OneSpan: how to protect from account takeover fraud

By Matt High
Account takeover (ATO) fraud is one of the top threats facing financial institutions, according to a new ebook from OneSpan.

The new guide, Account Takeover Fraud: How to Protect Your Customers and Business, sets out the top techniques that cybercriminals use to take control of a bank account. 

Account takeover, which is an identity theft crime, can be initiated in several ways, with criminals using a variety of weapons and methods to harness personal data. 

These can include data breaches, phishing, SIM swapping and malware - all of which can cause serious damage to an enterprise. 

However, a multi-layered security approach can protect against account takeover fraud and care for customers at every stage of their digital journeys.

This, together with several best practice steps, is explained in OneSpan’s new ebook.

Data breaches

ATO attacks can be initiated by criminals harvesting personal data, says OneSpan. Typically, criminals purchase personal data leaked as part of a data breach, which then allows them to prepare targeted phishing attacks.

To combat this, financial institutions should use multi-factor authentication processes, such as fingerprint technology or one-time password capability. 


Typical phishing attacks include:

  • Classic email phishing
  • Spear phishing
  • Whaling
  • Vishing
  • Smishing
  • Overlay attacks

While all of these phishing methods can be used, according to OneSpan, the most common continues to be by email. 

Phishing takes advantage of trust. Messages typically create a sense of urgency that encourages the recipient to click or open links, which redirect them to a fake banking portal or install credential-harvesting malware.


Malware and banking trojans

Malicious software - or malware - is installed on a victim’s computer as a result of specific user actions. According to OneSpan, it carries out different types of attacks, including intercepting everything typed by the victim and infecting web browsers through an add-on.

Mobile banking trojans have been growing in complexity, says OneSpan. The continued tendency towards mobile banking means that this trend is likely to continue. 

The attacks present their own screen on top of the legitimate banking app, thus capturing a user’s login and personal details.

Other forms of attack outlined by OneSpan include man-in-the-middle attacks, in which criminals position themselves between a user and financial institution to intercept data, and SIM swapping. 

OneSpan: protecting your business

OneSpan’s guide sets out several recommendations and best practices to protect financial institutions from ATO. These are based around a multi-layered approach that covers: 

  • Protecting the user: OneSpan’s Cronto visual transaction signing solution can protect users from social engineering and man-in-the-middle attacks. It does this by displaying a unique visual challenge that contains transaction details - these cannot be modified by an attacker.
  • Protecting the device and banking session: The company’s Mobile Security Suite applies a 360-degree approach to mobile security. This includes factors such as app, device, interface, communications and more, and includes app shielding and runtime protection. The suite also includes encrypted, secure communications channels and storage.
  • Proactive fraud detection: OneSpan Risk Analytics is designed for this specific purpose. It provides financial institutions with the ability to proactively detect signs of an account takeover before there is any damage. It does this through continuous analysis and scoring of numerous data points in real time.
  • Flexible, dynamic authentication: a flexible approach to authentication can prove fruitful, says OneSpan. Steps should include supporting a wide range of risk-based authentication methods and assessing every action taken by a user.

OneSpan understands the complexity of ATO. The company’s guide provides an in-depth insight into the risks that companies in the financial services sector face, as well as the steps they must take to mitigate them.
