ATO fraud (Account Takeover) is a rising threat in today's online business environment. ATO fraud has been around for decades. Despite losses that are already measured in billions of dollars, ATO fraud is yet to reach its peak. The concerning numbers pointed out in this article prove how important it is to understand what ATO fraud is and what you can do to prevent it.
ATO fraud happens when a fraudster gets a hold of the victim's login credentials and uses the account for their own gains. That includes activities such as making online purchases using the stolen account and saved card data, using loyalty credits, selling the account or the extracted data on the dark web, etc.
A typical ATO attack works as follows:
What makes ATO fraud more dangerous than card-not-present fraud is the fact that with a single combination of credentials (e.g., username and password), the fraudster is able to access multiple accounts. The truth is, we are terrible with passwords. We constantly reuse them and make a low effort regarding our online security. Take a look at some interesting stats pointed out in a recent article by DataProt:
The list goes on. This gives us a clear picture of how irresponsibly we behave when it comes to our online presence security. The username and the password have little to no value. But the information behind those credentials is what piques the fraudster's interest.
There are a few different methods fraudsters use in order to get a hold of the user's credentials. More sophisticated methods such as phishing and malware are used to obtain more valuable credentials. It enables the fraudster to take over a victim's bank account, for instance. Other methods use credential stuffing and brute force attacks in order to obtain an account and target eCommerce accounts.
A phishing scam consists of sending a link via email, text message, or even social media containing malware that collects the victim's credentials. This method usually uses well-established website interfaces that the users trust. And while the interface seems familiar and legitimate, there is a fraudster in the background that is harvesting your credentials and accessing your account in order to use it to their own advantage.
Another known method for conducting ATO attacks is purchasing stolen credentials of the dark web in bulk. This information is usually published after a data breach and damages both users and businesses. The most valuable information published after a data breach consists of emails and their corresponding passwords.
For how many accounts do you use your email address and the same password? Think about it. By using automated scripts and bots, the fraudster is able to quickly scan through a multitude of account-based websites. They collect further information such as saved credit card numbers, social security numbers, etc. To see whether your email or phone number is a part of a data breach, check out haveibeenpwned.com.
Malware, or ''malicious software'', is software specifically designed to cause harm and damage in order to gain unauthorized access. By downloading content from sketchy sites, you are at risk of unknowingly installing malware to your device. That malware is able to track everything the user types. Now the fraudster just needs to be patient and wait for you to enter your credentials.
A man-in-the-middle attack is based on intercepting a message and altering it to the fraudster's advantage. By using malware, the fraudster is able to intercept, edit, and resend an altered message sent between the victim's device and the bank's server.
The consequences of an ATO fraud affect both businesses and customers. The fact that the fraudster used legitimate credentials in order to log in to an account makes it that much harder to detect whether it is an unauthorized person behind the username. The fraudsters are getting better and better at mimicking the ''usual'' user behaviour by carefully choosing the amount to be spent, time of login, time of order, and other details visible in the account history.
By the time the rightful owner of the account notices any strange activity, they are probably already locked out of their account because the fraudster rushed to change the vital account recovery details as soon as they gained control of the account. Even if victims manage to retrieve their accounts, their personal information is most probably already compromised.
When talking about businesses whose customers' are victims of an account takeover attack, we need to mention great financial and reputational losses. The financial loss is due to incoming chargeback costs accompanied by inventory costs. The data breach itself ruins the company's reputation with clients, while higher chargeback rates cause problems with issuers and card schemes. Customers lose trust in such businesses and tend to turn to the competition, which means that customer loyalty is also at stake. The overall reputation of the business suffers, and the options for damage-control are scarce when overturning such an unfortunate course of events.
A report from Sift on Digital Trust & Safety Index reveals how ATO fraud progressed and caused losses amounting up to $16.9 billion in 2019. The pandemic-ridden year boosted eCommerce, and users turned to shop online. The increased online presence meant prolific ground for fraudsters to operate on. The report states that ATO attacks surged by 282% between Q2 2019 and Q2 2020.
The impact on businesses is detrimental. Customers who are victims of an ATO attack describe their behaviour and next steps. 40% of users continued using the site but decided to change their credentials. 20% of users continued using the service and contacted the support team in order to solve the issue. Nearly one-third of surveyed customers stated that they abandoned the site where an attack took place and turned to a direct competitor. But losing 28% of your customers is not the only issue. If you consider the average customer's lifetime value and customer acquisition costs, the cost of an ATO attack grows even higher.
The research also reveals that the fraudsters are getting better and more efficient with their time. The period between Q2 2019 and Q2 2020 recorded thought-out waves of ATO fraud. This means that the fraudsters are now using automation and bots. This way they take over as many accounts as possible while burying security teams with alerts and stressed-out customers.
Static passwords proved to be insufficient regarding online payment security. In order to heighten the security measures, implementing MFA (multi-factor authentication) enables your customers to protect their accounts using authentication methods such as biometrics (fingerprint, face-scan). Even if the fraudster gets a hold of the cardholder's pin or password, multi-factor authentication involving biometrics makes it hard, if not impossible, for the perpetrator to fake a fingerprint scan in order to process a fraudulent payment. Strong Customer Authentication (SCA) enabled through 3D Secure 2 solves this issue and provides both security and convenience to the end-user.
The next line of defense is the continuous monitoring of account activity supported by machine learning. ATO fraud requires detection in the earliest stages of the fraud lifecycle. To detect any anomalies in user behaviour, monitoring is a necessity that needs to be present from the moment a user starts their banking session. By tracking customer behaviour and how they interact with the device , monitoring allows the detection of ''normal'' customer behaviour. If monitoring identifies that customer behaviour has certain anomalies and deviations in regard to the ''normal'' behaviour, this might indicate an ATO attack.
Another means of prevention is Dynamic Linking required by the latest PSD2 directive. Dynamic Linking is successful at preventing social engineering attacks because it links each transaction to its amount and its recipient. The authentication code generated for a particular transaction is generated based on the transaction amount, account number, and other predefined details about the transaction. This means that in case of altering any transaction data during the interception (e.g., man-in-the-middle attack), the authentication code will change as well, and the authorization would be unsuccessful.
Fraud prevention in real-time is essential. Determining if requesting a change of email, or phone number is a possible ATO attack is a challenge. The above-mentioned techniques, accompanied by real-time fraud detection, allow for a better risk assessment. It provides a higher level of security, protecting your business and your customers.