Online shoppers are increasingly at risk of ATOs, or account takeovers, with fraudsters employing ever-more sophisticated bot networks to probe and break into online shopping accounts using data gained through large-scale data breaches. The most obvious impact of online shopping ATOs is the financial loss for the merchant: ATO losses reached $2.3 billion in 2016.
Yet there are other costs too, including the difficulty shoppers face in obtaining refunds for orders they never placed. Below, we discuss the types of ATOs commonly seen in the wild, and what online merchants can do to prevent a shopping platform from turning into a cyber nightmare for their shoppers.
The how and the where of ATOs
Online shoppers are unquestionably vulnerable to ATOs, given that the sheer scale of individual data breaches can be enormous: one attack on Yahoo alone affected 3 billion accounts. The data acquired in such breaches provides ammunition for fraudsters, who use botnets to test the validity of the stolen account details at scale. With the number of stolen credentials in the millions and billions, fraudsters only need a small fraction of attempts to succeed.
This process is known as credential stuffing: the rapid, automated testing of millions of leaked email and password pairs across many sites in an attempt to take over accounts. It is often very fruitful because many users reuse the same email and password combination across multiple accounts. For example, by acquiring the credentials for a user's Facebook account, an attacker can often gain access to other social media accounts, and indeed to many online shopping accounts.
Once a fraudster has gained access to an online shopping account, they can profit in several ways. In some cases the shopper's card details are saved to the account, and the attacker can simply order goods or services. Another case is the presence of a spendable balance in the account, such as loyalty points that can be redeemed or transferred. Either way, your customer stands to suffer a financial loss which they may struggle to recoup.
Yet often the fraudster is not that lucky, and instead relies on the fact that the shopper is a registered, trusted customer. In other words, the fraudster orders using stolen card details that have nothing to do with the account, trusting that a more basic fraud prevention solution will wave the transaction through because the order comes from an existing customer.
Though advanced e-commerce fraud protection will still stop such a transaction, this method is often effective because not every online merchant deploys cutting-edge prevention techniques. Again, your customer is left holding the bag: goods were ordered from their account, using their credentials, and the owner of the unrelated card then triggers a chargeback. None of this is a good outcome for the merchant or the shopper.
Stopping an ATO attempt in its tracks
Merchants can stop ATOs at several stages, from the initial login attempt through to checkout, where orders that result from an ATO can still be declined. Yet the earlier an ATO is stopped the better, as merely gaining access to an account can be a nightmare for the customer, regardless of whether it leads to a fraudulent order.
ATOs can be stopped before they lead to orders. At the login stage, your fraud and intrusion detection system should capture and analyze signals such as the source IP address and the device used, and compare them against the account's history. A mere change in location or device is not sufficient to block access to an account, but these become valid red flags when combined with several failed password entries or perhaps a password reset request.
Advanced detection systems can also watch for automated login attempts, for example by analyzing keystroke timing or the orientation of a mobile device, which scripted clients rarely reproduce convincingly. A web application firewall (WAF) can prove useful too, as it can block logins from known-bad IP ranges; advanced fraud detection systems offer similar capabilities.
However, it is not always easy to stop an ATO at the point where the account is accessed. Thankfully, fraudsters are forced to reveal further information when placing an order, and these details compound the risk signals already seen at login; the merchant should tally them all before an order is authorized. A mix of repeated login attempts, repeated credit card rejections and a high-value order amount is clear grounds for stopping a transaction.
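The login-stage and checkout-stage checks described in the three paragraphs above, worked through as one piece of code. This is an added example, not code from the original article or from any fraud-prevention vendor, and everything in it is an assumption constructed for illustration: the event format, the signal weights, the one-hour window, the "three failed logins" and "two card declines" thresholds, the block threshold, the WAF-style denylisted IP range, the extra rule that a card never seen on the account counts as a signal, and the two sample accounts and their events. It scores a password-verified login against the account's known IPs and devices plus recent failed attempts (a single flag only triggers a step-up challenge; several together block), then carries that login risk into checkout and adds repeated card rejections, an unfamiliar card and an unusually high order amount.

```python
"""Two-stage ATO risk scoring (login, then checkout); an added example with assumed event format and weights."""
import ipaddress
from dataclasses import dataclass, field
from statistics import mean

WINDOW = 3600          # seconds of recent activity that count toward a score
HIGH_VALUE_FACTOR = 3  # order above 3x the account's mean past order counts as high value
MIN_HISTORY = 2        # past orders needed before that mean is trusted
BLOCK_AT = 3           # total score at which a login is refused or an order is stopped
DENYLISTED = [ipaddress.ip_network("198.18.0.0/15")]  # assumed WAF-style bad IP ranges

@dataclass
class Profile:  # what the merchant already knows about one account
    known_ips: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    known_cards: set = field(default_factory=set)
    order_amounts: list = field(default_factory=list)
    failed_logins: list = field(default_factory=list)  # timestamps of wrong-password attempts
    declines: list = field(default_factory=list)       # timestamps of card rejections
    last_login_score: int = 0                          # login-stage risk, carried to checkout

def recent(stamps, now):
    return [t for t in stamps if 0 <= now - t <= WINDOW]

def action_for(score):
    # One red flag alone never blocks; it triggers step-up verification (or review at checkout).
    return "block" if score >= BLOCK_AT else "challenge" if score >= 1 else "allow"

def score_login(p, ev):  # password already verified; decide whether to grant the session
    score, reasons, now = 0, [], ev["ts"]
    if any(ipaddress.ip_address(ev["ip"]) in net for net in DENYLISTED):
        score += BLOCK_AT; reasons.append("ip in denylisted range")
    if p.known_ips and ev["ip"] not in p.known_ips:
        score += 1; reasons.append("new ip")
    if p.known_devices and ev["device"] not in p.known_devices:
        score += 1; reasons.append("new device")
    fails = len(recent(p.failed_logins, now))
    if fails >= 3:
        score += 2; reasons.append(f"{fails} failed logins in window")
    return score, reasons

def score_checkout(p, ev):  # risk already seen at login is carried over and compounded
    score, reasons, now = p.last_login_score, [], ev["ts"]
    if score:
        reasons.append(f"login risk {score} carried over")
    if len(recent(p.failed_logins, now)) >= 3:
        score += 1; reasons.append("repeated login attempts")
    declines = len(recent(p.declines, now))
    if declines >= 2:
        score += 2; reasons.append(f"{declines} card rejections in window")
    if p.known_cards and ev["card"] not in p.known_cards:
        score += 1; reasons.append("card never seen on this account")
    if len(p.order_amounts) >= MIN_HISTORY and ev["amount"] > HIGH_VALUE_FACTOR * mean(p.order_amounts):
        score += 1; reasons.append("order far above this account's usual amount")
    return score, reasons

def process(events):  # replay in time order; returns (ts, account, stage, action, reasons) tuples
    profiles, decisions = {}, []
    for ev in sorted(events, key=lambda x: x["ts"]):
        p = profiles.setdefault(ev["account"], Profile())
        stamps = {"login_failed": p.failed_logins, "card_declined": p.declines}
        if ev["type"] in stamps:
            stamps[ev["type"]].append(ev["ts"])
        elif ev["type"] == "login":
            score, reasons = score_login(p, ev); action = action_for(score)
            decisions.append((ev["ts"], ev["account"], "login", action, reasons))
            if action != "block":
                p.last_login_score = score
            if action == "allow":  # a real system would also learn ip/device once a challenge is passed
                p.known_ips.add(ev["ip"]); p.known_devices.add(ev["device"])
        elif ev["type"] == "order":
            score, reasons = score_checkout(p, ev); action = action_for(score)
            decisions.append((ev["ts"], ev["account"], "order", action, reasons))
            if action == "allow":
                p.known_cards.add(ev["card"]); p.order_amounts.append(ev["amount"])
    return decisions

def evt(ts, kind, account, **fields):  # compact constructor for the sample stream
    return {"ts": ts, "type": kind, "account": account, **fields}

# Constructed sample stream, not real data: normal history for both accounts, then a credential-
# stuffing bot hits "alice" and someone who got "bob"'s password first time orders on a foreign card.
EVENTS = [
    evt(100, "login", "alice", ip="203.0.113.10", device="dev-a1"),
    evt(100, "login", "bob", ip="198.51.100.7", device="dev-b1"),
    evt(300, "order", "bob", card="card-b", amount=30),
    evt(95100, "order", "bob", card="card-b", amount=50),
    evt(200000, "login_failed", "alice", ip="192.0.2.99", device="dev-x"),
    evt(200010, "login_failed", "alice", ip="192.0.2.99", device="dev-x"),
    evt(200020, "login_failed", "alice", ip="192.0.2.99", device="dev-x"),
    evt(200030, "login", "alice", ip="192.0.2.99", device="dev-x"),
    evt(300000, "login", "bob", ip="192.0.2.77", device="dev-y"),
    evt(300100, "card_declined", "bob"),
    evt(300110, "card_declined", "bob"),
    evt(300120, "order", "bob", card="card-z", amount=500),
]

if __name__ == "__main__":
    for ts, account, stage, action, reasons in process(EVENTS):
        print(f"{ts:>7} {account:6} {stage:6} {action:10} {', '.join(reasons)}")
```

Run as a script it prints one decision per login or order: alice's bot login is blocked outright (new IP, new device, three recent failures), while bob's clean login from an unknown device is only challenged, exactly as the text recommends for a lone change of location or device. The "carried over" reason is what separates this from the basic system in the earlier paragraph that waves an order through because the account belongs to an existing customer: an order on a card the account has never used still inherits the risk of the unfamiliar device it was placed from, and the declined cards and outsized amount then push it over the block threshold.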
Finally, it is worth underlining that merchants have a duty of care when it comes to customer data, or personally identifiable information (PII). Though preventing ATOs and other forms of fraud is incredibly important, merchants should also pay attention to their internal data security policies, or they risk suffering a breach of their own and the reputational damage that follows. And as described above, the data lost in such a breach feeds the next round of account takeovers, creating a nightmare for some percentage of your shoppers later down the line.
Fraud prevention solutions keep consumer grief at bay
The sheer range and complexity of the risks merchants face, ATOs included, can be daunting for any but the largest ecommerce merchants. Small and mid-size merchants should instead consider deploying a middleman: a fraud prevention package from a vendor with the resources to pool the knowledge gained across millions of transactions and so prevent ATOs and fraudulent transactions from occurring. Going it alone, or skipping ATO and fraud protection altogether, can lead to a nightmare outcome for both merchant and customer.