BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage Articles What Is Account Creation Fraud? Complete Guide to Detection and Prevention

What Is Account Creation Fraud? Complete Guide to Detection and Prevention

Bookmarks

Key Takeaways

  • Account creation fraud, in the broadest sense, relates to any customer account created using fraudulent information.
  • Because of the sheer number of different types of ‘attacks’ that rely on fake user account creation, the practice can be extremely difficult to detect and stop for any online company.
  • The good news is that there are a number of automated tools that can be used to detect obvious instances of the practice. The bad news is that more sophisticated forms of fraud, and especially those that use “real” credentials, are much harder to detect.
  • What is needed, in short, is a large-scale change in the way that users are verified.

The cybersecurity landscape is a dynamic one, and the threat profile that companies face is always changing. But while new threats are often those that generate the biggest headlines, it is also worth paying attention to the re-emergence of problems we thought we had solved.

A good example of this is account creation fraud. Ten years ago, this type of fraud was a major concern for many companies, and especially those working with ecommerce platforms. Then, the development of captcha and the widespread deployment of two-factor authentication appeared to have curtailed the issue. Today, thanks to the development of sophisticated and cheap hacking tools, fraudulent account creation is on the rise again.

This time, the problems might go deeper than before. Hackers have learned how to get around even the most secure account creation security systems, and this has led some analysts to question the very basis of our security practices in the cloud age. Some have even suggested that the password, still the most common way of protecting and validating user accounts, might be dead and out of touch with new and improved technologies available.

In this article, we'll take a look at the re-emergence of account creation fraud, and how this type of attack works. Then we'll turn our attention to the impact that this is already having on the way that companies secure their identity management systems, the effects of security measures like virtual private networks (VPN) and password managers, along with what the future will bring.

How Account Creation Fraud Works

Account creation fraud, in the broadest sense, relates to any customer account created using fraudulent information. The simplicity of that definition, however, belies how complex and widespread this type of attack is.

At one extreme, a hacker might buy a ‘package’ of personal information on a real-life person via the Dark Web, and use these stolen details to create fake accounts through which they can funnel illegal earnings. At the other extreme, a legitimate customer, looking to limit the amount of spam in their inbox, might simply supply a ‘fake’ email address when they sign up for a shopping account.

Somewhere in between these two extremes are also a huge number of other practices – some truly malicious, and some less so – that all rely on the creation of fake user accounts:

  • Some companies will use fake accounts, for instance, to bomb review sites with favorable reviews of their product.
  • Fake accounts can also be used for content and profile scraping, particularly on social media platforms.
  • Ecommerce sites are also a target of fake account creation schemes. Using fake accounts, attackers can automatically buy up high-demand items, and then re-sell them. By making use of multiple fake accounts, these attackers can get around purchase quantity limits.

Because of the sheer number of different types of ‘attacks’ that rely on fake user account creation, the practice can be extremely difficult to detect and stop for any online company. In addition, there are a number of other aspects of the practice that make it difficult for companies to address.

First and foremost, If an attacker is in control of a stolen identity, and has enough information on their victim, it can be impossible to detect the true identity of the individual signing up for an account, though Facebook, in particular, has become more adept at rooting out these ‘evil-doers’.

Not so long ago, you could switch your IP address at will using a VPN and fool the platform into allowing almost limitless account creation. Apparently,  Facebook can now identify this practice if we’re to believe this Reddit post about this guy tried to create multiple accounts whilst hiding behind a VPN and failed.   

Secondly, new account creation is often the lifeblood of startup companies. Particularly in the first few years of their existence, where they will typically lack hard fiscal data, companies will report the number of new accounts created as evidence of the sustainability of their business model. This can create a perverse incentive for companies to overlook instances of fake account creation in order to satisfy their investors.

This can sometimes backfire. If your startup service is littered with fake accounts, and users have created multiple accounts to get access to sign-up offers, you are also leaving yourself open to cyberattack. Dead or inactive user accounts can be hacked and then used to launch a coordinated attack on your other systems. This could involve DDoS attacks, or CPU-intensive operations like bitcoin mining.

Third, there is a difficult balance to be struck between letting customers easily create accounts, and screening fake attempts to do so.

In short, account creation fraud is implied within almost every type of cyberattack, and presents companies with a number of difficult compromises. For this reason, and as we will see, fake account creation is booming.

