As more businesses move their operations online, customers are increasingly required to log in with their usernames and passwords to do everything from browsing to shopping to managing their accounts.
Today, this trend is creating a new problem for the payment industry — namely, account takeover (ATO) fraud.
If criminals ever get hold of a customer’s username and password, they can use that hacked account to glean a lot of that user’s information. That’s because many customers use variations of the same login credentials across a broad range of websites.
Thus, a savvy thief can eventually reverse-engineer:
This is in sharp contrast to stolen credit card abuse, in which criminals get away with making a few fraudulent charges. With ATO fraud, the potential damage could be unlimited.
According to Patrick Reemts of security firm ID Analytics, “If you steal a credit card, you’ve stolen one relationship.” He adds that, “With account takeover, you have the potential to access several relationships they have … The payoff is typically greater.”¹
What’s more, whereas credit cards often come with varying levels of liability protection, the same isn’t true when criminals have unrestricted access to bank accounts, retirement savings, and other financial assets.
What’s truly alarming is how hard it is to detect and reverse account takeover fraud.
With a hacked credit card, the problem is usually discovered in a few days. Thereafter, it’s just a matter of canceling that card and (hopefully) getting the charges reversed.
However, with a breached user account or stolen identity, the problem can go undetected for weeks — sometimes months. In fact, many criminals change the email address attached to the hacked account so that victims never receive notifications or alerts from the original merchant.
Once a breach is discovered, however, there are still a lot more headaches to come.
As the customer, be prepared to spend countless hours:
As a merchant, you have to deal with all of the above, as well. Plus, even if you weren’t at all responsible for the breach, you may face potential fees, litigation, and damage to your company’s reputation.
Against this backdrop, what steps can you take to protect your business and customers from account takeover fraud? The answer lies in detection and prevention.
On the merchant side, account hacking can be difficult to detect. Most breaches happen on a case-by-case basis, meaning you’d have to actively monitor every single user account in your system.
To make matters worse, criminals use a broad range of tactics to gain access to usernames and passwords. Some of the more popular scams include viruses, — almost all of which happen on the customer’s side.
However, there are proven strategies for catching the abuse before it negatively impacts your business. For example, many criminals use fake emails to redirect unsuspecting customers to “dummy” sites that are branded to look like your online store:
Another common strategy is to use fraud management filters to help secure your eCommerce website:
The old adage says, “Prevention is better than cure.” It’s always better to try to keep something bad from happening at all than it is to deal with it during and after the event. Read on for prevention tips.
The first step in preventing account takeover fraud involves educating your customers to protect themselves by:
Finally, communicate to your customers to never respond directly to any emails you send — especially those that ask for sensitive details. Instead, users should go directly to your company’s website to manage their accounts.
Unfortunately, not all customers will be as proactive as you’d like them to be. It’s up to you to fill the gaps by:
Requiring more verification steps — especially for online purchases. In addition to credit cards and expiration dates, you should require billing addresses and CVV codes.
No single fraud prevention strategy can keep you and your customers fully protected, 100 percent of the time. In the Internet age, there are simply too many weaknesses and vulnerabilities — most of which are beyond your control.
However, by combining the above strategies, you can make your business less inviting to potential thieves and thus more inviting to potential customers.
1. “Account takeover fraud rising,” Yahoo! Finance, 22 April 2016