Account Takeover

Exploring One of the Fastest-Growing Online Fraud Threats

Account takeover fraud, or ATF, is exactly what it sounds like: a fraudulent action involving the unauthorized use of a legitimate customer account, usually by phone or internet.

In this situation, the word “takeover” doesn’t mean removing the account owner from the picture; in fact, quite the opposite. Having that legitimate customer in place is what makes the scam work.

How Customers Lose Control

Credit cards are the most lucrative—and therefore the most prevalent—targets of account takeover.

This occurs when fraudsters obtain enough of a consumer’s information to either sign in or reset the account, then purchase goods or services without the victim’s knowledge or consent. Because the purchases seem to be coming from a trusted client, the fraudster can get in and out quickly, then disappear. Transactions are typically not noticed right away by either the merchant or the consumer.

That spells trouble for consumers and merchants alike. Earlier this year, NBC News reported that the estimated loss from ATF cases rose more than 60% in 2016, to a staggering $2.3 billion.

Customer Data is Easier to Get than It Should Be

In a perfect world, customer log-in data would be difficult to obtain, but there are multiple ways for fraudsters to acquire the information. These include:

  • Security Breach
  • Malware
  • Phishing
  • Weak/Overused Passwords

What’s worse, the results tend to snowball: taking over one account can help perpetrators gain access to more of the customer’s information. In turn, that makes it easier to commandeer other accounts the victim may have.

Why the Customer’s Account is the Merchant’s Headache

Almost all issuers offer consumers some sort of limited liability coverage against credit- or debit-card fraud, but those rules may not apply in the case of ATF. Online orders are considered card-not-present transactions, putting more responsibility on the merchant.

If a credit card transaction is revealed to be fraudulent and the consumer is the victim of an account takeover, the issuing bank will collect from the merchant on the cardholder’s behalf. In other words, the merchant may have little or nothing to do with the transaction, but the prevailing argument is that there was a lack of security in place, so the merchant is at fault.

For merchants, the obvious answer to this dilemma seems to be increased security, but that can create other issues. Shoppers go online for speed and convenience; requiring more steps in the checkout process slows things down. Tightening parameters to flag even slightly suspicious transactions leads to frustrated customers and increased risk of cart abandonment.

Merchants must carefully weigh potential fraud losses against the loss of actual customers annoyed by increased security measures.

Protecting Your Business from ATF

While there is no guaranteed, one-size-fits-all solution, there are things merchants can do to mitigate the risk of ATF. Start by looking at fraud cases with an eye toward identifying a pattern—names, delivery locations, or the same item (usually a high-ticket item) being purchased over and over.
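One way to run the pattern review described above, as an added example that is not from the original article: it groups confirmed-fraud orders by name, delivery location and item, and reports values shared across several accounts. The records, field names and the `min_accounts` threshold are constructed assumptions.

```python
from collections import defaultdict

FIELDS = ("name", "ship_to", "item")

# Constructed sample of confirmed-fraud orders (not real data).
FRAUD_CASES = [
    {"order": "A100", "account": "u17", "name": "J. Smith",
     "ship_to": "12 Dock Rd, Unit 4", "item": "Laptop X"},
    {"order": "A101", "account": "u42", "name": "John Smyth",
     "ship_to": "12 Dock Rd Unit 4", "item": "Laptop X"},
    {"order": "A102", "account": "u63", "name": "R. Jones",
     "ship_to": "12 dock rd., unit 4", "item": "Phone Z"},
    {"order": "A103", "account": "u88", "name": "M. Lee",
     "ship_to": "9 Elm St", "item": "Laptop X"},
]

def normalize(value):
    """Lower-case and drop punctuation and spaces so near-identical entries group together."""
    return "".join(ch for ch in value.lower() if ch.isalnum())

def recurring_patterns(cases, min_accounts=2):
    """Map (field, normalized value) to the accounts sharing it, keeping only repeats."""
    seen = defaultdict(set)
    for case in cases:
        for field in FIELDS:
            seen[(field, normalize(case[field]))].add(case["account"])
    return {key: sorted(accounts) for key, accounts in seen.items()
            if len(accounts) >= min_accounts}

def screen_order(order, patterns):
    """Return the fields of a new order that match a known fraud pattern."""
    return [f for f in FIELDS if (f, normalize(order[f])) in patterns]

if __name__ == "__main__":
    patterns = recurring_patterns(FRAUD_CASES)
    for (field, value), accounts in patterns.items():
        print(field, value, accounts)
    new_order = {"name": "A. Brown", "ship_to": "12 Dock Rd, Unit 4", "item": "Laptop X"}
    print(screen_order(new_order, patterns))
```

A match on a popular item alone is weak evidence; routing only multi-field matches to manual review keeps the checkout friction discussed earlier to a minimum.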

Keeping customers informed on the dangers and means of prevention can also help, as can adding strategic layers of security. New authentication solutions for safeguarding account integrity are slowly being introduced and implemented as well.

  • One-time passwords are random, unique codes generated for each log-in session. Since each code is accepted only once (and for a limited time), a code that is stolen or intercepted cannot be reused later.
  • User location matching uses geolocation to compare the user and device to the customer’s known physical location and behavior in real-time, flagging login attempts that don’t appear to sync.
  • Biometric authentication involves determining user identity via biometric traits such as fingerprints or facial recognition. I posted an entry here recently going into some of the pros and cons of this method.

Customers and the Convenience Factor

Of course, much of the issue still stems from customers’ lax approach to using complex passwords. However, blaming customers won’t help.

As I mentioned earlier, consumers want convenience. Any new measure a merchant might implement, like forcing a password change at regular intervals, has the potential to turn customers off. Does that mean you shouldn’t even try to fight ATF? Ultimately, that’s a call merchants will have to make for themselves.

If your customers tend to be loyal and long-term, you may be able to tighten your checkout process, provided you keep them informed of what you’re doing and why. If you already have a high customer turnover rate, the end may not justify the means. The key here is finding the combination of tools and technology that gives the highest return on investment.

ATF Is Not the Real Threat

Any type of fraud is dangerous and needs to be combatted however possible. But when creating a strategic multilayer fraud management plan, it’s good to remember that ATF is a prime example of criminal fraud.

Criminal fraud is a comparatively small percentage of the problem. If we consider the total number of chargebacks, criminal fraud represents less than 10% of all cases. That doesn’t mean we can ignore it, but it is something to keep in mind when allocating resources for overall fraud management.