The Scale of The Problem

Because of the sheer number of threats that fake account creation is a necessary part of, and also because of the difficulty of detecting it, it can be difficult to assess how widespread the practice is.

Some trends are beyond doubt, however. LexisNexis Risk Solutions, a research firm, has been compiling statistics on human-initiated attacks on their Digital Identity Network for a few years now, and these numbers show a worrying rise in the practice of fake account creation. The most recent report, for instance, showed a 13% increase in fraudulent account creation in the first 6 months of 2019, as compared to the last 6 months of 2018.

Tellingly, this report also showed that account creation fraud was the only ‘use case’ that saw growth over the study period, with all the other types of attack the firm detected slowly decreasing. The largest-scale fraudulent account attacks over the last year are also a good indication of the varied ways in which these attacks can be performed, and the scale at which they can now be deployed.

An attack in June 2019, for instance, was the largest bot attack that has been seen since 2016. This attack targeted a virtual gift-card provider, and used a huge botnet to automatically sign up to accounts using ‘legitimate’ email addresses. An earlier report found that 41% of new account fraud operates in this way. Whilst this attack originated in the US, it might be telling that the browser language was set to Russian.

Two smaller attacks in 2019 made use of real user credentials, likely to have been sourced from the Dark Web. One was on a "global e-commerce" retailer, who were hit with thousands of requests for new accounts from automated desktop account tools. Another attack made use of IP-spoofing and device-spoofing to mimic legitimate customers of a multinational bank, and tried to set up account services in their name.

Some other headlines from recent research may point to the future of fraudulent account creation. 2019 has seen a 144% surge in fraudulent account creation requests from mobile devices. To date, the vast majority of automated account creation tools have been operationalized through desktop machines, so this rise in mobile attacks represents a new threat vector for companies trying to reduce the practice.

Detecting Account Creation Fraud: The Basics

At this point, you are probably wondering how you can stop account creation fraud. There is some good news, and some bad news. The good news is that there are a number of automated tools that can be used to detect obvious instances of the practice. The bad news is that more sophisticated forms of fraud, and especially those that use "real" credentials, are much harder to detect.

Let’s cover the easy wins first, though. There are several software providers who offer services that can detect suspicious activity on new accounts, and which can help you to identify accounts that have been created merely to commit fraud. These services generally look at the raw level of account activity: if an account is suddenly making hundreds of requests a second, or conversely sits dormant for months, there is a fair chance that it is not a legitimate one.

You can, of course, also undertake this kind of analysis yourself. Whichever platform your systems use, you should have the capability of analysing user activity. For web-based systems, for instance, you can use your web analytics package to break down usage by IP address, which will quickly show you if one IP is using a huge amount of resources.

On the other hand, it’s also worth checking frequently for accounts that are dormant, and letting the user know that you will delete them if they are not being used. This kind of "pruning" can be very effective in reducing the number of fake accounts on your systems, reducing your risk profile, and also freeing up computational resources that you can use to help genuine customers.

A Closer Look At These Solutions

Whilst these simple solutions can catch basic instances of fraud, the practice is such a complex one that it touches on some more fundamental aspects of the way that IT systems, work. Given the complexity and scale of account creation fraud, it’s no wonder that developing ways to reduce the practice has become a major topic of research for tech providers.

In order to understand how to combat the problem, it’s worth looking at the way that account creation works at the moment, and how it can be improved. Today, there are essentially two types of approaches that seek to limit the ability of hackers to create fake accounts; those that analyze background data on the user seeking a new account, and those that aim at a more revolutionary approach to the very idea of account security.

Let’s look at the first approach. A growing number of companies offer analysis tools that claim to be able to detect account creation fraud. IBM’s Trusteer was one of the first of these tools, and is still the most popular, although plenty of other companies claim that their systems are now more advanced.

These systems work by analyzing data – sometimes using AI techniques – gathered from a user’s online activity. They can be implemented at various levels of complexity. At a basic level, data on the previous activity of phone number or email address can be correlated with data gathered (or bought) from telecoms providers: if a phone number has never been used, for instance, there is a fairly good chance it is fake.

Going deeper, some systems will automatically detect suspicious account creation activity – such as a high number of account requests from similar IPs – or flag examples of potentially malicious purchase activity – such as a spike in demand for a particular product.

But do these systems work?

Well, yes and no. Systems like this can be effective at catching account creation fraud that utilizes botnets, because this kind of large-scale attack generally leaves a data trail that can be detected by AI analysis.

