Online Retailers Are Fighting Account Takeover Fraud Fires
Online merchants and retailers are facing an ever-growing threat from account takeover fraud, which is accelerating within the card-not-present space. Account takeover occurs when user credentials for a retailer’s website are compromised, leading to exploitation of a consumer and potentially offering a large return on investment for the fraudster. Per research from ACI Worldwide and Javelin Strategy, this type of sophisticated attack accounted for a staggering USD $5 Billion in fraud losses in 2017 alone. The card-not-present environment, due to anonymity, allows a fraudster to hide themselves in the act.
There are a few different ways that consumers can become victims of account takeover fraud, and once they have been exposed, the floodgates are open for a fraudster who not only has access to one merchant’s website, but a set of credentials that can be tried on other merchants’ websites (due to consumers’ proclivity for reusing usernames and passwords). Because of this, account takeover has become a popular tactic amongst fraudsters, and stolen credentials can be a lot more valuable than one stolen credit card.
A growing number of merchants and retailers allow for consumers to store their payment credentials on their websites, so once the fraudster has access they can begin their shopping spree and ship the purchases to new locations. The fraudster also creates a challenge for the genuine consumer to log back into the website, by changing the password and physical address on file and essentially locking out the genuine account. For the retailer trying to investigate, it becomes difficult to determine whether this is truly suspicious behavior, as the legitimate consumer no longer has knowledge of the changed password or email address used for communications when attempting to verify and reestablish their account.
How does account takeover happen?
- Consumers may be tricked or lured into revealing their credentials through friend requests on social media, emails requesting password and account info, or other phishing attempts.
- Data breaches can occur from network security vulnerabilities that lead to account takeover – essentially allowing sensitive customer data to be exploited, and often enhanced through a tactic known as credential stuffing. In brute force attack style, automated tools scan and collect account credentials through trial and error, which are then automatically populated into a merchant site until there is a match and a successful login. A set of account credentials which are valid and working can be sold on the dark web for a very nominal purchase price, and along with the username and password come instructions as to which merchant websites the account info can be used to log into.
- Spam emails, designed to appear legitimate, lead a consumer to click on malicious links or open files that can download malware onto their devices. These may install software known as ‘key loggers,’ which can monitor and track keystrokes such as a username, password, and even responses to security questions. This data is fetched and returned to the fraudster, who uses it to log into and take over an account.
How can account takeover be prevented?
- Consumers should be advised that it is best practice to utilize stronger passwords when an account is created or a password updated. The password may contain capital letters, numbers and special characters. In addition, merchants should also require a certain length of the password (fraudsters are known to target less tech-savvy individuals) and should also monitor access points and times.
- Merchants should choose a fraud solution that considers a consumer’s profile. This can consist of an email address, a physical address, a phone number or even a device fingerprint – it is important to track the data around how long these individual data elements have been associated through number of days of usage. When analyzing transactions, the merchant can expect to see a match of previously used customer data for the same consumer, but if there is suddenly a change in any data element along with new address or a payment instrument, the merchant may want to perform additional validation.
- A merchant’s fraud strategy should aim to fully comprehend consumers’ unique transactional behaviors, such as the average spending pattern through a payment instrument, an IP address, an email address, or a phone number. Typically, a fraudster’s average ticket purchase price would be 3-4x higher compared to legitimate consumers’ purchases. When there is an abnormal change or a sudden spike compared to the typical spend, this may serve as a red flag.
- It is also important to monitor average spend behavior per card ‘BIN’ (multiple cards generated from same bin by the issuing bank with each individual card being unique), as well as bot-generated emails or disposable emails. Linking fraudulent behavior from multiple cards in a very short time span may be tied to the BIN attack and the BIN should be blacklisted in a timely manner.
- Fraudsters frequently use bot-generated emails to hide their identity, so merchants should be able to identify such domains and blacklist them as well. Merchants should also look for similarities between the email address and the name on the account.
