Multi-layered security will reduce instances of data theft.
We are all now so accustomed to announcements of large-scale cyberattacks and data breaches that we sigh in acceptance, rather than react in shock, when a provider informs us of a breach of our personal data.
British Airways’ data breach continues to make headlines over a year on, as customers look to sue the airline after their personal details were exposed in September 2018.
Due to the accelerating rate at which data breaches and cyberattacks occur, there is now a wealth of personal data available on the dark web, including passwords and login credentials. It is estimated that there are 550 million individual documents on the dark web, a supply fuelled by large-scale data breaches.
This can result in account takeover fraud (ATO), a form of identity theft whereby a criminal uses a legitimate customer’s stolen data to illegitimately access their existing account.
This data is easy and cheap for cybercriminals to acquire, and we have witnessed a 31% increase in ATOs year-on-year. What’s more, these attacks are being carried out by bots at scale, which can perform upwards of 100 attacks per second.
The impact of ATO
The knock-on effect of ATO is hard to measure. In some cases it is slightly easier to quantify on a personal scale — it’s possible to know how much money you’ve lost and which accounts have been compromised, for example.
The rise of ATO has also led to a complete breakdown in trust between businesses and their customers — almost half (46%) of organisations say they have suffered damage to their reputations and brand value as a result of a breach.
Username and password, knowledge-based authentication (KBA) and SMS-based two-factor authentication (2FA) are outdated methods of authentication and are increasingly susceptible to ATO fraud because the information used to access or regain access to an account can be bought on the dark web for as little as $1.
Legitimate businesses are now being defrauded by hackers posing as honest customers, with total ATO losses reaching $5.1 billion in 2017, a 120% increase from the previous year. Unfortunately, this is why companies need to reconsider the password and other outdated methods for verification and authentication.
How to safeguard against ATO attacks
Luckily, the appetite to address this issue is there from both a consumer and a C-suite perspective, and the majority of CIOs, CISOs and security VPs (86%) would be happy to abandon password authentication if they could.
As already alluded to, the other traditional authentication methods, such as 2FA and KBA, have become compromised through the multitude of historic data breaches.
Therefore, one of the strongest methods now available to businesses is biometric authentication, building on the support it has already gained from a consumer perspective.
Luckily, two-thirds (67%) of consumers are already comfortable using biometric authentication today, while 87% say they’ll be comfortable with these technologies in the near future.
This trend has been accelerated by the broad adoption of, and familiarity with, facial recognition integrated within the most popular smartphones, such as Apple Face ID and Samsung’s facial recognition feature.
Preventing ATO begins the moment a new account is created. Organisations need to thoroughly vet users through robust identity proofing technologies.
One of the strongest ways to do this is to evolve towards biometric-based identity verification, which relies on establishing a reliable trust anchor, such as a government-issued ID (e.g. driver’s license) and a corroborating selfie.
Better biometric authentication solutions include certified liveness detection, which ensures the user is physically present and detects advanced spoofing attacks (i.e., the use of a picture or video to impersonate a legitimate user).
Once an account is open, face-based biometric solutions allow organisations to consistently ensure the user logging into the account is who they say they are. In addition, from a practical point of view, if a cybercriminal knows they have to send a picture of their face to a company they’re trying to defraud, they are likely to think twice.
In this era of zero trust, it’s not surprising that companies are starting to look to alternative authentication methods.
While conventional wisdom holds that consumers will value speed over all else, more and more consumers are placing a premium on security and prioritising it as a must-have feature for protecting their online accounts.
Businesses need to adopt an adaptive risk approach and introduce multi-layered security to minimise the risk of customers falling victim to ATO.
Philipp Pointner is Jumio’s Chief Product Officer.
Why The Selfie Is Leading The Fight Against Account Takeover Fraud