Account takeover fraud is a form of identity theft, wherein a criminal gains access to a registered customer’s account. The criminal then logs in, posing as a known and trusted shopper.
The cost of account takeover fraud tripled last year, reaching an estimated $5.1 billion in the United States.
Several trend-tracking firms have noted a significant rise in this particular form of fraud in the wake of relatively large data breaches in the past year. Javelin Strategy & Research reported the tripling of account takeover (ATO) losses, for example. Separately, PYMNTS.com reported a 45 percent increase in ATO in just the second quarter of last year, and Forter put ATO growth at nearly 35 percent for the first two quarters of 2018.
ATO fraud may be leveling off somewhat now — albeit at much higher levels — but it is common enough to be a significant concern for ecommerce businesses.
While ATO can affect everything from an email service to a bank account, in the ecommerce context the criminals often aim to use stored payment information or add stolen payment card numbers to the account to make fraudulent purchases.
Merchants generally trust registered users making repeat purchases, so in many cases ATO is not initially detected. The stolen payment card information could pass muster, if you will, in the context of a known user account.
Customers and Businesses Suffer
ATO fraud impacts both the customer and the ecommerce business involved.
For the customer, there can be a financial loss, since it may not be easy to recognize ATO fraud in the first place or to recover the cost of the fraudulent orders once detected.
For example, with stolen payment card information it may be a merchant or a bank that first notices the fraud when someone recognizes an unusual order. Perhaps the billing address and shipping address don’t match, and the retailer calls a customer to confirm the order.
ATO fraud impacts both the customer and the ecommerce business involved.
In the case of ATO fraud, however, the transaction might look more normal since it comes from a known customer with a history of making purchases.
For example, a television station in Spokane, Wash., KREM2, reported a case of ATO fraud in May 2018. The victim, Allie Raye, did not notice the fraud until she started receiving order and shipping notices from Amazon.
Once discovered, it was relatively difficult for her to regain control of her Amazon account and stop the fraudulent orders. It took almost three weeks of communication with Amazon, and by that time the criminal had made $1,640 in purchases, including several gift cards, which may have been the real target.
ATO can be costly for sellers too. In the example above, Amazon ultimately refunded Raye the full $1,640. Some of the items were recovered, but Amazon lost money.
Amazon also had to deal with reputation damage. Although it was probably not Amazon’s fault that Raye’s account was hacked, the company appeared unfavorably in the KREM2 news report. Amazon is a large enough company that this may be nothing more than a minor ding to an otherwise good reputation, but small or mid-sized ecommerce businesses could be impacted to a greater extent. If shoppers don’t trust your site, they won’t buy.
Bottom line, “the damage done by ATO occurs on multiple fronts,” wrote the authors of a Sift Science ebook. “Negative PR, legal and compliance implications, a drop in the value of your customers, financial loss, and more.”
Data Security
ATO fraud requires personal data. In most cases, a criminal won’t be able to take over a shopper’s account without at least some of that shopper’s personal information.
The Forter report mentioned above, for example, pointed out that “in early September 2017, Equifax made the announcement that they had been breached and that the personal information of over 143 million [people] … was compromised.”
In the third quarter of 2017, immediately following the Equifax data breach, “there was a 53 percent increase in account takeovers.”
Later, presumably as the stolen data aged and passwords changed, the ATO rate decreased, perhaps, showing just how much impact the data breach had. Thus promoting data security may also help to reduce ATO fraud.
ATO Prevention
There are at least a few things ecommerce businesses can do.
- Beware of store payment methods. While you want to provide customers with an easy way to check out, treat orders that include stored payment methods with extra care. You may want to ask customers to re-enter payment information after any password charge, change of address, or change in device.
- Pay attention to order velocity. If a customer goes from ordering about once a month to ordering several times a day or week, hold the order for review.
- Require varying degrees of authentication. If an account is exhibiting the potential signs of ATO fraud, consider adding a text message or email verification temporarily. Banks, as an example, do this routinely.
- Review orders and call customers. Regularly review orders, and take the time to call customers if you see changes in buying behavior.
- Keep customer data secure. Follow data security best practices, develop a culture of privacy in your business, comply with the Payment Card Industry Digital Security Standard, and embrace the data security practices found in the European Union’s General Data Protection Regulation. Keeping customer data secure will help to reduce ATO fraud.