Online Retailers Are Fighting Account Takeover Fraud Fires
Online merchants and retailers are facing an ever-growing threat from account takeover fraud, which is accelerating within the card-not-present space. Account takeover occurs when user credentials for a retailer’s website are compromised, leading to exploitation of a consumer and potentially offering a large return on investment for the fraudster. Per research from ACI Worldwide and Javelin Strategy, this type of sophisticated attack accounted for a staggering USD 5 billion in fraud losses in 2017 alone. Because the card-not-present environment is anonymous, it lets a fraudster stay hidden while carrying out the attack.
There are a few different ways that consumers can become victims of account takeover fraud, and once they have been exposed, the floodgates are open for a fraudster who not only has access to one merchant’s website, but a set of credentials that can be tried on other merchants’ websites (due to consumers’ proclivity for reusing usernames and passwords). Because of this, account takeover has become a popular tactic amongst fraudsters, and stolen credentials can be a lot more valuable than one stolen credit card.
A growing number of merchants and retailers allow for consumers to store their payment credentials on their websites, so once the fraudster has access they can begin their shopping spree and ship the purchases to new locations. The fraudster also creates a challenge for the genuine consumer to log back into the website, by changing the password and physical address on file and essentially locking out the genuine account. For the retailer trying to investigate, it becomes difficult to determine whether this is truly suspicious behavior, as the legitimate consumer no longer has knowledge of the changed password or email address used for communications when attempting to verify and reestablish their account.
How does account takeover happen?
- Consumers may be tricked or lured into revealing their credentials through friend requests on social media, emails requesting password and account info, or other phishing attempts.
- Data breaches caused by network security vulnerabilities expose sensitive customer data that can then be used for account takeover, often amplified through a tactic known as credential stuffing: in brute-force fashion, automated tools collect account credentials and feed them into a merchant site by trial and error until one matches and the login succeeds. A set of valid, working account credentials can be sold on the dark web for a very nominal price, and along with the username and password come instructions as to which merchant websites the account can be used to log into.
- Spam emails, designed to appear legitimate, lead a consumer to click on malicious links or open files that can download malware onto their devices. These may install software known as ‘key loggers,’ which can monitor and track keystrokes such as a username, password, and even responses to security questions. This data is fetched and returned to the fraudster, who uses it to log into and take over an account.
How can account takeover be prevented?
- Consumers should be advised that it is best practice to use a strong password when an account is created or a password is updated: one containing capital letters, numbers and special characters. In addition, merchants should require a minimum password length (fraudsters are known to target less tech-savvy individuals) and should also monitor access points and times.
- Merchants should choose a fraud solution that considers a consumer’s profile. This can consist of an email address, a physical address, a phone number or even a device fingerprint – it is important to track the data around how long these individual data elements have been associated through number of days of usage. When analyzing transactions, the merchant can expect to see a match of previously used customer data for the same consumer, but if there is suddenly a change in any data element along with new address or a payment instrument, the merchant may want to perform additional validation.
- A merchant’s fraud strategy should aim to fully comprehend consumers’ unique transactional behaviors, such as the average spending pattern through a payment instrument, an IP address, an email address, or a phone number. Typically, a fraudster’s average ticket purchase price would be 3-4x higher compared to legitimate consumers’ purchases. When there is an abnormal change or a sudden spike compared to the typical spend, this may serve as a red flag.
- It is also important to monitor average spend behavior per card ‘BIN’ (the issuing bank generates multiple cards from the same BIN, with each individual card being unique), as well as bot-generated or disposable emails. Fraudulent behavior linked across multiple cards in a very short time span may indicate a BIN attack, and the BIN should be blacklisted in a timely manner.
- Fraudsters frequently use bot-generated emails to hide their identity, so merchants should be able to identify such domains and blacklist them as well. Merchants should also look for similarities between the email address and the name on the account.
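As an added illustration (not code from the post or from ACI's products), the Python sketch below scores each transaction against the red flags listed above: a ticket well above the customer's running average, a new shipping address arriving together with a new payment instrument, several distinct cards from one BIN inside a short window, a disposable email domain, and an email address that shares nothing with the account name. The disposable-domain list, the 30-minute BIN window, the thresholds and the transaction records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}  # constructed sample list
BIN_WINDOW = timedelta(minutes=30)  # assumed velocity window
BIN_CARD_LIMIT = 3                  # distinct cards from one BIN inside the window

@dataclass
class Txn:
    customer: str
    ts: datetime
    amount: float
    card: str               # constructed tag: 6-digit BIN followed by a per-card suffix
    email: str
    name: str
    ship_addr: str

class AtoScorer:
    def __init__(self):
        self.spend = defaultdict(list)      # customer -> past ticket amounts
        self.cards = defaultdict(set)       # customer -> payment instruments seen
        self.addrs = defaultdict(set)       # customer -> shipping addresses seen
        self.bin_hits = defaultdict(list)   # BIN -> [(ts, card)] for velocity checks

    def score(self, t):
        flags, bin_, hist = [], t.card[:6], self.spend[t.customer]
        # Spend spike: ticket at least 3x the customer's running average
        if hist and t.amount >= 3 * sum(hist) / len(hist):
            flags.append("spend_spike")
        # A new shipping address arriving together with a new payment instrument
        if self.addrs[t.customer] and t.ship_addr not in self.addrs[t.customer] \
                and t.card not in self.cards[t.customer]:
            flags.append("new_address_and_card")
        # BIN velocity: several distinct cards from one BIN within a short window
        recent = [h for h in self.bin_hits[bin_] if t.ts - h[0] <= BIN_WINDOW]
        recent.append((t.ts, t.card))
        self.bin_hits[bin_] = recent
        if len({c for _, c in recent}) >= BIN_CARD_LIMIT:
            flags.append("bin_velocity")
        # Disposable email domain, or an email sharing nothing with the account name
        local, domain = t.email.lower().rsplit("@", 1)
        if domain in DISPOSABLE_DOMAINS:
            flags.append("disposable_email")
        if not any(part in local for part in t.name.lower().split()):
            flags.append("email_name_mismatch")
        # Record history only after scoring, so each ticket is judged against the past
        hist.append(t.amount)
        self.cards[t.customer].add(t.card)
        self.addrs[t.customer].add(t.ship_addr)
        return flags
```

The scorer keeps its own in-memory history, so feeding it a customer's past orders first is what makes the spend and address checks meaningful.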
Overall, customer profile patterns play a tremendous role when it comes to mitigating account takeover fraud, because they help merchants and analysts better detect anomalies. Understanding these patterns leads to wiser decision-making, resulting in reduced losses.
Based on internal research from ACI, 17% of new customers (for a typical merchant) had an existing history across other merchants, versus 84% of fraud being on profiles with minimal (less than 8 days) or no history. This illustrates that global customer profile data is essential when choosing a fraud strategy, so that merchants can see an increase in sales with the least customer friction.