With the advent of technology and the prevalence of online shopping, the term eCommerce fraud has become more general and more vague. Under it, there are numerous types of categories and attacks. Of these, none are more insidious than Account Takeover, aka ATO. It’s more difficult to catch, and the ensuing damages for both merchants and unsuspecting customers go beyond just stolen goods.
When someone becomes a victim of ATO, they lose more than money and login credentials — they lose confidence. Product Manager and Head of ATO at Riskified Alon Shem-Tov said the psychological effects of ATO incidents can be just as costly as the financial aspects.
Many people don’t realize, said Shem-Tov, that ATO is not just about the moment when a fraudster gains control of a consumer’s account and uses it to make a purchase. It’s about the series of events leading up to that as well as a long tail of consequences and mitigations following the incident.
Thus, he said, any company or product claiming to solve the problem of ATO fraud must start at the beginning of the relationship between the customer and the brand (proactive) and follow through on the back end of the incident (reactive). Riskified provides resources for companies that are unsure how to do this, he said.
In a recent interview with PYMNTS, Shem-Tov outlined what businesses, their customers and their security partners need to know about the full lifecycle of an ATO.
More Than Money Lost
Shem-Tov said there are three major consequences of ATOs that often get overlooked.
First, these attacks can have a rolling effect: Once a fraudster gains access to a consumer’s credentials at one eCommerce merchant, he holds the key to a potential myriad of other digital stores at which to exploit them.
Shem-Tov noted consumers tend to use the same login credentials across sites and services, so the fraudster can simply test variants of the same username and password combo across the internet until one works.
If customers are duplicating passwords across merchants, that’s a problem. If they’re using the same password for their bank account, said Shem-Tov, it takes the breach to a whole new level. Now the fraudster is not only able to make purchases with the breached account, they can also essentially steal all of that customer’s funds.
In addition, the fraudster can open new accounts using the name and details collected from the breached account. Furthermore, they can enrich this data using social media accounts. Fraud teams scrutinizing orders made with these details will encounter an actual person with a corresponding digital footprint, which will tip the scale to approve such orders, despite the fact that they are fraudulent.
The second underplayed consequence is the difficulty of getting back what was lost. If a fraudster succeeds in making a purchase with a stolen credit card number, the rightful consumer can file a chargeback to get their money back — but regaining control of their lost PII (personally identifiable information) is essentially impossible.
Finally, Shem-Tov said regaining control of compromised accounts can be a long and complicated process, starting with proving one’s identity to the security and customer service team. It’s likely the fraudster changed the password and security questions on the account, so if the true customer tries to log in, he could end up looking like the bad guy!
Getting Their Hands on Data
There are a few ways in which fraudsters gain access to raw customer data.
First, there are data breaches like the ones at Equifax, Target and other retailers. These breaches can compromise hundreds, thousands and even millions of customers in one fell swoop, resulting in a massive market for stolen credit card details available to any fraudster on the Dark Web. The hackers who gain this information usually then sell it to the end fraudster. The vast majority of fraud attacks result from these data breaches.
Then, there’s classic email phishing which uses social engineering to persuade customers to divulge their personal information. A fraudster may pose as a friend, family member or colleague to carry out this type of attack. If a victim falls for it, it can compromise not only that person’s information, but also that of others in his network.
Finally, there are fraudsters who call customer service and pose as legitimate customers to collect or leverage information.
These methods, however, are only the first step in the ATO process. Not all of the data gathered will be useful — some of it may be out of date, or passwords and security questions may have been changed by customers upon learning of the breach.
Separating the Wheat from the Chaff
Once a hacker has a data haul, said Shem-Tov, he sells the credentials to the highest bidder on the Dark Web. The highest bidder then uses a bot to run automated scripts that test username and password combinations against the breached site to weed out accounts that no longer work.
Once he’s validated which credentials are good, they get bundled and resold on the Dark Web to end customers — fraudsters who will buy goods using the validated credentials.
Only then will the victim start to see classic signs of ATO — but with so much going on before the incident, Shem-Tov said it’s important for the defense to start earlier than the moment of attack.
Nipping Fraud in the Bud
Shem-Tov said the principles behind spotting ATO are similar to those behind traditional fraud detection.
If someone is logged in to an eCommerce site, then the site has seen them at least once before when the account was created. Therefore, said Shem-Tov, it’s possible to have a user profile already in place, even if it’s just bare bones.
A login from an unfamiliar IP address could raise a red flag for fraud defenses to be on the lookout for other unusual behavior. How does the user interact with the site? What is his navigation path, and what does his typing, scrolling or clicking behavior look like compared to other times he’s visited?
These data points are known as behavior analytics, and, according to Shem-Tov, they can help spot bot behavior a mile away.
For example, the login time relative to the browsing session will look very different from a live buyer and an automated application. A user heading straight to the login page can be a telltale sign, said Shem-Tov, because real customers often spend some time browsing before they log in, whereas a fraudster has a short time to choose which item to steal — and a bot isn’t browsing at all.
High keystroke velocity or login attempt velocity can also be a dead giveaway that a bot is trying to gain access where it doesn’t belong, he said.
It Takes All Kinds
Behavioral change and bot activity can both be difficult to detect for their own reasons. Limited history can make it hard to tell what’s “normal” for a user. Even with a good base of data, a legitimate user could appear to be sketchy if he’s logging in while on vacation.
That’s one reason why Shem-Tov said ATO attack prevention must be aggregated and continuous throughout the shopping journey, not just at the point of payment. Attack detection and prevention must begin at the point of login so that, if possible, PII can be kept out of the hands of those who would abuse it, preventing damage before it happens.