Preventing Account Takeovers by Cryptocurrency Fraudsters
Multiple, integrated layers of security technology can, together, help prevent fraud, even in the case of blockchain corruption.
Credit unions are under constant pressure to prevent fraud, and the latest threat comes from the world of cryptocurrency and blockchain. For the newly initiated, crypto is digital currency designed to work as a medium of exchange – buying, selling and transferring – through a computer network. Crypto has been around for years and, despite recent news coverage to the contrary, it’s not going away. In fact, consumer research conducted by Fiserv indicated that 61% of Gen Z and millennial survey respondents want their bank or credit union to hold cryptocurrency.
And therein lies the risk associated with crypto and fraudsters who operate in this environment. Funding a crypto account requires users to link it to a sourcing account that requires a connection to a non-crypto financial instrument or account. In this case, that would be a credit union member’s account.
It’s this connection from the sourcing account to a credit union account that offers fraudsters an avenue of opportunity. What’s vitally important is understanding the different ways that they can attack.
The most common fraud is traditional account takeover, or ATO. Fraudsters use stolen account credentials from a bank, credit union or credit card to connect a victim account to a crypto account, then siphon off the funds. For credit union members who have crypto wallets, a variation of ATO involves fraudsters outright stealing the credentials to a member’s crypto wallet, then drawing down the funds.
Easily the most publicized form of fraud are scams where bad actors convince people to make payments to crypto accounts with a promise of delivering goods or services. To compound the problem, when people do this, they leave themselves susceptible to future ATOs, unless they take the proper precautions.
With these various points of attack, how does a credit union protect itself and its members from crypto fraud? Given the highly sophisticated nature of these attacks, credit unions can benefit from multiple integrated layers of security technology that, together, can help prevent fraud, even when it involves the corruption of the blockchain itself. The leading lines of defense against fraudsters now include a choreographed mix of digital signals, and behavior and biometric solutions.
To ensure that users are who they claim to be, identity verification tools that leverage authenticated identity are the first step.
Looking at the traits of fraudsters, they frequently open multiple crypto accounts in short bursts of time, which can easily be spotted with sophisticated and proven device intelligence. When used in conjunction with personally identifiable information, device intelligence and recognition tools can spot this type of behavior and identify anomalous behavior, such as detecting a device in southeast Asia that is opening accounts using U.K.-based identity data.
In addition, behavioral biometrics capture how users interact with their devices. Isolating how devices navigate apps or websites can help detect fraud, especially when paired with strong device intelligence. More advanced biometrics tools entail document verification with selfie and liveness testing that can authenticate users during onboarding or as a step-up function for high‑risk events.
Other analytical tools to prevent fraud include network analysis that employs a combination of intellectual property intelligence, internet service provider intelligence, traffic pattern observation and more; leveraging mobile phone number data and signals to streamline both onboarding and authentication processes; link-analysis technology that identifies ring activity or broader, organized attack activity; and identity-graphing capabilities that stitch together digital and non-digital data about a consumer, including a histogram of their activity across crypto ecosystems.
Deciding which of these lines of defense to deploy depends on each credit union’s unique user journey; the level to which that credit union has adopted crypto and, if applicable, which partnerships are in place; customer-service standards; and more. Regardless, connecting these layered solutions can be challenging, as credit unions ascertain how and when to use each one. It requires finding the right balance between serving the necessary prompts to mitigate fraud and using identity data to verify members without requiring them to constantly authenticate themselves, which sacrifices convenience and jeopardizes their brand experience.
The good news for credit unions is that machine-learning decisioning technologies can help orchestrate which identity and fraud solutions to activate and when to do so. These technologies will coordinate and manage the required workflow and perform the complex work of reviewing the raw data from the above systems to produce a single, best answer at every moment across a member’s journey and detect bad actors in a privacy-compliant manner. These technologies also can optimize the right solution set for better cost management.
Behavioral and biometric data is already used for identity resolution and fraud prevention in the crypto ecosystem today. That information is integrated into corporate, government, law enforcement, and banking and financial institution identity-decisioning systems to enable safer, personalized interactions with consumers and an accelerated user experience.
The call to action for credit unions that currently offer crypto to their members, are entertaining it or provide service to members funding their crypto accounts from their credit union accounts is to assess their readiness to prevent fraudsters from finding entry points of attack and sure up their infrastructure with multiple, intelligently orchestrated layers of security technology. This way, credit unions can do everything in their power to mitigate risk and preserve members’ brand experience.
David Britton is the Vice President of Strategy for Global Identity & Fraud at Experian.