Account opening fraud must be stopped before the breach
Bank accounts, mortgages, credit cards, online shopping accounts, mobile wallets, loyalty and rewards programs—the variety of accounts opened by consumers on digital platforms is nearly endless.
In exchange for access to information, services and convenience, consumers hand over personal and financial information about themselves. The ability for consumers to open accounts online is essential in today’s 24/7, always-on society, but it is incumbent on digital-enabled organizations to protect their customers, as well as themselves, from potential financial losses and reputational damage due to account opening fraud.
Since the launch of EMV chip-enabled cards in the U.S., fraud has been steadily shifting to digital channels, precipitating a rise in new account opening fraud. According to a Javelin Strategy & Research report ("Mitigating Application Fraud from Synthetic Identities," 2016), the opening of fake accounts in the U.S. more than doubled in 2015. Cybercriminals created various fraudulent accounts using stolen identities from 1.5 million consumers, up from 700,000 the previous year.
Growing consumer expectations for 24/7 digital access, as well as competitive pressures, have forced many organizations to abandon more stringent manual application review processes in favor of making it as easy as possible for users to open accounts quickly, in order to generate more revenue and increase market share. Unfortunately, this may be helping to create an insecure environment for fraudsters to exploit.
Account opening fraud takes many forms, from amateur fraudsters using stolen credentials to obtain credit cards fraudulently, to extremely sophisticated and far-reaching operations netting high-dollar losses. In one recent example, a Reno man, using the personal identities of multiple victims, fraudulently opened upwards of 8,000 accounts online, including bank accounts, credit cards, prepaid debit cards, and PayPal accounts, according to federal authorities. He then used the fraudulent accounts to steal money and obtain property, transferring, depositing and sending approximately $3.5 million through both electronic transactions and physical checks.
While there is awareness among both business and consumers about the risks of doing business online, the sheer volume of personally identifiable information (PII) available on the black market due to a steady stream of security breaches makes account opening fraud difficult to stay in front of. Armed with even a few key pieces of compromised information—either gleaned from one source or cobbled together from multiple sources—fraudsters can replicate an existing identity, or create what appears to be a new, legitimate identity using a mix of information, to open new accounts.
Criminals exploit these accounts in a number of ways. For example, they may hijack a victim’s identity altogether by linking fraudulently opened accounts with legitimate ones to control access to and the movement of funds between the good accounts and the bad ones. They can also use access to a victim’s accounts to enable additional access to funds—such as “turning on” cashless ATM functionality, setting/changing PINs and removing account limitations.
More sophisticated and better organized criminal actors are increasingly using automated bots to generate a torrent of new account applications in a short time. The use of bots enables fraudsters to test a large amount of stolen information with a potentially short shelf-life more quickly, increasing the likelihood of successfully opening a greater number of fraudulent accounts and moving money before the fraud is detected.
Digitally enabled organizations are stuck between a rock and a hard place—wanting to meet consumer expectations, thwart the competition and leverage new opportunities, while at the same time, recognizing the inherent financial and reputational risks involved with enabling online account opening capabilities.
Despite the obvious benefits to both organizations and consumers, the risks from online account opening fraud are causing many businesses to take a step back. For example, a survey commissioned by Mitek found that only one third of the nation’s top 30 financial institutions offered end-to-end mobile account opening.
It’s an unfortunate blow to innovation within the mobile channel, but there are some steps organizations can take to mitigate the risks in order to continue leading with their digital strategies.
The best way to avoid account opening fraud is to close the door on fraudsters before they can gain access to any account opening processes. There are a number of tactics and solutions organizations can employ to shut down the favored methods of fraudsters, including the use of bots and device compromise.
Bot attacks involve velocity enabled by automation—usually hijacking a computer to attempt to open hundreds of accounts in a short amount of time, often using the same device repeatedly to perform the fraudulent transaction until the device is detected and disabled. Other bot attacks may spread the attack over multiple devices, making it harder to detect the source in a timely manner.
Because a bot attack generates large volumes of activity, simply watching for a spike in traffic can help identify it. On the higher-tech end of the spectrum, velocity detection technology exists that can flag devices performing multiple unusual behaviors, usually at a high rate of speed. If a device performs multiple login attempts on multiple accounts over a short period of time, this could signal the use of a bot. Advanced technologies can also detect bot activity through behavioral analysis, which allows the identification of an adversary who builds remote-controlled tools to automate an attack.
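A minimal form of the two checks described above, added here as an example and not taken from the original article: a per-device sliding window that counts distinct accounts touched (the "multiple accounts in a short period" signal), plus a site-wide volume check for the case where the attack is spread across many devices. The log format, device and account identifiers, timestamps and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one account-opening attempt per line,
# "ISO-timestamp device_id account_id"; lines need not be sorted.
SAMPLE_LOG = """\
2016-03-01T10:00:00 dev-A acct-1
2016-03-01T10:00:20 dev-A acct-2
2016-03-01T10:00:45 dev-A acct-3
2016-03-01T10:01:10 dev-A acct-4
2016-03-01T10:01:30 dev-A acct-5
2016-03-01T10:02:00 dev-B acct-6
2016-03-01T12:00:00 dev-C acct-7
2016-03-01T12:00:05 dev-C acct-7
2016-03-01T12:00:09 dev-C acct-7
"""

def parse_log(text):
    """Parse lines into (datetime, device, account) tuples, oldest first."""
    events = [(datetime.fromisoformat(t), d, a)
              for t, d, a in (line.split() for line in text.splitlines())]
    return sorted(events)

def flag_high_velocity_devices(events, window=timedelta(minutes=5), max_accounts=3):
    """Per-device check: return {device: peak distinct accounts} for any device that
    touched more than max_accounts distinct accounts inside one sliding window.
    Repeated attempts on a single account (dev-C) are not counted as velocity."""
    recent = defaultdict(deque)          # device -> (ts, account) still inside window
    flagged = {}
    for ts, device, account in events:
        q = recent[device]
        q.append((ts, account))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        distinct = len({a for _, a in q})
        if distinct > max_accounts:
            flagged[device] = max(distinct, flagged.get(device, 0))
    return flagged

def traffic_spike(events, window=timedelta(minutes=5), max_applications=5):
    """Site-wide check for attacks spread across many devices: True when the total
    number of applications in any window exceeds max_applications."""
    q, peak = deque(), 0
    for ts, _, _ in events:
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak > max_applications, peak
```

In the sample, dev-A trips the per-device check (five accounts in ninety seconds) while dev-C's three retries on one account do not; the site-wide check fires on the six applications clustered around 10:00.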
Device authentication enables organizations to verify the identity of a device by the device’s unique characteristics. Device authentication technology uses certain unique attributes in each device to create a permanent device ID that survives app uninstalls/reinstalls and operating system upgrades, and cannot be spoofed.
By creating and calling on this permanent device ID for subsequent transactions, organizations can more quickly authenticate trusted consumers with the least amount of friction, providing a positive customer experience. Transactions from risky devices can be flagged for next-level review or denied altogether. The unique operating system architecture of mobile devices lends itself well to native apps that are more secure than browser-based account opening. Using this approach, security can be an enabler of a positive customer experience, rather than a point of friction.
One first-line approach is to query static sources of identity, such as information derived from credit data. Other, newer verification techniques include the use of social media data or validation against government documents.
But an even more powerful weapon in the fight against account opening fraud is analyzing the correlation between a global network of devices and user data. Such analysis can confirm, for example, whether a certain device is associated with the user trying to access your systems. It can also uncover the reputation associated with the user’s previous transactions, account origination history or the device’s own prior history. Using both a device reputational score and a user reputational score allows organizations to correlate these historical data points, empowering them to make more confident decisions by validating the true identity of a good consumer versus a fraudster using real or synthetic identities to open the account.
Retailers, financial institutions, card issuers and others know they must take more stringent measures to combat digital account opening fraud, yet they want to do so in a way that does not cause more friction and inconvenience to customers who prefer the speed and convenience of opening accounts online. By deploying the latest digital security measures and solutions, customer experience and security no longer have to be mutually exclusive.