Online Retailers Are Fighting Account Takeover Fraud Fires
Online merchants and retailers face an ever-growing threat from account takeover fraud, which is accelerating in the card-not-present space. Account takeover occurs when a user’s credentials for a retailer’s website are compromised, leading to exploitation of the consumer and potentially offering the fraudster a large return on investment. Per research from ACI Worldwide and Javelin Strategy, this type of sophisticated attack accounted for a staggering USD $5 Billion in fraud losses in 2017 alone. The anonymity of the card-not-present environment lets a fraudster hide in the act.
There are a few different ways that consumers can become victims of account takeover fraud, and once they have been exposed, the floodgates are open for a fraudster who not only has access to one merchant’s website, but a set of credentials that can be tried on other merchants’ websites (due to consumers’ proclivity for reusing usernames and passwords). Because of this, account takeover has become a popular tactic amongst fraudsters, and stolen credentials can be a lot more valuable than one stolen credit card.
A growing number of merchants and retailers allow consumers to store their payment credentials on their websites, so once the fraudster has access they can begin their shopping spree and ship the purchases to new locations. The fraudster also makes it hard for the genuine consumer to log back into the website, by changing the password and physical address on file and essentially locking the genuine owner out of the account. For the retailer trying to investigate, it becomes difficult to determine whether this is truly suspicious behavior: when the legitimate consumer attempts to verify and reestablish their account, they no longer know the changed password or the email address now used for communications.
How does account takeover happen?
- Consumers may be tricked or lured into revealing their credentials through friend requests on social media, emails requesting password and account info, or other phishing attempts.
- Network security vulnerabilities can lead to data breaches that expose sensitive customer data, which is then exploited, often amplified through a tactic known as credential stuffing. In brute-force style, automated tools collect account credentials through trial and error and automatically submit them to a merchant site until there is a match and a successful login. A set of valid, working account credentials can be sold on the dark web for a very nominal price, and along with the username and password come instructions as to which merchant websites the account info can be used to log into.
- Spam emails, designed to appear legitimate, lead a consumer to click on malicious links or open files that can download malware onto their devices. These may install software known as ‘key loggers,’ which can monitor and track keystrokes such as a username, password, and even responses to security questions. This data is fetched and returned to the fraudster, who uses it to log into and take over an account.
How can account takeover be prevented?
- Consumers should be advised that it is best practice to use stronger passwords when an account is created or a password is updated. The password may contain capital letters, numbers and special characters. In addition, merchants should require a certain minimum password length (fraudsters are known to target less tech-savvy individuals) and should also monitor access points and times.
- Merchants should choose a fraud solution that considers a consumer’s profile. This can consist of an email address, a physical address, a phone number or even a device fingerprint; it is important to track how long each of these individual data elements has been associated with the profile, measured in days of use. When analyzing transactions, the merchant can expect to see a match with previously used customer data for the same consumer, but if there is suddenly a change in any data element along with a new address or a new payment instrument, the merchant may want to perform additional validation.
- A merchant’s fraud strategy should aim to fully comprehend consumers’ unique transactional behaviors, such as the average spending pattern through a payment instrument, an IP address, an email address, or a phone number. Typically, a fraudster’s average ticket purchase price would be 3-4x higher compared to legitimate consumers’ purchases. When there is an abnormal change or a sudden spike compared to the typical spend, this may serve as a red flag.
- It is also important to monitor average spend behavior per card ‘BIN’ (the bank identification number shared by the many cards an issuing bank generates from it, each individual card otherwise being unique), as well as bot-generated or disposable emails. Fraudulent behavior linked across multiple cards from the same BIN within a very short time span may indicate a BIN attack, and the BIN should be blacklisted in a timely manner.
- Fraudsters frequently use bot-generated emails to hide their identity, so merchants should be able to identify such domains and blacklist them as well. Merchants should also look for similarities between the email address and the name on the account.
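The profile-pattern checks above (data-element age, spend spike against the consumer’s own average, BIN velocity, disposable email domains) as one scoring routine run over constructed orders. This is an added illustration, not ACI’s code: the field names, thresholds, the masked card numbers and the disposable-domain list are all assumptions.

```python
"""Profile-pattern ATO checks over constructed orders; illustration, not ACI's code."""
from collections import defaultdict
from datetime import datetime, timedelta

DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}  # assumed domain blocklist
SPIKE_FACTOR = 3.0          # page: fraud tickets run 3-4x a genuine consumer's average
MIN_AGE_DAYS = 8            # page: 84% of fraud sat on profiles with <8 days of history
BIN_WINDOW = timedelta(hours=1)
BIN_CARD_LIMIT = 3          # assumed: 3+ distinct cards on one BIN inside the window

def score_order(order, profile, bin_seen):
    """Return the red flags raised by one order.
    profile: {'email'|'address'|'card': {value: first_seen_datetime}, 'avg_spend': float}
    bin_seen: BIN -> [(ts, card)] observed across all customers (updated in place)."""
    flags, ts = [], order["ts"]
    # 1. Days each data element has been associated with this profile.
    fresh = {e for e in ("email", "address", "card")
             if (ts - profile.get(e, {}).get(order[e], ts)).days < MIN_AGE_DAYS}
    if {"address", "card"} <= fresh:      # new ship-to plus new instrument
        flags.append("new_address_and_instrument")
    # 2. Ticket size versus this consumer's own average spend.
    if profile.get("avg_spend") and order["amount"] >= SPIKE_FACTOR * profile["avg_spend"]:
        flags.append("spend_spike")
    # 3. BIN velocity: distinct cards sharing the first six digits in a short window.
    bin_ = order["card"][:6]
    recent = [(t, c) for t, c in bin_seen[bin_] if ts - t <= BIN_WINDOW] + [(ts, order["card"])]
    bin_seen[bin_] = recent
    if len({c for _, c in recent}) >= BIN_CARD_LIMIT:
        flags.append("bin_velocity")
    # 4. Disposable / bot-generated email domain.
    if order["email"].rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        flags.append("disposable_email")
    return flags

def demo():
    """Constructed sample: one genuine order, then two orders showing ATO signals."""
    t0 = datetime(2019, 1, 10, 12, 0)
    old = t0 - timedelta(days=400)
    profile = {"email": {"jane@example.com": old}, "address": {"1 Old St": old},
               "card": {"411111******1111": old}, "avg_spend": 60.0}
    base = {"email": "x9q@mailinator.com", "address": "99 New Rd"}
    orders = [
        {"ts": t0, "amount": 55.0, "email": "jane@example.com",
         "address": "1 Old St", "card": "411111******1111"},
        {"ts": t0 + timedelta(minutes=5), "amount": 240.0, "card": "411111******2222", **base},
        {"ts": t0 + timedelta(minutes=9), "amount": 230.0, "card": "411111******3333", **base},
    ]
    bin_seen = defaultdict(list)
    return [score_order(o, profile, bin_seen) for o in orders]
```

The first order matches the stored profile and raises nothing; the second trips the new-address-plus-new-instrument, spend-spike and disposable-email checks; the third additionally trips BIN velocity once a third distinct card on the same BIN appears inside the window.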
Overall, customer profile patterns play a tremendous role when it comes to mitigating account takeover fraud, because they help merchants and analysts better detect anomalies. Understanding these patterns leads to wiser decision-making, resulting in reduced losses.
Based on internal research from ACI, 17% of new customers (for a typical merchant) had an existing history across other merchants, versus 84% of fraud being on profiles with minimal (less than 8 days) or no history. This illustrates that global customer profile data is essential when choosing a fraud strategy, so that merchants can see an increase in sales with the least customer friction.
Find out more about ACI’s Stream Analytics Engine, which helps merchants fight fraud, including account takeover.