Online account origination fraud: when new users are bad news

Your online company is getting lots of new online customers, but you don’t understand why the revenue numbers don’t add up. OAO fraud is probably at the source of your problems.

After a test with an eCommerce company, we found that a staggering 70% of their new accounts were fake. Incredulous at first, the company cross-checked our data with their own fraud team to finally agree with us. Only 30% of new accounts were legitimate. As the sad news sunk in, they added “our marketing team is going to be crushed, they thought their sign-up campaigns were killing it” – I guess, in a sense, they were.

Online account origination fraud affects every industry: financial institutions, digital goods, gaming, healthcare – and also marketing. Many companies are aware of the damage fake accounts do in their environment, but there is still uncertainty across the industry about how this fraud affects their bottom line. Some companies will see chargeback spikes but miss the potential link to account creation. However, if we have learned one thing after over a decade of stopping bad actors, it is that fraudsters don’t spend resources unless they have a large payday waiting on the other side. These dark workers retire in their forties; that should tell you how much money they make off you.


What is OAO fraud?

OAO is the acronym for online account origination. The fraud is known as OAO fraud, online account origination fraud, application fraud, credit application fraud, or new account fraud. OAO fraud is where someone creates new accounts in your environment and uses them for fraudulent or delinquent activities.

How OAO fraud harms your business

Online account origination fraud or application fraud is the gateway to a succulent menu of fraudulent activities, such as:

1. Credit or application fraud

This type of fraud affects financial institutions that accept online credit and other applications: the institution grants the applicant a sum of money the applicant never intends to pay back. Bad actors create fake credit applications with the institution using their own information, someone else’s information, or a synthetic identity (a mix and match of different genuine identities). Once they have access to the funds, they disappear into the black hole of the internet-sphere.

This fraud generates direct losses to financial institutions. Javelin’s most recent report on new account fraud (NAF) states that losses on loan-related NAF have increased 30% in the last years. “For lenders, their failure to accurately assess the identity of new applications has translated into meaningful losses, growing from $1 billion in 2017 to $1.3 billion in 2018.”*

2. Credit card testing

This type of fraud happens at eCommerce companies and is often done through a fake account. Let’s say a bad actor bought a set of credit card numbers and wants to know which ones work before making a fraudulent purchase with merchant A. The bad actor creates fake accounts with merchant A and uses a script to attempt purchases, finding the cards that still work. Once she finds the working cards, she can make a fraudulent purchase with that same eCommerce company and/or with a different one. This creates significant losses for the targeted merchant when the legitimate owner of the card spots the fraud and requests a chargeback.
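The pattern above has a recognizable footprint in authorization logs: a freshly created account, many different cards, tiny amounts, and a high decline ratio inside a short window. The following detection is an added example written for this post (it is not nudata’s code or NuDetect); the log rows, account ids, card tokens and thresholds are all constructed for illustration.

```python
# Added example, not nudata's code: flag new accounts whose early payment
# attempts look like card testing (many distinct cards, small amounts, high
# decline ratio, all within the first hour of the account's life).
from collections import defaultdict
from datetime import datetime, timedelta


def _auth(account, created, ts, card_fp, amount, approved):
    # card_fp stands for the tokenized card reference a payment processor
    # returns; every value in SAMPLE_AUTHS below is made up.
    return {"account": account, "created": created, "ts": ts,
            "card_fp": card_fp, "amount": amount, "approved": approved}


SAMPLE_AUTHS = [
    # u1001: eight $1.00 attempts on eight different cards, two minutes after sign-up
    _auth("u1001", "2024-05-01T10:00:00", f"2024-05-01T10:02:{i:02d}",
          f"card{i}", 1.00, i in (3, 7))
    for i in range(8)
] + [
    # u2002: an ordinary new customer, one card, one decline and one retry that succeeds
    _auth("u2002", "2024-05-01T11:00:00", "2024-05-01T11:20:00", "card9", 49.99, False),
    _auth("u2002", "2024-05-01T11:00:00", "2024-05-01T11:21:00", "card9", 49.99, True),
]


def card_testing_signals(auths, window=timedelta(hours=1), min_cards=5,
                         small_amount=5.0, min_decline_ratio=0.5):
    """Return {account: evidence} for accounts matching the card-testing pattern."""
    by_account = defaultdict(list)
    for row in auths:
        by_account[row["account"]].append(row)

    flagged = {}
    for account, rows in by_account.items():
        created = datetime.fromisoformat(rows[0]["created"])
        # Only look at attempts made shortly after the account was created.
        early = [r for r in rows
                 if datetime.fromisoformat(r["ts"]) - created <= window]
        if not early:
            continue
        distinct_cards = {r["card_fp"] for r in early}
        declines = sum(1 for r in early if not r["approved"])
        small = sum(1 for r in early if r["amount"] <= small_amount)
        decline_ratio = declines / len(early)
        # A real customer retrying one declined card has a single card_fp
        # and is therefore not flagged by the distinct-card condition.
        if (len(distinct_cards) >= min_cards
                and decline_ratio >= min_decline_ratio
                and small / len(early) >= 0.8):
            flagged[account] = {"attempts": len(early),
                                "distinct_cards": len(distinct_cards),
                                "decline_ratio": round(decline_ratio, 2)}
    return flagged


if __name__ == "__main__":
    print(card_testing_signals(SAMPLE_AUTHS))
```

The thresholds are placeholders: a merchant would tune `min_cards` and the window against its own order history, and would feed the flagged accounts into the same step-up or block process used for the rest of account-origination risk rather than acting on the rule alone.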

3. Rewards fraud

Are those reward dollars, points, or miles that you invested so much in creating for your eCommerce company starting to disappear from your users’ accounts? Rewards fraud happens at account creation first.

Bad actors figure out the algorithm a company uses to create rewards and then create new accounts. They cash out a limited amount from each account – to avoid raising flags – using their algorithm to find unclaimed rewards. Recently, a large eCommerce company suffered rewards losses of $1.3 million from one single attack.

4. Trial abuse

Why pay for a product after the trial has expired when you can just create a new account and enjoy a fresh trial again? And why not do that at scale: sell a trial under a fake account to others so they don’t have to pay for the service either, while the bad actor makes money on the transaction? This is trial abuse, a type of business logic fraud (abuse of a company’s processes for fraud). It affects companies’ subscription numbers and overall revenue.

5. Checkout stalling

This is a recent fraud scheme I heard about from a client. It works as follows: Let’s say you want to buy tickets for a Queen concert for $200. When you go buy them on the website you find, astonished, that they are already sold out – that wouldn’t be a surprise with a Queen concert in the 80s, but, let’s be honest, today Brian May doesn’t have that much draw. You are forced to go to an online broker who also sells those tickets but at a higher price. Bad luck? No.

Someone in the chain used automation to add the tickets to the cart, go to checkout, and never buy them. As you know, when you go to checkout, your ticket is held for a few minutes until you finish the purchase. Now, imagine this action multiplied hundreds of times, looping every few minutes. Every time you go to the website to buy your Queen tickets, you will see they are sold out and you will have to buy them through the broker at a higher cost, damaging the ticket company’s brand and direct revenue.
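Because the hold-and-abandon loop has to renew each hold right around the time the previous one lapses, it shows up in cart events as a steady cadence with no purchase at the end. The detection below is an added example written for this post (not the ticketing company’s or nudata’s code); the event stream, the ten-minute hold timeout and the thresholds are constructed assumptions.

```python
# Added example, not nudata's or any ticketing company's code: detect accounts
# that repeatedly place inventory on hold at checkout and never buy, re-holding
# at the cadence of the hold timeout. All events below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

HOLD_TTL = timedelta(minutes=10)   # assumed checkout hold duration


def _ev(account, ts, event, qty=2):
    return {"account": account, "ts": ts, "event": event, "qty": qty}


SAMPLE_EVENTS = [
    # u3001: a fresh hold every ten minutes for an hour, never a purchase
    _ev("u3001", f"2024-06-01T09:{m:02d}:00", "hold") for m in range(0, 60, 10)
] + [
    # u3002: holds once and completes the purchase three minutes later
    _ev("u3002", "2024-06-01T09:00:00", "hold"),
    _ev("u3002", "2024-06-01T09:03:00", "purchase"),
]


def stalling_signals(events, hold_ttl=HOLD_TTL, min_holds=5, cadence_share=0.7):
    """Return {account: evidence} for hold-and-abandon loops."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)

    flagged = {}
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r["ts"])          # ISO timestamps sort lexically
        holds = [datetime.fromisoformat(r["ts"]) for r in rows if r["event"] == "hold"]
        purchases = sum(1 for r in rows if r["event"] == "purchase")
        if len(holds) < min_holds or purchases:
            continue
        gaps = [b - a for a, b in zip(holds, holds[1:])]
        # Holds that renew just as the previous one lapses: the loop the post describes.
        ttl_paced = sum(1 for g in gaps if 0.8 * hold_ttl <= g <= 1.5 * hold_ttl)
        share = ttl_paced / len(gaps)
        if share >= cadence_share:
            flagged[account] = {
                "holds": len(holds),
                "held_qty": sum(r["qty"] for r in rows if r["event"] == "hold"),
                "ttl_paced_share": round(share, 2),
            }
    return flagged


if __name__ == "__main__":
    print(stalling_signals(SAMPLE_EVENTS))
```

Since the post notes the holds come from fake accounts, a real deployment would group events by something the attacker cannot cheaply multiply (device or session fingerprint, for example) as well as by account, so that the cadence is visible even when each account only holds once.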

6. Promotion abuse fraud

Those pesky marketers come up with catchy sign-up promotions that, unbeknownst to them, attract bad actors like bees to a honeypot. “Sign up today and get $20 to spend on our products.” “Sign up now and get $200 to gamble on our site.” It doesn’t take long for bad actors to figure out a way around the fine print and cash in on those goods. Whether it is by coordinating with friends or by using scripts, sign-up promotion abuse is often an easy revenue source for bad actors – when companies are not monitoring the account creation placement.

There are three main types of online account origination fraud

First-party fraud

Mostly seen in financial fraud, this is when borrowers trick a lender into believing they have good credit in order to borrow money they do not intend to pay back. They may do this using their own data, or by building a fake persona and then slowly building that persona’s credit over time.

Second-party fraud

This is often considered first-party fraud, but, since we are at it, we’ll explain it as well: it is a type of application fraud in which the fraudster is a friend or trusted acquaintance of the party whose name is on the application. Again, the credited money is not paid back.

Third-party fraud

Often called identity theft or identity fraud, this is when someone creates a fraudulent account or application in someone else’s name, pretending to be that person. However, unlike second-party fraud, the perpetrator is unknown to the victim and probably acquired the victim’s identity illegally.

Why is it hard to catch?

New account fraud or OAO fraud is hard to catch because, unlike authenticating a returning user, when a user opens an account it is the first time a company sees that client and there is nothing to compare him or her to.

Bad actors often use automation to create fake accounts (whether for a credit application, a trial, or an account with an eCommerce company). This allows them to scale for a small price. The only drawback – for fraudsters – is that the scripted nature of this attack reveals automated behavior that some bot-detection tools can flag.

To bypass this challenge, bigger fraud rings hire full-time workers with one task: create as many accounts as possible. To motivate quantity, they pay them per account they manage to open. These are called human farms, and they give financial institutions migraines with their high level of effectiveness: nothing like a human to solve a CAPTCHA.

New account or OAO fraud can also happen at a smaller scale: someone who has their neighbor’s personally identifiable information, or two friends who have agreed on using each other’s credentials to pretend their identities were stolen.

There are myriad solutions to stop bot behavior, but when these bots become more sophisticated (for example, by mimicking human typing pauses or using real IP and location combinations) they bypass most automation-detection tools. Not to mention the challenge when the bad actors are actually humans (human farms, for instance).

How to stop OAO fraud or new account fraud

When the risk is human or human-like, the most effective way to stop this behavior is by looking at precisely that: the behavior. Passive biometrics technology and behavioral analytics have proven to be successful at identifying fraudulent patterns while a user fills out a form. The way your user moves tells a story: how fast are they typing, filling out the fields, or moving the mouse?

nudata is working with major players across the globe to stop OAO fraud with its solution, NuDetect for OAO, and helping them mitigate these attempts.

Bad actors creating an account or submitting an application have identifiable behavior. For example, the familiarity with the form, the keyboard shortcuts, and the mouse movements are some of the parameters that expose them. Even the way they introduce the person’s information tells a story: are they constantly correcting easy fields like first and last name? Do they have long pauses? Are they using Paste to provide the information?

However, not all risk assessments are as clear-cut as good or bad. Sometimes there are grey areas. In those cases, we work with the company to determine a process; nudata can automate any interdiction or step-up process the company uses.

Once the company determines what range of risk scores falls into the grey area for them (this is based on their false-positive tolerance: they don’t want to risk letting the application through, but they don’t want to block it either), they decide what steps to automate. For example, one of the banks we work with, given its low risk tolerance, wanted to call applicants with a specific score to verify them further. nudata has automated that process: when a score equals X, the application is sent to customer service for a personal call to that applicant.
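To make the two preceding ideas concrete (behavioral features such as typing cadence, pauses, pasting and name corrections, and the allow / grey-area / block routing built on top of them), here is an added example written for this post. It is not nudata’s NuDetect and does not describe how NuDetect scores; the event streams, feature set, weights and score bands are all constructed assumptions meant to show the shape of such a pipeline. It also goes slightly beyond the text by showing that a script which slows down to human speed but keeps a metronomic cadence lands in the grey area rather than being cleared.

```python
# Added example, not nudata's NuDetect: turn a stream of form-fill events into
# behavioural features, score them with a placeholder heuristic, and route the
# result into allow / step-up / block bands as the grey-area process describes.
# Weights, thresholds and event streams are assumptions, not nudata's values.
from statistics import mean, pstdev


def typed(field, keys, start, gaps):
    """Constructed key events: key i arrives gaps[i-1] ms after the previous one."""
    events, t = [], start
    for i, key in enumerate(keys):
        if i:
            t += gaps[i - 1]
        events.append({"t": t, "type": "key", "field": field, "key": key})
    return events


# A person: uneven intervals, a long think between fields, email pasted from a password manager.
HUMAN_SESSION = (typed("first_name", "Mary", 1200, [190, 330, 90])
                 + typed("last_name", "Smith", 5200, [400, 60, 350, 290])
                 + [{"t": 9800, "type": "paste", "field": "email"}])

# A script: every key 30 ms apart, whole form done in under half a second.
BOT_SESSION = (typed("first_name", "Mary", 100, [30] * 3)
               + typed("last_name", "Smith", 200, [30] * 4)
               + typed("email", "m@x.io", 330, [30] * 5))

# A script that slowed down to human speed but kept a perfectly constant cadence.
SLOW_BOT_SESSION = (typed("first_name", "Mary", 500, [120] * 3)
                    + typed("last_name", "Smith", 2000, [120] * 4)
                    + typed("email", "m@x.io", 4000, [120] * 5))


def features(events):
    keys = [e for e in events if e["type"] == "key"]
    # Intervals between consecutive keys inside the same field (cross-field moves excluded).
    gaps = [b["t"] - a["t"] for a, b in zip(keys, keys[1:]) if a["field"] == b["field"]]
    name_fields = ("first_name", "last_name")
    return {
        "mean_gap_ms": mean(gaps) if gaps else 0.0,
        "gap_stdev_ms": pstdev(gaps) if len(gaps) > 1 else 0.0,
        "long_pauses": sum(1 for g in gaps if g > 3000),
        "name_corrections": sum(1 for e in keys
                                if e["field"] in name_fields and e["key"] == "Backspace"),
        "pasted_fields": len({e["field"] for e in events if e["type"] == "paste"}),
        "fill_time_ms": events[-1]["t"] - events[0]["t"],
    }


def risk_score(f):
    """Placeholder additive heuristic, 0..100; higher means more likely automated."""
    score = 0
    if f["gap_stdev_ms"] < 15:       # metronomic typing, whatever the speed
        score += 40
    if f["mean_gap_ms"] < 40:        # faster than a person can type
        score += 25
    if f["fill_time_ms"] < 3000:     # whole form in under three seconds
        score += 15
    if f["pasted_fields"] >= 3:      # everything pasted; one pasted field is normal
        score += 10
    if f["name_corrections"] >= 3:   # repeatedly correcting one's own name
        score += 10
    return min(score, 100)


def route(score, allow_below=30, block_at=70):
    """Map a score to an action; the band in between is the company's grey area."""
    if score < allow_below:
        return "allow"
    if score >= block_at:
        return "block"
    return "step_up"   # e.g. queue the application for a verification call


def decide(events, **bands):
    score = risk_score(features(events))
    return score, route(score, **bands)


if __name__ == "__main__":
    for name, session in [("human", HUMAN_SESSION), ("bot", BOT_SESSION),
                          ("slow bot", SLOW_BOT_SESSION)]:
        print(name, decide(session))
```

The `allow_below` and `block_at` arguments are where the false-positive tolerance discussed above lives: a bank with low risk appetite narrows the allow band and widens the step-up band, accepting more verification calls in exchange for fewer fraudulent applications slipping through. Note that a single pasted field is scored as normal on purpose, since password managers and autofill make pasting common among good users.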

By collecting and analyzing passive biometrics behavior, our clients are sharply reducing the number of fake accounts or applications that were previously bypassing their existing security tools. These are fraudulent accounts that would have generated direct losses to the company before NuDetect for OAO was deployed.

What should you do next?

As we have seen, online account origination or new account fraud has many uses for bad actors (application fraud, trial abuse, credit card testing…) and companies face two challenges. First, understand what your direct loss from this fraud is. It is not always clear which losses begin at account creation: “New accounts are free to create, how is that costing me money?” If anything, more sign-ups should be a good sign – at least for marketing! It takes a bit of digging to realize where the problem comes from.

Secondly, because of the sophisticated nature of these attacks, companies need tools that look at the user behavior such as passive biometrics. This technology can be customized and fine-tuned to reduce fraud that bypasses current security tools and still give good users a streamlined experience with a 0.9% false decline rate.

If you suspect you may have fraud losses originating at new account or application creation, dig a bit deeper; talk with your fraud, business, and risk teams – find out not just what is happening but why.

If you would like a consultation with us to assess your needs and how we can help you, email us at verifygoodusers@nudatasecurity.com.

*Javelin, The Evolution of New Account Fraud, July 2019

Author: Magali Vander Vorst