Why account takeover is becoming a favorite tool for e-commerce fraudsters
Account takeovers occur when fraudsters steal login information to pose as trusted customers and seize control of their online accounts. Once they successfully make small changes to the customer’s account information — such as adding a new user or requesting another card — they can quickly initiate unauthorized purchases and money withdrawals.
Account takeovers can also inflict long-term damage to a brand’s reputation, as consumers blame the company for allowing criminals to access their accounts. At the same time, companies realize that excessive scrutiny of every account change runs the risk of inconveniencing good customers and generating excessive operational expenses.
The number of account takeovers hit a four-year high in 2017, with losses that surged 120% — to $5.1 billion — in just 12 months, Javelin reported. Experts predict those numbers will increase as clever fraudsters devise new ways to steal information and sneak past company defenses.
But why is account takeover such an attractive tool for fraudsters? And why are e-commerce and online retailers at a higher risk for this type of fraud than other types of businesses?
Any scrap of personal data opens the door
Unlike with other types of fraud, criminals don’t necessarily need access to the most sensitive types of information, such as Social Security numbers, to launch account takeovers. Many kinds of personal information that can, in some circumstances, be connected to account data may suffice, even seemingly benign details like a full name or email address.
Traditionally, banks and credit card providers have been the biggest target of account takeovers, but improvements in security measures have spurred a rise in attacks on e-commerce and online retail accounts. E-commerce chargebacks due to fraud are expected to reach $30 billion by 2020, according to a TotalRetail report, which is a significant increase over an estimate of just under $7 billion in 2016.
Basic information like full names, locations and phone numbers is easier to obtain from public accounts or social media profiles than more sensitive personal data. This information can then be matched to sensitive data gleaned through more sophisticated methods, such as phishing schemes or bots. Botnet attacks, which quietly infect a computer network with malicious software, are especially dangerous because they plug in common passwords and usernames to rapidly take over a high volume of accounts.
Why legacy systems are no match
Most detection systems are no match for the increased sophistication and unpredictable nature of account takeover fraud. Combating it requires a complete, real-time understanding of normal and abnormal account activities across a company and, even better, the wider industry. Most traditional tools are focused on account compromise fraud and aren’t designed to meet this need.
Anomaly detection solutions are better, comparing the activities of account holders against a baseline of normal behavior. But most don’t allow for comprehensive cross-company or cross-industry comparisons, and those that do rarely attach identities to the information, making it difficult to track the same customer.
E-commerce fraud solutions that can track both the identity and digital footprint of a particular user are best equipped to detect abnormal behavior at the user level, helping you identify fraudsters who may be impersonating a customer whose identity has been compromised.
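The baseline comparison described above can be applied to the takeover sequence this article opens with: a login, then a small account change, then a purchase or withdrawal. The following is an added example, not code from the article or from any fraud product; the event schema, action names, device IDs and the 30-minute window are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

SENSITIVE = {"add_user", "request_card"}  # account changes named in the article
CASH_OUT = {"purchase", "withdrawal"}

# Constructed sample data: (ISO timestamp, account, device_id, action)
HISTORY = [
    ("2024-02-10T09:00:00", "alice", "dev-a1", "login"),
    ("2024-02-12T10:00:00", "bob", "dev-b1", "login"),
]
NEW_EVENTS = [
    ("2024-03-02T18:30:00", "alice", "dev-a1", "login"),
    ("2024-03-02T18:32:00", "alice", "dev-a1", "add_user"),  # familiar device
    ("2024-03-02T18:40:00", "alice", "dev-a1", "purchase"),
    ("2024-03-03T02:10:00", "alice", "dev-x9", "login"),  # device new to alice
    ("2024-03-03T02:12:00", "alice", "dev-x9", "request_card"),
    ("2024-03-03T02:20:00", "alice", "dev-x9", "purchase"),
    ("2024-03-03T10:00:00", "bob", "dev-z3", "login"),  # new device, no change
    ("2024-03-03T10:01:00", "bob", "dev-z3", "purchase"),
]

def build_baseline(history):
    """Map each account to the set of devices seen in its past activity."""
    baseline = {}
    for _ts, account, device, _action in history:
        baseline.setdefault(account, set()).add(device)
    return baseline

def detect_takeovers(events, baseline, window=timedelta(minutes=30)):
    """Flag unfamiliar-device login -> sensitive change -> cash-out within window."""
    state, alerts = {}, []  # state: (account, device) -> open session
    for ts_str, account, device, action in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        known = baseline.get(account)
        if known is None or device in known:
            continue  # no baseline to compare against, or a familiar device
        key = (account, device)
        if action == "login":
            state[key] = {"login": ts, "change": None}
            continue
        s = state.get(key)
        if s is None or ts - s["login"] > window:
            continue  # no login seen on this device, or the session is too old
        if action in SENSITIVE:
            s["change"] = action
        elif action in CASH_OUT and s["change"]:
            alerts.append((account, device, s["change"], action, ts_str))
            del state[key]
    return alerts
```

Calling `detect_takeovers(NEW_EVENTS, build_baseline(HISTORY))` flags only the unfamiliar-device session on alice's account; the same change made from her familiar device, and bob's new device with no account change, pass without an alert.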