New research on security in the financial sector released Tuesday found that 84% of organizations surveyed have online users who experienced a successful account takeover (ATO) over the previous 12 months.
The report by Aberdeen Strategy Research on behalf of PerimeterX, also found that the mean cost of these bot-driven ATOs can run up to 6.4% of the revenue generated from a company’s monthly active users.
For the study, Aberdeen focused on four segments: commercial banks, credit unions, savings institutions, and fintechs. The researchers targeted companies in the four segments that have online, account-based relationships with at least 50,000 monthly active users and access to important information for quantitative analysis, such as the number of monthly active users, monthly revenue per active user, the percentage of active users who experience an ATO in the past 12 months, and the total cost of fraud from an ATO.
Kim DeCarlis, chief marketing officer at PerimeterX, pointed out that the median revenue for the credit unions that responded to the survey was $65 million, and the median amount lost because of a data breach comes in at 5.2% of revenue, which totals more than $3 million. “The business impact of ATO-related fraud costs an organization much more than many people realize,” DeCarlis said.
Respondents were also asked about the direct consequences from ATOs on their customer accounts and the survey found the following:
"Ever since we enabled online financial transactions at the start of the century, we still have not solved the fundamental issue that there are major problems with authenticating users for account access," said John Bambenek, threat intelligence advisor at Netenrich. Because of the wide availability of stolen credentials, compromised consumer machines in active botnets, and the lack of truly effective authentication, it’s no surprise organized crime has weaponized their supply chain of assets for fraud, he said.
“There has always been the risk of fraud in financial transactions, we’ve just enabled the possibility of doing it anywhere in the world and at massive scale,” Bambenek said. “Organizations need to enable multi-factor authentication and specifically avoid using SMS-based messages for this task. Beyond that, companies need robust behavioral controls to look for automated access attempts combined with threat intelligence on credential stuffing networks to detect such fraud attempts.”
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, said credential stuffing and ATOs are on the rise and cybercriminals are growing more successful at taking over victims accounts by brute-forcing easily guessable passwords. Carson said users must be taught not to reuse passwords and must use a password manager to help create strong, long unique passwords for each account.
“Companies that offer authentication and login to their website must also move away from having a password as the only security control and help customers move passwords into the background by endorsing password managers,” Carson said. “One way criminals will steal your identity is by taking over your accounts, so don’t make it easy for them by using the same password everywhere. In reality it’s easier to get your money back, but extremely difficult to get your identity back when stolen.”