As we have seen, however, not all account creation fraud operates in this way. A significant proportion of ‘fake’ accounts are requested using ‘real’ credentials that have been stolen and then bought by an attacker. Opening fraudulent accounts is often the first step in the process of stealing someone’s identity, or of setting up a fake identity that looks legitimate. Typically, an attacker will use a fake identity to sign up for an email account and start a blog, and then use these fake accounts to sign up to ever-more ‘legitimate’ accounts and services. Working upwards in this way means that a hacker can quickly build up an online presence that makes their invented identity appear to be real.

This kind of fraud is often more dangerous than automated attacks, because it is implicated in identity theft schemes that are among the most damaging to consumers, and is very difficult to detect. To make matters worse, implementing a system that automatically detects ‘suspicious’ activity can actively bar legitimate customers from signing up for an account. The increased use of virtual private networks among the 'average' user means that this type of automated system will be unable to detect the type of background information they require to function, and flag such requests as illegitimate. In this way, the use of such systems can penalize customers that are taking legitimate steps to improve their own cybersecurity.

The Problem With Passwords

Perhaps, then, we need to look a little deeper for the solution to account creation fraud. To do that, let’s first remember that the vast majority of account management systems, even today, make use of one system – email – and one form of credential – the password.

This means that some of the most ‘advanced’ account management systems out there are still reliant on technologies that are decades old, and were not developed with today’s threat environment in mind.

In an ideal world, screening new account requests via email verification would represent a relatively secure, relatively easy way of screening illegitimate requests. The problem is that we don’t live in an ideal world. Thousands of people still use the same password even after a known security breach. And, the majority of users don’t use strong passwords with many of them using the same password for all of their online accounts.

In practice, this means that it’s pretty easy for an attack to get around password protection and email verification.

What is needed, in short, is a large-scale change in the way that users are verified. It might sound fanciful to argue that the password is obsolete, but plenty of analysts have done so, and even the US government is seeking an alternative to passwords.

The new systems that are being developed seek to leverage the security advantages of cloud storage, and specifically the fact that cloud-based systems allow previously impossible amounts of data to be stored and linked to user accounts. These new systems can broadly be broken into three categories:

  • The first is the adoption of biometrics. Biometric security is, of course, not a new idea. However, public cloud environments are allowing even small startups to start to use biometric verification of new user accounts. The advantage of these is obvious: bots do not have fingerprints, and even with stolen user credentials it is difficult to fake them.
  • The second proposed solution is to use temporary credentials. This is approach that AWS is currently pushing in its cloud security solutions, but it remains to be seen if this will have a significant impact across other systems.
  • Finally, and at a much broader level, there has been a shift toward verification systems that don't rely on passwords or emails at all. These systems typically use multi-factor authentication in combination with push notifications, and are currently the way that both Yahoo and Google verify new user accounts.

At the moment, it is difficult to ascertain which of these approaches – if any of them – will become the standard way in which new user accounts are verified in the future. What is clear, however, is that the current way in which this is done leaves companies wide open to account creation fraud.

The Future

Whatever the future holds, it is also worth noting that the "arms race" between hackers and cybersecurity systems is not going away any time soon. As new ways of verifying user identities emerge, new ways of getting around these will also – inevitably – be found. For instance, even the most secure form of user authentication around at the moment, which is arguably biometrics, may soon be undermined by high level deepfakes.

In short, the level and severity of account creation fraud might be spiking right now, but the situation remains fluid. As countermeasures to this type of fraud become more widespread, it might be that we can forget about this type of attack for a few years. But eventually, it will emerge again.

About the Author

Sam Bocetta is a former security analyst, having spent the bulk of his as a network engineer for the Navy. He is now semi-retired, and educates the public about security and privacy technology. Much of Sam’s work involved penetration testing ballistic systems. He analyzed our networks looking for entry points, then created security-vulnerability assessments based on my findings. Further, he helped plan, manage, and execute sophisticated "ethical" hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems used by the Navy (both on land and at sea). The bulk of his work focused on identifying and preventing application and network threats, lowering attack vector areas, removing vulnerabilities and general reporting. He was able to identify weak points and create new strategies which bolstered our networks against a range of cyber threats. Sam worked in close partnership with architects and developers to identify mitigating controls for vulnerabilities identified across applications and performed security assessments to emulate the tactics, techniques, and procedures of a variety of threats. Linkedin here.

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT