July 3, 2018
Account takeover (ATO) is a form of fraud where fraudsters gain access to an established user’s digital account. By posing as the real customer, bad actors can change account details, make purchases, withdraw funds, and leverage stolen information to access and create other accounts. Fraudsters use a number of techniques to identify the weakest link in the chain, and the takeover begins.
State of the Market
It is reported that over 9.7 billion data records have been lost or stolen since 2013 and only 4 percent were “secure breaches,” meaning encryption was used and the stolen data was essentially useless. Compare that with the world population of 7.6 billion and we have an ongoing battle of criminals accessing a steady stream of stolen credentials. It is estimated that over 65 percent of people re-use usernames and passwords, so once credentials are breached, they often provide the key to many different accounts. The 2018 Identity Fraud Study produced by Javelin Strategy & Research reported that identity fraud rose to $16.8 billion in losses and found 1.3 million more victims in 2017 compared to 2016. Highlights of the report include:
- ATO losses reached $5.1 billion, a 120 percent increase from 2016.
- Account takeover victims pay an average of $290 in out-of-pocket costs and spend 16 hours on average to resolve.
- In 2017, more than 62.2 million hours of consumer time was lost to resolve their hacked accounts.
Types of Attacks
Criminal strategies used to take over accounts continue to evolve as merchants find ways to fight them. Some of the more prevalent types of attacks are:
- Brute force attacks: A trial-and-error method used to obtain information such as a username, password or personal identification number (PIN). Automated software is used to generate many consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security.
- Credential stuffing: This strategy is a subset of the brute force attack category where a large number of breached username and password credentials are automatically injected into websites until they are potentially matched to an existing account.
- Bot attacks: This attack can occur from malware that has been placed on compromised boxes and routers across the web. It will test credentials using different IP addresses to find hits and can act slowly across multiple days attempting a few logins at a time, in hopes of not getting caught.
- Social engineering: This tactic preys on human psychology. Using a variety of media, including phone calls and social media, fraudsters trick people into offering them access to sensitive information. Social engineering incorporates a variety of techniques including: phishing, pretexting, baiting, quid pro quo and tailgating.
Implications of Account Takeover
ATO fraud can be compounded based on the industry and products or services sold. There are numerous negative outcomes if criminals gain fraudulent access to an account. The main areas where fraudsters take advantage include:
- Using saved payment information to purchase goods or services
- Updating the payout method to steal funds
- Making purchases using loyalty points or transferring them to a new account
- Re-selling the account at a premium based on the value or “verification”
- Compromising additional accounts from other merchants using the same credentials
- Posting spammy or negative comments on forums
- Taking over a high rated account to sell items that don’t exist
Consumers often blame the merchant when their account is taken over. If the incident is not resolved promptly and appropriately, the result can be detrimental to a merchant’s reputation and can negatively affect the lifetime value of that consumer.
Strategies and Technologies to Prevent Account Takeover
Several solutions are available today to help deter ATO. Organizations that understand how this specialized fraud works are in a better position to deploy a multi-faceted fraud prevention strategy that helps stop all types of fraud, including ATO. Used in combination with other fraud prevention technologies, organizations can leverage the following strategies and technologies to verify a user, while protecting their consumers.
- Device identification and other fraud screening data points can be valuable for identifying when someone may be trying to spoof their information. Device fingerprinting that goes layers deep is critical because fraudsters will often change just one or two of their settings when committing fraud.
- Behavioral biometrics is a technology that monitors how a user naturally interacts with their device through keystroke dynamics, touch, mouse motions, and more. It can be used with very little friction for the consumer.
- Velocities can be an indicator of fraud. Counting how many logins or login attempts are associated with a given device, IP address, or user account over a period of time provides unique insight for identifying ATO.
- Additional verification such as 2-factor authentication, captcha, or another unique identifier can stop fraudsters who get past the entry point. To reduce friction for the consumer, merchants can apply this step only to unknown devices or when other anomalies are reported.
- Collaboration across departments is key to finding anomalies or trends within account logins to build a better infrastructure for stopping ATO. One metric that can be an indicator of fraudsters trying to gain access is the percentage of repeat account logins.
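The two checks below, velocity counting per source IP (which also surfaces the credential-stuffing and bot patterns described under Types of Attacks) and step-up verification only for a user's unknown devices, as an added example that is not code from the original post or from Kount; the login events, thresholds and field layout are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data): ISO time, username, source IP, device id, outcome.
SAMPLE_EVENTS = [
    ("2018-07-03T10:00:01", "alice", "203.0.113.5", "dev-A1", "fail"),
    ("2018-07-03T10:00:02", "bob", "203.0.113.5", "dev-A1", "fail"),
    ("2018-07-03T10:00:03", "carol", "203.0.113.5", "dev-A1", "fail"),
    ("2018-07-03T10:00:04", "dave", "203.0.113.5", "dev-A1", "success"),
    ("2018-07-03T10:00:05", "erin", "203.0.113.5", "dev-A1", "fail"),
    ("2018-07-03T10:00:06", "frank", "203.0.113.5", "dev-A1", "fail"),
    ("2018-07-03T10:05:00", "alice", "198.51.100.7", "dev-B2", "success"),
    ("2018-07-03T11:00:00", "alice", "198.51.100.7", "dev-B2", "success"),
]

def velocity_flags(events, window=timedelta(minutes=10), max_attempts=5, min_distinct_users=4):
    """Per source IP, slide a time window over login attempts and flag the IP when the
    window holds too many attempts or too many distinct usernames. Many different
    usernames from one IP within seconds, mostly failing, is the credential-stuffing
    shape; a slow bot stays under the thresholds, which is why the window is tunable."""
    by_ip = defaultdict(list)
    for ts, user, ip, _device, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    flags = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # drop attempts older than the window
                start += 1
            cur = rows[start:end + 1]
            users = {u for _, u, _ in cur}
            if len(cur) > max_attempts or len(users) >= min_distinct_users:
                flags[ip] = {"attempts": len(cur), "distinct_users": len(users),
                             "failures": sum(o == "fail" for _, _, o in cur)}
    return flags

def step_up_candidates(events):
    """Return (user, device) pairs for successful logins from a device that user has not
    used successfully before: the 'unknown device' case where extra verification such as
    2-factor authentication is worth the friction. Known devices pass through silently."""
    seen = defaultdict(set)
    out = []
    for _ts, user, _ip, device, outcome in sorted(events):  # ISO timestamps sort chronologically
        if outcome != "success":
            continue
        if device not in seen[user]:
            out.append((user, device))
        seen[user].add(device)
    return out
```

In production the device id would come from the multi-layer fingerprint discussed above rather than a client-supplied string, and the flagged IPs would feed the cross-department review the next bullet describes.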
Account takeover fraud is growing at an alarming clip – which should give pause to both consumers and businesses. Wherever there are profits to be made, fraudsters are looking to exploit the weakest entry points to capitalize on the greatest return on investment with the lowest probability of getting caught.
Kount hosted a webinar on this topic featuring CD Baby, an independent music distributor based in the U.S., and Tradera, Sweden’s largest online marketplace. These merchants have very different use cases related to their challenges with ATO. Watch the sessions now to learn the latest strategies to detect and stop account takeover.