Fraud is becoming more and more sophisticated, as cybercriminals try and keep a step ahead of fraud management solutions. This arms race is likely responsible for the recent surge in ATO – account takeover – attacks, a form of fraud which is particularly difficult to detect. In 2016 ATO led to $2.3 billion in losses – well over a third of the total fraud losses that year.
Not only are ATO attacks tough to spot, they can also cause a lot of harm beyond just stolen goods and chargebacks. Customers often leave their credit card details saved in their store accounts, trusting merchants to guard it. And if a bad actor gains access to their account, the customer is left to deal with the fallout of having their personally identifiable information–PII– stolen, which reflects very poorly on your brand. In this post, we’ll dig a little deeper into what ATO attacks actually look like, and provide some tips to help protect your customers’ data, and your own products, from sophisticated ATO fraud.
How do ATO attacks happen, and what forms can they take?
Whenever a bad actor gains access to another party’s legitimate account, this is called an ATO.
These often occur as a result of data breaches – cyber criminals hacking into information systems and stealing data. But stolen credential data tends to be incomplete and unorganized, so these criminals use bots to sift through the loot. A bot is a simple software application that automates a task. Hackers use bots to ‘credential phish’ – test logins and passwords automatically and at extremely high speed until they successfully login, thereby validating the credentials they’ve stolen. Compounding the damage of the breach is people’s tendency to use the same login information across multiple platforms: a verified set of credentials could be used to access several accounts.
Once hackers have a store of verified credentials, they can either use them themselves or sell them on the darkweb. The surprising affordability of this data on the open market is an unnerving testament to its abundance, as well as the efficiency of credential phishing: logins to Paypal accounts with a balance of $500 cost only $6.43, and Uber account logins cost under four dollars.
A fraudster with login credentials has countless different ways to perpetrate an attack. One tactic that gets a lot of press is the ransom attack, in which fraudsters access individual’s or company’s data and threaten to either destroy it or make it public, unless the victim pays.
But ransom attacks are pretty elaborate and less common in eCommerce. When fraudsters target a retailer they’re more likely to just attempt to order goods from your store with someone else’s credit card.
The ideal cases for the fraudster are:
1. That they’ve obtained credit card details of the same person who owns the account, or the customer saved their credit card details on the site;
2. There is already some kind of credit in the account they can use to shop, for instance, frequent flyer miles or a cash rewards account (this MO is known as loyalty fraud).
But most of the time fraudsters aren’t lucky enough to have these options, and they’re likely to just use a card belonging to someone other than the account owner, hoping that the legitimate credentials will be enough for the merchant to approve the order; it’s so crucial to merchants to provide loyal customers with a smooth shopping experience that they’ll be very reluctant to request verification from a customer they have history with.
The fraudster may try to change the shipping address on file, if they’re trying to steal physical goods. More savvy fraudsters go for digital goods like gift cards, since they know they can steal them without raising any red flags: it’s a pretty legitimate shopping pattern to have a gift card sent to an email other than the one on file (ostensibly, as a gift).
All of these MOs, unfortunately, tend to be pretty effective. Traditional fraud detection systems simply aren’t equipped to detect bad actors logging in to good customer’s accounts, sometimes from the customer’s own device. Protecting goods and PII from these type of attacks requires changing the way you think about CNP fraud.
First steps to detect and prevent ATO attacks
First, it’s important to realize that catching an ATO attack at the point of sale, and declining the order, is not ideal. You’ll have to alert the rightful owner that their account has been breached, so that they change their login information. The fallout of having personal information compromised could be devastating a customer, and you can be sure they’ll think twice about shopping with you next time.
That said, catching the fraudster and declining the order is still better than paying a chargeback. To catch an ATO attack at checkout, make sure your fraud detection system is able to detect changes in behavior, including the shopper logging in from a different geographic IP address than usual, and if the customer is shopping like a legitimate customer or a fraudster (read more about behavioral analytics here).
But far better for both the retailer and consumer is to prevent fraudsters from ever logging into the customer’s legitimate account in the first place. In addition to protecting you from chargebacks, this will protect your brand’s reputation and your customers’ private information.
The most critical part of catching bad actors at the point of account login is processing data and making decisions in realtime; your legitimate shoppers won’t tolerate more than a second or two of wait time when they try to log in to your site. In other words, manually reviewing data at this stage takes too long to be an option.
And what data should you be reviewing at this point? Just like you would at the point of sale, your fraud solution should look at the geographic IP address and device the shopper is using, and compare these to historical data about the customer in real time. Of course, mismatches here shouldn’t automatically lead to blocking the customer; they could have gotten a new phone or are traveling, but in conjunction with other data points (like how many attempts it takes to get the password right) they could be a red flag.
A vital job for your review system at the point of login is bot detection. If you’re able to identify that the user is a bot, based on parameters like keystroke velocity and mobile device orientation sensors, it becomes far more likely that this login is either an ATO attempt or credential phishing. While identifying human fraudsters in possession of real credentials is vital, it’s only one part of the equation. Equally important is cutting off phishing attacks at the source, so credentials are never compromised in the first place.
Though it’s no small task, detecting bots and bad actors is only half the battle: then you have to decide how to act. Determining which attempts to block, which to allow, and which to verify, is a careful balancing act. Ideally, only a narrow range of ‘grey’ login attempts should be asked to authenticate their identity; so that most good customers gain access without any additional friction, while login attempts you’re certain are fraudsters are blocked instantly.
Building a system to deal with a range of risk scenarios, and different types of identity-verifying measures (texts, captcha, emails, email-based login alerts, security questions and so on) is a complex task, and beyond the scope of this post. In a forthcoming guide to account protection, we’ll give actionable tips for creating such a policy, as well as more in-depth insights into to help you protect your business and customers from these devious attacks.
Keep abreast of the latest developments in ATO prevention technology, and more by subscribing to our blog: