Account takeover: what it is and how fintechs can stop it
Account takeover—where fraudsters use stolen credentials to seize control of financial accounts in an attempt to steal money—is a growing threat. Here’s what fintechs and consumers can do to prevent it.
February 12, 2024
Tom is a fintech industry writer who creates whitepapers and articles for Plaid. His work has been featured in publications like Forbes, Fortune, and Inc. He's passionate about the freedom that the union between financial services and technology can create.
Account takeover fraud, or the use of stolen login credentials to seize control of financial accounts, has become a major concern for businesses and consumers alike, with a 354% increase in attacks year-over-year in the second quarter of 2023. Fintechs—particularly vulnerable by their very nature—saw an even more alarming 808% increase during the same period.
This prevalence is due, in part, to the high number of usernames and passwords (known as credentials) that have been exposed in data breaches over the years. These breaches have produced vast databases of compromised credentials that fraudsters can use in an attempt to gain unauthorized access to protected accounts.
In this article, we’ll look closely at how account takeover fraud is threatening fintech companies, and what they can do to prevent it.
What is account takeover fraud?
Account takeover fraud happens when a bad actor uses stolen credentials to gain access to a user’s account—most often through a process known as credential stuffing (more on that below). Online banking accounts and fintech platforms that hold money are frequent targets, as fraudsters are ultimately after financial gain. This makes it doubly important for companies to do everything they can to prevent fraudulent logins while communicating their efforts to keep customers’ funds safe.
The account takeover cycle typically follows three stages:
Compromise: The fraudster first gains access to a person’s account credentials. This most often happens from data breaches in which usernames, passwords, and other personal information are exposed.
Validation: The compromised credentials are then used by the fraudster over a multitude of accounts in hopes of finding one that works. This is known as credential stuffing and is carried out at scale through the use of bots. When a match is found, the stolen credentials are validated.
Exploitation: If the fraudster succeeds in taking over an account using the validated credentials, they will then try to exploit the account by moving money or committing some other type of financial crime. That’s why most fintechs and financial service providers employ two-factor authentication (2FA): it blocks account takeover and exploitation even after the credentials have been validated.
While fintech companies can’t prevent compromise, they can take steps to prevent validation and exploitation. Using Plaid for account connection, for example, reduces the chances of stolen credentials being validated and linked to third-party applications. It does so through internal defensive services built into Plaid Link. Check out our safety page to learn more about how Plaid keeps consumers safe.
Account takeover fraud examples
In addition to credential stuffing, fraudsters can employ several other means to gain access to sensitive account information. Here are a few account takeover examples:
Phishing. Attackers send fraudulent emails, messages, or communications that appear to be from legitimate sources, such as banks or other online services, and which often create a sense of urgency to prompt immediate action from the victim. Included are links to fake login pages that mimic the appearance of genuine websites. When victims click on these links and enter their login credentials, they unwittingly hand over their sensitive data directly to the fraudsters.
Social engineering. These attacks use human psychology to deceive individuals and gain unauthorized access to their accounts. This might be done through methods known as pretexting, impersonation, or baiting. In pretexting or impersonation, attackers pose as colleagues, customer support representatives, or authority figures to gain the victim's trust and manipulate them into revealing sensitive data. In baiting, attackers lure their victims with tempting offers like free downloads or gifts, prompting them to download malware or disclose login credentials unknowingly.
Man in the middle. Man-in-the-middle attacks gain access to the communication channel between the user's device and the intended website or service. This is often accomplished by setting up rogue Wi-Fi hotspots or exploiting vulnerabilities in public Wi-Fi networks that lack proper security measures. Upon inserting themselves into the communication flow, fraudsters can silently capture and record all the data transmitted between the user and the legitimate server.
Account takeover vs identity theft: What’s the difference?
Account takeover fraud, though it can be equally as devastating, is different from identity theft. Identity theft involves using personally identifiable information such as names, social security numbers, phone numbers, and addresses to create fake financial accounts or apply for loans. Once the fraudster gets past a financial company’s Know Your Customer (KYC) processes, they typically open a line of credit and max it out or use the account to launder money.
Using a digital identity verification tool is the most effective way to prevent this type of identity fraud. Such tools use several data checks to determine if a user is who they claim. However, a verification that’s overly disruptive to the account onboarding process can cause some users to abandon the process altogether. That’s why it’s important to choose a robust, yet seamless tool that can verify identity with high accuracy but low friction.
→ Want to reduce fraud during new customer onboarding without sacrificing conversion rates? Plaid Identity Verification is the lowest friction identity verification experience available.
Account takeover fraud statistics and prevalence
Account takeover fraud has become increasingly popular with hackers in recent years due to the multitude of stolen credentials available from numerous data breaches. As of September 2023, there had been a total of 2,116 data compromises for the year—a 17% increase over the total number in 2022—with over 233.9 million victims.
This, combined with the fact that 50% of people worldwide re-use their passwords, makes account takeover fraud a worthwhile endeavor for attackers.
[Figure: data breach compromises and people affected during the first three quarters of 2023, and the percentage of people who re-use a password for multiple accounts; the values are those stated above.]
At the same time, bots are getting more advanced. Most companies use application logic that stops users from attempting to log in to multiple accounts from the same device or session repeatedly in a short period—an indication of attempted fraud. But bad actors skirt this by using technology that masks their device fingerprints and true session details, distributing their traffic across a large number of IP addresses and device types to mimic real users.
Companies suffering an advanced attack like this might not know it, as the only indicator is an increased number of login attempts that otherwise appear normal. If they do become aware, they most likely won’t be able to stop the attacks without disrupting service for their customers.
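The two patterns described above can be seen side by side in authentication logs. The following is an added example written for this article, not code from Plaid or from any product it mentions: it runs the per-source checks most applications rely on, plus a fleet-wide failure ratio, over two constructed log samples. The single-source bot is caught by the per-IP check; the same credential list spread over ten addresses is not, and only the overall failure ratio rises. All addresses, usernames, timestamps and thresholds are constructed.

```python
# Added example, not from the article: flagging credential-stuffing patterns in
# authentication logs. Two constructed samples show why per-IP checks miss a
# distributed attack and why the fleet-wide failure ratio is then the remaining signal.
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AuthEvent:
    ts: int        # Unix time in seconds
    ip: str
    username: str
    success: bool


def parse_log(lines: Iterable[str]) -> List[AuthEvent]:
    """Parse constructed lines of the form '<ts> <ip> <username> ok|fail'."""
    events = []
    for line in lines:
        ts, ip, username, result = line.split()
        events.append(AuthEvent(int(ts), ip, username, result == "ok"))
    return events


def detect_stuffing(events: List[AuthEvent], window: int = 300,
                    max_users_per_ip: int = 5, ip_fail_ratio: float = 0.8,
                    max_ips_per_user: int = 3,
                    fleet_fail_ratio: float = 0.5, min_events: int = 10) -> dict:
    """Run three checks over the last `window` seconds of events:
    1. noisy IPs: one source trying many usernames with mostly failures,
    2. sprayed users: one account hit from several sources with failures,
    3. fleet spike: the overall failure ratio, which is what remains when the
       attacker spreads traffic across many addresses and device fingerprints."""
    latest = max(e.ts for e in events)
    recent = [e for e in events if latest - e.ts <= window]
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in recent:
        by_ip[e.ip].append(e)
        by_user[e.username].append(e)
    noisy_ips = sorted(
        ip for ip, evs in by_ip.items()
        if len({e.username for e in evs}) >= max_users_per_ip
        and sum(not e.success for e in evs) / len(evs) >= ip_fail_ratio)
    sprayed_users = sorted(
        u for u, evs in by_user.items()
        if len({e.ip for e in evs}) >= max_ips_per_user
        and any(not e.success for e in evs))
    fails = sum(not e.success for e in recent)
    ratio = fails / len(recent)
    return {
        "noisy_ips": noisy_ips,
        "sprayed_users": sprayed_users,
        "fleet_fail_ratio": round(ratio, 2),
        "fleet_spike": len(recent) >= min_events and ratio >= fleet_fail_ratio,
    }


# Constructed sample 1: a single bot address walking a credential list.
NAIVE_BOT_LOG = [
    "1700000000 203.0.113.10 alice fail",
    "1700000005 203.0.113.10 bob fail",
    "1700000010 203.0.113.10 carol fail",
    "1700000015 203.0.113.10 dave fail",
    "1700000020 203.0.113.10 erin fail",
    "1700000025 203.0.113.10 frank ok",
    "1700000030 198.51.100.7 alice ok",
    "1700000040 198.51.100.8 grace ok",
]

# Constructed sample 2: the same list spread over ten addresses, one attempt each,
# mixed with two ordinary logins.
DISTRIBUTED_LOG = [
    f"17000001{i:02d} 203.0.113.{20 + i} user{i:02d} {'ok' if i == 4 else 'fail'}"
    for i in range(10)
] + ["1700000150 198.51.100.7 alice ok", "1700000160 198.51.100.8 grace ok"]

if __name__ == "__main__":
    for name, log in (("single source", NAIVE_BOT_LOG), ("distributed", DISTRIBUTED_LOG)):
        print(name, detect_stuffing(parse_log(log)))
```

In the distributed sample no address exceeds the per-IP limits, so `noisy_ips` is empty, yet nine of twelve attempts fail and `fleet_spike` trips; in production the failure ratio would be compared against the application's own baseline rather than a fixed 0.5.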
How to prevent account takeover fraud as a business
While only a tiny percentage of attacks actually work, fintechs should assume their customers’ credentials have at some point been stolen from a data breach and are likely to have been reused. They should also take every available precaution to prevent stolen credentials from being used on their apps. Fintechs, especially, must prove users can trust them with their funds by safeguarding them as much as possible.
Here are some critical actions fintechs can take to help stop an account takeover from succeeding:
Two-factor authentication (2FA)
Using 2FA to send a one-time passcode (OTP) to a user's email or phone before logging in is a highly effective way to reduce account takeover. While it’s possible for a hacker to skirt this safeguard (they could use the same stolen credentials to access a user’s email address and obtain the OTP), it greatly reduces their chances of success.
IP address checks
IP addresses can be checked for other factors that may indicate fraudulent activity or the presence of a bot. These include the use of a VPN, which can represent a slightly elevated risk, or the Tor browser, which signals a high risk. Other IP address checks include the association with a data center, mismatched geolocation between the IP address and the home address provided, and a timezone mismatch.
Behavioral analysis
Bots and fraudsters behave differently than humans. Activities that can reveal their behavior include the speed with which personal information is entered, the error rate of the entry, the use of copy and paste, and the order in which the data is entered.
Identity re-verification
When suspicious activity is detected, companies can use tools like live video verification to ensure the user’s face matches the image on file. Essentially, this is a selfie re-check done when an account takeover is suspected. In serious cases, users can also be prompted to resubmit document ID verification. Customers likely won’t mind the added step if it ensures their account stays safe—especially if the messaging around the reason is clear.
When should identity re-verification be used to stop account takeover attacks?
The same tools used for verifying new customer identity during the onboarding process can be used to prevent account takeover attacks through ‘identity re-verification’, which we outline above. However, the trick is for companies to launch re-verification fast enough to stop account takeover fraudsters from moving funds out of stolen accounts.
To know when it’s appropriate to re-verify identity, companies need to track three kinds of risk:
Typically identity verification is done only at the onboarding stage, but signals that an identity has been compromised may pop up later on. For example, if a customer wants to change their password, this could be an appropriate time to re-verify their identity using a quick selfie check to make sure they aren’t a fraudster.
Reviewing the risk of customer transactions is important for preventing returned payments due to account takeover, because a fraudster typically attempts to withdraw the majority of funds from a stolen or compromised account in one fell swoop. Using a tool like Plaid Signal, which uses machine learning algorithms to calculate transaction risk, companies can review the risk of return for transactions from an account and require users to re-verify their identity when there is an indication of fraud or other risk of returned payments.
Fraudsters might gain access to another customer’s account on your app using a synthetic or stolen identity. They could be attempting to launder money or move stolen funds into their account from an account they took over.
To help prevent this, Plaid Beacon offers a network-based solution. When a fraudulent user is detected on any of the apps on the Beacon network, it sends an alert to all of the other apps to let them know an identity is associated with stolen ID, synthetic, or account takeover fraud. Fintechs can use this to stop the chain reaction of fraud, as fraudsters will try to use the same stolen and synthetic IDs across multiple apps.
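The IP checks, behavioral signals and re-verification triggers discussed in this section and the previous one only become a control once they are combined into a decision. The following is an added example written for this article, not Plaid code and not how Plaid Signal or Beacon work internally: a small rules table that adds up weighted signals into a score, maps the score to a graduated step-up (nothing, OTP, selfie re-check, document re-verification) and returns the reasons, so the user can be told why the extra check was requested. Every weight, threshold and field name is an illustrative assumption.

```python
# Added example, not from the article or any Plaid product: turning login, behavior
# and account-event signals into a graduated step-up decision with reasons attached.
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, List, Tuple


class StepUp(IntEnum):
    NONE = 0       # let the session proceed
    OTP = 1        # one-time passcode
    SELFIE = 2     # live selfie re-check against the image on file
    DOCUMENT = 3   # full document re-verification


@dataclass
class Signals:
    # IP address checks
    vpn: bool = False
    tor: bool = False
    datacenter: bool = False
    geo_mismatch: bool = False        # IP geolocation vs. address on file
    tz_mismatch: bool = False         # browser timezone vs. IP timezone
    # behavioral signals from the form
    fill_seconds: float = 20.0        # time taken to complete the form
    pasted_fields: int = 0
    # account events
    password_change: bool = False
    withdrawal_fraction: float = 0.0  # share of the balance being moved out
    network_alert: bool = False       # identity flagged by a shared fraud network


# (reason shown to the user, predicate, weight); weights are assumptions
RULES: List[Tuple[str, Callable[[Signals], bool], int]] = [
    ("vpn in use", lambda s: s.vpn and not s.tor, 10),
    ("timezone mismatch", lambda s: s.tz_mismatch, 15),
    ("credentials pasted", lambda s: s.pasted_fields >= 2, 15),
    ("geolocation mismatch", lambda s: s.geo_mismatch, 20),
    ("password change requested", lambda s: s.password_change, 20),
    ("datacenter ip", lambda s: s.datacenter, 30),
    ("form filled faster than a person types", lambda s: s.fill_seconds < 3, 30),
    ("most of balance leaving in one transfer", lambda s: s.withdrawal_fraction >= 0.8, 40),
    ("tor exit node", lambda s: s.tor, 60),
    ("network fraud alert", lambda s: s.network_alert, 70),
]

# highest floor first; a score below every floor means no step-up
THRESHOLDS = [(80, StepUp.DOCUMENT), (50, StepUp.SELFIE), (20, StepUp.OTP)]


def decide(signals: Signals) -> Tuple[int, StepUp, List[str]]:
    """Sum the weights of the rules that fire and map the total to a step-up level."""
    score, reasons = 0, []
    for reason, fires, weight in RULES:
        if fires(signals):
            score += weight
            reasons.append(reason)
    level = next((lvl for floor, lvl in THRESHOLDS if score >= floor), StepUp.NONE)
    return score, level, reasons


if __name__ == "__main__":
    for label, s in [
        ("routine login", Signals()),
        ("password change", Signals(password_change=True)),
        ("large withdrawal over vpn", Signals(vpn=True, withdrawal_fraction=0.9)),
        ("tor from a datacenter", Signals(tor=True, datacenter=True)),
    ]:
        print(label, decide(s))
```

Keeping the rules as data rather than nested conditionals makes the weights reviewable and lets the fraud team tune a single number when a signal turns out to be noisier than expected, without touching the decision logic.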
What can consumers do to prevent account takeover fraud?
Consumers, too, can take many precautions to reduce the risk of an account takeover. These include:
Ensuring MFA is turned on
While it’s possible to defeat multi-factor authentication (MFA) by logging into a victim’s email with stolen credentials, doing so is much harder than using the stolen password alone. It’s also more difficult to compromise a phone than an email account, so receiving the second factor on the phone is preferable.
Eliminating password reuse
As previously mentioned, password reuse is what allows credential stuffing to work. Avoiding password reuse—especially for financial accounts—is one of the best ways to protect against these attacks.
Looking up data breach exposure
Numerous databases make it quick and easy for people to find out if their email address or phone number has been compromised. Websites like haveibeenpwned.com show all data breach exposures in seconds. Some of these sites offer notifications as well, enabling users to instantly change their password shortly after a breach occurs.
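Fintechs can run the same kind of lookup on their own side, at signup and at password change, without ever sending the password anywhere. The following is an added example written for this article, not Plaid code and not haveibeenpwned.com's own implementation: it shows the k-anonymity scheme the Pwned Passwords range API uses, where the client sends only the first five hex characters of the password's SHA-1 hash and compares the remaining 35 characters locally against the returned suffix list. The breach corpus and the range server are constructed stand-ins so the block runs offline; the real endpoint URL is named but never called.

```python
# Added example, not from the article or from haveibeenpwned.com: checking a
# candidate password against a breach corpus with k-anonymity.
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

RANGE_API = "https://api.pwnedpasswords.com/range/"   # real endpoint, not called here


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: Callable[[str], Iterable[str]]) -> int:
    """Return how often the password appears in the corpus (0 if not found).
    Only the 5-character hash prefix leaves the client; the suffix match is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix):
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def password_allowed(password: str, fetch_range: Callable[[str], Iterable[str]],
                     max_seen: int = 0) -> bool:
    """Policy hook for signup and password change: reject passwords seen in breaches."""
    return pwned_count(password, fetch_range) <= max_seen


# --- constructed range server (stands in for the real API) --------------------
CONSTRUCTED_CORPUS: Dict[str, int] = {"password": 12345, "letmein": 678, "hunter2": 42}


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """What the server holds: for each 5-hex prefix, 'SUFFIX:COUNT' lines."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index


class FakeRangeServer:
    """Serves the constructed index and records what the client actually sent."""

    def __init__(self, corpus: Dict[str, int]):
        self.index = build_range_index(corpus)
        self.requests: List[str] = []

    def __call__(self, prefix: str) -> List[str]:
        self.requests.append(prefix)
        return self.index.get(prefix, [])


if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_CORPUS)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, pwned_count(candidate, server), password_allowed(candidate, server))
    print("sent to server:", server.requests)   # five hex characters per lookup
```

The recorded requests show the privacy property: the server learns a 5-character prefix shared by many hashes, not the password or even its full hash. Against the real API the `fetch_range` callable would perform an HTTP GET of `RANGE_API + prefix` and return the response lines.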
Keeping devices updated
Operating system updates most often include security patches that close the vulnerabilities malware relies on to infect a device. Keeping phones and computers up to date helps ensure a device stays one step ahead of the vulnerabilities hackers might exploit to steal credentials and other personal information.
Never connecting to personal accounts from external devices
Logging in to a personal account on a computer that’s infected with malware is a surefire way for credentials to be stolen. If it’s unknown whether a public computer or a friend’s device is infected, it’s best not to log in at all.
Expanding account takeover fraud prevention
In a world where financial services have become predominantly digital, bad actors continue to find clever new ways to take advantage of consumers. Account takeovers, along with other types of fraud, are at an all-time high—an issue that will only be compounded by the rapidly expanding use of artificial intelligence.
Plaid Beacon is an anti-fraud network designed to go beyond individual fraud attacks by stopping the chain reaction and preventing fraud from spreading across the digital ecosystem. It does so by helping detect data associated with account takeover and other fraud.
→ Learn more about how Plaid’s robust fraud and compliance solutions can help prevent account takeover and other types of fraud.