Account Takeover Activity and What You Can Do About It

Financial institutions are well aware of the risks posed by malicious cyber activity. However, few institutions recognize how rapidly the threat environment has evolved and risk has grown because most of this activity takes place on underground forums and the dark web.

One of the most attractive opportunities that cyber attackers focus on when targeting financial institutions is gaining control of bank and credit union customer and member accounts. In the past year, the number of accounts compromised by credential theft and fraudulent transactions tripled. Losses from account takeovers topped $5 billion in 2017, according to the research firm, Javelin, up 120% from the previous year.

Based on this trend and independent cybersecurity analyses from Fiserv partners including BlueVoyant, we expect continued growth in account takeover attempts in the foreseeable future.

There are four reasons why:

1. Cyber attackers have developed a mature and specialized ecosystem. Today’s cyber attackers are part of a highly organized global network. There are coders who develop malware, data miners who make sense of the stolen data for ease of sale, money specialists who identify ways to profit from the data, and network administrators who manage compromised systems that spread malicious payloads. The ecosystem model means that threat actors no longer need to manage the whole takeover on their own.

Some specialists even offer complete “as-a-service” bundles for their specialties. There are marketplaces to sell tools and techniques, “libraries” and chat rooms to share knowledge and information, digital wallets to store stolen funds, and even unofficial mediators to referee and adjudicate disputes.

2. Threat actors often opt for basic, low-cost tools. While sophisticated tools are readily available, many threat actors intentionally choose simple methods that are inexpensive and effective. For example, an attacker may use a simple SIM-card swap – associating the attacker’s mobile number with the compromised account – to fool a two-factor authentication scheme rather than using more technical methods like SMS-grabbing malware.

Likewise, automated tools now make it easier and faster for hackers to crunch through thousands of password combinations in basic brute force attacks, often relaying requests through open proxy servers that make each request appear to be coming from different IP addresses to avoid being flagged or locked out by financial institution controls.

3. The combination of digital networks and human accomplices allows cyber criminals to move large amounts of stolen funds without raising suspicion. One known cyber attacker (“Lixkill”) employs teams of associates to conduct physical ATM cash withdrawals in Canada, the U.S. and Australia. His accomplices deposit the money into “clean” accounts. Lixkill limits transfers to a daily maximum and sometimes even splits deposits among several accounts to prevent financial institution systems from flagging them as suspicious. For his services, he charges 50 percent of the stolen funds, then sends the rest back in Bitcoin, which are "clean", untraceable and ready to use. The whole process takes three-to-five days, according to Lixkill.

4. Insiders may be working with threat actors. A growing number of threat actors claim to be working with insiders at financial institutions to facilitate the cash-out phase of an account takeover. Typically, threat actor work with insiders to obtain customer logins that will make illegal withdrawals appear legitimate.

What you can do in response

To thwart takeover activity, financial institutions need to start by beefing up basic security practices. In addition to training employees on smart password practices, financial institutions need to mandate strict password complexity requirements while embracing tools that make it easier for employees and customers to manage and update passwords.

In-app and in-platform security controls can help financial institutions reduce the risk of credential theft. Financial institutions should deploy anti-bot (e.g., “CAPTCHA”) and anomaly detection security controls in all public-facing services. Those controls include anti-session hijacking, anti-caching, secure key generation and management, along with end-to-end encryption.

To protect against the growing number of cyber attackers and the greater range of tools and organized activity being trained against them, financial institutions must maintain access to threat intelligence services that can track criminal actors and their activity across the cyber-underground and the dark web.

Two-factor authentication on login for all public-facing services is also crucial. Financial institutions should consider out-of-band (OOB) two-factor authentication, which sends the authentication request through a separate communication channel, rather than relying solely on SMS. A software token sent to an authenticator application on a customer’s smartphone, for instance, would render an attempted SIM swap useless. Biometric solutions and key fobs that generate random two factor authentication codes are other effective methods.

Finally, financial institutions should regularly employ anti-money laundering monitoring activities and strictly enforce document authenticity verifications to prevent forged documents from being used to opening drop accounts.

From our ongoing intelligence-gathering, it is clear that financial institutions and others are becoming increasing vulnerable to account takeovers. It’s crucial to understand the evolving threat landscape and move quickly and concertedly to take appropriate protections.

The Three Stages of an Account Takeover

Stage 1: Obtaining customer account login credentials. Methods including phishing, banking Trojan malware, brute force tools that target online banking platforms, and social engineering such as hoax phone calls where hackers pretend to be financial institution representatives. Most of these attacks rely on human error to succeed – sloppy password practices, failure to notice subtle changes in a financial institution’s URL, and other social engineering practices that lure victims into opening an innocent-seeming email, downloading malware, and other tricks.

Stage 2: Accessing a compromised account and moving funds to a drop account. This requires circumventing financial institution security controls such as two-factor authentication and anomaly detection tools that block suspicious login attempts and gain access to the customer’s account. Methods include SIM swaps (taking control of the legitimate client's phone number); associating rogue phone numbers with the bank account; social engineering; SMS-grabbing malware; cloning phone identifiers; and more.

Stage 3: Cashing out. Methods include ATM withdrawals, purchasing digital currencies, transferring funds to online payment platforms, or buying goods or gift cards. Often money is sent using mules, some witting and others not, to cover tracks and funnel the funds over to the final drop account. After taking his or her cut, the threat actor in charge of the cash out then dispenses the funds to their “client” (the fraudster who retained their services) with clean, untraceable Bitcoin being a favorite medium.