Account Takeover: The Burgeoning Fraud Profession
Data security features frequently in the news headlines these days, in some form or other. Today’s consumers are increasingly protective of their personal data and concerned about its use. Yet an increasing number of apps and websites allow new customers to use external logins (from social media accounts for instance) to set up new accounts.
Consequently, Account Takeover (ATO) fraud has become more lucrative, presenting one of the easiest routes for fraud now that other methods – especially around physical payments – have become less effective as channels have become more secure.
Criminals can also obtain credentials data via the dark web, gleaned from hacking and data breaches. When an app or merchant is compromised, stolen credentials might be used across many different accounts with the same username and password, providing fraudsters with an ideal opportunity to make money fast.
The invisible career ladder in a hidden industry
While ATO can be committed by a standalone fraudster attacking a single computer or account, more seasoned fraudsters often operate on a larger scale. Our experience shows that it is fast becoming a professional process with increasingly sophisticated methods and a hierarchy of participants.
The following is a very common scenario:
- A person with strong computer science skills develops a bot and sells it on – they don’t commit fraud directly, but they may supply to those who do.
- The buyer runs the bot to test whether it can gain the data and access needed to take over accounts.
- They then resell the product and/or the list of verified accounts to another party, who steals using the compromised accounts.
With the endless churn of stolen data on offer, the ‘buy-sell-steal’ cycle is allowing Account Takeover fraud to become an industry unto itself.
Reduced friction adds fuel to the fraud fire
Because merchants don’t have the same level of protections in place as banks, they are increasingly the target of Account Takeover fraud as criminals look to exploit the weakest link and make their money as quickly and invisibly as possible.
At the same time, to remain competitive, many merchants are looking to match the customer experience provided by the world’s leading eCommerce businesses. This includes offering one-click checkouts, stored payment details, saved passwords and fast fulfilment options.
Once a fraudster has hacked a computer and email address, they can reset the password very easily, then change the email and/or shipping address. Again, the process is made easy for customers, but it makes access for criminals quicker and easier too.
Sophisticated fraud methods need sophisticated counter-measures
As fraudsters develop their methods and take advantage of new technologies, the response from merchants must at least evolve at the same pace and in the same direction.
Positive profiling can be an invaluable tool in the fight against Account Takeover fraud. By analyzing the history of a customer across multiple merchants, positive profiling can match up data points such as device ID, IP address, email, shipping address and a wealth of other identifiers – and highlight when new variables show up.
It can also help by flagging behavior that is unusual for that particular customer, or spot practices that are common in ATO. For example, in the fraud chain, it is common for someone to simply log on as the genuine customer to validate the profile or account so they can then sell onwards. This may then be followed by a second login with a change of email or address, followed by a new purchase. When a password and email address are changed in quick succession, this too should raise concerns. In this case, merchants can send confirmation emails to both the old and new email address for a defined period, in case it was not the genuine customer who made those changes.
The power of positive profiling lies in the combination of sophisticated analytics, coupled with cross-sector merchant consortium data and flexible fraud prevention tools. And of course, the more merchants (and other players in the payments ecosystem) are involved in intelligence-sharing, the more effective the fraud screening process becomes.
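The login, change and purchase sequence described above can be expressed as detection rules over an account event log. This is an added example, not code from the original article or from any vendor product; the event names, tuple layout, time windows, the 14-day notification period and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

QUICK = timedelta(minutes=10)      # assumed "quick succession" window
FOLLOW = timedelta(hours=24)       # assumed change-then-purchase window
NOTIFY_BOTH = timedelta(days=14)   # assumed "defined period" for dual notices

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed positive profile: device IDs already seen for each account.
KNOWN = {"alice": {"dev-A"}, "bob": {"dev-B"}}
# Constructed sample events: (time, account, event type, device ID).
EVENTS = [
    (ts("2021-01-04 09:00"), "alice", "login", "dev-A"),
    (ts("2021-01-04 09:05"), "alice", "purchase", "dev-A"),
    (ts("2021-01-05 12:00"), "bob", "login", "dev-B"),
    (ts("2021-01-05 12:01"), "bob", "address_change", "dev-B"),
    (ts("2021-01-05 12:30"), "bob", "purchase", "dev-B"),
    (ts("2021-01-09 02:10"), "alice", "login", "dev-X"),   # validation-only login
    (ts("2021-01-11 03:00"), "alice", "login", "dev-X"),
    (ts("2021-01-11 03:02"), "alice", "password_change", "dev-X"),
    (ts("2021-01-11 03:04"), "alice", "email_change", "dev-X"),
    (ts("2021-01-11 03:20"), "alice", "purchase", "dev-X"),
]

def detect(events, known):
    """Return (account, rule, time) alerts for the ATO patterns in the text."""
    alerts, last = [], {}   # last: (account, event type) -> (time, device)
    for when, acct, kind, dev in sorted(events, key=lambda e: e[0]):
        new_dev = dev not in known.get(acct, set())
        if kind == "login" and new_dev:
            alerts.append((acct, "new_device_login", when))
        if kind in ("password_change", "email_change"):
            other = "email_change" if kind == "password_change" else "password_change"
            prev = last.get((acct, other))
            if prev and when - prev[0] <= QUICK:
                alerts.append((acct, "password_and_email_changed", when))
        if kind == "purchase" and new_dev:
            for change in ("email_change", "address_change"):
                prev = last.get((acct, change))
                if prev and prev[1] == dev and when - prev[0] <= FOLLOW:
                    alerts.append((acct, "change_then_purchase", when))
                    break
        last[(acct, kind)] = (when, dev)
    return alerts

def notify_addresses(old, new, changed_at, now):
    """Confirmation goes to both addresses until the hold period expires."""
    return [old, new] if now - changed_at <= NOTIFY_BOTH else [new]
```

Bob's address change and purchase on his usual device raise nothing, while the same sequence on an unseen device for Alice produces four alerts; that difference is what the profile history contributes.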
Collaboration must continue
Consortium data should just be the starting point for broader collaboration across the industry.
From my work with merchants around the world, I have seen first-hand the value of collaboration in creating a more efficient, compliant, safe and profitable environment for the whole ecosystem. I am a very strong believer in the difference that industry co-operation can make in shutting down fraud, and it’s for this reason that I have been serving on the Advisory Board of the Merchant Risk Council (MRC) for the past six years.
The Merchant Risk Council brings together the largest eCommerce merchants with solution providers, card schemes, issuers, payment processors and other eCommerce companies to provide networking, education, benchmarking and advocacy opportunities, along with a trusted environment for global merchants to share their experiences. It is a worthwhile and successful endeavour from which the entire industry benefits.