By Mairtin O’Riada, CIO and co-founder, Ravelin
Account takeover (ATO) attacks have long been a threat to merchants, but the rapid digital acceleration we’ve seen because of the pandemic has created perfect conditions for ATO to thrive.
Now, 36% of merchants rank account takeover as the number-one threat they are facing.
Why? Existing fraudsters were given more time to focus on attacks, financial hardship drove new people to turn to fraud, and the number of potential victims boomed — with people across the globe being forced online to work, shop and be entertained.
What is “account takeover”?
ATO occurs when a fraudster infiltrates a genuine customer’s account. Fraudsters like this tactic as it can be harder to detect than traditional online payment fraud. By accessing an account through existing credentials, rather than creating a fresh account and using stolen card details, businesses are duped into thinking any activity is that of a legitimate customer.
It’s not only ecommerce businesses that face this threat. Any online account can fall into the hands of fraudsters, including subscription services, banks and emails. And once access is gained, there are several routes a fraudster can take to monetise the account. For example, using saved card details to make orders, redeeming loyalty points, or extracting customer data to sell online.
Fraudsters are having a lot of success in obtaining accounts through phishing. Over the past 12 months, there’s been a spike in sophisticated phishing attacks, with research finding that email is the most popular method of tricking customers into giving away their login credentials.
Another method commonly used to infiltrate customer accounts is credential stuffing. Here, fraudsters use software to try leaked credentials that they’ve bought or obtained through data dumps on several popular websites — all in the hope that a victim has used the same username and password across different sites. And all too often, this is the case.
Which accounts have been impacted most?
Account takeovers are on the rise across all industries. Our research shows that over the past year half of merchants experienced a rise in account takeovers — suffering on average one high-impact attack per week.
Of course, in the hands of a professional fraudster any customer account can be valuable, but some businesses have found themselves targeted more than others during the pandemic.
So, what makes an account a hot target?
Naturally, goods in high demand are easier for attackers to sell, so this is a huge consideration for fraudsters. They’re looking to make money fast, so the ability to make instant purchases on an account is a big win. Also, digital goods appeal to attackers, because of the extra effort involved in selling physical goods.
With this in mind, it's no wonder the gaming industry in particular has fallen victim to an increasing number of account takeovers. The online gaming industry skyrocketed during various lockdowns, as people resorted to indoor entertainment. Not only did popularity spike, but the existence of in-game currency made gaming accounts even more lucrative targets, with people spending far more money in game than before.
Ravelin also found that online grocery accounts became very desirable to fraudsters throughout the pandemic. These retailers saw more attacks than any other, experiencing over five per month. The massive increase in online traffic, combined with depleted staff due to compulsory isolation, meant fraud teams quickly became overstretched. This increased the likelihood of fraudulent activity flying under the radar.
What’s more, loyalty points that are stored on many grocery accounts are an enticing bonus for attackers. Tesco found itself combatting mass ATO attempts in May last year against Clubcard holders, affecting 600,000 customers.
And it's not only booming industries being targeted. Accounts in the travel industry became prime targets for fraudsters, despite the industry feeling some of the worst effects of Covid. Air miles and loyalty points are a jackpot for ATO attackers, as they're easily accessible and extremely rewarding. Because people couldn't travel, victims weren't checking their accounts, and if the victim doesn't notice, it is far more difficult for fraud teams to mitigate the issue.
How businesses can combat ATO
To successfully combat ATO, my advice is to rely on a combination of human input and automation. As a starting point, organisations should be adding an extra layer of security to customer accounts by way of two-factor authentication.
Businesses also need to monitor customer logins and new devices, which sounds obvious, but we've seen many companies simply fail to do this. Attackers often use basic scripting tools that spam a login endpoint with credentials, hoping for a combination that works. But if you're monitoring logins, and you've set specific rate limits for logins based on the device, username and IP address, taking into account your business-specific operational requirements and customer behaviour, you can prevent the most obvious attacks. You can also automatically check, via an API, whether a customer's newly chosen password appears in known sets of compromised credentials, which helps you avoid the most egregious user errors.
But if a fraudster has successfully cracked a password and gained entry, look out for the signs of suspicious subsequent activity. You may see a sudden upsurge in logins compared to normal, which is a red flag that an attack is taking place, and you may also see odd changes to account details, for example a change of phone number. If your logins require a one-time text message code, a sudden change of phone number is a red flag as it could be a sign that the fraudster is looking to direct those text messages to their own mobile devices.
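The login monitoring described in the two paragraphs above can be reduced to a few concrete checks: sliding-window rate limits on login attempts per IP, device and username; a comparison of login volume against a normal baseline; and a flag when a phone number changes shortly after a successful login from a device the account has never used before. The following Python script is an added example and is not Ravelin's code or product logic; the event fields, thresholds and sample events are constructed for illustration, and in practice the limits would be tuned to the business as the text advises.

```python
"""Login monitoring for ATO defence: per-dimension rate limits on login
attempts, a login-volume surge check, and a post-login signal (phone number
changed shortly after a login from a previously unseen device).

Added example: field names, thresholds and sample events are constructed
for illustration and are not taken from any real system."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login attempts: (timestamp, username, ip, device_id, success).
# Six attempts from one IP/device in ten seconds, mostly failing, is the
# shape of a credential-stuffing run.
LOGINS = [
    ("2021-05-01T10:00:00", "alice", "203.0.113.5", "dev-A", True),
    ("2021-05-01T10:00:05", "bob", "198.51.100.7", "dev-X", False),
    ("2021-05-01T10:00:06", "carol", "198.51.100.7", "dev-X", False),
    ("2021-05-01T10:00:07", "dave", "198.51.100.7", "dev-X", False),
    ("2021-05-01T10:00:08", "erin", "198.51.100.7", "dev-X", False),
    ("2021-05-01T10:00:09", "frank", "198.51.100.7", "dev-X", False),
    ("2021-05-01T10:00:10", "grace", "198.51.100.7", "dev-X", True),
    ("2021-05-01T10:30:00", "alice", "192.0.2.44", "dev-B", True),
]

# Constructed account-change events: (timestamp, username, changed_field).
ACCOUNT_CHANGES = [
    ("2021-05-01T10:31:00", "alice", "phone_number"),
    ("2021-05-01T12:00:00", "grace", "email"),
]

# Assumed per-dimension limits on attempts within the sliding window.
LIMITS = {"ip": 5, "device": 5, "username": 3}
WINDOW = timedelta(minutes=1)


def _ts(s):
    return datetime.fromisoformat(s)


def rate_limit_violations(logins, limits=LIMITS, window=WINDOW):
    """Return the set of (dimension, key) pairs that exceeded their attempt
    limit within a sliding window. All attempts count, successful or not,
    because stuffing runs mix a few hits into many failures."""
    recent = defaultdict(deque)  # (dim, key) -> timestamps inside the window
    violations = set()
    for ts, user, ip, device, _ok in sorted(logins):
        t = _ts(ts)
        for dim, key in (("ip", ip), ("device", device), ("username", user)):
            q = recent[(dim, key)]
            q.append(t)
            while q and t - q[0] > window:  # drop attempts that left the window
                q.popleft()
            if len(q) > limits[dim]:
                violations.add((dim, key))
    return violations


def login_surge(logins, baseline_per_hour, threshold=3.0):
    """Compare the busiest hour in the sample against the normal hourly login
    volume. Returns (is_surge, peak_logins_per_hour)."""
    per_hour = defaultdict(int)
    for ts, *_ in logins:
        per_hour[_ts(ts).replace(minute=0, second=0, microsecond=0)] += 1
    peak = max(per_hour.values(), default=0)
    return peak / baseline_per_hour >= threshold, peak


def suspicious_phone_changes(logins, changes, grace=timedelta(minutes=10)):
    """Flag users whose phone number changed within `grace` of a successful
    login from a device that account had never used before. Where one-time
    codes go out by SMS, this is the pattern of codes being redirected."""
    seen_devices = defaultdict(set)
    new_device_logins = []  # (time, user) for logins from an unseen device
    for ts, user, _ip, device, ok in sorted(logins):
        if not ok:
            continue
        # The account's very first device is treated as its baseline, not as new.
        if seen_devices[user] and device not in seen_devices[user]:
            new_device_logins.append((_ts(ts), user))
        seen_devices[user].add(device)
    flagged = set()
    for ts, user, field in changes:
        if field != "phone_number":
            continue
        t = _ts(ts)
        for login_time, login_user in new_device_logins:
            if login_user == user and timedelta(0) <= t - login_time <= grace:
                flagged.add(user)
    return flagged


if __name__ == "__main__":
    print("rate limit violations:", rate_limit_violations(LOGINS))
    print("login surge:", login_surge(LOGINS, baseline_per_hour=2))
    print("phone change after new device:", suspicious_phone_changes(LOGINS, ACCOUNT_CHANGES))
```

On the constructed data, the IP and device behind the stuffing run trip their limits while no single username does, which is why the text recommends limiting on all three dimensions rather than on username alone; and alice's phone number change one minute after a first-ever login from dev-B is flagged, whereas grace's unrelated email change is not.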
Machine learning can act as your eyes and ears across all your accounts here. But bear in mind that fraudsters may display behaviour that is definitely fraudulent for your business, but perhaps not for others. For example, an unusually large order may be a strong indicator of fraud for your business if most of your customers tend to spend roughly the same with each order. That means, if you do use machine learning, you must tailor it to make sure it picks up the right indicators of fraud for your business. Otherwise, you'll either miss fraud cases (because the machine learning isn't looking for the right signals), or you'll end up with high false positive rates. Both scenarios cost you money: either you're missing fraud cases or you're making the payment experience difficult for genuine customers, who may go elsewhere to make their purchase.
ATO isn’t going anywhere
Given the pandemic has given ATO the chance to thrive, there’s never been a more important time to deal with the issue. The sooner you begin to fight back with technology, the sooner your machine learning can improve, and the stronger you’ll be at keeping the bad guys out and keeping your customers safe.
That can sound like a daunting task. And while you can’t outsource your fraud responsibility, you can work with a technology partner to reduce both the losses to ATO itself and the cost of defending against it.