There are a few different ways that consumers can become victims of account takeover fraud, and once they have been exposed, the floodgates are open for a fraudster who not only has access to one merchant’s website, but a set of credentials that can be tried on other merchants’ websites (due to consumers’ proclivity for reusing usernames and passwords). Because of this, account takeover has become a popular tactic amongst fraudsters, and stolen credentials can be a lot more valuable than one stolen credit card.
A growing number of merchants and retailers allow for consumers to store their payment credentials on their websites, so once the fraudster has access they can begin their shopping spree and ship the purchases to new locations. The fraudster also creates a challenge for the genuine consumer to log back into the website, by changing the password and physical address on file and essentially locking out the genuine account. For the retailer trying to investigate, it becomes difficult to determine whether this is truly suspicious behavior, as the legitimate consumer no longer has knowledge of the changed password or email address used for communications when attempting to verify and reestablish their account.
How does account takeover happen?
- Consumers may be tricked or lured into revealing their credentials through friend requests on social media, emails requesting password and account info, or other phishing attempts.
- Data breaches can occur from network security vulnerabilities that lead to account takeover – essentially allowing sensitive customer data to be exploited, and often enhanced through a tactic known as credential stuffing. In brute force attack style, automated tools scan and collect account credentials through trial and error, which are then automatically populated into a merchant site until there is a match and a successful login. A set of account credentials which are valid and working can be sold on the dark web for a very nominal purchase price, and along with the username and password come instructions as to which merchant websites the account info can be used to log into.
- Spam emails, designed to appear legitimate, lead a consumer to click on malicious links or open files that can download malware onto their devices. These may install software known as ‘key loggers,’ which can monitor and track keystrokes such as a username, password, and even responses to security questions. This data is fetched and returned to the fraudster, who uses it to log into and take over an account.
How can account takeover be prevented?
- Consumers should be advised that it is best practice to utilize stronger passwords when an account is created or a password updated. The password may contain capital letters, numbers and special characters. In addition, merchants should also require a certain length of the password (fraudsters are known to target less tech-savvy individuals) and should also monitor access points and times.
- Merchants should choose a fraud solution that considers a consumer’s profile. This can consist of an email address, a physical address, a phone number or even a device fingerprint – it is important to track the data around how long these individual data elements have been associated through number of days of usage. When analyzing transactions, the merchant can expect to see a match of previously used customer data for the same consumer, but if there is suddenly a change in any data element along with new address or a payment instrument, the merchant may want to perform additional validation.
- A merchant’s fraud strategy should aim to fully comprehend consumers’ unique transactional behaviors, such as the average spending pattern through a payment instrument, an IP address, an email address, or a phone number. Typically, a fraudster’s average ticket purchase price would be 3-4x higher compared to legitimate consumers’ purchases. When there is an abnormal change or a sudden spike compared to the typical spend, this may serve as a red flag.
- It is also important to monitor average spend behavior per card ‘BIN’ (multiple cards generated from same bin by the issuing bank with each individual card being unique), as well as bot-generated emails or disposable emails. Linking fraudulent behavior from multiple cards in a very short time span may be tied to the BIN attack and the BIN should be blacklisted in a timely manner.
- Fraudsters frequently use bot-generated emails to hide their identity, so merchants should be able to identify such domains and blacklist them as well. Merchants should also look for similarities between the email address and the name on the account.
Overall, customer profile patterns play a tremendous role when it comes to mitigating account takeover fraud, because they help merchants and analysts better detect anomalies. Understanding these patterns leads to wiser decision-making, resulting in reduced losses.
Based on internal research from ACI, 17% of new customers (for a typical merchant) had an existing history across other merchants, versus 84% of fraud being on profiles with minimal (less than 8 days) or no history. This illustrates that global customer profile data is essential when choosing a fraud strategy, so that merchants can see an increase in sales with the least customer friction.