
Account takeover (ATO) is frequently thought of as a fraudster using someone’s genuine yet stolen credentials to commit identity theft, then gaining access to the victim’s online accounts and stealing their funds. However, developments in technology combined with the increasing sophistication of cybercrime and organized crime gangs are giving rise to new, more complex types of ATO attacks.

These approaches include impersonating or manipulating legitimate users. Not only can they outwit financial institutions’ legacy authentication techniques, but some of them can even outsmart a victim’s own friends and family.

Here are four complex ATO attacks you need to be aware of right now.

Complex ATO Attack 1: Deep Fakes

If there was ever a sign that we’re living in an age where technologies previously confined to the realms of science fiction are becoming a reality, it is deep fakes. In a world where Spotify can analyze a user’s emotions to offer them calming music when they feel stressed, or where robots can cook burgers, is it really so strange that machines can replicate someone’s voice or even reanimate a photo of a deceased relative? 

If someone looks like you, sounds like you, and has access to your personal information, what’s to stop them from coming after your account and succeeding? This reality is why deep fakes are one of the most troubling complex account takeover attacks deployed today.

Deep fakes can be so convincing that Russians used deep fake filters on video calls to trick senior parliamentary members in Europe into thinking they were different people. Hence, it’s not a giant leap for fraudsters to exploit this tech for their gain.

Deep fakes can back up a synthetic identity, a type of false ID often used by criminals that blends false and genuine information to increase its chance of bypassing financial services’ security. They can also compromise call centers, for example, by persuading agents that they are someone they’re not.

Complex ATO Attack 2: SIM Swap Scams

The process of changing your old phone number to a new one is pretty simple. Unfortunately, bad actors can use this very same process to commit SIM swap fraud – a particularly pernicious type of scam – and access almost anyone’s account.

They use confidence tricks or stolen information to deceive mobile providers into switching someone’s genuine number onto another SIM card.

Next, they put this SIM card into their phone to access bank verification details. Once they’ve gained access, fraudsters reap the rewards before account holders realize anything is wrong. Criminals can even reset all the other account information and lock the genuine owner out of their own accounts.

Criminals only need basic information to perpetrate SIM card fraud, including someone’s name, date of birth, and address. Data breaches, phishing scams, and information sold on the dark web give bad actors access to this information. Bad actors can also perform simple online searches to gather what they need to answer a call center agent’s security question before registering the new SIM.

Fraudsters can even clone the legitimate user’s voice, strengthening the illusion that they are the genuine account owner.

This type of fraud has mushroomed in recent years. According to the UK’s Action Fraud, SIM swap fraud has increased substantially, resulting in losses of more than £10m to UK consumers alone in the first half of 2020.

Complex ATO Attack 3: SMS OTP Fraud

At first glance, sending a one-time passcode (OTP) or another multi-factor authentication (MFA) method to a user to make sure they are who they say they are seems like a good authentication measure. However, now that we know how easy it is for bad actors to pull off a SIM swap scam, it might not add as much security as it seems. It’s easy to switch someone’s number onto a device and intercept the OTP.

Adding to this threat is malware capable of intercepting OTPs and resending them to attackers. A mobile phone can read a text message sent to it and copy and paste the OTP into the requesting app. Similarly, malware can intercept messages and send the OTP to fraudsters.

Criminals compromising a mobile provider’s servers and intercepting all text-based OTPs is a more insidious threat. Instead of creating a more secure authentication process, mobile numbers used for two-factor authentication unwittingly open a back door for fraudsters to exploit.

Vulnerabilities like these are why SMS-based authentication has been listed as a method “to be avoided” among the Strong Authentication Requirements for internet payments, as issued by the European Banking Authority (EBA). While criminals continue to leverage advanced technologies to commit their crimes, the security world knows what some institutions are struggling to admit – it’s time for organizations using SMS OTPs to move on.

Complex ATO Attack 4: Session Hijacking via RATs

Remote Access Trojans (RATs) are authentic-looking applications containing malware that can be accidentally downloaded onto a device. RATs sneakily piggyback on legitimate-looking files. For example, the malware Vizom spreads through spam-based phishing campaigns disguised as popular video conferencing software, a tool that became crucial during the pandemic. Once downloaded, RATs provide a way for hackers to gain administrative control over the targeted device.

Bad actors also use RATs to perform remote overlay attacks to target online banking sessions after users have legitimately logged in to their accounts. This form of malware is often known as a Rat-in-the-Browser (RitB), a third-generation Trojan attack that can work alongside a RAT to hijack a session. The installed RAT then alerts the cybercriminal when the customer logs on.

The attacker can then overlay their windows on top of the target app. Victims enter information such as login credentials (usernames and passwords) or bank card numbers into the overlay. Instead of dealing with their banking app, they are handing over their private information to the bad actors, giving them the means to take over their accounts and steal their funds.

Originality is Key

Financial services need to leverage authentication technologies based on input that genuinely cannot be replicated – especially with the rise of deep fakes and other highly advanced account takeover fraud methods. As bad actors use increasingly sophisticated technology that can learn and adapt to bypass security systems, financial institutions (FIs) need to fight fire with fire.

Implementing artificial intelligence and deep learning to know each and every customer through their online behavior enables FIs to answer the question, “are you really you?” In other words, companies need to know their customer by analyzing their behavioral biometrics.

A fraud prevention solution founded in behavioral biometrics can analyze thousands of parameters, including how a user types or moves the mouse, and combine this information with device and network assessments to create a unique digital fingerprint. No two BionicIDs are the same, and they are impossible to replicate.

By profiling users at a granular level and using deep learning mechanisms to ensure the solution gets smarter and more accurate with each login, FIs can protect their customers – even from people who look and sound exactly like them.
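
The idea of combining typing and mouse behavior with device and network assessments can be illustrated with a small scoring sketch. This is an added example, not the vendor's algorithm or code from the original article; the feature names, weights, thresholds and device identifiers are assumptions, and the sample sessions are constructed.

```python
import statistics

# Constructed enrolment data: per-session averages for one user.
# Feature names are hypothetical: key hold time, gap between keys, mouse speed.
ENROLMENT = [
    {"dwell_ms": 95, "flight_ms": 140, "mouse_px_s": 420},
    {"dwell_ms": 100, "flight_ms": 150, "mouse_px_s": 400},
    {"dwell_ms": 105, "flight_ms": 145, "mouse_px_s": 440},
    {"dwell_ms": 100, "flight_ms": 155, "mouse_px_s": 410},
]
KNOWN_DEVICES = {"device-A"}  # constructed device identifiers

def build_profile(sessions):
    """Mean and sample standard deviation of each feature across sessions."""
    profile = {}
    for feature in sessions[0]:
        values = [s[feature] for s in sessions]
        profile[feature] = (statistics.mean(values), statistics.stdev(values))
    return profile

def behaviour_distance(profile, session):
    """Average absolute z-score of a session against the user's profile."""
    zs = [abs(session[f] - mu) / max(sigma, 1e-6)
          for f, (mu, sigma) in profile.items()]
    return sum(zs) / len(zs)

def assess_login(profile, session, device_id, network_flags=()):
    """Combine behaviour, device and network signals into a risk decision."""
    # Assumed weights: behaviour 0.6, unknown device 0.25, network anomaly 0.15.
    risk = 0.6 * min(behaviour_distance(profile, session) / 3.0, 1.0)
    if device_id not in KNOWN_DEVICES:
        risk += 0.25
    if network_flags:
        risk += 0.15
    # Assumed thresholds: below 0.3 allow, below 0.7 step up, otherwise deny.
    decision = "allow" if risk < 0.3 else "step_up" if risk < 0.7 else "deny"
    return round(risk, 3), decision

PROFILE = build_profile(ENROLMENT)
GENUINE = {"dwell_ms": 102, "flight_ms": 149, "mouse_px_s": 425}
REMOTE = {"dwell_ms": 60, "flight_ms": 90, "mouse_px_s": 900}  # atypical input

if __name__ == "__main__":
    print(assess_login(PROFILE, GENUINE, "device-A"))
    print(assess_login(PROFILE, REMOTE, "device-A"))
    print(assess_login(PROFILE, REMOTE, "device-B", ["new_network"]))
```

The second call mirrors the session hijacking case: the device is known and the login was legitimate, so only the behavioral signal separates the session from the account owner's, and it triggers step-up authentication.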