This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.
If we have learned anything from the evolution of fraud, it is that fraudsters adapt. As soon as one point of attack is shut down, they find another way in.
We have seen this with the migration of “traditional” credit card fraud to card-not-present fraud, because the introduction of EMV made it harder for fraudsters to counterfeit physical cards. And now we are seeing criminals move from leveraging credit cards to leveraging stolen credentials and personal data to commit account takeover (ATO).
Why fraudsters flock to ATO
ATO – when a bad actor gets access to a good user’s account – can be more profitable than credit card fraud. For one thing, many businesses do not have a robust solution in place for stopping ATO, so the window of time for exploiting the information before detection is typically longer. Furthermore, a credit card can only be used until it’s cancelled. But even once an ATO is discovered, the fraudster still has access to the credentials or personal information, which can be used to create a new fake account or a synthetic identity.
ATO also provides fraudsters with the advantage of built-in trust. New accounts are more likely to be flagged for fraud or given more scrutiny. If the account already exists and is connected to a trusted user, you may give them more leeway and the fraudster has more time to operate before they are discovered.
Data breaches: Equifax and beyond
One major reason ATO is on the rise is the prevalence of large-scale data breaches, which provide a trove of personal information that can be mined for years to come. The Equifax breach – which exposed the sensitive information of nearly 700,000 Britons and 145 million Americans – was only the latest to affect consumers and businesses around the world. From Tesco Bank and O2 to Yahoo and eBay, breaches are increasingly becoming a global regularity.
The bottom line is that financial institutions and merchants across the world are going to be dealing with the effects of these large-scale breaches for years to come. It is easier than ever before for criminals to take over and exploit good users’ accounts, as well as create synthetic identities using disparate pieces of information.
Measuring the impact of ATO
In terms of customer trust lost and brand damage, ATO can be a nightmare for companies. Collectively, victims spent 20.7 million hours resolving ATOs in 2016, according to data from Javelin Strategy & Research. While ATO may be harder to quantify than payment fraud, it can still be measured. You can start by collecting active inputs, every complaint and ATO reported to the Customer Support team. Then, you can try to gauge the number of unreported cases by analysing all of the users who have deactivated their accounts and trying to determine which ones were ATO victims.
After you gather these two sets of information, you can compare the long-term value of an affected user to that of a normal user (see graph below).
How companies can prevent ATO
To effectively protect your users from ATO, you must look at a range of relevant data points. Many signs of ATO are contained in subtle behavioural patterns across all of a user’s activity. An effective solution can synthesise a range of activity and detect anomalies.
Some of the signals that may indicate ATO include login attempts from different devices, switching to older browsers and operating systems, changing settings and passwords, multiple failed login attempts, and suspicious device configurations – like proxy or VPN setups.
However, it’s important to remember that each of these signs may be normal behaviour for a particular user. It’s only when you apply behavioural analysis on a large scale, looking at all of a user’s activity and the activity of users across the network, that you can get an accurate picture of whether a login is legitimate.
In this world of ongoing data breaches, sophisticated phishing attacks, and personal data changing hands on the dark web, all financial institutions and ecommerce companies must come to terms with their risk of ATO. With the proper tools and guidance, you can not only protect your business, but also build long-term brand loyalty.
About Kevin Lee
Kevin Lee is the Trust & Safety Architect at Sift Science. Prior to that, he led trust and safety, risk, chargeback, and spam teams at Facebook, Square, and Google.
About Sift Science
Thousands of global businesses depend on the Sift Science Digital Trust Platform to determine in real time which users they can trust. Sift Science’s Live Machine Learning, global trust network, and automation technologies fuel growth while protecting businesses and their customers from all vectors of fraud and abuse.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now