Account Takeover Fraud: Detection and Protection

Account Takeover Fraud in its many forms

In this series of posts we’ve discussed Account Takeover Fraud in its many forms, how it happens and how criminals are winning the war on cybercrime. As criminal hackers continue to seek out vulnerabilities in corporate networks and citizens remain lax about security on their own home networks, account takeover fraud will continue to plague the public.

There are numerous types of account takeover and many ways account takeover can occur. Here are ten examples we’ve covered in previous posts:

  1. Credit Card Fraud
  2. Hacking
  3. Scams
  4. Change of mailing address
  5. Skimming
  6. Phishing
  7. Telephone fraud
  8. Vishing
  9. Mortgage refinance fraud
  10. Check fraud

Detecting account takeover

Credit cards: lost or stolen credit card numbers are usable until the cardholder shuts them down by calling a 24-hour toll-free number to cancel the card. In most cases, unless a missing wallet is noticed immediately, the thief can go on making charges for weeks without the cardholder’s knowledge. Most identity thieves will quickly max out the card by turning its balance into cash. The victim doesn’t usually detect the fraud until they receive a paper statement and observe unauthorized charges.

If the cardholder has set up an online account to access and monitor their statements and recent transactions, they often detect fraud more quickly.

Credit card companies also have anomaly detection technology in place that alerts them to charges that do not make sense or are suspicious given the cardholder's spending habits, purchasing behavior or the location of a transaction. An example would be when the cardholder makes a purchase at a gas station in downtown Boston and then, an hour later, a purchase is made in a retail store in Romania. Anomaly detection software would red-flag this as suspicious, possibly fraud, since it’s physically impossible to get from Boston to Romania in one hour.
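The location check described above can be sketched as an "impossible travel" rule. This is an added example, not code from any card issuer: the speed ceiling, the minimum distance, the card names, the field names and the choice of Bucharest as the Romanian location are all assumptions, and the transactions are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0  # assumed: ignore short hops and geolocation jitter

@dataclass(frozen=True)
class Txn:
    card: str
    when: datetime
    lat: float
    lon: float
    merchant: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(txns):
    """Flag consecutive same-card transactions that imply an impossible speed."""
    flagged, last_seen = [], {}
    for t in sorted(txns, key=lambda t: t.when):
        prev = last_seen.get(t.card)
        last_seen[t.card] = t
        if prev is None:
            continue
        dist = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
        if dist < MIN_DISTANCE_KM:
            continue
        hours = (t.when - prev.when).total_seconds() / 3600
        # Same timestamp in two distant places: treat the speed as infinite.
        speed = dist / hours if hours > 0 else float("inf")
        if speed > MAX_SPEED_KMH:
            flagged.append((prev, t, speed))
    return flagged

# Constructed sample data: the Boston-then-Romania case plus a legitimate trip.
SAMPLE = [
    Txn("card-A", datetime(2024, 5, 1, 12, 0), 42.3601, -71.0589, "gas station, Boston"),
    Txn("card-A", datetime(2024, 5, 1, 13, 0), 44.4268, 26.1025, "retail store, Bucharest"),
    Txn("card-B", datetime(2024, 5, 1, 9, 0), 42.3601, -71.0589, "cafe, Boston"),
    Txn("card-B", datetime(2024, 5, 1, 16, 0), 40.7128, -74.0060, "hotel, New York"),
]

for prev, cur, kmh in impossible_travel(SAMPLE):
    print(f"{cur.card}: {prev.merchant} -> {cur.merchant} implies {kmh:,.0f} km/h")
```

Only card-A is flagged; card-B's Boston to New York trip over seven hours stays well under the ceiling. A rule like this only applies to card-present transactions, since online purchases carry no reliable cardholder location.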

Bank accounts: banks have similar systems in place for fraud perpetrated with the account holder's debit card when it is used more like a credit card. However, when a debit card requires a PIN, the fraud isn’t detected as often, if ever, by the issuing bank due to the nature of the PIN transaction. It is assumed the PIN is used only by the cardholder.

Consumers' rights and responsibilities

Credit cards: Federal laws limit cardholder liability to $50 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. Debit card fraud victims must notify the bank within two days in order to be protected by this $50 limit. After that, the maximum liability jumps to $500. And if a victim doesn’t discover or report the fraud until after 60 days have passed, the liability could be the entire card balance, for a debit or credit card. Once your debit card is compromised, you might not find out until a check bounces or the card is declined.

And once you do recover the funds, the thief can just start all over again, unless you cancel the account or change the account numbers altogether.

Bank accounts: In 2007, a U.S. couple fell victim to identity theft when a criminal accessed their online bank account and stole $26,500 from a home equity credit line. The money was transferred to an Austrian bank that refused to return the funds to their bank. So the bank informed the couple that they were liable for the loss. When the couple refused to pay, the bank notified the credit bureaus that their account was delinquent and threatened to foreclose on their home. So the couple sued the bank, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, as well as accusing the bank of negligence.

In this case, the judge saw enough negligence on the part of the bank to allow the case to go to court.

Most banks have “zero liability” policies in place that make the banks' clients whole after fraud. But there are strings attached in many cases. It is critical to review the fine details of all terms of service and conditions to understand what your rights and responsibilities are.

In conclusion

Awareness: there are a number of things consumers can and should do to prevent fraud. First and foremost, knowledge of the different scams and what ruses identity thieves use to obtain client data is essential. Once consumers have an acute awareness of what to look out for, they are less likely to be scammed. Basics such as shredding unwanted paperwork and physical security in their own home and office are essential.

Computer security: in today’s e-commerce–dependent society it is essential for any home computer user, SMB and enterprise to have systems in place to protect their own and their clients’ data. Existing systems range from completely unprotected to completely regulated and protected 99 percent of the time. There is no such thing as 100 percent protection, but everyone involved in the process of e-commerce should take responsibility for their own security to keep the bad guys out.

Identity theft protection: the term “identity theft” covers lots of different types of fraud. Identity theft as a whole is approximately a 50 billion dollar problem affecting 10 million people annually. There are numerous types of identity theft and numerous ways to prevent it from happening. In today’s crime climate, it is essential to make an investment in identity theft protection services. Without having some form of protection in place, a consumer is vulnerable to numerous types of identity theft that can negatively affect their credit ratings and ability to function financially.