Account takeover is a fraud prevention problem for eCommerce merchants that isn’t going away. In 2018, account takeover fraud (ATO) cost merchants and online shoppers over $5 billion.
The success of these attacks also means they will become more frequent. Fraudsters favor tactics that work and scale them up when they succeed. ATO is already one of the biggest eCommerce fraud trends of 2019.
What Is Account Takeover Fraud?
Account takeover is a catchall phrase to describe many different tactics fraudsters use to profit from unauthorized access to an online account.
Here are the steps in an attack:
- Gain unauthorized access to an account. First, fraudsters look for a way into a user’s online account. The most common routes are credentials the customer has exposed (reused across sites, phished, or captured by malware) and vulnerabilities in the merchant’s own systems and network.
- Use the unauthorized account access to profit. Second, fraudsters use the access to make money or steal merchandise: placing orders shipped to a new address, diverting corporate cash flow, selling the account details on the dark web, or blackmailing the account holder.
- Try to gain access to more of the account holder’s accounts. This intermediate step relies on password reuse. Because people commonly use the same login across many sites, fraudsters take credentials from one successful takeover and try them on other services, usually with automated tooling (credential stuffing).
- Disappear without a trace. Finally, the account owner notices something is wrong, notifies their card issuer and changes their passwords. By then the damage is done, and the fraudster has moved on to the next victim.
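The third step above is what a credential stuffing campaign looks like from the targeted site’s side: a burst of failed logins across many different usernames from one source, with the occasional success where a reused password matched. The following Python, added here as an example and not taken from the article, runs that check over a constructed sample log. The log format, field names, time window and thresholds are assumptions; a single customer mistyping their own password fails repeatedly on one username, so the check keys on the number of distinct usernames rather than on raw failure volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data). The format is an
# assumption: one login attempt per line, ISO-8601 timestamp, then key=value pairs.
SAMPLE_LOG = """\
2019-05-04T10:00:01Z ip=203.0.113.7 user=alice result=fail
2019-05-04T10:00:02Z ip=203.0.113.7 user=bob result=fail
2019-05-04T10:00:02Z ip=203.0.113.7 user=carol result=fail
2019-05-04T10:00:03Z ip=203.0.113.7 user=dave result=fail
2019-05-04T10:00:04Z ip=203.0.113.7 user=erin result=success
2019-05-04T10:00:05Z ip=203.0.113.7 user=frank result=fail
2019-05-04T10:01:10Z ip=198.51.100.9 user=grace result=fail
2019-05-04T10:01:20Z ip=198.51.100.9 user=grace result=fail
2019-05-04T10:01:35Z ip=198.51.100.9 user=grace result=fail
2019-05-04T10:01:50Z ip=198.51.100.9 user=grace result=success
2019-05-04T10:05:00Z ip=192.0.2.44 user=heidi result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"],
                       "ok": m["result"] == "success"})
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=5, min_users=4):
    """Flag source IPs whose failed logins inside `window` spread across many usernames.

    Returns {ip: {"failures": n, "distinct_users": k, "successes": [users]}} where
    "successes" lists accounts that logged in from the flagged IP, i.e. the likely
    takeovers that should be reviewed or forced through a second factor.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(fails)):
            # Slide the window so it never spans more than `window` of time.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            users = {e["user"] for e in win}
            if len(win) >= min_failures and len(users) >= min_users:
                alerts[ip] = {
                    "failures": len(win),
                    "distinct_users": len(users),
                    "successes": sorted({e["user"] for e in evs if e["ok"]}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, 203.0.113.7 is flagged (five failures across five usernames inside a few seconds, with a success for erin that merits a forced password reset or step-up), while 198.51.100.9 is not, since its three failures all belong to grace. In production the same logic runs per source IP, per IP range and per device fingerprint, because stuffing tools rotate proxies to stay under per-IP thresholds.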
How to Stop Account Takeover Fraud
Merchants can use a number of strategies to protect themselves against these attacks. They trade a little convenience for a lot of security, and many of them can be applied quickly and easily. The payoff of avoiding the risks is well worth it.
- Good Password Hygiene
Businesses should require customers to create strong, unique passwords during account setup. Enforce a minimum length and screen new passwords against lists of known-breached passwords, which blocks the reused credentials that credential stuffing depends on. Forcing a mix of capitals, numbers and symbols is less useful than it looks: current NIST guidance (SP 800-63B) favors length and breached-password screening over composition rules, which mostly push users toward predictable substitutions.
- Use Two-factor Authentication
Two-factor authentication (2FA) requires customers to present an additional credential beyond their username and password, so a stolen password alone is not enough to take over the account. Prefer authenticator apps or hardware security keys over SMS codes, which can be intercepted through SIM swapping or phished in real time, and require the second factor on logins from new devices and before sensitive changes such as a new email address or shipping address.
- Don’t Set Up Frictionless Payments
The ability to buy with one or two clicks against a stored card is convenient for merchants, customers, and fraudsters. Requiring customers to re-enter their payment details, or at least the card security code, means a username and password alone cannot place an order. At a minimum, merchants should require card data to be re-entered for high-value purchases and for orders shipping to an address the account has never used.
- Pay Attention to Data Mismatches
Key data points such as an address verification service (AVS) mismatch, a card security code mismatch, a shipping address that differs from the billing address on file, or a login from a new device or location can indicate fraud. None is definitive on its own; honest customers move and travel. But several mismatches on a single order are cause for concern and should trigger manual review or a step-up check.
- Constantly Communicate with Account Holders
The faster an account holder learns there is a problem, the faster you can isolate it. Set up automatic notifications for activity on the account: a login from a new device or location, a changed password, email address or shipping address, and a confirmation email after every purchase. Send change notifications to the old contact address as well as the new one, or the fraudster who changed it is the only person notified.
- Don’t Send Money Without Confirming the Request Is Valid
Fraudsters often create authentic-looking messages and landing pages requesting a money transfer or card details. Don’t provide any bank card or personal details without first confirming who is behind the request, using a phone number or address you already have rather than one in the message.
- Don’t Open Emails from Unrecognized Senders
Fraudsters send phishing emails with links that lead to malware or to fake login pages. Contrary to popular belief, they don’t all land in the spam folder. If it’s unclear where an email comes from, don’t click its links or open its attachments.
- Don’t Use Free Public Wifi
Free wifi at restaurants, cafes, and airports seems like a convenience. But these networks are open: anyone nearby can observe or tamper with unencrypted traffic, and fraudsters can set up look-alike hotspots to capture logins. Sites that use HTTPS reduce the exposure, but not the risk from a fake hotspot or a spoofed login page. If you need to connect while away from home or the office, turn your phone into a hotspot.
- Don’t Reuse Passwords
Once one password leaks in a breach, fraudsters can reach every account where it was reused. This is common knowledge, and many solutions exist: use a password manager that generates a unique password per site, or keep a written list offline. There’s no longer any excuse not to.
What are the Risks?
Account takeover attacks can seriously harm individuals and businesses alike. Specifically, here is what can happen if you don’t take the time to follow the best practices listed above.
- Direct revenue loss: The most commonly understood risk. Products or services purchased through a taken-over account are fraudulent and usually result in a chargeback, with the merchant out both the goods and the payment. Most merchants are well aware of the need to know how to prevent eCommerce fraud.
- Payment Processing Issues: There is also a danger beyond individual chargebacks. Sophisticated fraud rings can undertake large account takeover attacks. If a ring is successful in targeting a single merchant multiple times, it can cause a large volume of chargebacks. If the volume drives the percentage of chargebacks to legitimate orders too high, a merchant can find themselves in the dreaded “high risk” pool. That can trigger increased processing fees, or even the complete loss of processing rights.
- Loss of Consumer Confidence: But revenue loss is only one part of the equation. The knock-on effect of attacks is that account holders associate the theft of their credentials with the merchant. This isn’t fair, but it’s the reality. Someone who associates a merchant’s site with the nightmare of account takeover is much less likely to do business there in the future.
- Brand Reputation Damage: What’s true for the individual is also true for the aggregate. Merchants with the dubious honor of association with a massive data breach or other attack risk losing market confidence. The bigger the breach, the bigger the damage to the brand’s reputation.
- Hacked Bank Accounts: Fraudsters that get control of bank accounts can use the access to make unauthorized purchases. Account holders can often recoup these losses, but only after expending time and effort to do so. Even worse, fraudsters can transfer funds into their own accounts. This process is extremely hard to undo. In many cases, it will be impossible and the funds are lost forever.
- Identity Theft: Account takeover is already a form of identity theft. But fraudsters who gain access to an email or payments account have what they need to impersonate someone more broadly, including fraud against their Social Security number such as opening new credit cards. These attacks can cause extreme, long-term damage to credit scores.
Account Takeover: Vigilance Is Key
There is no magic bullet for this problem. The best thing for both merchants and account holders to do is to remain diligent about security. Fraudsters know this method works, and they will only increase their volume of attacks. You can, however, read up on how to detect account takeover fraud and stay up to date on the latest trends.
In addition to following best practices, you can also get outside help. Many of the top eCommerce fraud solutions offer tools to stop account takeovers. Nothing is foolproof. But in a game with such high stakes, it’s always best to take advantage of everything available.