March 24, 2020
Fraud prevention has broadened from simply preventing chargebacks, and today includes protecting brand reputation, securing data, retaining customers, and preventing account takeover. Account takeover (ATO) fraud has emerged as an issue of major concern for online businesses and digital commerce. Part of the reason for the rise in this type of non-financial credential fraud is the demand for stolen email addresses, passwords, and other personal details, sold and distributed on the dark web. Mass data breaches and phishing attacks have exposed billions of usernames and passwords. The problem is compounded by consumers who reuse the same credentials across multiple sites and don’t change them often enough.
Stolen personal data has risky implications for all of us. When a threat agent discovers the right combination of username and password, they can access and exploit genuine customer accounts.
Why Is It Important to Protect Against Account Takeovers?
Beyond exposing a victim’s personally identifiable information (PII), a criminal can use unauthorized account access to inflict a host of related harms.
After taking over an account, a criminal can:
- Change the password and lock the real user out
- Drain an account of monetary funds or loyalty points
- Steal PII
- Buy goods, services, and gift cards
- Use the access to create other accounts
- Trade value between multiple accounts
- Illegally stream digital content
ATO can damage an individual’s reputation, impact their credit, and cause losses that ripple beyond a single account. An even more sobering fact: 81% of consumers use the same credentials across multiple online accounts.[1] This means that the same credentials can be used to access multiple accounts, causing more damage to the consumer and the merchant.
Loyalty accounts are often the target of ATO because of the stored value they contain. Loyalty programs are a great way to build repeat business because, naturally, consumers like to earn “rewards” – such as a plane ticket or gift card – from their daily spending habits. Loyalty accounts are a top account takeover target because consumers typically use less secure credentials and don’t log in often enough to notice promptly when an account has been compromised. Yet even the loss of “free” rewards can have a devastating impact on brand loyalty.
How Does Account Takeover Occur?
An ATO attack can be launched with the right combination of just a few data elements, such as a password, account number, username, email address, or social security number. Once an attacker acquires credentials from a website breach or password dump site, they use automated tools to test those credentials across different sites. Phishing operations and botnets then treat this information as a key and use it to unlock further accounts.
What Are the Impacts From Account Takeover?
From 2016 to 2017, losses from ATO rose 122% and reached $9B in 2019.[2] Those are significant numbers that can result in brand and financial impacts for digital businesses.
The following data from Consumer Affairs and Javelin indicates how fraud has expanded to include ATO.
The impact of ATO fraud on businesses goes well beyond financial loss, since poor customer experiences and fraud incidents can lead to long-term brand reputation damage. But heavy friction inconveniences good customers, so companies must battle these fraud problems without inserting too much of it into the experience of their legitimate users.
How Identity Trust Can Balance Friction With Great User Experiences
Digital innovation continues to scale and customers expect low friction as they shop. However, businesses are responsible for securing a consumer’s digital journey through their websites. To balance consumer expectations with risk, businesses should take a diverse and multifaceted approach to fraud prevention that spans the entire customer journey from login, to account creation, to account change. A single fraud exposure event can shift a consumer’s positive perception of a brand and leave the brand damaged. That’s why it’s essential to protect customer accounts with the same diligence given to monetary transactions.
Adequately protecting the customer journey doesn’t stop at password protection, and now extends to a diverse set of strategies. To help businesses balance security and customer experience at every step of the journey, Kount provides businesses with the flexibility to adapt the amount of friction given to certain users. Kount does this by establishing “Identity Trust,” or the level of trust for each identity behind every payment, account creation, and login event.
Effective ATO Protection Requires a Multi-layered Approach
In order to prevent account takeover fraud, businesses should look at three key layers: protection, policy and customization, and reporting and data presentation.
Layer One: Protection
At the protection layer, solutions should evaluate user behavior, device, and network anomalies. A linked analysis can detect high-risk, irregular login activity such as bots, credential stuffing, and brute force attacks. This helps determine in real time whether a login should be allowed, declined, or challenged with step-up authentication.
Layer Two: Policy and Customization
In the policy and customization layer, businesses should be able to customize user experiences and reduce friction by identifying and segmenting users based on common characteristics, such as VIP users or trial users. A rich set of data is essential for delivering adaptive friction with precision. This dataset includes user type, device specifics, IP risk, geolocation, custom data, and more.
Some users are higher risk, some users are no-risk, and some users might require a personalized experience. Creating policies based on robust data from Kount’s Identity Trust Global Network allows businesses to decide what type of experience to deliver to their customer, from low friction to step-up authentication.
Layer Three: Reporting and Data
The reporting and data layer should provide login trend data that includes device and IP information, both of which are often not available to fraud teams. Having the ability to quickly identify and report on failed login attempts, risky IPs, compromised accounts, and inbound anomalies not only allows businesses to stop account takeover attempts, it uncovers trends that enrich their own data and inform future policies.
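As an added illustration of the three layers above (example code, not Kount's product or method), the following toy Python evaluates constructed login events with sliding-window signals: many distinct accounts tried from one IP (credential stuffing), repeated failures against one account (brute force), and a known account arriving on an unfamiliar device; each attempt gets an allow, challenge or decline verdict, and the risky IPs and likely-compromised accounts are collected for the reporting layer. The event format, the 60-second window and the thresholds of three are assumptions chosen for the example.

```python
from collections import defaultdict, deque

EVENTS = [  # constructed (ts_sec, account, src_ip, device, creds_matched) login events; not real data
    (0, "alice", "203.0.113.5", "dev-a1", True),
    (5, "bob", "198.51.100.7", "dev-x9", False),
    (6, "carol", "198.51.100.7", "dev-x9", False),
    (7, "dave", "198.51.100.7", "dev-x9", False),
    (8, "erin", "198.51.100.7", "dev-x9", True),   # the one hit in a credential-stuffing spray
    (20, "alice", "203.0.113.9", "dev-new", True),  # known account, unfamiliar device
    (30, "gina", "192.0.2.44", "dev-g3", False),
    (31, "gina", "192.0.2.44", "dev-g3", False),
    (32, "gina", "192.0.2.44", "dev-g3", False),
    (33, "gina", "192.0.2.44", "dev-g3", True),     # guess lands after repeated failures
]
WINDOW = 60            # seconds of history considered (assumed threshold)
STUFFING_ACCOUNTS = 3  # distinct accounts tried from one IP within WINDOW (assumed)
BRUTE_FAILURES = 3     # failed attempts against one account within WINDOW (assumed)

def _prune(dq, ts, window):
    while dq and dq[0][0] < ts - window:  # entries are (ts, ...) tuples, oldest first
        dq.popleft()

def evaluate(events, window=WINDOW):
    """Return (decisions, report): an allow/challenge/decline verdict per event, plus the
    risky IPs and likely-compromised accounts the reporting layer would surface."""
    ip_hist = defaultdict(deque)    # ip -> (ts, account) attempts seen in the window
    acct_fail = defaultdict(deque)  # account -> (ts, ip) failures seen in the window
    known_dev = defaultdict(set)    # account -> devices seen on allowed successful logins
    decisions, risky_ips, compromised = [], set(), set()
    for ts, acct, ip, dev, matched in events:
        _prune(ip_hist[ip], ts, window)
        _prune(acct_fail[acct], ts, window)
        ip_hist[ip].append((ts, acct))
        if not matched:
            acct_fail[acct].append((ts, ip))
        spraying = len({a for _, a in ip_hist[ip]}) >= STUFFING_ACCOUNTS  # credential stuffing
        hammering = len(acct_fail[acct]) >= BRUTE_FAILURES                  # brute force
        if spraying:
            decision = "decline"  # block the source regardless of the password outcome
            risky_ips.add(ip)
        elif hammering or (matched and known_dev[acct] and dev not in known_dev[acct]):
            decision = "challenge"  # step-up authentication that the legitimate owner can pass
        else:
            decision = "allow"
            if matched:
                known_dev[acct].add(dev)  # the low-friction path also learns the trusted device
        if matched and (spraying or hammering):
            compromised.add(acct)  # valid credentials surfaced during an attack
        decisions.append(decision)
    return decisions, {"risky_ips": sorted(risky_ips), "compromised_accounts": sorted(compromised)}
```

Running `evaluate(EVENTS)` declines the spraying IP from its third distinct account onward, challenges alice's new device and gina's hammered account, and reports erin and gina as accounts whose valid credentials were seen mid-attack.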
How Can Kount Control Account Takeover Protection Help?
Kount Control Account Takeover Protection is the only ATO solution built on the Identity Trust Global Network, linking risk and trust signals from location data, digital identifier data, and unique customer data to enable accurate account protection in real time. It is the industry’s first solution to provide an adaptive and customizable way to protect and enhance the entire customer journey. For the first time, companies have access to a unified and customizable solution to combat malicious logins and bots, credential stuffing, and brute force attacks while also enabling personalized customer experiences through an adaptive friction model.
[1] Experian, 2019 Global Identity and Fraud Report.
[3] Javelin Strategy & Research, 2019 Identity Fraud Study: Fraudsters Seek New Targets and Victims Bear the Brunt, March 2019.