Splunk Lantern

Detecting consumer bank account takeovers

 

Working as part of a fraud detection team, you need to be able to quickly identify when a customer’s account is taken over by a fraudster.

The types of indicators you look for when detecting account takeover include:

  • Password guessing
  • Multiple IP addresses accessing an account
  • Multiple accounts being accessed by a single IP address
  • Unusual IP addresses accessing an account (for example, from a foreign country, a Tor exit node, or a proxy)
  • Unusual account behaviour (for example, a password change and an email change followed by money movement: fraudsters often change the password or email address after gaining access, to lock the legitimate user out, and then move money)
  • Unusual browser type (or user agent)
  • Browser language not matching the customer's locale (for example, a Russian-language browser used by a US-based customer)
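
The following is an added example, not part of the original article or of the Splunk App for Fraud Analytics, that implements four of the indicators above over a handful of constructed banking-application events: distinct source IPs per account, distinct accounts per source IP, the password-change plus email-change then money-movement sequence, and browser language versus customer locale. The event field names (`user`, `src_ip`, `action`, `lang`, `locale`) are assumptions; the equivalent Splunk searches would use whatever fields your application data actually carries.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the article); the field names are
# assumptions about what a banking application log might carry.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "src_ip": "203.0.113.5", "action": "login", "lang": "en-US", "locale": "en-US"},
    {"ts": "2024-05-01T09:05:00", "user": "alice", "src_ip": "198.51.100.7", "action": "login", "lang": "ru-RU", "locale": "en-US"},
    {"ts": "2024-05-01T09:06:00", "user": "alice", "src_ip": "198.51.100.7", "action": "password_change", "lang": "ru-RU", "locale": "en-US"},
    {"ts": "2024-05-01T09:07:00", "user": "alice", "src_ip": "198.51.100.7", "action": "email_change", "lang": "ru-RU", "locale": "en-US"},
    {"ts": "2024-05-01T09:40:00", "user": "alice", "src_ip": "198.51.100.7", "action": "transfer", "lang": "ru-RU", "locale": "en-US"},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "src_ip": "198.51.100.7", "action": "login", "lang": "en-US", "locale": "en-US"},
    {"ts": "2024-05-01T10:02:00", "user": "carol", "src_ip": "198.51.100.7", "action": "login", "lang": "en-US", "locale": "en-US"},
    {"ts": "2024-05-01T11:00:00", "user": "dave", "src_ip": "192.0.2.9", "action": "password_change", "lang": "en-US", "locale": "en-US"},
    {"ts": "2024-05-01T11:30:00", "user": "dave", "src_ip": "192.0.2.9", "action": "transfer", "lang": "en-US", "locale": "en-US"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def distinct_count(events, key, value, threshold):
    """Keys linked to at least `threshold` distinct values, e.g. accounts with
    many source IPs (key="user", value="src_ip") or IPs touching many accounts."""
    seen = defaultdict(set)
    for e in events:
        seen[e[key]].add(e[value])
    return {k for k, s in seen.items() if len(s) >= threshold}

def takeover_sequences(events, window=timedelta(hours=24)):
    """Accounts where BOTH a password change and an email change precede a
    transfer within `window`. A password change alone (dave) does not fire."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        for i, mv in enumerate(evs):
            if mv["action"] != "transfer":
                continue
            earlier = {x["action"] for x in evs[:i] if _ts(mv) - _ts(x) <= window}
            if {"password_change", "email_change"} <= earlier:
                flagged.add(user)
    return flagged

def language_mismatch(events):
    """Logins whose browser language does not match the customer's locale."""
    return {(e["user"], e["lang"]) for e in events
            if e["action"] == "login" and e["lang"].split("-")[0] != e["locale"].split("-")[0]}
```

Running the four checks over these events flags only alice (two IPs, the change-then-transfer sequence, and a Russian-language login against a US locale) and the single IP 198.51.100.7 that reached three accounts; dave's lone password change followed by a transfer stays below the sequence threshold.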

Required data

Application data for banking transactions

How to use Splunk software for this use case

The information in this article applies to Splunk Enterprise Security (ES) versions 7.x. If you have upgraded to Splunk Enterprise Security version 8.x, some terminology and steps might not apply. For additional assistance on this use case with ES 8.x, Splunk Professional Services can help.

The Splunk App for Fraud Analytics comes with correlation searches out of the box to help you find incidents such as these. Depending on your environment and requirements, you might find it useful to look for some or all of the following:

Next steps

These resources might help you understand and implement this guidance:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.