How to detect and prevent Account Takeover (ATO) fraud

Editorial Team

6 min read
Concerned woman looking at phone

As more businesses move their operations online, customers are increasingly required to log in with their usernames and passwords to do everything from browsing to shopping to managing their accounts. 

Today, this trend is creating a new problem for the payment industry — namely, account takeover (ATO) fraud. 

If criminals ever get hold of a customer’s username and password, they can use that hacked account to glean a lot of that user’s information. That’s because many customers use variations of the same login credentials across a broad range of websites. 

Thus, a savvy thief can eventually reverse-engineer: 

  • Credit card details from Account A. 
  • Social Security numbers from Account B. 
  • Billing addresses from account C.

This is in sharp contrast to stolen credit card abuse in which criminals get away with making a few fraudulent charges. With ATO fraud, the potential damage could be unlimited. 

According to Patrick Reemts of security firm, ID Analytics, “If you steal a credit card, you’ve stolen one relationship.” He adds that, “With account takeover, you have the potential to access several relationships they have … The payoff is typically greater.”

What’s more, whereas credit cards often come with varying levels of liability protection, the same isn’t true when criminals have unrestricted access to bank accounts, retirement savings, and other financial assets. 

What’s truly alarming is how hard it is to detect and reverse account takeover fraud. 

The long-term impact of Account Takeover fraud

With a hacked credit card, the problem is usually discovered in a few days. Thereafter, it’s just a matter of canceling that card and (hopefully) getting the charges reversed. 

However, with a breached user account or stolen identity, the problem can go undetected for weeks — sometimes months. In fact, many criminals change the email address attached to the hacked account so that victims never receive notifications or alerts from the original merchant. 

Once a breach is discovered, however, there are still a lot more headaches to come. 

As the customer, be prepared to spend countless hours: 

  • Calling banks and credit card companies to reverse the damages. 
  • Changing login credentials for each and every site you visit. 
  • Applying for new Social Security numbers, credit cards, driver’s licenses, etc. 
  • Speaking with lawyers, regulators and law enforcement officials. 

As a merchant, you have to deal with all of the above, as well. Plus, even if you weren’t at all responsible for the breach, you may face potential fees, litigation, and damage to your company’s reputation. 

Against this backdrop, what steps can you take to protect your business and customers from account takeover fraud? The answer lies in detection and prevention. 

Step 1: How to detect ATO fraud

On the merchant side, account hacking can be difficult to detect. Most breaches happen on a case-by-case basis, meaning you’d have to actively monitor every single user account in your system. 

To make matters worse, criminals use a broad range of tactics to gain access to usernames and passwords. Some of the more popular scams include viruses, — almost all of which happen on the customer’s side. 

However, there are proven strategies for catching the abuse before it negatively impacts your business. For example, many criminals use fake emails to redirect unsuspecting customers to “dummy” sites that are branded to look like your online store: 

  • You can use Google Alerts to monitor your online presence. You’ll receive an automatic notification whenever Google indexes a site that mentions your company’s name — including dummy sites pretending to be you. 
  • You can also add your email address to your company’s newsletter. If a criminal posing as you ever sends a fake email blast, you’ll receive the fraudulent message and can respond accordingly. 

Another common strategy is to use fraud management filters to help secure your eCommerce website:

  • With velocity filters, for example, you can prevent criminals from testing card numbers against your merchant account by automatically declining suspicious transactions based on several parameters in a set time period. 
  • With threshold filters, you can set minimums and maximums for legitimate purchases. If all the products you sell are over $10, for example, this type of filter would automatically flag a purchase made for $0.50. 

The old adage says, “Prevention is better than cure.” It’s always better to try and keep something bad from happening at all then it is to deal with it during and after the event. Read on for prevention tips.

Step 2: How to prevent ATO fraud

The first step in preventing account takeover fraud involves educating your customers to protect themselves by: 

  • Creating strong, unique usernames and alphanumeric passwords for every site. 
  • Using password management tools such as LastPass and KeePass to keep track of all these unique credentials. 
  • Installing updates, patches, and virus protection on all computers and mobile devices. 
  • Using two-factor authentication instead of just relying on traditional passwords. 

Finally, communicate to your customers to never respond directly to any emails you send — especially those that ask for sensitive details. Instead, users should go directly to your company’s website to manage their accounts. 

Unfortunately, not all customers will be as proactive as you’d like them to be. It’s up to you to fill the gaps by: 

  • Using tokenization and encryption for any data sent over unsecured networks. 
  • Keeping your own IT infrastructure up to date with virus protection, patches, and the latest versions of any software you currently use. 
  • Requiring longer passwords, complete with symbols, upper/lowercase letters and numbers. 
  • Requiring frequent and mandatory password changes for all users. You might also consider making it impossible for customers to use previously created passwords and variations. 

Requiring more verification steps — especially for online purchases. In addition to credit cards and expiration dates, you should require billing addresses and CVV codes. 

A final tip about ATO fraud and account hacking

No single fraud prevention strategy can keep you and your customers fully protected, 100 percent of the time. In the Internet age, there are simply too many weaknesses and vulnerabilities — most of which are beyond your control. 

However, by combining the above strategies, you can make your business less inviting to potential thieves — and thus — more inviting to potential customers.

Interested in learning more?

If you are a merchant and are interested in learning about fraud protection for your retail or eCommerce store, contact our team of payments experts today.

1. “Account takeover fraud rising,” Yahoo! Finance, 22 April 2016

Popular Topics

Recent Stories

Please share your contact information
to access our premium content.