As technology expands so do diverse types of fraud. One such form, account takeover fraud, threatens companies that touch or hold customer money in any way. This means fintechs are especially vulnerable and should be doing everything in their power to protect their customers from this growing threat.
In the first 90 days of 2022, Okta reported that 23% of signup attempts for all companies using their platform were fraudulent. Financial services companies were among the most attacked, with 64.8% of registration attempts reported as fraudulent.
This prevalence is due, in part, to the high number of usernames and passwords (credentials) that have been exposed in data breaches over the years. These breaches have produced vast databases of compromised credentials that fraudsters use in an attempt to gain unauthorized access to protected accounts en masse.
In this article, we’ll look closely at how account takeover fraud is threatening fintech companies, and what they can do to prevent it.
What is credential stuffing? How account takeover starts
Credential stuffing happens when fraudsters attempt to log in to multiple users’ accounts with credentials stolen from a data breach. Attackers will use exposed credentials repeatedly over a multitude of accounts in hopes of finding one that works. Online banking accounts and fintech platforms that hold money are frequently the targets.
Fraudsters who employ this method don’t only use the credentials to log in to the account from which the data was stolen. They assume (often correctly) that these credentials have been re-used across multiple accounts. A leaked username and password combination from an online gaming service, for example, might be tried on dozens of crypto trading apps to see if it works there, as well.
This is not done manually. Fraudsters program bots to submit stolen usernames and passwords into various financial account login screens, allowing them to carry out credential-stuffing attacks at scale.
Fintech accounts are likely to be targeted in these attacks, as bad actors follow the money. This makes it doubly important for companies to do everything they can to prevent fraudulent logins while communicating their efforts to keep customers’ funds safe.
What is account takeover? How fraudsters use stolen credentials
Account takeover is when a bad actor uses stolen credentials to take over a user’s account, most often through credential stuffing. Account takeover typically proceeds in three stages:
1. Compromise: This is when bad actors gain access to credentials. Compromise most often happens from data breaches where usernames, passwords, and other personal information are exposed.
2. Validation: Compromised credentials can be used by fraudsters to log in to various accounts, most often through credential stuffing bots. When a match is found, the stolen credentials are validated. While a fintech company might succeed in blocking the takeover through two-factor authentication (2FA), the fraudster still knows the credentials are valid and can try to use them elsewhere.
3. Exploitation: If a fraudster succeeds in taking over an account using validated credentials, they will then try to exploit the account by moving money or committing some other type of financial crime. A second factor is the main control at this stage: even after the password has been validated, the attacker still needs the second factor to get in, so 2FA blocks the great majority of takeover and exploitation attempts (the exception being cases where the second factor itself is compromised, discussed below).
While fintech companies can’t prevent compromise, they can take steps to prevent validation and exploitation. For example, using Plaid for account connection prevents stolen credentials from being validated and successfully linked to third-party applications by bad actors. Plaid prevents fraudsters from using its network to take over compromised accounts through the internal defensive services built into Plaid Link. Check out our safety page to learn more about how Plaid keeps consumers safe.
Account takeover fraud has become increasingly popular with hackers in recent years due to the multitude of stolen credentials available from numerous data breaches. In 2022 alone, there were a total of 1,802 compromises with over 422 million victims affected.
[Stat callouts: data breach compromises in 2022 alone; victims affected by data breaches in 2022; share of people who reuse the same password for some or all accounts. Source: Identity Theft Center, Google Survey]
While only a small fraction of credential-stuffing login attempts actually succeed, the billions of credential pairs available from breach dumps make the attack worthwhile for fraudsters nonetheless: at that volume, even a tiny success rate translates into a large absolute number of compromised accounts, which is why running bots to ‘see what sticks’ pays off.
Fintechs should assume their customers’ credentials have at some point been stolen from a data breach and are likely to have been reused (more on that below). They should also take every available precaution to prevent stolen credentials from being used on their apps.
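One concrete precaution a fintech can take on the server side, going a step beyond the article’s advice, is to refuse any password that already appears in a breach corpus. The example below is added for this article and is not Plaid’s code; it uses the k-anonymity range lookup of the Have I Been Pwned Pwned Passwords API (the same haveibeenpwned.com service the article later recommends to consumers), in which only the first five hex characters of the password’s SHA-1 hash are sent and the match is made locally. The offline fetcher, its response body and the counts in it are constructed for the example; the live fetcher is included but not exercised.

```python
"""Screen a candidate password against a breach corpus with k-anonymity.

Added example for this article, not Plaid's or HIBP's code. Only a 5-char
hash prefix ever leaves the server; the password and its full hash do not.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Reject a password seen in any breach at all; for a financial login that
# floor is appropriate (constructed policy choice for the example).
REJECT_THRESHOLD = 1


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned by /range/{prefix}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in breaches (0 if unseen).
    The API returns every hash sharing the prefix, so it never learns which
    one we cared about."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def should_reject(password: str, fetch_range: Callable[[str], str]) -> bool:
    return breach_count(password, fetch_range) >= REJECT_THRESHOLD


def fetch_range_live(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com; needs network access and
    is not used by the offline demonstration below."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "ato-example/1.0"},  # the API requires a UA
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so prefix 5BAA6 returns a body
# containing its suffix. The counts and the other suffixes are made up.
_CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
00A2F6E8B1D4C3A0F9E8D7C6B5A4F3E2D1C:1
"""


def fetch_range_offline(prefix: str) -> str:
    return _CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "Xq7!vTz2#mLp9@Rw"):
        print(pw, "seen:", breach_count(pw, fetch_range_offline),
              "reject:", should_reject(pw, fetch_range_offline))
```

Run the check at sign-up and on every password change; rejecting a breached password at that point is far cheaper than detecting the stuffing attempt that would otherwise follow.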
New account fraud vs account takeover fraud
Account takeover fraud is just one of the ways stolen credentials are used. Fraudsters can also use personally identifiable information such as Social Security numbers, names, phone numbers, and addresses to open fake financial accounts or apply for loans. Once they get past a financial company’s KYC processes, they’ll most likely either open a line of credit and max it out or use the account to move money gained through some other crime.
This kind of identity theft can be devastating for the customer, who is left with a nightmare scenario in which their credit is potentially destroyed. Financial service providers, however, are the ones who will be left footing the bill, as those maxed-out credit lines will never get repaid.
Using a digital identity verification tool is the most effective way to prevent new account fraud. These tools use several data checks to determine if a user really is who they claim. However, a verification that’s overly disruptive to the normal account onboarding process can cause some users to abandon the process altogether. That’s why it’s important to choose a robust, yet seamless tool that can verify identity with high accuracy but low friction.
→ Want to reduce fraud during new customer onboarding without sacrificing conversion rates? Plaid Identity Verification is the lowest friction identity verification experience available.
Account takeover works because of password reuse
A Google survey found that 52% of people re-use their passwords for multiple accounts while 13% re-use their passwords for all accounts. Password reuse gives credential-stuffing attackers a better chance of success when using stolen credentials to log in to various financial accounts—another reason it’s become so widespread.
At the same time, bots are getting more advanced. Most companies use rate-limiting logic that stops a single device, session or IP address from attempting to log in to many accounts in a short period, since that pattern is indicative of abuse. Fraudsters skirt this by spoofing device fingerprints and session details and by routing their traffic through residential proxy networks, spreading the attempts across a large number of IP addresses and device types so that each request looks like a real user.
Companies suffering an advanced attack like this might not know it, because each individual request appears normal; the only indicators are aggregate ones, such as a rise in login attempts or sign-ups and, above all, a rise in the share of login attempts that fail. If they do become aware, they most likely won’t be able to stop the attack without disrupting service for their customers, since blocking by IP address or device no longer separates attackers from real users.
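The aggregate signal described above can be made concrete. The example below is added for this article and is not Plaid’s detection logic; it parses a small, constructed authentication log (the `timestamp user=… ip=… result=…` format is an assumption for the example), buckets attempts into five-minute windows, and evaluates two rules side by side: a per-IP limit, which never fires during the distributed burst because every attacker IP appears only once, and an aggregate rule on volume, failure ratio and how many distinct usernames were tried, which does.

```python
"""Detect a distributed credential-stuffing wave in authentication logs.

Added example for this article, not any product's detection logic. The
log format and the sample lines are constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(success|fail)$")

# Constructed sample: a quiet five minutes of ordinary logins, then a burst
# in which every request comes from a different IP and targets a different
# user, so a per-IP counter never trips, yet 11 of 12 attempts fail.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice ip=192.0.2.10 result=success
2024-03-01T09:00:07Z user=bob ip=192.0.2.11 result=fail
2024-03-01T09:00:19Z user=bob ip=192.0.2.11 result=success
2024-03-01T09:01:45Z user=carol ip=192.0.2.12 result=success
2024-03-01T09:03:02Z user=dave ip=192.0.2.13 result=success
2024-03-01T09:04:30Z user=erin ip=192.0.2.14 result=success
2024-03-01T09:10:00Z user=u01 ip=198.51.100.1 result=fail
2024-03-01T09:10:05Z user=u02 ip=198.51.100.2 result=fail
2024-03-01T09:10:10Z user=u03 ip=198.51.100.3 result=fail
2024-03-01T09:10:15Z user=u04 ip=198.51.100.4 result=fail
2024-03-01T09:10:20Z user=u05 ip=198.51.100.5 result=fail
2024-03-01T09:10:25Z user=u06 ip=198.51.100.6 result=fail
2024-03-01T09:10:30Z user=u07 ip=198.51.100.7 result=success
2024-03-01T09:10:35Z user=u08 ip=198.51.100.8 result=fail
2024-03-01T09:10:40Z user=u09 ip=198.51.100.9 result=fail
2024-03-01T09:10:45Z user=u10 ip=198.51.100.10 result=fail
2024-03-01T09:10:50Z user=u11 ip=198.51.100.11 result=fail
2024-03-01T09:10:55Z user=u12 ip=198.51.100.12 result=fail
"""


@dataclass
class Attempt:
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse_log(text: str) -> List[Attempt]:
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        attempts.append(Attempt(ts.replace(tzinfo=timezone.utc),
                                m.group(2), m.group(3), m.group(4) == "success"))
    return attempts


def window_stats(attempts: List[Attempt],
                 width: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Per fixed window: volume, failure ratio, and how spread out it is."""
    secs = int(width.total_seconds())
    buckets: Dict[int, List[Attempt]] = defaultdict(list)
    for a in attempts:
        epoch = int(a.ts.timestamp())
        buckets[epoch - epoch % secs].append(a)
    stats = []
    for start in sorted(buckets):
        group = buckets[start]
        per_ip: Dict[str, int] = defaultdict(int)
        for a in group:
            per_ip[a.ip] += 1
        failures = sum(1 for a in group if not a.ok)
        stats.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "attempts": len(group),
            "fail_ratio": failures / len(group),
            "distinct_users": len({a.user for a in group}),
            "distinct_ips": len(per_ip),
            "max_per_ip": max(per_ip.values()),
        })
    return stats


def flag_windows(stats: List[Dict], per_ip_limit: int = 5,
                 min_attempts: int = 10, max_fail_ratio: float = 0.5) -> List[Dict]:
    """Evaluate the classic per-IP limit and an aggregate rule for each window."""
    flagged = []
    for s in stats:
        per_ip_rule = s["max_per_ip"] > per_ip_limit
        aggregate_rule = (
            s["attempts"] >= min_attempts
            and s["fail_ratio"] > max_fail_ratio
            and s["distinct_users"] >= 0.8 * s["attempts"]  # roughly one try per victim
        )
        flagged.append({**s, "per_ip_rule": per_ip_rule, "aggregate_rule": aggregate_rule})
    return flagged


if __name__ == "__main__":
    for w in flag_windows(window_stats(parse_log(SAMPLE_LOG))):
        print(w)
```

The aggregate rule is what a real deployment should alert on, with the thresholds tuned against the site’s own baseline failure ratio; the per-IP rule stays useful for the cruder attacks but is not the signal that catches a distributed one.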
How to prevent account takeover fraud
Both businesses and consumers can take action to prevent credential-stuffing attacks from succeeding. Nonetheless, the onus remains on businesses to do all they can to protect their customers. Fintechs, especially, must prove that users can trust them with their funds by safeguarding them against identity theft and account takeover.
Companies can achieve this, in part, by protecting their own systems against data breaches. They can’t, however, control when attackers take credentials exposed in some other company’s breach and try them against their login page.
Instead, here are some critical actions businesses can take to stop credential-stuffing bots from logging in successfully.
Account takeover prevention for businesses
Two-factor authentication (2FA)
Using 2FA to send a one-time passcode (OTP) to a user’s email or phone before logging in is one of the most reliable ways to reduce account takeover. It is not airtight: an attacker holding the stolen password can try the same password on the user’s email account and read the OTP there, SMS codes can be captured by SIM swapping, and a real-time phishing page can relay a code as the victim types it. Authenticator apps and passkeys (FIDO2) resist these attacks better than mailed or texted codes. Even so, having any second factor in place greatly reduces the chance that a credential-stuffing hit turns into a takeover.
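What the OTP step buys depends on how the code is handled on the server. The example below is added for this article and is not Plaid’s code; it shows the controls a verifier needs so that a stolen password plus a guessed code is not enough: a random code, a short lifetime, a small attempt budget, single use, and a constant-time comparison against a keyed hash so the code itself is never stored. Delivery of the code to the user is outside the snippet, and the `SERVER_KEY` value and the clock passed in as `now` are constructed placeholders.

```python
"""Server-side issue/verify logic for a delivered one-time passcode (OTP).

Added example for this article, not Plaid's code. Delivery (email, SMS or
an authenticator app) is out of scope here; this is the verifier side.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

OTP_TTL_SECONDS = 300        # a code lives five minutes
MAX_ATTEMPTS = 5             # 5 guesses at 10^6 codes: ~0.0005% success
CODE_DIGITS = 6
# Constructed placeholder; a deployment loads this from a secret store.
SERVER_KEY = b"constructed-example-key-do-not-ship"


@dataclass
class Challenge:
    digest: bytes          # keyed hash of the code, never the code itself
    expires_at: float      # epoch seconds
    attempts: int = 0
    used: bool = False


def _keyed_digest(user_id: str, code: str) -> bytes:
    # Binding the user id into the MAC means a code issued for one user can
    # never verify for another, even if the challenge store leaked.
    msg = f"{user_id}:{code}".encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class OtpService:
    def __init__(self) -> None:
        self._challenges: Dict[str, Challenge] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a fresh code and return it for delivery. Re-issuing replaces
        any outstanding challenge, so an old code cannot be kept alive."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._challenges[user_id] = Challenge(
            digest=_keyed_digest(user_id, code),
            expires_at=now + OTP_TTL_SECONDS,
        )
        return code  # hand to the delivery channel; never log it

    def verify(self, user_id: str, submitted: str,
               now: Optional[float] = None) -> str:
        """Return 'ok' or the reason the code was refused."""
        now = time.time() if now is None else now
        ch = self._challenges.get(user_id)
        if ch is None:
            return "no_challenge"
        if ch.used:
            return "already_used"
        if now > ch.expires_at:
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"  # budget spent: even the right code is refused
        ch.attempts += 1
        if hmac.compare_digest(ch.digest, _keyed_digest(user_id, submitted.strip())):
            ch.used = True
            return "ok"
        return "wrong_code"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice")
    print("wrong guess:", svc.verify("alice", "000000" if code != "000000" else "999999"))
    print("right code:", svc.verify("alice", code))
    print("replay:", svc.verify("alice", code))
```

The attempt budget is the part most often missed: without it, a bot that already has the password can simply iterate through the code space, and the second factor adds nothing.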
Selfie re-verification
Using live video verification to ensure the user’s face matches the ID on file is a typical practice when signing up for a new financial account. This can also be used when a credential-stuffing attack is suspected.
Essentially, when an account takeover attack is suspected, an app can prompt the user to complete a selfie re-verification with liveness detection, which a credential-stuffing bot cannot complete and which a fraudster holding only the username and password cannot satisfy. Customers most likely won’t mind providing a quick selfie if it ensures their account is safe, especially if the messaging around the reason why is clear.
Plaid IDV uses cutting-edge facial comparison and 3D facial recognition analysis to quickly and easily check that a user’s selfie matches their ID documents.
Device/IP fingerprinting
IP addresses can be checked for other factors that may indicate a bot, such as traffic arriving through a VPN or from a Tor exit node. Many legitimate users connect through a VPN, so a VPN should only slightly raise the risk of a login; traffic from a Tor exit node, however, signals high risk.
Other IP address checks include whether the address belongs to a hosting provider or data center (consumer logins rarely originate there), a mismatch between the IP address’s geolocation and the home address the user provided, and a mismatch between the browser’s reported time zone and the IP address’s location. Each of these factors feeds a risk score that can be used to stop bots and fraudsters from signing up or logging in with stolen credentials, or to trigger a step-up check before letting them through.
Behavioral analytics
Bots behave differently than humans. Activities that can reveal bot behavior include the speed with which one’s personal information is entered, the error rate of the entry, the use of copy and paste, and the order in which the data is entered.
During the new verification process, Plaid Identity Verification uses behavioral analytics like these to determine whether a user is a bot or a human.
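Putting the IP checks and behavioral signals above together, the example below is added for this article and is not Plaid’s code or scoring model. It scores a login or sign-up attempt from both kinds of signal and picks a response: allow, step up (for instance the OTP or selfie re-verification described earlier), or block. The lookup tables stand in for threat-intelligence feeds and are constructed, as are the weights and thresholds; a real deployment tunes them against its own traffic.

```python
"""Risk-score a login attempt from IP and behavioural signals, then decide
whether to allow it, step it up, or block it.

Added example for this article, not Plaid's code. All lists, weights and
thresholds are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple

TOR_EXIT_IPS = {"198.51.100.77"}            # constructed exit-node list
DATACENTER_PREFIXES = ("203.0.113.",)       # constructed hosting ranges
VPN_IPS = {"192.0.2.45"}                    # constructed VPN egress list
# Plausible browser UTC offsets (minutes) for an IP country; constructed, partial.
COUNTRY_TZ_OFFSETS = {
    "US": {-240, -300, -360, -420, -480, -540, -600},
    "GB": {0, 60},
    "DE": {60, 120},
}
STEP_UP_AT = 20
BLOCK_AT = 60


@dataclass
class LoginSignals:
    ip: str
    ip_country: str             # from IP geolocation
    profile_country: str        # from the address the user gave at onboarding
    browser_tz_offset_min: int  # reported by the client
    form_fill_seconds: float    # first keystroke to submit
    pasted_password: bool
    field_errors: int           # validation errors before submit
    fields_in_order: bool       # filled top to bottom, as a person would


def ip_risk(s: LoginSignals) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    if s.ip in TOR_EXIT_IPS:
        score += 60
        reasons.append("tor_exit")
    if s.ip.startswith(DATACENTER_PREFIXES):
        score += 40
        reasons.append("datacenter")
    if s.ip in VPN_IPS:
        score += 10             # many real users: small weight on its own
        reasons.append("vpn")
    if s.ip_country != s.profile_country:
        score += 20
        reasons.append("geo_mismatch")
    if s.browser_tz_offset_min not in COUNTRY_TZ_OFFSETS.get(s.ip_country, set()):
        score += 15
        reasons.append("tz_mismatch")
    return score, reasons


def behavior_risk(s: LoginSignals) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    if s.form_fill_seconds < 2.0:
        score += 30
        reasons.append("inhuman_speed")
    if s.pasted_password:
        score += 5              # password managers paste too: weak signal
        reasons.append("paste")
    if s.field_errors == 0 and s.form_fill_seconds < 5.0:
        score += 10
        reasons.append("fast_and_flawless")
    if not s.fields_in_order:
        score += 10
        reasons.append("out_of_order")
    return score, reasons


def decide(s: LoginSignals) -> Tuple[str, int, List[str]]:
    """Combine both scores into one action plus the reasons, for audit logs."""
    ip_score, ip_reasons = ip_risk(s)
    b_score, b_reasons = behavior_risk(s)
    total = ip_score + b_score
    if total >= BLOCK_AT:
        action = "block"
    elif total >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    return action, total, ip_reasons + b_reasons


# Constructed scenarios.
VPN_USER = LoginSignals("192.0.2.45", "US", "US", -300, 12.0, True, 1, True)
TRAVELER = LoginSignals("198.51.100.5", "GB", "US", 0, 9.0, False, 0, True)
TOR_BOT = LoginSignals("198.51.100.77", "DE", "US", -300, 1.2, True, 0, False)
DC_BOT = LoginSignals("203.0.113.9", "US", "US", -300, 0.8, True, 0, False)

if __name__ == "__main__":
    for name, s in [("vpn_user", VPN_USER), ("traveler", TRAVELER),
                    ("tor_bot", TOR_BOT), ("dc_bot", DC_BOT)]:
        print(name, decide(s))
```

The point of the two tiers is that weak signals on their own (a VPN, a pasted password) should not lock out a real customer, while a genuine customer who trips a medium-risk rule such as logging in from abroad gets a step-up challenge rather than a refusal.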
Account takeover protection for consumers
Ensure MFA is turned on
MFA can still be defeated in a credential-stuffing attack, for example by logging in to the user’s email with the same stolen password and reading the code there, but it makes takeover much harder. Codes delivered to a phone are harder to intercept than codes delivered to email, though SMS codes can be captured through SIM swapping; an authenticator app on the phone avoids that channel entirely, so encouraging customers to use app-based MFA is the safer bet.
Eliminate password reuse
As mentioned above, password reuse is what allows credential stuffing to work. Never using the same password twice, especially for financial accounts, is one of the best ways to protect against these attacks.
Look up data breach exposure
There are numerous data breach lookup websites that make it quick and easy for people to find out if their email address or phone number has been compromised. Websites like haveibeenpwned.com will list every known breach in which that address appeared, in seconds.
Users with an older email address might be surprised to see that their credentials and personal information have been exposed dozens of times over the years. Some of these sites offer notifications as well, enabling users to instantly change their password shortly after a breach occurs.
Keep devices updated
Operating system updates routinely include security patches that close the vulnerabilities malware uses to get onto a device. Keeping up with the latest updates on phones and computers helps ensure a device stays one step ahead of the flaws that hackers might exploit to steal credentials and other personal information.
Never log in to personal accounts from untrusted devices
Logging in to a personal account on a computer that’s infected with malware is a sure way for credentials to be stolen. If it’s unknown whether a public computer or a friend’s device is infected, it’s best not to log in at all.
Account takeover and new account fraud prevention is crucial for fintechs
Reputation management in financial services is crucial—especially for fintechs. Budding companies must earn customers’ trust, assuring them that their funds and accounts are as safe as possible.
Using a mature identity verification solution prevents fraudsters from creating new accounts using stolen credentials (which ultimately costs the company money while destroying the victim’s credit). With Plaid, identity verification can be completed in as little as 30 seconds, without disrupting the onboarding experience. Additionally, Plaid’s account verification services make it virtually impossible for fraudsters to get past the validation and exploitation phases of account takeover fraud.
In the current world of extensive data breaches and account takeover attacks, this type of solution is paramount to lasting business success.