Can Retailers Push Back Against Surging Account Takeovers?

Account takeovers are becoming bigger business for criminals — or, at least, the business of preventing account takeovers in the digital retail and payments realm is becoming an increasing focus of companies and security experts. Further proof of that came recently from a young company based in San Francisco called Castle, which helps eCommerce operators such as Touch of Modern and Rue La La to defend against that type of fraud.

Castle, founded in 2015, said it has raised $9.2 million in a Series A round of funding that involved Index Ventures, Y Combinator, First Round Capital, F-Prime Capital Partner and other investors. That brings the company’s total funding to $11.6 million. The new capital will help fuel hiring and other growth, the company said.

The specific problem the company aims to solve is one that is increasingly familiar to other digital and eCommerce operations.

“We also saw that consumers were being asked again and again to take responsibility for their security through robust passwords and other security measures,” Johan Brissmyer, CEO and founder, said in the funding announcement. “We recognized that there was an opportunity to turn every online company into a security guardian who could keep their users safe.”

Account Takeover Growth

In a recent PYMNTS Smarter Payments Tracker from late 2018, Dave Endler, co-founder and president of security and fraud prevention solutions provider SpyCloud, said that fraudsters are increasingly turning to account takeovers. These attacks can often have far-reaching and long-term implications for those affected.

For that research report, Endler discussed the rise of account takeovers, and what companies and consumers can do to combat them. He told PYMNTS that account takeovers are often easier to pull off compared to other cyberattacks, causing more fraudsters to use the technique.

He added that these attacks are also more difficult to detect and stop.

“It’s much more straightforward for a criminal to compromise someone’s payment account that could be linked to a credit card than for them to try to steal or gain access to use that credit card,” Endler said, adding that the tools that make these attacks possible are “accessible to people who don’t necessarily have a lot of technical acumen.”

Fraud Prevention Innovation

That increasing risk is driving innovation, as PYMNTS has also documented. Such innovation strives to balance one of the central tensions found in eCommerce and digital payments in 2019: how to onboard and authenticate consumers as quickly and seamlessly as possible — or, how to guide them from browsing to buying — while also protecting them and the institution from fraud. After all, fraudsters are smart and experienced enough to, say, defeat those security-question defenses, and there is no doubt that countless user name and password combinations, along with other stolen data, are widely available on the digital black market.

According to security experts and reports, account takeover was generally used most for high-end products such as designer fashion, drones and other expensive electronics, luxury perfumes and cosmetics. In recent years, however, it has been growing rapidly in the $100 to $500 transaction range, causing the method to spike across many more transactions in apparel and consumer electronics.

Fraud Case Study

Among the current targets of this fraud method is Touch of Modern, a members-only eCommerce operation that sells fashionable men’s apparel and other products, and which now uses Castle technology to guard against account takeovers.

According to a case study, after “a series of high-profile breaches including LinkedIn, Yahoo, and others … [Touch of Modern] started seeing more and more brute-force attacks, as hackers were trying those password lists on their site.

“On an average day, for example, the dozen-person support team might handle a thousand tickets—but when an attack came in, there might be another thousand people to reach out to, doubling their daily workload.”

“We were also slow in responding because there was a delay in seeing the impact on our servers and actually identifying that an attack was happening,” said Touch of Modern CTO and co-founder Steven Ou.

The landscape of fraud and the work of fraud prevention keep changing. A recent PYMNTS webinar, in fact, discussed the importance of looking past the chargeback rate to calculate the true cost of fraud, and to build better fraud prevention teams. Account takeovers promise to be a big part of those efforts and conversations for the foreseeable future.