Detecting consumer bank account takeovers
Working as part of a fraud detection team, you need to be able to quickly identify when a customer’s account is taken over by a fraudster.
The types of indicators you look for when detecting account takeover include:
- Password guessing
- Multiple IP addresses accessing an account
- Multiple accounts being accessed by a single IP address
- Unusual IP addresses accessing an account (for example a foreign country, TOR node, or proxy)
- Unusual account behaviour (for example a password change and email change, followed by money movement, since fraudsters often change password or email after gaining access to prevent the legitimate user from getting back in, then they steal money)
- Unusual browser type (or user agent)
- Browser language not matching customer locale (for example the Russian language used by a USA user)
Required data
Application data for banking transactions
How to use Splunk software for this use case
The Splunk App for Fraud Analytics comes with correlation searches out of the box to help you find incidents such as these. Depending on your environment and requirements, you might find it useful to look for some or all of the following:
Next steps
These resources might help you understand and implement this guidance: