January 4, 2018
The recent discovery of a single file on the Dark Web containing 1.4 billion cleartext login credentials makes one thing clear: the tools to commit account takeover (ATO) at scale are more accessible than ever. Meanwhile, the seemingly endless disclosure of large-scale data breaches like Equifax and Yahoo ensures that fraudsters have a steady rotation of logins and passwords to test across the web.
However, although ATO is growing across industries—from social networks and e-commerce merchants to SaaS and professional services—not every company even realizes ATO is a looming threat.
A common crime with a high cost
In terms of customer trust lost and brand damage, ATO can be a nightmare for companies. Collectively, victims spent 20.7 million hours resolving ATOs in 2016, according to data from Javelin Strategy & Research.
Beyond counting yourself lucky for not having made headlines, how do you measure whether ATO is a problem for your business? ATO can be harder to quantify than payment fraud because much of its cost is indirect. When measuring the total cost of ATO, there are a number of individual costs to consider.
Chargebacks (if applicable), including:
- Product cost
- Chargeback fees
- Dollar amount of the transaction
- Does this chargeback put your company over the excessive chargeback threshold, which could result in financial penalties?
Reduced customer engagement, including:
- Fewer clicks, fewer purchases, lower average dollar amount, less time spent on the site or app
- Customer lifetime value (LTV): If the customer churns, you lose all future sales.
- Customer acquisition costs: Now you need to spend more money to acquire more customers.
Brand damage + cleanup costs, including:
- Negative PR: This is tough to measure, but you may consider looking at negative social media sentiment and article mentions.
- Lost brand value: For example, Yahoo lost approximately $350 million in the Verizon deal because of its data breaches.
- Legal fees (if applicable)
- Compliance fines or additional audits
- Ops, Eng & PM staffing: This includes salary, equipment, and overhead costs.
- Cost of external tools used to fight ATO
The key to preventing ATO
Effectively protecting your users and business from ATO necessitates looking at a range of relevant data points rather than any single one. Individual signals that may indicate ATO include login attempts from devices the user has never used, a sudden switch to an older browser or operating system, changes to account settings and passwords, a burst of failed login attempts before a success, and suspicious device configurations such as proxy or VPN setups.
However, keep in mind that each of these signs may be normal behavior for a particular user.
It’s only when you apply behavioral analysis on a large scale, looking at all of a user’s activity and the activity of users across the network, that you can get an accurate picture of whether a login is legitimate.
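To make the previous two paragraphs concrete, here is an added example of a toy risk scorer (written for this article, not Sift Science's product or model). It builds a per-user baseline from constructed login history, scores each new login's signals against that user's own normal behaviour (so a VPN login from a user who always uses a VPN scores nothing), and adds one network-wide signal: a device fingerprint that has touched several different accounts. All field names, weights and thresholds are assumptions chosen for illustration.

```python
"""Toy ATO risk scorer: per-user baselines plus one cross-account device signal.
Added example for illustration; weights, thresholds and field names are assumed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    user: str
    device: str            # device fingerprint (hypothetical field)
    browser: str           # browser family/version string
    failed_before: int     # failed attempts immediately preceding this successful login
    via_proxy: bool        # proxy/VPN detected on the client IP
    changed_password: bool
    changed_settings: bool


# Constructed login history (not real data). bob always logs in over a corporate
# VPN, so a proxy is normal for him and must not count against him.
HISTORY = [
    Login("alice", "dev-a1", "chrome/110", 0, False, False, False),
    Login("alice", "dev-a1", "chrome/110", 1, False, False, False),
    Login("alice", "dev-a1", "chrome/111", 0, False, False, False),
    Login("bob", "dev-b1", "firefox/100", 0, True, False, False),
    Login("bob", "dev-b1", "firefox/100", 0, True, False, False),
    Login("bob", "dev-b1", "firefox/101", 0, True, False, True),
    Login("carol", "dev-c1", "safari/16", 0, False, False, False),
    Login("carol", "dev-c1", "safari/16", 0, False, False, False),
]


def build_profiles(history):
    """Summarise each user's own normal: known devices/browsers, proxy rate, worst failed run."""
    prof = defaultdict(lambda: {"devices": set(), "browsers": set(),
                                "logins": 0, "proxy_logins": 0, "max_failed": 0})
    for ev in history:
        p = prof[ev.user]
        p["devices"].add(ev.device)
        p["browsers"].add(ev.browser)
        p["logins"] += 1
        p["proxy_logins"] += int(ev.via_proxy)
        p["max_failed"] = max(p["max_failed"], ev.failed_before)
    return prof


def accounts_per_device(events):
    """Network-wide view: how many distinct accounts each device fingerprint has touched."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev.device].add(ev.user)
    return {dev: len(users) for dev, users in seen.items()}


def score_login(ev, profiles, device_accounts, shared_device_min=3):
    """Return (score, reasons). Each signal is weighed against the user's own baseline."""
    p = profiles.get(ev.user)
    if p is None:
        return 0, ["no history"]
    score, reasons = 0, []
    if ev.device not in p["devices"]:
        score += 2; reasons.append("new device")
    if ev.browser not in p["browsers"]:
        score += 1; reasons.append("unseen browser")
    if ev.failed_before > max(p["max_failed"], 2):          # worse than the user's own worst run
        score += 2; reasons.append("failed-attempt burst")
    if ev.via_proxy and p["proxy_logins"] / p["logins"] < 0.5:  # proxy only counts if unusual for them
        score += 2; reasons.append("proxy/VPN unusual for user")
    if ev.changed_password:
        score += 1; reasons.append("password changed")
    if ev.changed_settings:
        score += 1; reasons.append("settings changed")
    if device_accounts.get(ev.device, 0) >= shared_device_min:  # one device, many accounts
        score += 3; reasons.append("device shared across accounts")
    return score, reasons


def decide(score):
    return "block" if score >= 6 else "review" if score >= 3 else "allow"


# Constructed new logins to score: one unknown device (dev-x9) hitting three accounts.
NEW = [
    Login("alice", "dev-x9", "ie/11", 5, True, True, False),
    Login("bob", "dev-b1", "firefox/101", 0, True, False, False),
    Login("carol", "dev-x9", "ie/11", 0, True, False, False),
    Login("bob", "dev-x9", "firefox/101", 2, True, False, False),
]


def evaluate(history=HISTORY, new=NEW):
    """Score every new login; returns {user@device: (decision, score, reasons)}."""
    profiles = build_profiles(history)
    dev_accounts = accounts_per_device(history + new)
    out = {}
    for ev in new:
        score, reasons = score_login(ev, profiles, dev_accounts)
        out[f"{ev.user}@{ev.device}"] = (decide(score), score, reasons)
    return out


if __name__ == "__main__":
    for key, verdict in evaluate().items():
        print(key, verdict)
```

Run as a script, bob's VPN login from his usual device scores 0 and is allowed, while the same proxy signal on alice's account contributes to a block; the shared-device signal is what turns an otherwise ambiguous new-device login into a review or block, which is the "across the network" view the paragraph above describes. A production system would learn the weights from labelled outcomes rather than hand-pick them.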
As data breaches continue to come to light, and fraudsters grow increasingly sophisticated in their attacks, all online businesses need to assess their own risk of ATO. With powerful tools and the right guidance, you can ensure good users are seamlessly accessing their accounts – while keeping fraudsters out.
Learn more about why ATO is growing, and how to detect and stop it, with Sift Science’s free eBook, the Complete Guide to Preventing Account Takeover.