This week’s Secret Crime Fighter discovered an account takeover (ATO) scheme where bad actors were able to gain access to a high number of accounts in order to cash out. Account takeovers have become an increasingly popular tactic in recent years, whether to empty the accounts, to use them as a means to monetise other stolen instruments, or both.
Fraudsters managed to obtain credentials for a large number of accounts, most of which had been set up with low-security emails. The scale of accounts provided them with ample opportunities to test out different tactics and try to learn ways to evade detection while maximising their earnings. They restricted their testing to a smaller pool of accounts and lay in wait for several months before attempting any activity on the majority of accounts. Over the course of 6-12 months, the only observable activity was unusual logins, but they were never tied to any movement of funds.
After months of testing the fences, the fraudsters finally made their move. In a highly coordinated attack during off-business hours, they reported cards as lost in order to auto-generate new virtual cards and quickly empty the accounts.
Our Secret Crime Fighter acted very quickly and was able to put in place some rules to ensure this behaviour would be flagged in the future. The rules took into account a wide range of signals that considered the relationship between login behaviour/timing and marking cards as lost. While maintaining the easy flow for legitimate customers to replace a card, they added friction to the process when certain risky signals were present.
From an operational perspective, one of the tricky aspects of detecting ATO can be understanding how to evaluate the risk/next steps when there are some unusual logins but no real activity. Our Secret Crime Fighter refreshed their training to ensure agents were equipped to appropriately weigh login behaviour even in the absence of any activity, and updated their processes to provide a clearer path for protecting customers, including educating them on best practices.
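The kind of rule described above, as an added example that is not the Secret Crime Fighter's own logic: it scores a lost-card report against the account's login history and adds friction only when risky signals combine. The event fields, the "unrecognised device" stand-in for an unusual login, the time windows and the threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real data. Field names are assumptions.
EVENTS = [
    {"account": "A1", "type": "login", "ts": "2024-03-02T02:10:00", "known_device": False},
    {"account": "A1", "type": "card_lost", "ts": "2024-03-02T02:14:00"},
    {"account": "B2", "type": "login", "ts": "2024-03-02T14:00:00", "known_device": True},
    {"account": "B2", "type": "card_lost", "ts": "2024-03-02T14:05:00"},
    {"account": "C3", "type": "login", "ts": "2023-11-20T23:30:00", "known_device": False},
    {"account": "C3", "type": "login", "ts": "2024-03-02T10:00:00", "known_device": True},
    {"account": "C3", "type": "card_lost", "ts": "2024-03-02T10:03:00"},
    {"account": "D4", "type": "login", "ts": "2023-09-15T03:00:00", "known_device": False},
    {"account": "D4", "type": "card_lost", "ts": "2024-03-03T01:20:00"},
]

BUSINESS_HOURS = range(8, 18)      # assumed 08:00-17:59 local time
RECENT = timedelta(minutes=30)     # assumed "login just before the report" window
LOOKBACK = timedelta(days=365)     # covers the 6-12 months of quiet unusual logins
STEP_UP_AT = 2                     # assumed: two or more signals trigger friction

def score_card_lost(report, history):
    """Return (score, reasons) for one card_lost event and the account's events."""
    t = datetime.fromisoformat(report["ts"])
    # Age of every unrecognised-device login inside the lookback window.
    ages = [t - datetime.fromisoformat(e["ts"]) for e in history
            if e["type"] == "login" and not e["known_device"]]
    ages = [a for a in ages if timedelta(0) <= a <= LOOKBACK]
    reasons = []
    if t.hour not in BUSINESS_HOURS:
        reasons.append("off_hours_report")
    if any(a <= RECENT for a in ages):
        reasons.append("unrecognised_login_before_report")
    if any(a > RECENT for a in ages):
        # Old unusual logins still count even though no funds moved at the time.
        reasons.append("earlier_unrecognised_login")
    return len(reasons), reasons

def decide(events):
    """Map each account's card_lost report to 'allow' or 'step_up' with reasons."""
    out = {}
    for ev in events:
        if ev["type"] != "card_lost":
            continue
        history = [e for e in events if e["account"] == ev["account"]]
        score, reasons = score_card_lost(ev, history)
        out[ev["account"]] = ("step_up" if score >= STEP_UP_AT else "allow", reasons)
    return out
```

Account C3 shows the legitimate flow staying frictionless on a single weak signal, while D4 shows a months-old unusual login tipping an off-hours report into step-up verification.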
Thanks for reading our latest Secret Crime Fighters newsletter. If you have an interesting typology that you’d like to share, we’d love to hear about it! Please email us at [email protected].