Account Takeover: The Burgeoning Fraud Profession
Data security features frequently in the news headlines these days, in some form or other. Today’s consumers are increasingly protective of their personal data and concerned about its use. Yet an increasing number of apps and websites allow new customers to use external logins (from social media accounts for instance) to set up new accounts.
Consequently, Account Takeover (ATO) fraud has become more lucrative, presenting one of the easiest routes for fraud now that other methods – especially around physical payments – have become less effective as channels have become more secure.
Criminals can also obtain credentials data via the dark web, gleaned from hacking and data breaches. When an app or merchant is compromised, stolen credentials might be used across many different accounts with the same username and password, providing fraudsters with an ideal opportunity to make money fast.
The invisible career ladder in a hidden industry
While ATO can be committed by a standalone fraudster attacking a single computer or account, more seasoned fraudsters often operate on a larger scale. Our experience shows that it is fast becoming a professional process with increasingly sophisticated methods and a hierarchy of participants.
Following is a very common scenario:
- A person with strong computer science skills develops a bot and sells it on – they don’t commit fraud directly, but they may supply to those who do.
- The buyer runs the bot to test whether it can gain the data and access needed to take over accounts.
- They then resell the product and/or the list of verified accounts to another party, who steals using the compromised accounts.
With the endless churn of stolen data on offer, the ‘buy-sell-steal’ cycle is allowing Account Takeover fraud to become an industry unto itself.
Reduced friction adds fuel to the fraud fire
Because merchants don’t have the same level of protections in place as banks, they are increasingly the target of Account Takeover fraud as criminals look to exploit the weakest link and make their money as quickly and invisibly as possible.
At the same time, to remain competitive, many merchants are looking to match the customer experience provided by the world’s leading eCommerce businesses. This includes offering one-click checkouts, stored payment details, saved passwords and fast fulfilment options.
Once a fraudster has hacked a computer and email address, they can reset the password very easily, then change the email and/or shipping address. Again, the process is made easy for customers, but it makes access for criminals quicker and easier too.
Sophisticated fraud methods need sophisticated counter-measures
As fraudsters develop their methods and take advantage of new technologies, the response from merchants must at least evolve at the same pace and in the same direction.
Positive profiling can be an invaluable tool in the fight against Account Takeover fraud. By analyzing the history of a customer across multiple merchants, positive profiling can match up data points such as device ID, IP address, email, shipping address and a wealth of other identifiers – and highlight when new variables show up.
It can also help by flagging behavior that is unusual for that particular customer, or by spotting practices that are common in ATO. For example, in the fraud chain, it is common for someone to simply log on as the genuine customer to validate the profile or account so they can then sell it onwards. This may then be followed by a second login with a change of email or address, followed by a new purchase. When a password and email address are changed in quick succession, this too should raise concerns. In this case, merchants can send confirmation emails to both the old and new email address for a defined period, in case it was not the genuine customer who made those changes.
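The three heuristics described above (a never-before-seen device or IP for this customer, password and email changed in quick succession with confirmation sent to both addresses, and login followed by a profile change and a purchase) as an added illustrative rule engine; this is example code written for this post, not ACI's product, and the event fields, the 15-minute window and the sample history are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event history for one customer (field names, values and
# timestamps are assumptions made for this example, not a real merchant's data).
EVENTS = [
    {"ts": "2019-03-01T10:00:00", "type": "login", "device": "dev-A", "ip": "198.51.100.7"},
    {"ts": "2019-03-05T09:10:00", "type": "login", "device": "dev-A", "ip": "198.51.100.7"},
    {"ts": "2019-03-09T02:00:00", "type": "login", "device": "dev-Z", "ip": "203.0.113.9"},
    {"ts": "2019-03-09T02:03:00", "type": "password_change"},
    {"ts": "2019-03-09T02:04:00", "type": "email_change", "old": "a@example.com", "new": "b@example.net"},
    {"ts": "2019-03-09T02:06:00", "type": "address_change"},
    {"ts": "2019-03-09T02:08:00", "type": "purchase", "amount": 900},
]

WINDOW = timedelta(minutes=15)   # "quick succession" threshold, an assumed value

def score_events(events):
    """Run three ATO heuristics over one customer's history; return (ts, rule, detail) alerts."""
    alerts = []
    seen = defaultdict(set)      # identifier name -> values previously seen for this customer
    recent = []                  # (timestamp, type) of events inside the sliding WINDOW
    last_email = None
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        # Rule 1 (positive profiling): a device or IP never seen before for this customer.
        if e["type"] == "login":
            for key in ("device", "ip"):
                if seen[key] and e[key] not in seen[key]:
                    alerts.append((ts, "new_identifier", f"{key}={e[key]}"))
                seen[key].add(e[key])
        if e["type"] == "email_change":
            last_email = e
        recent = [(t, k) for t, k in recent if ts - t <= WINDOW] + [(ts, e["type"])]
        kinds = {k for _, k in recent}
        # Rule 2: password and email changed in quick succession -> confirm to BOTH addresses.
        if e["type"] in ("password_change", "email_change") and {"password_change", "email_change"} <= kinds:
            alerts.append((ts, "credential_change_burst",
                           f"notify {last_email['old']} and {last_email['new']}"))
        # Rule 3: login, then an email/address change, then a purchase, all inside the window.
        if e["type"] == "purchase" and "login" in kinds and kinds & {"email_change", "address_change"}:
            alerts.append((ts, "ato_chain", "purchase after login + profile change"))
    return alerts

if __name__ == "__main__":
    for ts, rule, detail in score_events(EVENTS):
        print(ts.isoformat(), rule, detail)
```

In production the "seen" sets would be populated from consortium history across merchants rather than from a single merchant's log, which is what makes the first rule effective on a customer's very first visit to a given site.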
The power of positive profiling lies in the combination of sophisticated analytics, coupled with cross-sector merchant consortium data and flexible fraud prevention tools. And of course, the more merchants (and other players in the payments ecosystem) are involved in intelligence-sharing, the more effective the fraud screening process becomes.
Collaboration must continue
Consortium data should just be the starting point for broader collaboration across the industry.
From my work with merchants around the world, I have seen first-hand the value of collaboration in creating a more efficient, compliant, safe and profitable environment for the whole ecosystem. I am a very strong believer in the difference that industry co-operation can make in shutting down fraud, and it’s for this reason that I have been serving on the Advisory Board of the Merchant Risk Council (MRC) for the past six years.
I will be exploring the topic of Account Takeover fraud further at MRC Vegas 2019, as part of an expert panel examining the trends in ATO, the methods used by fraudsters and how merchants can mitigate them.
Merchant Risk Council brings together the largest eCommerce merchants with solution providers, card schemes, issuers, payment processors and other eCommerce companies to provide networking, education, benchmarking and advocacy opportunities, along with a trusted environment for global merchants to share their experiences. It is a worthwhile and successful endeavour from which the entire industry benefits.
Attending MRC Vegas 2019? Find out more about our real-time fraud prevention solution for merchants, or hear Erika Dietrich share further insights in a panel discussion 'Fraud Strategies to Successfully Tackle ATO' at 11:15am on Weds, March 20.