Overall, customer profile patterns play a tremendous role when it comes to mitigating account takeover fraud, because they help merchants and analysts better detect anomalies. Understanding these patterns leads to wiser decision-making, resulting in reduced losses.
Based on internal research from ACI, 17% of new customers (for a typical merchant) had an existing history across other merchants, versus 84% of fraud being on profiles with minimal (less than 8 days) or no history. This illustrates that global customer profile data is essential when choosing a fraud strategy, so that merchants can see an increase in sales with the least customer friction.
Find out more about ACI’s Stream Analytics Engine, which helps merchant fight fraud – including account takeover.
Related Blog Posts
Removing Gender Bias and Enabling Women to Succeed in Leadership Roles
The recent UK Women in Payments (WIP) Symposium 2019 took place in London, recognizing unique leaders who help uplift women in the payments industry. Among those recognized was ACI’s Melissa McKendry, vice president, Retail Banking Implementation Services, who was honored by WIP as the 2019 Advocate for Women.
Regulating for Real-Time: The Role of Government in Payments Modernization
Dr. Leo Lipis and Craig Ramsey, Head of Real-Time Payments for ACI Worldwide, continue their discussion on real-time payments and the findings of the new white paper, Get More from Real-Time.
Payments and Fraud: The Paradox Twins
Digital commerce through web and mobile is where merchants predominantly experience shopper growth today. This has become a hugely important domain for their focus. It offers a means for international growth, new market penetration and a way to engage with shopper-hungry Millennials in their culture. Merchants frequently adopt a Digital-First, eCommerce-First or Mobile-First strategy to ensure full corporate buy-in to this strategy.
Open Payments Systems for Merchants: Don't Close Down Your Options
Remember “Open Systems”?
It was a big industry nom du jour in the 80s and 90s. Every IT system had to be open and therefore flexible and future-proof. Nobody can argue with the logic behind this; making systems easy to integrate with other systems, ensuring vendors could cooperate with one another; creating agility to improve time to market and drive down costs.
Issuing and Acquiring in a Real-Time and Open Payments Ecosystem – The Global Picture
Dr Leo Lipis and Craig Ramsey, Head of Real-Time Payments for ACI Worldwide, continue their discussion on real-time payments, stemming from the findings of the new white paper, Get More from Real-Time. See part one.
Why It’s Time for Women to Rise UP
As a senior software engineer at ACI Worldwide, Rawan Shawar helps to guide her team’s priorities and enhance processes at both the team and organizational level. Recently, Rawan was selected by the organizers of Money20/20 Asia to be part the Rise Up Class of 2019.
Can Digital Payments Be Kind?
There is no doubt that the era of less (or minimal) cash is truly upon us. According to the Access to Cash Review, cash could fall to just 10 percent of all payments in the UK within the next 15 years.
Other countries, such as Sweden, have already seen significant changes – cashless payments have grown so quickly that only 10 percent of the 20 SEB banks in Stockholm now hold cash. Beyond Europe, China is leading the way with USD$12.8 trillion in mobile payment transactions in 2018.
SWIFT gpi: Leveraging Cross-Border Payments for the Real-Time World
SWIFT gpi represents the evolution of business done over the SWIFT network, bringing correspondent banking into the digital era.
I’ve covered this topic before, but with gpi now reaching the two-year milestone, it’s a good chance to reassess the progress that has been made – and what is needed to drive further adoption.
Keeping Up With Fraudsters: A Month Isn’t Enough
As the Government of Canada campaigns for improved fraud prevention and awareness this month, I’d like to do my part as a fellow Canadian, and shed some light on why payments need to stay a step (or more) ahead of fraudsters, today more than ever.
Local Perspectives: Real-Time Realities Across Asia-Pacific in 2019
Money20/20 Asia returns to Singapore this week, attracting payments professionals from around the vast APAC region – and beyond. The real-time and open imperative is one of the reasons why all eyes are on Asia-Pacific when it comes to payments, so I caught up with ACI payments experts representing three of the key countries within the region, to take the pulse of real-time schemes that are in varying stages of maturity.