Clearsale Blog | Insights on Ecommerce and fraud

Account Takeover Fraud - You Can Fight It Without Losing Good Customers

Written by Rafael Lourenco | Feb 11, 2019
TL;DR

Account takeover fraud (ATO) is rising sharply, costing U.S. businesses $5.1 billion in 2017, roughly three times the 2016 figure, with attacks on financial services up 40% from Q1 to Q2 of 2018. Fraudsters take over accounts using stolen login credentials harvested from data breaches, unsecured networks, phone impersonation, and social engineering, then exploit those accounts to commit fraud.

Account takeover fraud (ATO) is on the rise, and businesses and banks are bearing the costs. ATO cost US businesses $5.1 billion in 2017, about three times as much as in 2016. This type of fraud is still trending upward, especially against banks. ATO attacks on financial services rose by 40% from Q1 to Q2 of 2018, according to ThreatMetrix’s Q2 Cybercrime Report.  Even more alarming, the rate of ATO attempts via mobile transactions rose 200% during that period.

How do fraudsters take over accounts?

Anyone with a customer’s login credentials can take over that person’s account. An increasing number of recent large-scale ATO attempts have been done with botnets that attempt to login in customers’ retail accounts, according to ThreatMetrix. How are thieves getting the credentials in the first place? Unfortunately, fraudsters have many resources at their disposal.

The ongoing wave of consumer data breaches at retailers, hotel chains, social media networks, and other companies gives organized criminals a steady supply of data points to exploit. This data can include names, payment card numbers, and in some cases, usernames and passwords. Unsecured wireless networks give thieves another way to steal credentials and other personal data. Some fraudsters impersonate their victims on the phone with customer service to change account passwords and gain access.

Scammers also use social engineering on social media to collect information they can use to hack their way in. For example, quizzes and memes that prompt users to share the names of pets, former hometowns, and other personal details can help attackers answer knowledge-based authentication questions that many online accounts require for password recovery.

Click here to continue reading.

Frequently Asked Questions

What is account takeover fraud?

Account takeover fraud (ATO) happens when a fraudster gains access to a legitimate customer's account using that person's login credentials. Anyone with the credentials can take over the account, often through automated botnet login attempts against retail accounts.

How fast is account takeover fraud growing?

ATO cost U.S. businesses $5.1 billion in 2017, about three times the 2016 figure, according to the article. Attacks on financial services rose 40% from Q1 to Q2 of 2018, and ATO attempts via mobile transactions rose 200% in that same period, per ThreatMetrix.

How do fraudsters obtain login credentials?

Fraudsters get credentials from the ongoing wave of consumer data breaches at retailers, hotels, and social networks, which supply names, card numbers, and sometimes usernames and passwords. Unsecured wireless networks, phone impersonation of customer service, and social engineering on social media are other common sources.

How does social engineering enable account takeover?

Scammers use social media quizzes and memes that prompt users to share pet names, former hometowns, and other personal details. Those details help attackers answer the knowledge-based authentication questions many accounts require for password recovery.

Why are botnets used in account takeover attacks?

According to ThreatMetrix, an increasing number of large-scale ATO attempts use botnets that automatically try to log in to customers' retail accounts at scale. Automation lets fraudsters test stolen credentials across many accounts quickly.

Can businesses fight account takeover without losing good customers?

Yes. The goal is to detect and block takeover attempts while still letting legitimate account holders log in and buy without added friction. Balancing strong protection with a smooth experience keeps good customers from being turned away.