
5 key drivers behind the growing rate of account takeover fraud

Malware is just one of the things behind the growing incidence of account takeover fraud on mobile devices.

David Hollingworth
Mon, 31 Jul 2023

A new report from biometrics company BioCatch said that fraudsters will always go where the money is – and that means going mobile.

Malware use is, in fact, on the rise, and the tools are getting more sophisticated. One example is a banking remote access Trojan called TeaBot. The malware can steal login credentials and even intercept one-time passcodes. It’s been in use since 2021, and while it was initially largely in use in the US and Europe, it has since become more prevalent in Australia.

No matter the vector, here are BioCatch’s five key drivers behind account takeover fraud:


Data breaches

With 12 billion account credentials breached in the last couple of years – including those of Optus, Medibank, and others – there is a treasure trove of passwords and emails available to those who want to take advantage of them. “Breaches are fueling the underground economy and providing fraudsters with a ready supply of credentials to commit account takeover fraud,” Heidi Bleau of BioCatch said in a blog post.

Fraud automation

Fraud automation is becoming particularly popular, with tools such as SNIPR and Sentry MBA used in automated credential stuffing attacks. “BioCatch has seen success rates of up to 23 per cent for tested batches of stolen credentials,” Bleau said.

Social engineering

Simply tricking people remains one of the key parts of any malware or scam campaign. From sending SMSes that look just like the real thing, to promising victims that a simple cryptocurrency investment could reap them untold rewards, social engineering remains part of the fraudsters’ toolkit.

The expansion of digital banking services

According to BioCatch, the competition between “traditional banking from emerging challenger banks and fintechs has created an innovation race”. This race to innovate can lead to the rapid rollout of new features, along with the concomitant risk of new vulnerabilities and a larger attack surface.

Weaknesses in legacy fraud controls

Passwords and password management remain a weak point in most digital ecosystems. While modern authentication systems – such as geo-location and one-time passwords – can help prevent fraud in this area, the criminals are doing a good job of playing catch-up and looking for new vulnerabilities. “Visibility beyond login based on user behaviour provides a rich additional layer of trust signals to identify more sophisticated attacks such as social engineering scams,” BioCatch said.

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
