Here’s how treacherous the fight against account takeover fraud has become: With all of the massive data breaches in recent years building up the inventory of information criminals can obtain online through the dark web, individuals need to assume the bad guys have access to their private data.
That’s right. Privacy is nearly a thing of the past. The data criminals need to build a profile on most individuals and ultimately access bank accounts they control is available for sale on the dark web today.
So what does this new reality mean for businesses like yours? Simply this: When it comes to protecting your bank accounts, as well as advising your employees and customers on how to protect their own personal accounts, you have to assume the criminals have the “key to the vault.” The challenge then becomes developing multiple layers of defense so criminals can’t successfully use that key to take over and drain those accounts.
Breaches and the dark web
Phishing, malware, social engineering — even robbery — are among the more traditional ways criminals steal the private information and passwords they use to fraudulently access other people’s bank accounts.
Today, however, with the continued growth in the volume of information on the dark web, collecting the data needed to execute account takeovers has never been easier. That growth has been fueled by thousands of data breaches in recent years, including many involving large retailers, as well as others such as hotel chains, government agencies, universities and financial institutions.
According to the Privacy Rights Clearinghouse, since 2005 there have been more than 8,000 data breaches made public, resulting in nearly 11 billion records breached.[1] Some data breaches compromise very little, while others expose Personally Identifiable Information (PII) that can find its way to the dark web and be purchased for nefarious purposes such as account takeover schemes.
In December 2017, for instance, dark web researchers reported the discovery of a single database of stolen credentials from Internet data breaches that included more than 1.4 billion pairings of user names and passwords. Organized in an interactive structure, the database permitted near-instantaneous searches as well as the easy uploading of records from new breaches.[2]
Exposure to fraud
With so many data breaches occurring at popular businesses, the odds of any adult not having at least some private data exposed on the dark web are getting slimmer every day.
Furthermore, once fraudsters have your private data, they know how to leverage it. Through social media research and other tactics, they can supplement this data and figure out or reset the passwords you use to log in to your accounts. And after they’ve stolen your identity and gained access to your accounts, it’s easy for them to withdraw funds, initiate wire transfers, cash checks, etc.
Smaller businesses and individuals are most vulnerable to account takeovers. But the growing dangers related to this type of fraud also impact larger organizations, particularly with respect to their desire to protect customers and employees.
Consider, for instance, a state government’s pension fund for teachers. The state might have its accounts protected from hacking — through policy and procedures and the use of various banking safeguards — but what about its teachers who retire and set up their own individual accounts, which they access online with a user ID and password at the pension website? How can the state protect them too?
Financial services companies face the same challenge with respect to protecting their consumer customers with investment accounts, for instance.
Preventing account takeovers
Here’s a list of tools organizations can use to implement multiple layers of security and prevent account takeovers in these dangerous times. Several can be extended to protect the accounts of customers or employees.
▪ Multifactor authentication (including soft and hard tokens, challenge questions, user IDs, personal identification numbers and more) to confirm that online users are authorized.
▪ Trusteer Rapport security software. This endpoint detection and response technology works with existing anti-virus and firewall software to detect malware intrusions.
▪ Dual controls. This best practice calls for different employees to be authorized to initiate and approve payments.
▪ Positive pay. This risk-mitigating reconciliation service offered by banks matches checks presented for payment to those properly issued by authorized individuals and reports exceptions back to issuers for a pay-or-return decision.
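As an added illustration (not code from the original article or from any bank's positive pay product), here is the matching logic positive pay relies on, in Python: each check presented for payment is compared with the issuer's issue file on check number, amount and payee; anything that does not match exactly, or is presented a second time, is reported as an exception, and an exception that the issuer does not explicitly answer with "pay" defaults to return. The check fields, sample data and the default-to-return rule are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    payee: str

def positive_pay_exceptions(issued, presented, already_paid=()):
    """Match each presented check against the issue file on number, amount and
    payee; return (check, reason) for anything that does not match exactly."""
    register = {c.number: c for c in issued}
    paid = set(already_paid)  # check numbers already honoured in earlier runs
    exceptions = []
    for pc in presented:
        original = register.get(pc.number)
        if original is None:
            exceptions.append((pc, "not in issue file"))
        elif pc.number in paid:
            exceptions.append((pc, "duplicate presentment"))
        elif pc.amount != original.amount:
            exceptions.append((pc, f"amount mismatch: issued {original.amount}"))
        elif pc.payee.casefold() != original.payee.casefold():
            exceptions.append((pc, f"payee mismatch: issued {original.payee!r}"))
        paid.add(pc.number)
    return exceptions

def pay_or_return(exceptions, issuer_decisions):
    """Apply the issuer's responses; an exception with no explicit 'pay' answer is
    returned, so a missed response deadline never pays a suspect item (assumed rule)."""
    rows = []
    for check, reason in exceptions:
        decision = issuer_decisions.get(check.number, "return")
        if decision not in ("pay", "return"):
            raise ValueError(f"bad decision for check {check.number}: {decision!r}")
        rows.append((check.number, reason, decision))
    return rows

# Constructed sample data: the issue file and one day's presentments.
ISSUED = [Check("1001", Decimal("250.00"), "Acme Supplies"),
          Check("1002", Decimal("1200.00"), "Office Rent LLC"),
          Check("1003", Decimal("75.50"), "Courier Co")]
PRESENTED = [Check("1001", Decimal("250.00"), "Acme Supplies"),     # clean match
             Check("1002", Decimal("12000.00"), "Office Rent LLC"), # altered amount
             Check("1004", Decimal("999.99"), "J. Doe"),            # number never issued
             Check("1001", Decimal("250.00"), "Acme Supplies")]     # presented twice
if __name__ == "__main__":
    for row in pay_or_return(positive_pay_exceptions(ISSUED, PRESENTED), {"1002": "pay"}):
        print(row)
```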
In addition, it’s important to educate employees about the growing dangers related to account takeover, both to protect your organization and them personally. Training that provides basic fraud prevention guidance — such as the importance of not re-using passwords — is essential.
[1] Privacy Rights Clearinghouse (www.privacyrights.org/data-breaches)
[2] “Database of 1.4 Billion Credentials Found on Dark Web,” by Kevin Townsend, SecurityWeek.com, Dec. 11, 2017 (https://www.securityweek.com/database-14-billion-credentials-found-dark-web)