at InAuth, where he is responsible for leading the company’s new products strategy, along with developing key domestic and international partnerships. Lynch brings two decades of experience in key roles within financial services, consulting and Fortune 500 companies, specialising in security and technology leadership. Prior to joining InAuth, Lynch served as a senior vice-president for Bank of America, responsible for authentication strategy.