There's been a lot of buzz in financial industry media and conference tracks lately about account takeover, or ATO. And financial institutions are rightly concerned. According to a study conducted last year, losses due to ATO fraud have grown 69% and account for more than $4.6 billion in losses (yes, that's billion with a B).
The growth in ATO is counter-intuitive. Financial institutions have been beefing up online banking controls since the FFIEC issued their Supplement to Authentication in an Internet Banking Environment back in 2011. You would think those sector-wide improvements in authentication and other fraud prevention controls would have stemmed the ATO tide, but they clearly have not done so.
Which raises the question: Why is ATO still a huge problem for banks, credit unions, and their customers?
Read on to get some answers.
Reason #1: The Career Cybercriminal
Modern cybercrime is big business. Cybercriminals are able to fund nice lifestyles for themselves. Much nicer lifestyles than they'd be likely to obtain otherwise. Which would be ok (I don't begrudge anyone's lifestyle), if those funds weren't obtained illegally and at the expense of legit businesses and their customers.
There's more than enough money to be had with a career in cybercrime to attract those with the right talent and expertise. They certainly aren't going into this line of business for the 401(k) benefits.
Cybercriminals pay very close attention to the things that can cut into their profits. Like online banking security controls. Which leads to...
Reason #2: The Half-Life of a Security Control
This is a concept that's not entirely new. But it does very much apply to ATO, and why online banking security hasn't stopped it. The concept is simple: The effectiveness of a security control (i.e., its potency) is dependent on how pervasive it is.
The more pervasive the control, the more focus it gets from cybercriminals. This is why truly pervasive controls (think anti-virus, firewalls, etc.) are so ineffective at stopping cyber attacks.
Compliance can accelerate the deterioration. Within a year of the FFIEC's 2011 guidance, stronger authentication measures became truly ubiquitous. It didn't take long for the capabilities needed to evade these measures, such as man-in-the-middle (MitM) and man-in-the-browser (MitB), to become a common component of cybercrime operations.
Which brings me to...
Reason #3: The ATO Arms Race is Rigged
The arms race between fraud prevention controls and evasion methods isn't going to change. The good guys will continue to innovate new ways to prevent account takeovers, while cybercriminals quickly figure out ways to slip past them.
Financial institutions are at a clear disadvantage in this arms race. Cybercriminals aren't constrained by having to make a business case to innovate new attack methods. Account takeover and fraud are their business. They can launch attack after attack until they find a way past anti-fraud controls, and the only price they pay is time and effort.
The same is not true for the institutions they target. Few can afford to be early adopters of the latest anti-fraud defenses. And even if they could, the conflict between tighter controls and ease of use will always leave exploitable gaps. Adding more defensive barriers does little to change the overriding arms race dynamics at play.
It's tough to win a fight if you aren't willing to fight back
Financial institutions aren't going to succeed in stopping ATO over time by sitting back and relying on reactive anti-fraud defenses. They have to level the playing field, and that means that their approach to fraud prevention must evolve. It can't be constrained to their own environment, and it must incorporate fighting back against the ATO attacks and the cybercrime operations that support them.
ATO isn't going away, and it is clear that fraud prevention strategies that rely purely on defensive anti-fraud controls are not enough to protect institutions and their customers. It's time for banks and credit unions to fight back.
This isn't a topic that can be addressed in a single blog post, so keep an eye out for follow-up posts in the future. You can also download our white paper "Combating Account Takeover" to learn more.