Using multi-factor authentication can block the lion's share of account compromises, according to Microsoft. Pictured: A hard drive is seen in the light of a projection of a thumbprint. (Photo by Leon Neal/Getty Images)

Note: Part 2 of 2 on account takeover, which has been cited numerous times in financial industry research as the fastest-growing, most pervasive and/or most concerning fraud type. Part 1 covers how account takeover (ATO) is poised to become the No. 1 security risk, ahead of malware.

Account takeover has become an increasingly popular and accessible way for fraudsters to steal money from real bank customers, and also to commit other forms of cyber-malfeasance. However, experts have pointed out steps that financial institutions and their customers can take to reduce that risk.

Since account takeover typically relies on cyber criminals accessing or figuring out financial customers’ passwords, instilling employees and customers with a greater understanding of account security and access is an important first step.

“Banks should take a fresh look at their stance with respect to customers using password managers,” said Jeffrey Goldberg, principal security architect at 1Password.

However, strong security often works in contrast to ease of use. Hence, Goldberg pointed out that many financial institutions have “rightly taken steps to discourage 'password management' in the form of Excel or Word files. [But], by doing so they have made it harder for their customers to use good password management systems.”

Mike Bosserman, chief revenue officer at MANTL said that to stop the account takeover fraud cycle, banks and credit unions must have “comprehensive fraud checks with instant account verification and device fingerprinting in place during the account opening process to ensure new accounts being opened online are legitimate.”

Multi-factor authentication (MFA) for account opening and access is also recommended by Gal Diskin, co-founder and chief technology officer for Authomize. When it comes to “hardening their posture from both an authentication and authorization standpoint, Diskin said that financial firms must use MFA, which can block the lion’s share of account compromises, according to Microsoft. 

Gary McAlum, senior analyst at TAG Cyber, said that supporting MFA would prevent over 99% of account takeover attempts.

“MFA on the user end is a strong piece of the security puzzle,” McAlum said. “Enhancing consumer confidence in account security will be critical to the success of open banking.”

Financial institutions need to ensure robust transaction monitoring in order to identify potential unauthorized or illegal transactions, including money laundering, McAlum said.

“This is already a challenge in the traditional banking environment,” McAlum added, “but becomes more difficult in the open banking ecosystem.”

Hence, it is critical to identify who has privileged access to the financial institutions’ most sensitive resources, including customer PII, according to Diskin.

“It’s not foolproof, and there are more advanced phishing kits out in the market now that help attackers skirt around MFA, but it is the most basic of hurdles to put in front of attackers,” Diskin said. 

When it comes to account takeover, Diskin said: “You need to watch out for the creation of new admins or others with highly privileged accounts like we saw in the SolarWinds case.”

Similarly, Kevin Gonzalez, director of security for Anvilogic, which develops security detection platforms for PayPal and eBay among others, said that banks can reduce account takeover risk by simply having a good password policy in place as often users will reuse or recycle passwords with their accounts.

The problem with account takeover is that there are so many other ways in which it could cost a financial firm and its customers beyond the basic account access. In its blog post on the “true cost of account takeover” earlier this year, Callsign estimated that account takeover incidents cost $26 billion in 2020.

And account takeover has arguably at least doubled since then.

“[These] figures should make anyone sit up and take notice,” said the Callsign blog, “but unfortunately, it’s just the tip of the iceberg."