Battling Identity Theft in Subscription Based Services: A Personal War Story

18 Apr 2024

Monthly subscriptions have become the new norm for accessing online services for individuals and corporations. With the popularity of subscription-based services, online fraudsters have developed different ways of exploiting compromised credentials for financial gain. This article details my personal experiences dealing with Identity Theft and proposes a strategy for dealing with them at large.

The most popular form of Identity Theft in an online setting is called Account Takeover fraud. In this format of fraud, a fraudster gains access to a user’s online account through social engineering and makes purchases using the previously saved payment method information. In subscription-based services, these purchases are normally additional licenses to the software.

The fraudster then sells it at a cheaper rate to buyers on the dark web. When the owner of the account finds out about this fraud, they normally report it to the company that offers the service, and the company makes a refund to the user in an effort to retain them. This results in financial and reputation loss to the service offering company, and the user loses trust in the security of the service.

Furthermore, auditing authorities such as payment gateways threaten to de-list the company as a merchant due to a lack of effective security measures.

Personal Account

As the Identity Security Architect facing this situation, I had to deal with multiple challenges. First and foremost was to implement measures to detect and prevent fraud. The Second was to do this without worsening the user experience resulting from stricter security measures.

Detecting Online Fraud

My approach to dealing with these problems began with identifying patterns of fraud. Common patterns that emerged in this analysis were,

  • Suspicious Login Activity: Where the user logs in from an IP address that does not map to the physical address of the account owner or from a device that they do not normally log in from.

  • Suspicious Purchase Activity: Where the user or a small business makes a large purchase for an unjustified number of licenses. For example, an online Yoga teacher makes a purchase of 100 licenses for a video conferencing tool when they normally need just one. Or a user makes multiple purchases of a small number of licenses in succession.

Preventing Fraud Through Novel and Adaptive Fraud Prevention Techniques

Strict measures to prevent fraud often lead to a poor user experience for legitimate users. In order to avoid this, I employed adaptive fraud prevention techniques.

  • When a user logs in from a new IP address or device, they are challenged with a second-factor authentication by sending them a verification code via text. Upon successful verification, the new IP address or Device ID was added to the list of trusted traffic sources.

  • When the users make an irregular purchase either for large quantities or repeated purchases, they are challenged to re-enter the CVV from the back of their saved cards.

Once these challenges were presented to the users, until they passed the challenge, they were disallowed from making changes to their accounts. Furthermore, the IP addresses and devices that could not pass the challenge are cataloged as high-risk traffic sources, and future activity from these devices is presented with stricter security challenges.

These measures largely reduced fraud and prevented legitimate users from being inconvenienced by the stricter safety measures.

Addressing the Global Problem of Identity Theft

Imagine if, when a stranger attempted to open the door of your parked car, you could instantly alert your entire neighborhood through a community platform, ensuring everyone took precautions to prevent theft. This common practice in physical communities is lacking in the online world, where account takeover and identity theft are rampant.

While the measures mentioned in the previous section successfully prevent fraudulent activity in most cases for a given online application, they fail to prevent online fraud from occurring across different applications due to the reuse of login credentials, a very common practice.

A server-side solution presents an opportunity to mitigate this risk and prevent account takeovers across multiple platforms. By establishing a centralized index of compromised credentials (CICC), software applications can proactively protect their users. When a login attempt is made, participating applications can cross-reference the credentials with the CICC to verify their integrity.

If compromised credentials are detected, the application can prompt the user to undergo additional authentication measures, such as two-factor authentication, to thwart unauthorized access. The account owners are notified of the fraud attempt and asked to change the password to a stronger password across applications.

Account Takeover Prevention through shared compromised credentials index

In conclusion, a shared protocol similar to the one presented above is urgently required to prevent identity theft in the online world. Detection and prevention within closed ecosystems fail to solve the problem at a global scale. An open approach to dealing with the problem seems to be a viable future alternative.