Account takeover (ATO) fraud is a growing headache for the payment industry. As companies increasingly focus on online methods of doing business, customers are using usernames and passwords to do a range of things, from online shopping to managing their bank accounts. Unfortunately, with every new account a customer creates, the opportunity for malicious entities to commit account takeover fraud increases.
As account takeover fraud often makes use of social engineering and other methods that are not preventable by service providers, it is almost impossible for businesses to prevent directly, and difficult for them to verify if an account has been taken over. After all, if a fraud has all the necessary information to pass security checks, how can a service provider determine that the person asking to gain access to an account isn’t trying to commit fraud themselves?
How Account Takeover Fraud Can Happen
The easiest way for a criminal to take over an account is by getting hold of someone’s username and password. Data breaches are unfortunately common, and lists of usernames and passwords are routinely sold or leaked onto the Internet. Criminals can take advantage of this because many of us use the same username and password across multiple sites, so even though the site that suffered the data breach may have tightened its security and forced its users to pick new passwords, there will still be other services the criminals can try.
There is also a cumulative nature to account takeover fraud. For example, many services now require two-factor authentication and allow users to select the method they want to authenticate through, such as text message, email, or authenticator app. A criminal who has come into possession of your username and password will not be able to get around two-factor authentication, but if your email account is not similarly protected and uses the same username and password pair, they could authenticate the login in precisely the same manner you would.
With access to enough accounts, the fraudster can reverse engineer a more complete profile of their victim. A billing address from here, a social security number from there. And, with enough information, the damage they could do to a bank account or credit score—not to mention the stress to the victim—is practically limitless.
Account Takeover Detection
This is where things get tricky, and why this problem is such a headache for the payment industry. Because the methods by which the account was stolen were essentially the normal behaviors of a legitimate customer, it is very difficult for merchants and service providers to identify without making life inconvenient for their real customers. For the most part, merchants become aware of account takeover fraud when the victim makes them aware.
It is possible for banks to employ certain means of detecting suspicious activity. For example, if a customer suddenly makes a withdrawal from an ATM in Turkey mere hours after purchasing something in Chicago, it’s a safe bet something amiss. Merchants don’t have that level of information on their customers, however.
Preventing Account Takeover Fraud
Because detecting account takeover fraud is not a viable prospect for merchants and payment processors, the focus then switches to preventing it in the first place.
2FA (Two-Factor Authentication)
A big part of this is increased security, and that has seen many banks adopt a version of two-factor authentication that requires the user to have a username and password in addition to a special device that authenticates once the user has inserted their bank card and entered their pin. Suffice it to say; if a thief has your bank card and pin, account takeover fraud should not be your primary concern.
There is also a push to educate users, since most instances of this kind of fraud are enabled by customers not being savvy with their information. You will often see notices saying things like “We will never ask you for your password” in emails.
When fraudsters get hold of username and password pairs, they don’t hop from site to site trying to manually log in with each stolen pair, they use bots. CAPTCHA—as well as other bot mitigation methods—can dramatically reduce the number of fraudulent login attempts.
While account takeover fraud may seem to be a customer problem on the face of it, the fallout often affects the merchant. It could be support costs as customers try to find out what has happened, or in ill-will from a customer who doesn’t understand how things happened, or financially from having to issue refunds of fraudulent purchases. In most cases, it is better for service providers and merchants to do what they can to help prevent this type of fraud than leave their customers to fend for themselves.