When COVID-19 created the great work-from-home experiment, there were many unintended outcomes. Some were rather innovative, like grocery delivery, telehealth and more. Others have had much more sinister effects (enter account takeover).
While the way we shop for goods and services has been digitizing rapidly for decades, it increased substantially in a pretty short time. The way we pay for those items has followed suit. The pandemic created uncertainty around handling cash and credit cards, which led to higher usage of contactless payments.
Unfortunately, with the rapid growth of payment methods and online shopping, fraudsters have taken advantage. Account takeovers (ATOs) have grown a lot in the last year. In fact, just in the first six months of the pandemic, ATO fraud was up 378%.
Businesses must add additional security tools to their payment systems to meet this heightened threat head-on.
What is account takeover?
Account takeover is a form of identity theft aimed at financial fraud: a third party obtains a user’s credentials and takes control of the account.
Posing as the user, the fraudster modifies the account, drains stored payment balances or makes fraudulent purchases.
ATO is equal opportunity in that it is a growing headache for consumers, retail businesses, and financial services/firms alike.
How does account takeover happen?
As noted earlier, COVID-19 stimulated the increase in ATO. That leaves the burning question: how can it happen to me, and how would it affect my customers’ experience?
Unfortunately, with ATO, you could end up fighting fraud while losing customers. Here are the most common account takeover scenarios:
- Data breaches/leaks:
  - Direct – The stolen credentials are used on the same site the data came from. For instance, if your credit card provider is hacked or runs an improperly configured database, a criminal may use the leaked credentials on that same site.
  - Indirect – An indirect use of stolen credentials typically appears as credential stuffing. Many people don’t practice good cyber hygiene and reuse passwords, or simple variations of them, across many sites. With automation, a fraudster can quickly attempt logins across hundreds of sites using these credentials and their variants. Password spraying is related: it also targets many user accounts, but with a small set of passwords. The difference is that the attacker tries common passwords against many users rather than a leaked password against the one account it belongs to.
- Brute force – A brute force attack involves attempting many passwords against a single account. These attacks are simple, easy to set up, and reliable. While many defenses can combat them, they are so cost-effective that brute force remains a viable method of ATO fraud.
Account takeover isn’t just a technical problem for your business though. It’s a reputation problem waiting to happen.
If customers have their credentials or payment methods compromised on your site, it can lead to increased abandonment rates, lost trust, and ultimately, lost business.
Other concerns
COVID-19 has also increased shopping on mobile devices. With nearly 50% of all retail sales coming via mobile, fraudsters are paying close attention.
Mobile device security is often less robust than desktop and is a ripe target for criminals. It’s important (but hard) for companies to make shopping an enjoyable experience while providing the security that it now needs.
The dark web
Even with all the ways fraudsters can access credentials, this data is often not used right away. Rather, fraudsters sell it on the dark web.
In fact, it’s not uncommon for stolen information, passwords, and payment methods to be used for years after a breach occurs.
How can you prevent account takeover?
There are many ways criminals can exploit your customers’ credentials. Fortunately, you can mitigate ATO fraud with the right methods and technologies.
For example, legitimate logins and payment transactions fall into predictable patterns. You can configure your payment and identity systems to spot departures from those patterns and block ATO attacks like brute force and credential stuffing.
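As an added example (not code from the original post or from Fraud.net), the detector below applies the two patterns described above to a constructed authentication log: many failures against one account (brute force) and one source cycling through many distinct accounts (credential stuffing or password spraying). The log format, field names and thresholds are assumptions; it also lists accounts that logged in successfully from a flagged source, since those are the sessions worth reviewing first.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the original post); assumed format:
# "<timestamp> <OK|FAIL> user=<account> src=<source ip>"
SAMPLE_LOG = """\
2021-03-01T10:00:01 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:02 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:03 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:04 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:05 FAIL user=alice src=203.0.113.5
2021-03-01T10:00:10 FAIL user=bob src=198.51.100.7
2021-03-01T10:00:11 FAIL user=carol src=198.51.100.7
2021-03-01T10:00:12 OK user=dave src=198.51.100.7
2021-03-01T10:00:13 FAIL user=erin src=198.51.100.7
2021-03-01T10:00:20 FAIL user=grace src=192.0.2.9
2021-03-01T10:00:30 OK user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    events = []  # lines that do not match the assumed format are skipped
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m.group(1), "ok": m.group(2) == "OK",
                           "user": m.group(3), "src": m.group(4)})
    return events

def detect(events, max_fails_per_user=5, max_users_per_src=4):
    """Events are assumed to be one time window. brute_force -> lock or step-up the
    account; spray_or_stuffing -> rate-limit the source (logs alone cannot tell the two apart)."""
    fails_per_user = defaultdict(int)
    users_per_src = defaultdict(set)
    for e in events:
        users_per_src[e["src"]].add(e["user"])
        if not e["ok"]:
            fails_per_user[e["user"]] += 1
    findings = []
    for user, n in fails_per_user.items():
        if n >= max_fails_per_user:
            findings.append(("brute_force", user, n))
    for src, users in users_per_src.items():
        if len(users) >= max_users_per_src:
            findings.append(("spray_or_stuffing", src, len(users)))
    # Successful logins from a flagged source are the likely compromised accounts.
    flagged = {f[1] for f in findings if f[0] == "spray_or_stuffing"}
    at_risk = sorted({e["user"] for e in events if e["ok"] and e["src"] in flagged})
    return sorted(findings), at_risk
```

On the sample log, `detect(parse(SAMPLE_LOG))` flags `alice` for brute force, the source `198.51.100.7` for spraying or stuffing, and lists `dave` as the account to review.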
Fraud.net can help
When it comes to technology, the world is flat. For businesses, that means you can have customers from around the world shop on your site. As a downside, it also means that criminals can use the same technology to attack from anywhere.
Automation has led to innovation in fraud. Increasingly, we’re finding that simple rule-based prevention systems just aren’t cutting it.
To protect your business and your customers, you need solutions that include:
- Consortium data. We partner with payment processors, data organizations, and merchants to share anonymized data about fraudulent transactions and users seen in their systems. This enables us to flag those transactions before they even take place.
- Deep learning. Our solution features machine learning that zeroes in on anomaly detection. It also factors in the location of the login. Our deep learning models detect the sometimes subtle patterns of fraud and use behavioral analysis to flag high-risk sessions.
- Entity analysis. Criminals rarely act alone. Often, they share techniques and stolen data with other criminals. Analyzing relationships between bad pieces of data and fraudsters can differentiate between a single fraud attempt and a full-on attack.
Give your business a competitive differentiator with a solid defense against account takeover. To learn more about Fraud.net’s innovative technology for fraud detection and account takeover prevention, schedule a demo or contact us today.