Fraudsters do not stop targeting organizations at the account setup or application step. Organizations have traditionally believed that if their identity verification and anti-fraud measures are in place for the first contact with a prospective customer or applicant, the account will be safe going forward. However, in an ecosystem with an increasing focus on authentication and card verification, cybercriminals are turning their focus to account takeover (ATO) fraud with increasing intensity.
During the first half of 2018, account takeover fraud incidents rose over 40%, and more alarmingly, account takeover fraud committed from mobile devices rose over 200%. Along with the rise in attacks, there has been a noticeable rise in the cost associated with ATO fraud. In 2017, the cost of account takeover fraud in the United States tripled – costing organizations $5.1 billion with that cost expected to rise above $20 billion by 2020.
What makes account takeover fraud so attractive?
Much of the rise in account takeover attacks can be attributed to the rise in online accounts. The growing popularity of and access to eCommerce technology has prompted retailers to require customers to create an account in order to complete a purchase. In addition to the added security of a username and password, online accounts give customers a sense of convenience. Credit card and shipping information can be stored and used in future one-click purchases.
Unfortunately, it’s these very features that make an account takeover attack attractive to fraudsters. Most online accounts, from eCommerce sites to mobile banking, are primarily controlled with an email address. Companies count on the customer email address to be the key to account maintenance processes like resetting passwords, updating shipping addresses, and updating credit card information. For consumers, this is great: a single point of contact that allows them to manage their account and make frictionless purchases. However, it makes compromised email addresses and personally identifying information on the dark web more valuable to cybercriminals.
Luckily for businesses fighting fraud, it also makes the email address more powerful.
The importance of account maintenance
Account takeover fraud is easily disguised as routine account maintenance. Fraudsters gain access to a compromised email address and use it to access online accounts and update personal information. Changes like new shipping addresses and credit cards happen periodically; customers move and bank cards expire, and that is just part of life. Often the giveaway in account takeover attacks is an updated email address.
Once they’ve gained access to the account using the customer’s real email address, fraudsters will set to work updating the account’s email to a new one they control. Think of it like gaining access to a house and immediately changing the locks. Eventually, the customer is likely to realize their email address has been compromised and update the password to regain control. In order to make a profit, fraudsters have to change the information on associated online accounts quickly and ensure the legitimate customer stays locked out.
Once fraudsters have secured their foothold on the account, they can begin making fraudulent purchases or siphoning money from the victim’s bank accounts, actions that are both profitable for the criminals and costly for retailers and banks. Customers are protected by chargebacks and fraud processes, so merchants and card providers are on the hook for the cost. Lost revenue, merchandise, and chargeback fees can be devastating for retailers and banks alike.
Fighting back has never been so easy
There are easy steps that organizations that rely on online accounts can take to fight back against account takeover attacks:
- Implement two-factor authentication for account changes
- Use security questions or PIN technology for email changes in online accounts
- Roll out the same anti-fraud measures used for account opening to account maintenance changes
The same fraud prevention techniques you use for account openings, such as the EmailRisk Score, can and should be used for account maintenance too. Using a fraud detection solution backed by a network consortium of fraud data to check new email addresses during account updates will protect your customers without adding friction. Custom account maintenance rules can be deployed to approve legitimate updates automatically. These same rules can automatically disable account updates when the new email address is associated with confirmed fraud or alert customers to suspicious changes that might require additional authentication.
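The three steps above and the account maintenance rules just described can be expressed as a single decision function. The following is an added illustration, not code from the original post or from any vendor product: it assumes a hypothetical 0-999 risk score for a new email address and a `confirmed_fraud` flag from a shared fraud consortium, and decides whether an account change is approved, held for a second factor, or blocked.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    APPROVE = "approve"   # apply the change
    STEP_UP = "step_up"   # hold the change until a second factor / security question succeeds
    BLOCK = "block"       # refuse the change and freeze further updates for review


# Fields an attacker changes to lock the real customer out or to cash out
SENSITIVE_FIELDS = {"email", "phone", "shipping_address", "payment_card"}


@dataclass
class UpdateRequest:
    field: str
    new_value: str
    second_factor_passed: bool = False   # has the customer completed 2FA for this change?
    email_risk: Optional[int] = None     # assumed 0-999 risk score for a new email (hypothetical scale)
    confirmed_fraud: bool = False        # new email linked to confirmed fraud in a shared consortium


def evaluate_update(req: UpdateRequest, high_risk: int = 700) -> Tuple[Decision, List[str]]:
    """Return the decision and the side actions (customer alerts) the policy requires."""
    actions: List[str] = []
    if req.field not in SENSITIVE_FIELDS:
        return Decision.APPROVE, actions          # cosmetic changes need no extra friction
    if req.field == "email" and req.confirmed_fraud:
        actions.append("freeze account updates; notify customer at previous email")
        return Decision.BLOCK, actions
    if not req.second_factor_passed:
        return Decision.STEP_UP, actions          # every sensitive change needs a second factor
    if req.field == "email" and req.email_risk is not None and req.email_risk >= high_risk:
        # suspicious but not confirmed: allow after 2FA, but warn the address being replaced
        actions.append("notify customer at previous email of the new contact address")
    return Decision.APPROVE, actions


if __name__ == "__main__":
    # Constructed sample events, not real customer data
    samples = [
        UpdateRequest("nickname", "gamer42"),
        UpdateRequest("email", "new@example.net", email_risk=850),
        UpdateRequest("email", "new@example.net", second_factor_passed=True, email_risk=850),
        UpdateRequest("email", "bad@example.net", second_factor_passed=True, confirmed_fraud=True),
        UpdateRequest("shipping_address", "1 Drop St", second_factor_passed=True),
    ]
    for s in samples:
        decision, actions = evaluate_update(s)
        print(f"{s.field:16} -> {decision.value:8} {actions}")
```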
Account maintenance is often overlooked when businesses design their fraud strategy and fraudsters know this. Exploiting existing accounts is profitable and easy for cybercriminals, leaving merchants and card providers on the hook for the ever-growing costs of these attacks. Implementing fraud prevention techniques during account updates is an easy, frictionless way to stop account takeover fraud and protect both your bottom line and your customers’ identities.
Want to get up close and personal with account takeover fraud? Notorious hacker Brett Johnson pulls back the curtain on these effortless and profitable attacks in this free ebook, Inside Account Takeover Fraud.