How to Prevent Account Takeover for Buy Now Pay Later Companies

by Bence Jendruszak
Many cryptocurrency exchanges offer fraudsters an irresistible cocktail of low regulation, low-security friction, potentially high rewards, and lots of imaginative ideas from people who don’t quite understand the market. The possibility of scamming away a username and password from an ill-informed crypto trader, bypassing low-scrutiny follow-up security with that login data, then finding a stockpile of untraceable digital currency inside is, well, something account takeover (ATO) fraudsters are happy to get drunk on.
Falling under the broad umbrella of financial and money services, exchange operators doing business in regulated territories already had to adhere to anti-money laundering (AML) and Know Your Customer (KYC) mandates, but enforcement was sporadic. Now, with the recent high-profile instances of extreme customer safety negligence, regulators are under more pressure to make crypto services walk the straight line toward consumer protection.
While following those KYC and AML regulations will help crypto exchanges in some instances for account takeover fraud prevention, half the battle to keep accounts safe is done on the side of the account holder. How then, can you keep your blockchain valuables safe from the threat of account takeovers?
Unfortunately, in the event that your account becomes compromised, there is little recourse to recoup your losses. The anonymity and decentralization that crypto trading offers are part of its appeal for many traders, but on the other side of the sword, decentralization means no centralized governing body, and less pressure on exchanges to offer their users security. Anonymity and the nature of blockchain technology mean there are few ways to get stolen crypto funds back.
If your account is hacked, it is likely that, by the time you realize the hack has occurred, whatever currency you had will be gone, and whatever personal information you stored in your account has been compromised. Your next actions should be damage control:
Only the largest crypto operators will have customer service arms to handle these kinds of complaints, and they will inevitably be swamped. Regardless, having visibility on your account’s situation by either the exchange itself or policing authorities may be beneficial in the long run.
Cases where funds are actually returned to wallets are rare. They are often part of large-scale policing efforts and class-action lawsuits. In those instances, maintaining an accurate paper trail is your best bet for covering losses.
SEON’s transaction monitoring and device fingerprinting can make sure your customers are who they say they are, not an account takeover fraudster.
Ask an Expert
To keep your accounts as safe as possible in the crypto environment, relying on in-built safeguards that the exchange itself provides is not enough. Awareness of prevailing security threats is crucial and you should pair it with a healthy dose of skepticism.
If that kind of thinking doesn’t come naturally to you, follow these steps as best practice for your personal security.
Password hygiene is not in reference to well-polished, squeaky-clean secret word choices. Rather, it means making a habit of organizing your login information using a secure method of some sort, such as a password manager program. With this, you can keep visibility on your various usernames/password combinations to:
Following these steps secures your crypto accounts by, essentially, not putting all your security eggs into one basket, and making those single-egg baskets are much harder for fraudsters to reach into. In other words, if one of your accounts is broken into, that compromised login data can’t then be used in a credential stuffing attack on another one of your accounts. Brute force attacks that try to guess your password are statistically unlikely to succeed.
Remember: Crypto providers will never ask for your password, so anyone saying they require your login data is inevitably a phishing scam.
Unfortunately, simply knowing a current list of the ways phishing scammers are managing to get access to customer accounts is not enough to keep you safe. Fraudsters are always developing new methods to deceive and manipulate and might approach from any channel available: email, text, social media, or even cold calling.
This makes the challenge of developing an internal system of red flagging even more crucial. Because of the prevalence of lists of security tips just like this one, there is a strong motivation among fraudsters to innovate. In general, if you are active in the crypto trading market, be on the lookout for:
Any one of these, if followed without scrutiny, will lead to whatever data you submit being used in ATO attempts. If you’ve given up login data that matches your crypto accounts, the likelihood that fraudsters will breach those accounts is much higher.
In general, treat any unknown entity that approaches you online with suspicion, and if they ask you for personal information that is outside your comfort zone, disengage.
The most sophisticated account takeover fraudsters may be leveraging advanced tools to skim or manipulate your data from right out of the airwaves, so to speak. These methods might allow a fraudster to impersonate someone within your circle of trusted people, or even intercept security communications between a crypto domain and your devices.
