Online Retailers Are Fighting Account Takeover Fraud Fires
Online merchants and retailers face an ever-growing threat from account takeover fraud, which is accelerating in the card-not-present space. Account takeover occurs when a consumer’s credentials for a retailer’s website are compromised, leading to exploitation of that consumer and potentially offering the fraudster a large return on investment. Per research from ACI Worldwide and Javelin Strategy, this type of sophisticated attack accounted for a staggering USD $5 Billion in fraud losses in 2017 alone. The anonymity of the card-not-present environment lets the fraudster hide in the act.
There are several ways consumers can become victims of account takeover fraud, and once they have been exposed, the floodgates are open: the fraudster has not only access to one merchant’s website, but a set of credentials that can be tried on other merchants’ websites (because consumers tend to reuse usernames and passwords). Because of this, account takeover has become a popular tactic among fraudsters, and stolen credentials can be far more valuable than a single stolen credit card.
A growing number of merchants and retailers let consumers store their payment credentials on their websites, so once the fraudster has access they can begin a shopping spree and ship the purchases to new locations. The fraudster also makes it hard for the genuine consumer to log back in by changing the password and physical address on file, essentially locking the genuine owner out of the account. For the retailer trying to investigate, it becomes difficult to determine whether this is truly suspicious behavior, because the legitimate consumer no longer knows the changed password or the email address used for communications when attempting to verify and reestablish their account.
How does account takeover happen?
- Consumers may be tricked or lured into revealing their credentials through friend requests on social media, emails requesting password and account info, or other phishing attempts.
- Data breaches resulting from network security vulnerabilities can lead to account takeover by exposing sensitive customer data, an effect often amplified through a tactic known as credential stuffing. In brute-force style, automated tools collect account credentials through trial and error and then automatically feed them into a merchant site until one matches and the login succeeds. A set of valid, working credentials sells on the dark web for a very nominal price, and the username and password come with instructions as to which merchant websites they can be used to log into.
- Spam emails designed to appear legitimate lead a consumer to click malicious links or open files that download malware onto their devices. This malware may install software known as ‘key loggers,’ which monitor and record keystrokes such as a username, password, and even answers to security questions. The captured data is sent back to the fraudster, who uses it to log into and take over the account.
How can account takeover be prevented?
- Consumers should be advised that it is best practice to use stronger passwords when creating an account or updating a password; the password may contain capital letters, numbers and special characters. Merchants should also require a minimum password length (fraudsters are known to target less tech-savvy individuals) and should monitor access points and times.
- Merchants should choose a fraud solution that considers the consumer’s profile. This can consist of an email address, a physical address, a phone number or even a device fingerprint; it is important to track how long each of these data elements has been associated with the profile, measured in days of use. When analyzing transactions, the merchant can expect to see a match with the customer data previously used by the same consumer, but if a data element suddenly changes along with a new address or a new payment instrument, the merchant may want to perform additional validation.
- A merchant’s fraud strategy should aim to fully understand each consumer’s unique transactional behavior, such as the average spend through a payment instrument, an IP address, an email address, or a phone number. Typically, a fraudster’s average ticket price is 3-4x higher than legitimate consumers’ purchases. An abnormal change or sudden spike compared to the typical spend may serve as a red flag.
- It is also important to monitor average spend behavior per card ‘BIN’ (the issuing bank generates many cards from the same BIN, each individual card being unique), as well as bot-generated or disposable emails. Fraudulent behavior linked across multiple cards in a very short time span may indicate a BIN attack, and the BIN should be blacklisted in a timely manner.
- Fraudsters frequently use bot-generated emails to hide their identity, so merchants should be able to identify such domains and blacklist them as well. Merchants should also look for similarities between the email address and the name on the account.
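As an added example (not ACI’s code or the logic of any ACI product), the following Python scores a constructed order against a stored consumer profile using the heuristics listed above: elements with under 8 days of history, a new address arriving together with a new payment instrument, a ticket 3x or more the consumer’s average, a disposable email domain, an email that does not resemble the account name, and flagged-card velocity per BIN. The thresholds, field names, denylist and sample records are assumptions.

```python
# Added example, not ACI's code: profile-pattern account-takeover heuristics from the list above.
from collections import defaultdict

DISPOSABLE_DOMAINS = {"tempmail.example", "mailinator.example"}  # constructed denylist
NEW_ELEMENT_DAYS, SPIKE_MULTIPLIER, BIN_VELOCITY_LIMIT = 8, 3.0, 3  # assumed thresholds

def element_age(profile, key, value, today):
    stored, first_seen = profile["elements"].get(key, (None, today))  # (value on file, day first seen)
    return today - first_seen if stored == value else 0               # a changed element has no history

def name_matches_email(name, email):
    local = email.split("@")[0].lower()  # does any token of the account name appear in the local part?
    return any(tok in local for tok in name.lower().split() if len(tok) > 2)

def score_order(order, profile, today, bin_hits):
    reasons = []  # returns (decision, reasons); bin_hits maps BIN -> set of cards already flagged
    addr_new = element_age(profile, "address", order["address"], today) < NEW_ELEMENT_DAYS
    card_new = element_age(profile, "card", order["card"], today) < NEW_ELEMENT_DAYS
    if addr_new and card_new:
        reasons.append("new address together with new payment instrument")
    elif addr_new or card_new:
        reasons.append("profile element with under %d days of history" % NEW_ELEMENT_DAYS)
    ratio = order["amount"] / profile["avg_ticket"]
    if ratio >= SPIKE_MULTIPLIER:
        reasons.append("ticket %.1fx the consumer's average spend" % ratio)
    domain = order["email"].rsplit("@", 1)[-1].lower()
    if domain in DISPOSABLE_DOMAINS:
        reasons.append("disposable email domain " + domain)
    if not name_matches_email(profile["name"], order["email"]):
        reasons.append("email does not resemble the account name")
    bin_ = order["card"][:6]  # BIN = first six digits of the masked PAN
    if reasons:
        bin_hits[bin_].add(order["card"])
    if len(bin_hits[bin_]) >= BIN_VELOCITY_LIMIT:
        reasons.append("BIN %s hit by %d distinct flagged cards" % (bin_, len(bin_hits[bin_])))
        return "decline", reasons  # BIN attack pattern: denylist the BIN promptly
    if len(reasons) >= 2:
        return "step_up", reasons  # perform additional validation before fulfilling
    return ("review" if reasons else "approve"), reasons

# Constructed sample: a 400-day-old profile, a routine reorder, then a takeover-shaped order.
PROFILE = {"name": "Jane Doe", "avg_ticket": 60.0,
           "elements": {"address": ("12 Oak St", 100), "card": ("411111******1111", 100)}}
ORDERS = [{"email": "jane.doe@example.com", "address": "12 Oak St", "card": "411111******1111", "amount": 55.0},
          {"email": "qx7r2@tempmail.example", "address": "9 Drop Ln", "card": "411111******2222", "amount": 240.0}]

def run_demo(today=500):
    hits = defaultdict(set)  # shared across orders so BIN velocity accumulates
    return [score_order(o, PROFILE, today, hits) for o in ORDERS]
```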
Overall, customer profile patterns play a tremendous role when it comes to mitigating account takeover fraud, because they help merchants and analysts better detect anomalies. Understanding these patterns leads to wiser decision-making, resulting in reduced losses.
Based on internal research from ACI, 17% of new customers (for a typical merchant) had an existing history across other merchants, versus 84% of fraud occurring on profiles with minimal (less than 8 days) or no history. This illustrates that global customer profile data is essential when choosing a fraud strategy, so that merchants can increase sales with the least customer friction.
Find out more about ACI’s Stream Analytics Engine, which helps merchants fight fraud – including account takeover.