UK consumers experienced fraud losses on UK-issued cards totalling over £670 million in 2018. However, there’s a new threat on the horizon, as data breaches continue to dominate. In 2018 alone, 150 million email addresses and passwords were compromised through MyFitnessPal, the personal information of 52.5 million Google+ users was intercepted, and over 10 million personal data records were hacked from UK retailer, Dixons Carphone.
This exposure of personal information led to a 45% increase in account takeovers (ATOs) – when fraudsters gain access to online customer profiles and conduct illegal activities such as making purchases, altering personal details or leveraging loyalty schemes. To a fraudster, stolen account credentials generate greater value, as they can be repurposed.
Fraudsters are exploiting the strong links between online accounts and a user’s wider digital identity. Consumers who log in to retail services through social media or re-use passwords for multiple profiles are especially susceptible to these attacks. Ultimately, ATOs negatively impact merchants – whether it’s taking away from the bottom line through card chargebacks, or reducing the lifetime value of a customer because of lost trust. To protect themselves from this growing threat, retailers cannot afford to monitor the transaction stage alone – they must understand how to detect fraud early on in a customer journey.
Traditionally, cybercriminals will access an account through stolen user credentials and conduct transactions with the account’s default payment method. The order is then shipped to an address of the fraudster’s choice, which can be either direct delivery or delivery via a mule. Online merchants will typically avoid declining such a purchase if the account has a good reputation, due to the risk of frustrating a seemingly loyal customer.
Rejecting a legitimate transaction can result in reputational damage for merchants, with good consumers opting to use alternative retailers.
Another common variety of ATO is where the cybercriminal takes things a step further by gaining access to a customer’s account, and altering the payment method with stolen financial details. E-commerce profiles that don’t have a default payment method attached can be utilised to make purchases. This is an especially effective attack method, as many online merchants don’t have the means to identify changes in payment methods, meaning criminals can avoid detection for an extended length of time while repeatedly exploiting a vulnerable account.
Detection becomes even harder when an account with a good reputation is hacked and combined with the stolen financial details from another credible account.
Retailers are increasingly offering benefits to loyal and returning customers, but loyalty programmes such as reward points can, unfortunately, attract unwanted attention. Fraudsters view these schemes as ‘free money’ which can be leveraged once a vulnerable account is exploited. Loyalty ATO comes with only a small chance of detection by the customer, given that the majority of shoppers don’t keep track of their rewards as they would their bank balance.
Fraudsters will employ sophisticated methods to exploit consumer accounts on a greater scale with the use of bots. Criminals can run code to automate the attack process, which streamlines their operation and allows each step of an attack – from log-in, to altering account credentials, and leveraging loyalty programmes – to be fully automated. Advanced models can even mimic consumer behaviour; a system becomes acclimatised to multiple visits by a bot before a purchase is attempted, leading to a greater chance of order authorisation.
Understanding the threats and vulnerabilities is the first crucial step to defending against ATOs.
Despite fraudster methods becoming increasingly sophisticated, online merchants can deploy equally sophisticated countermeasures. To accurately identify ATO attacks, retailers need to look beyond the point of transaction and evaluate the customer journey end-to-end. They can maximise the accuracy of their fraud detection by analysing each action against past behaviours, from both the account in question and the wider consumer base.
Undertaking this process manually by reviewing the thousands of data points associated with each customer action would lead to high rates of inaccuracy, and would also increase friction in the path to purchase, resulting in increased drop-off rates and impacting revenue.
To protect a loyal consumer base and ensure shopping baskets aren’t abandoned, identifying fraudulent transactions needs to be done in real-time. This requires a fully-automated process that can create and process a nuanced, holistic view of consumer behaviour.Despite steps to protect e-commerce with incoming regulation focused on the point of transaction – such as PSD2 – the risk of ATOs is likely to continue rising. Cybercriminals are masters at adapting to the changing parameters of e-commerce payments. To protect their businesses, their customers, and their bottom line, retailers must adopt innovative techniques to ensure they keep one step ahead.