Maintaining secure connections is a crucial part of securing your data from these advanced fraudsters. In order to cut down the likelihood of your data being invisibly intercepted, consider:
Following these simple protocols goes a long way to securing your data from:
In the crypto landscape, these three threats are extremely pervasive, so closing any loopholes in your online habits – or in your knowledge – will go a long way to securing your valuable accounts.
Cryptocurrency exchanges have a particular issue with ATOs because of the low scrutiny a decentralized economy inherently offers; little oversight means few safeguards. This not only makes stolen funds nearly impossible to recover but also attracts an outsized number of fraudsters and scammers seeking to take advantage of these de-emphasized security protocols.
As exchanges make their names largely on reputation and digital word-of-mouth, the potential for reputational damage to impact bottom lines is much greater if an exchange becomes associated with account takeovers regularly.
Conversely, retail-level crypto investors may be more likely to take their business to exchanges that have strong anti-phishing measures, multi-factor authentication, real-time transaction monitoring, or a consumer safety-focused refund policy. Not coincidentally, crypto exchanges that have these things in place are less likely to find themselves under the scrutiny of regulating bodies, and thus less prone to incurring potentially massive fines.
Fraudsters who have succeeded in taking over a user account can be detected through their behavior, which is very likely to deviate significantly from the behavior of the genuine account holder. Though every crypto exchange needs to determine what constitutes risky behavior individually, there is a certain perimeter of risk assessment that every exchange should try to stay within, or else risk intense government scrutiny.
To protect customers from the risks of ATO in a crypto exchange – and avoid fines from safety regulators – exchanges should implement and maintain practices such as transaction monitoring, IP analysis, device fingerprinting, and a strong system of account takeover alerts.
Let’s take a look at how SEON can address some of these needs.
In tandem with both the risk management and customer services teams, SEON can help detect instances of ATO, as you tune it to suit the particular needs of your crypto exchange. These are some examples of rules that you can leverage on traffic and transactions to keep your customers safe from fraudsters and your bottom line safe from legal punishment.
One of the more obviously suspicious user behaviors that could indicate a crypto account has been compromised is a suspicious increase in the amount of currency being moved around, deviating from a user’s previous behavior.
As soon as a fraudster successfully takes over an account, it is most often the case that they will liquidate the funds therein by transferring any cache to another account they control. In crypto, even if this other account is known, there is little to do in terms of being able to recoup it.
The screenshot below shows how you can set up a custom rule with SEON to detect such behavior.
This particular example has been set to detect instances of transaction behavior where, within 24 hours, a crypto customer has suddenly had a 200% (or more) increase in their transactional volume. There may be any number of legitimate reasons this might take place, of course, but crypto exchanges would be wise to monitor for and review such instances for signs of ATO.
Note, also, that the velocity values – both the timeframe and the transaction volume – are instantly customizable, and you can adjust them based on your knowledge of transactional variances among your user base or your respective risk appetite. By the same logic, SEON allows you to set up rules to review instances where a “normal” user suddenly decides to drain their account.
Fraudsters armed with stolen username and password combinations will likely try to force those login details through various security gateways in credential stuffing attacks. They are hoping to find a domain where the user has re-used the same credentials as those stolen or purchased by the fraudster.
This is a security gap easily remedied with good password hygiene, as previously mentioned. In all likelihood, however, a user practicing at least the most basic password safety will probably not be using the same login credentials, so particularly in the cases of fraudsters who use automated bot attacks for credential stuffing, there may be a sudden flurry of failed login attempts.
Here’s a screenshot of how SEON can help remedy this issue.
Here, a custom rule has been set up to escalate any instance of 5 or more failed login attempts to manual review. Even in cases where the login attempts all fail, and thus the attacked account has not been taken over, review teams should have the capability to issue an alert to the account holder under attack.
Letting them know they have likely been involved in a breach and should be doing their due diligence in terms of password management may go a long way to securing them.
