August 19, 2016
By Karisse Hendrick, Editor-at-Large, CardNotPresent.com
While the list of companies victimized by account takeovers is long and getting longer, when the organizations that accept your federal tax returns and serve up your morning brew are targeted, headlines—and attention—will follow. Account Takeover (ATO) is the term used when a fraudster uses a legitimate customer’s credentials to log on to their account and make purchases. In some cases, the customer’s stored payment method is used, while in others, the fraudster is using the account to make the purchases appear legitimate. This fraud attack method has been increasing in popularity over the last several years as merchants became more vigilant and began using better fraud detection for standard credit-card fraud.
The impact on both the company and the customer can be more detrimental for ATO than for traditional credit card fraud. For the company, because this fraud is much more difficult to detect, the financial impact can be devastating. Customers expect their accounts to be safe; when their accounts are compromised, they often blame the company more than the fraudster who used the account. The customer may also be at risk of further account takeovers with other companies, since many people use the same logon credentials for multiple accounts. Many fraudsters are counting on exactly that.
The Buck Stops Here
Ultimately, because the accounts are with the merchant and the chargeback liability is with the merchant, the responsibility to prevent this type of fraud—as with any type of card-not-present payment fraud—is on the merchant. In Starbucks’ case, media was critical of the company’s public response because it was perceived as an attempt to shift the responsibility for keeping customer accounts secure from the company to its customers (Starbucks blamed the account takeovers on weak passwords). While there is some truth to that, it is important to note that hundreds of merchants have had this problem and have taken steps to solve it. Once a merchant is aware that its customers’ accounts are being accessed by unauthorized users and used to make fraudulent purchases, its focus should be on preventing the fraud and protecting its customers’ payment and overall account information.
The first step to preventing ATOs is to understand how fraudsters are getting around your current fraud processes, and how they are using the accounts. For instance, does it appear that bots are accessing the accounts, or are they being accessed one at a time? Are the usernames and passwords attempted only once before account access is gained, or are there multiple attempts for each account? Additionally, are the stored payment methods being used to make the fraudulent purchases, or are the accounts being used purely for the trust that comes with their established history, with new payment methods added? Answering these questions and studying the behavior will show how to implement a new strategy to prevent this fraud method.
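The questions above (bots or one-at-a-time access, one attempt per account or many, which accounts actually got in) can be answered from the authentication log. The following added example, which is not from the original article and not any vendor's product, profiles login attempts per source address over constructed sample log lines: many distinct usernames with roughly one attempt each at high velocity points to a credential-stuffing bot, while many attempts against one or two usernames points to a brute-force attack. It also lists which accounts were successfully accessed from a flagged source, which is the set a merchant would want to reset. The log format, thresholds and IP addresses are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2016-08-19T10:00:00 ip=203.0.113.7 user=alice result=FAIL
2016-08-19T10:00:01 ip=203.0.113.7 user=bob result=OK
2016-08-19T10:00:01 ip=203.0.113.7 user=carol result=FAIL
2016-08-19T10:00:02 ip=203.0.113.7 user=dave result=FAIL
2016-08-19T10:00:02 ip=203.0.113.7 user=erin result=OK
2016-08-19T10:00:03 ip=203.0.113.7 user=frank result=FAIL
2016-08-19T10:05:00 ip=198.51.100.2 user=alice result=FAIL
2016-08-19T10:05:30 ip=198.51.100.2 user=alice result=FAIL
2016-08-19T10:06:00 ip=198.51.100.2 user=alice result=FAIL
2016-08-19T10:06:40 ip=198.51.100.2 user=alice result=FAIL
2016-08-19T10:07:10 ip=198.51.100.2 user=alice result=OK
2016-08-19T12:00:00 ip=192.0.2.9 user=grace result=OK
"""

# Assumed log line format: ISO timestamp, source IP, username, OK/FAIL result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Illustrative thresholds; a real deployment would tune these to its own traffic.
STUFFING_MIN_USERS = 5        # many different accounts from one source ...
STUFFING_MAX_TRIES_PER_USER = 1.5  # ... each tried about once ...
STUFFING_MIN_RATE_PER_MIN = 30     # ... at a speed no human types at
BRUTE_MIN_ATTEMPTS = 5        # few accounts, hammered repeatedly
BRUTE_MAX_USERS = 2


def parse_log(text):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def profile_sources(events):
    """Summarise attempt volume, account spread and velocity per source IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    profiles = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        users = {e["user"] for e in evs}
        span_s = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        profiles[ip] = {
            "attempts": len(evs),
            "distinct_users": len(users),
            "tries_per_user": len(evs) / len(users),
            "successes": sum(1 for e in evs if e["ok"]),
            # Guard against a zero span so a lone attempt does not divide by zero.
            "rate_per_min": len(evs) * 60 / max(span_s, 1.0),
        }
    return profiles


def classify(profile):
    """Label a source profile as credential stuffing, brute force, or normal."""
    if (profile["distinct_users"] >= STUFFING_MIN_USERS
            and profile["tries_per_user"] <= STUFFING_MAX_TRIES_PER_USER
            and profile["rate_per_min"] >= STUFFING_MIN_RATE_PER_MIN):
        return "credential_stuffing"
    if (profile["attempts"] >= BRUTE_MIN_ATTEMPTS
            and profile["distinct_users"] <= BRUTE_MAX_USERS):
        return "brute_force"
    return "normal"


def compromised_accounts(events):
    """Accounts successfully logged into from a source classified as hostile."""
    profiles = profile_sources(events)
    hostile = {ip for ip, p in profiles.items() if classify(p) != "normal"}
    return {e["user"] for e in events if e["ok"] and e["ip"] in hostile}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, p in profile_sources(evs).items():
        print(ip, classify(p), p)
    print("accounts to reset:", sorted(compromised_accounts(evs)))
```

The per-source profile answers the article's first two questions directly (spread across accounts and attempts per account), and the list of successfully accessed accounts from hostile sources is the input to the password-reset step discussed later.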
Adjusting Strategy for a New Threat
Because consumers typically use the same or similar usernames and passwords with multiple merchants, testing stolen credentials on multiple Websites is believed to be the most common way fraudsters access accounts and take them over. Knowing this, some companies have become very proactive when a large breach of usernames and passwords occurs, requesting or requiring a password reset. One large online gaming company worked with its communications department to educate its consumers about keeping their accounts safe. Instead of blaming customers after a problem became public, the company communicated the importance of unique passwords, showing its interest in consumer safety while also protecting its bottom line.
Studying the behavior of fraudsters engaged in ATO also will provide more insight into the source of the account credentials and provide alternate avenues to combat it. One merchant recently discovered that a large majority of its ATO attempts were occurring with a specific cell phone provider’s e-mail domain. The company was able to reach out to this provider to learn the reason, but also to change its rule sets to include this e-mail domain as a risk factor.
There is no one cookie-cutter solution that will prevent this sophisticated fraud method; however, it is important to select a tool that addresses the type of account takeover your company is experiencing. If the ATOs your company is seeing are coming from a bot, you may want to consider a technology solution that randomly changes the location of fields on your account logon page, to make the scripts fail. Additionally, tools focused on device information tend to be more effective in deterring ATO, since the fraudster is using the legitimate customer’s information, rendering identity-verification tools almost useless. Products utilizing pre-purchase account behavioral analytics and big data are also worth considering to combat account takeover fraud.
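The rule-set change described two paragraphs earlier (treating a particular e-mail domain as a risk factor) and the device-focused and pre-purchase behavioral signals recommended here can be combined in one layered risk score. The following added example is not from the article and not any vendor's product: it scores a login-plus-purchase event against what the merchant already knows about the account (devices seen before, payment methods on file) and maps the score to an action. The domain in HIGH_RISK_EMAIL_DOMAINS, the rule weights and the decision thresholds are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder; a merchant would populate this from its own ATO analysis,
# as the article's merchant did with one carrier's e-mail domain.
HIGH_RISK_EMAIL_DOMAINS = {"risky-carrier.example"}


@dataclass
class AccountHistory:
    """What the merchant already knows about a customer account."""
    known_devices: set          # device fingerprints/IDs seen on prior good sessions
    known_payment_methods: set  # tokens of payment methods already on file


@dataclass
class SessionEvent:
    """One login followed by a purchase attempt, as seen at checkout."""
    email: str
    device_id: str
    payment_method: str              # token of the method used for this purchase
    payment_added_this_session: bool # method was added just before use
    failed_logins_before_success: int


def email_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


# (rule name, weight, predicate). Weights are illustrative, not calibrated.
RULES = [
    ("high_risk_email_domain", 30,
     lambda ev, h: email_domain(ev.email) in HIGH_RISK_EMAIL_DOMAINS),
    # Device signal: the legitimate customer's device is usually already known,
    # while a fraudster with stolen credentials arrives on a new one.
    ("unknown_device", 35,
     lambda ev, h: ev.device_id not in h.known_devices),
    # Pre-purchase behavior: a payment method added and used in the same session
    # on an established account is the "account used for its history" pattern.
    ("new_payment_method_same_session", 30,
     lambda ev, h: ev.payment_added_this_session
     and ev.payment_method not in h.known_payment_methods),
    ("repeated_failed_logins", 20,
     lambda ev, h: ev.failed_logins_before_success >= 3),
]


def score_event(ev, history):
    """Return (total score, names of rules that fired) for one session."""
    fired = [name for name, _w, pred in RULES if pred(ev, history)]
    total = sum(w for name, w, _p in RULES if name in fired)
    return total, fired


def decide(score):
    """Map a score to an action; thresholds are illustrative."""
    if score >= 60:
        return "block_and_require_password_reset"
    if score >= 30:
        return "step_up_verification"
    return "allow"


if __name__ == "__main__":
    hist = AccountHistory(known_devices={"dev-A"}, known_payment_methods={"pm-1"})
    ev = SessionEvent("jane@risky-carrier.example", "dev-Z", "pm-9", True, 0)
    s, fired = score_event(ev, hist)
    print(s, fired, decide(s))
```

Because the rules are independent, each one can be switched on or tuned separately as the observed tactics change, which is the "address the specific tactics used against your Website" point the article makes; the device and payment-method rules carry the most weight here because, as noted above, identity-verification questions are answered correctly by a fraudster holding the customer's own data.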
This fraud method is growing quickly, but companies have alternatives to throwing up their hands or blaming customers for not knowing the importance of unique passwords. Layering your strategy with customer education, required password changes, and new tools that focus on the device used, while ensuring that they address the specific tactics used against your Website, is the proactive approach to preventing fraud and protecting the account information your customers have entrusted to your company.