Online Retailers Are Fighting Account Takeover Fraud Fires
Online merchants and retailers are facing an ever-growing threat from account takeover fraud, which is accelerating within the card-not-present space. Account takeover occurs when user credentials for a retailer’s website are compromised, leading to exploitation of a consumer and potentially offering a large return on investment for the fraudster. Per research from ACI Worldwide and Javelin Strategy, this type of sophisticated attack accounted for a staggering USD $5 Billion in fraud losses in 2017 alone. Because the card-not-present environment is anonymous, it lets the fraudster hide in the act.
There are a few different ways that consumers can become victims of account takeover fraud, and once they have been exposed, the floodgates are open for a fraudster who not only has access to one merchant’s website, but a set of credentials that can be tried on other merchants’ websites (due to consumers’ proclivity for reusing usernames and passwords). Because of this, account takeover has become a popular tactic amongst fraudsters, and stolen credentials can be a lot more valuable than one stolen credit card.
A growing number of merchants and retailers allow for consumers to store their payment credentials on their websites, so once the fraudster has access they can begin their shopping spree and ship the purchases to new locations. The fraudster also creates a challenge for the genuine consumer to log back into the website, by changing the password and physical address on file and essentially locking out the genuine account. For the retailer trying to investigate, it becomes difficult to determine whether this is truly suspicious behavior, as the legitimate consumer no longer has knowledge of the changed password or email address used for communications when attempting to verify and reestablish their account.
How does account takeover happen?
- Consumers may be tricked or lured into revealing their credentials through friend requests on social media, emails requesting password and account info, or other phishing attempts.
- Data breaches can occur from network security vulnerabilities that lead to account takeover – essentially allowing sensitive customer data to be exploited, and often enhanced through a tactic known as credential stuffing. In brute force attack style, automated tools collect account credentials and replay them against a merchant site by trial and error until there is a match and a successful login. A set of account credentials that is valid and working can be sold on the dark web for a very nominal price, and along with the username and password come instructions as to which merchant websites the account info can be used to log into.
- Spam emails, designed to appear legitimate, lead a consumer to click on malicious links or open files that can download malware onto their devices. These may install software known as ‘key loggers,’ which can monitor and track keystrokes such as a username, password, and even responses to security questions. This data is fetched and returned to the fraudster, who uses it to log into and take over an account.
How can account takeover be prevented?
- Consumers should be advised that it is best practice to use stronger passwords when an account is created or a password is updated. The password should include capital letters, numbers and special characters. In addition, merchants should require a minimum password length (fraudsters are known to target less tech-savvy individuals) and should also monitor access points and times.
- Merchants should choose a fraud solution that considers a consumer’s profile. This can consist of an email address, a physical address, a phone number or even a device fingerprint – it is important to track how long each of these data elements has been associated with the consumer, measured in days of use. When analyzing transactions, the merchant can expect to see a match of previously used customer data for the same consumer, but if there is suddenly a change in any data element along with a new address or payment instrument, the merchant may want to perform additional validation.
- A merchant’s fraud strategy should aim to fully comprehend consumers’ unique transactional behaviors, such as the average spending pattern through a payment instrument, an IP address, an email address, or a phone number. Typically, a fraudster’s average ticket purchase price would be 3-4x higher compared to legitimate consumers’ purchases. When there is an abnormal change or a sudden spike compared to the typical spend, this may serve as a red flag.
- It is also important to monitor average spend behavior per card ‘BIN’ (the issuing bank generates many cards from the same BIN, with each individual card being unique), as well as bot-generated emails or disposable emails. Fraudulent behavior from multiple cards sharing a BIN in a very short time span may be tied to a BIN attack, and the BIN should be blacklisted in a timely manner.
- Fraudsters frequently use bot-generated emails to hide their identity, so merchants should be able to identify such domains and blacklist them as well. Merchants should also look for similarities between the email address and the name on the account.
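The profile checks in the list above (age of each data element, new address plus new payment instrument, a 3x average-ticket spike, distinct cards per BIN in a short window, disposable email domains, and email/name similarity) combined into one scoring function. This is an added example, not ACI's code; the domain list, the 8-day and 3x figures taken from the post, the 5-card BIN threshold and the 600-second window are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}  # constructed sample list
MIN_HISTORY_DAYS = 8       # the "less than 8 days" window cited in the post
TICKET_SPIKE_FACTOR = 3    # low end of the 3-4x average-ticket rule of thumb
BIN_VELOCITY_CARDS = 5     # assumed: distinct cards from one BIN inside the window

@dataclass
class Profile:             # how long each data element has been tied to this customer
    email_age_days: int
    address_age_days: int
    payment_age_days: int
    avg_ticket: float

@dataclass
class Order:
    email: str
    name: str
    amount: float
    card: str              # masked/tokenized PAN; only the 6-digit BIN prefix is used
    ts: int                # epoch seconds
    new_address: bool
    new_payment: bool

def email_matches_name(email, name):
    """Rough check that part of the account name appears in the mailbox."""
    local = email.split("@")[0].lower()
    return any(tok in local for tok in name.lower().split() if len(tok) > 2)

def cards_per_bin(orders, now, window=600):  # distinct cards per BIN in the window
    seen = defaultdict(set)
    for o in orders:
        if now - window <= o.ts <= now:
            seen[o.card[:6]].add(o.card)
    return {b: len(c) for b, c in seen.items()}

def ato_signals(profile, order, recent_orders):  # red flags raised by this order
    flags = []
    if order.email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
        flags.append("disposable_email")
    if not email_matches_name(order.email, order.name):
        flags.append("email_name_mismatch")
    if min(profile.email_age_days, profile.address_age_days, profile.payment_age_days) < MIN_HISTORY_DAYS:
        flags.append("thin_history")
    if order.new_address and order.new_payment:
        flags.append("new_address_and_payment")
    if profile.avg_ticket > 0 and order.amount >= TICKET_SPIKE_FACTOR * profile.avg_ticket:
        flags.append("ticket_spike")
    velocity = cards_per_bin(recent_orders + [order], order.ts)
    if velocity.get(order.card[:6], 0) >= BIN_VELOCITY_CARDS:
        flags.append("bin_velocity")
    return flags
```

Any non-empty result is a cue for additional validation rather than an automatic decline; the flags are meant to feed the profile-based strategy described above.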
Overall, customer profile patterns play a tremendous role when it comes to mitigating account takeover fraud, because they help merchants and analysts better detect anomalies. Understanding these patterns leads to wiser decision-making, resulting in reduced losses.
Based on internal research from ACI, 17% of new customers (for a typical merchant) had an existing history across other merchants, versus 84% of fraud being on profiles with minimal (less than 8 days) or no history. This illustrates that global customer profile data is essential when choosing a fraud strategy, so that merchants can see an increase in sales with the least customer friction.