In all likelihood, a malicious fraudster who has executed a successful account takeover will not be connecting from the same location as the actual account holder, and certainly not from the same device.
These two points are easily scrutinized by SEON’s fraud-fighting platform. Though there may be any number of reasons why a person might be accessing your crypto exchange from a new device or location, the possibility of an ATO should at least give operators reason enough to let a member of the risk management team review the login, particularly if the device and location change suddenly.
Here is a screenshot of this rule in action.
This rule has been set up to add 10 points to the user’s overall risk score when the user connects from a new device. Depending on the risk appetites of your particular company, this can be changed, as can the overall score threshold to determine what actions need to be taken with this account.
Of course, there is nothing inherently suspicious with, say, buying a new phone and then connecting to an existing crypto wallet account with it, but a combination of suspicious markers, like a different IP from a potentially risky region alongside a new device should at least make your risk managers curious, and thereafter motivate them to investigate further before determining if this account has been breached.
All digital verticals offering their customers account-based transactions will inevitably have to deal with account takeovers and their snowballing risks.
While the infrastructure of a given crypto exchange doesn’t necessarily make it more or less vulnerable than any other ecommerce domain, in the DeFi (decentralized finance) world, risk appetites are necessarily higher.
Despite the clear value of a VPN detection test, in the context of cryptocurrency, many crypto customers will, as a baseline, be connecting via some connection-obfuscating service like a VPN for their own security reasons. Therefore, most crypto exchanges will certainly be unwilling to assign too much risk to a data point like the presence of a VPN or Tor client, lest they ban a significant portion of their users.
This can make detecting instances of account takeover somewhat more difficult, but SEON can rise to the challenge.
Even if a fraudster manages to gain access to one of your legitimate customer’s accounts with an accurate username/password combination – also while making themselves appear as close to the account holder as possible with a location-spoofing service – SEON can still find them.
This is true of out-of-the-box deployment thanks to our blackbox machine learning, and it becomes even more consistent when trained on your historical fraud data. Anomalous transactional behavior can always be detected by SEON. Device and browser configurations associated with fraud can be scanned for among incoming traffic, so if a normal user’s PC suddenly turns into one that strongly resembles an automated account-stuffing bot attack, SEON will tell you.
Sadly there is no piece of software that can ensure that your domain remains unplagued by cybercriminals autonomously. Keeping your crypto exchange free of ATOs will always be a two-handed operation. While one hand should be concentrating on holding the fraud door closed, the other must be illustrating the pervasive threats of the day on the chalkboard, then tapping it repeatedly, to make sure your customers and staff stay informed and their accounts secure.
Partner with SEON to reduce fraud rates in your business with real-time data enrichment, whitebox machine learning, and advanced APIs.
Ask an Expert
Most commonly, ATO fraudsters hoping to find valid username/password combinations will use phishing, SIM-swapping, and credential stuffing to go about their attack, and often a combination of these.
The nature of blockchain currencies means that there is no mechanism to return stolen crypto, and indeed almost everyone claiming otherwise is likely a scammer themselves. In large-scale cases of massive ATO attacks, governing bodies may pursue funds over the course of legal proceedings, but this is rare, and has historically not recouped the entire amount stolen.
It’s worthwhile to first report the theft to the exchange themselves, though the customer service department of many exchanges may be limited or even nonexistent. Depending on your location, you can then report to local governing bodies, such as the FTC, CFTC or SEC in the US, or the NCSC or the national police’s Action Fraud website in the UK. The data will help inform future action, and in the rare event of legal action against the fraudster, could help you stake your claim on any recovered currency.
Showing all with `` tag
Click here
Bence Jendruszák is the Chief Operating Officer and co-founder of SEON. Thanks to his leadership, the company received the biggest Series A in Hungarian history in 2021. Bence is passionate about cybersecurity and its overlap with business success. You can find him leading webinars with industry leaders on topics such as iGaming fraud, identity proofing or machine learning (when he’s not brewing questionable coffee for his colleagues).
The top stories of the month delivered straight to your inbox