Account Takeover Fraud a Growing Problem for Ecommerce

Account takeover fraud is a form of identity theft in which a criminal gains access to a registered customer’s account. The offender then logs in, posing as a trusted and known shopper.

The cost of account takeover fraud tripled this past year, reaching an estimated $5.1 billion in America.

Several trend-tracking firms have noticed a substantial rise in this specific kind of fraud in the aftermath of relatively massive data breaches in the last year. Javelin Strategy & Research reported the tripling of account takeover (ATO) losses, for instance. Separately, PYMNTS.com reported a 45 percent increase in ATO in just the second quarter of this past year, and Forter put ATO growth at almost 35 percent for the first two quarters of 2018.

ATO fraud could be leveling off somewhat now — albeit at substantially higher levels — but it’s common enough to be a substantial concern for ecommerce companies.

While ATO can affect everything from an email service to a bank account, in the ecommerce context the offenders often aim to use stored payment information or add stolen payment card numbers to the account to make fraudulent purchases.

Merchants generally trust registered users making repeat purchases, so in most cases ATO isn’t initially detected. The stolen payment card information could pass muster, if you will, in the context of a known user account.

Customers and Companies Suffer

ATO fraud affects both the customer and the ecommerce business involved.

For the customer, there may be a monetary loss, because it might not be simple to recognize ATO fraud in the first place or to recover the cost of the fraudulent orders once detected.

For example, with stolen payment card information it could be a merchant or a lender that first finds the fraud when an unusual purchase is made. Maybe the billing address and shipping address do not match, and the merchant calls the customer to confirm the order.

In the case of ATO fraud, however, the transaction might appear more normal because it comes from a known customer with a history of making purchases.

For example, a television station in Spokane, Wash., KREM2, reported a case of ATO fraud in May 2018. The victim, Allie Raye, didn’t see the fraud until she began receiving order and shipping notices from Amazon.

Once detected, it was relatively hard for her to regain control of her Amazon account and stop the fraudulent orders. It took almost 3 weeks of communicating with Amazon, and by that time the offender had made $1,640 in purchases, including many gift cards, which might have been the actual target.

ATO can be costly for sellers too. In the case above, Amazon eventually reimbursed Raye the full $1,640. A few of the items were recovered, but Amazon lost money.

Amazon also had to manage reputation damage. Even though it was probably not Amazon’s fault that Raye’s account was hacked, the company appeared unfavorably in the KREM2 news report. Amazon is a big enough company that this might be simply a minor ding to an otherwise very good standing, but small or midsize ecommerce companies could be affected to a greater extent. If shoppers do not trust your website, they won’t purchase.

The point is, “the harm done by ATO happens on multiple fronts,” wrote the authors of a Sift Science ebook. “Negative PR, compliance and legal implications, a fall in the value of your clients, financial loss, and much more.”

Data Security

ATO fraud requires personal information. Typically, a criminal will not have the ability to take over a shopper’s account without at least some of the shopper’s personal details.

The Forter report mentioned previously, for example, pointed out that “in early September 2017, Equifax made the statement that they had been breached and that the personal information of over 143 million [people]… was endangered.”

In the third quarter of 2017, immediately after the Equifax data breach, “there was a 53 percent growth in account takeovers.”

Afterwards, presumably because the stolen data aged and passwords changed, the ATO rate decreased, possibly revealing just how much influence the data breach had. Thus promoting data security may also help reduce ATO fraud.

ATO Prevention

There are a few things ecommerce companies can do.

  • Be careful with stored payment methods. While you want to provide customers with a simple way to check out, treat orders that use stored payment methods with additional care. You might want to ask customers to re-enter payment information after any password change, change of address, or change in device.
  • Pay attention to order velocity. If a customer goes from ordering about once a month to ordering a few times per day or week, hold the order for review.
  • Require varying levels of authentication. If an account is displaying the possible indications of ATO fraud, consider adding a text message or email confirmation temporarily. Banks, for instance, do so routinely.
  • Review orders and call customers. Regularly review orders, and take the time to call customers if you see changes in purchasing behavior.
  • Keep customer information secure. Follow information security best practices, develop a culture of privacy in your company, comply with the Payment Card Industry Data Security Standard, and adopt the information security practices found in the European Union’s General Data Protection Regulation. Keeping customer information secure will help reduce ATO fraud.
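
The first three checks in the list above can be expressed as order-screening rules. The sketch below is an added example, not code from the article or from any vendor it cites; the thresholds, field names, action labels, and sample accounts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds are assumptions for illustration; tune them on your own order data.
RECENT_CHANGE = timedelta(days=7)     # how long a password/address change stays "recent"
VELOCITY_WINDOW = timedelta(days=7)   # window used to measure current order rate
VELOCITY_FACTOR = 3                   # hold when the window exceeds 3x the usual rate

@dataclass
class Account:
    known_devices: set
    order_history: list               # datetimes of earlier orders
    last_password_change: Optional[datetime] = None
    last_address_change: Optional[datetime] = None

def evaluate_order(account, placed_at, device_id, uses_stored_payment):
    """Return the set of extra checks this order should trigger."""
    actions = set()
    changes = (account.last_password_change, account.last_address_change)
    recent_change = any(t and placed_at - t <= RECENT_CHANGE for t in changes)
    new_device = device_id not in account.known_devices
    # Stored payment method after a password, address, or device change
    if uses_stored_payment and (recent_change or new_device):
        actions.add("reenter_payment")
    # Order velocity: orders in the last window vs. the long-run rate per window
    history = [t for t in account.order_history if t < placed_at]
    recent = [t for t in history if placed_at - t <= VELOCITY_WINDOW]
    older = [t for t in history if placed_at - t > VELOCITY_WINDOW]
    if older:  # no baseline for brand-new accounts, so velocity is skipped
        windows = max((placed_at - VELOCITY_WINDOW - min(older)) / VELOCITY_WINDOW, 1.0)
        baseline = max(len(older) / windows, 1.0)
        if len(recent) + 1 > VELOCITY_FACTOR * baseline:
            actions.add("hold_for_review")
    # Any indicator also triggers temporary text or email confirmation
    if actions:
        actions.add("step_up_auth")
    return actions

# Constructed sample: a shopper who ordered about once a month for six months.
NOW = datetime(2018, 6, 1, 12, 0)
monthly = [NOW - timedelta(days=30 * i) for i in range(6, 0, -1)]
normal = Account(known_devices={"laptop-1"}, order_history=monthly)
# Same shopper after a password change and four orders in two days.
burst = [NOW - timedelta(hours=h) for h in (40, 30, 20, 10)]
suspect = Account({"laptop-1"}, monthly + burst, last_password_change=NOW - timedelta(days=2))

print(evaluate_order(normal, NOW, "laptop-1", True))      # no extra checks
print(evaluate_order(suspect, NOW, "phone-x", True))      # all three checks
```

Orders that come back with "hold_for_review" are the ones to route into the manual review and customer call described in the fourth item.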
