Data breaches now occur at such an alarming rate that not a week goes by without news breaking about the exposure of even more sensitive consumer details. Nearly 13.5 billion records have been lost or stolen since 2013, and the amount of compromised personally identifiable information (PII) increased 72% between the first half of 2017 and the first half of 2018 alone.
These breaches can have serious ramifications for retailers because criminals use stolen PII to hack into pre-existing e-commerce accounts and take additional financial details or loyalty points — a type of fraud known as account takeover (ATO), which has increased 31% year-over-year. The spike in ATOs is partially because access to an online account often has more value than a stolen credit card. For instance, many people reuse account information across websites, so a single stolen password can give fraudsters authentic-looking access to an entire online identity.
ATO methods are constantly changing as e-commerce merchants catch on to popular scams and devious fraudsters develop new approaches. To claim the upper hand in this vicious cycle, online retailers first need to know who ATO criminals are before they can figure out how to protect their customers and bottom lines from this growing avenue of attack.
What does an e-commerce fraudster actually look like, and how can they be caught?
Criminals are practical people running a business to generate revenue, so — similar to legitimate business people — they’re hyper-focused on ROI. That’s why in most cases, an ATO fraudster will attempt an attack, capitalize on it and repeat it if it was successful. In fact, Forter’s recent ATO whitepaper found that more than 80% of account takeovers are carried out by less than 10% of fraudsters targeting the site. That means that a relatively small group (compared to the number of people that attack a site overall) is responsible for the overwhelming majority of ATOs.
This is the case because fraudsters specialize at finding and exploiting certain vulnerabilities. For instance, fraudsters will often hack into existing and trusted accounts and go on to steal PII or use attached payment methods. Merchants should be able to flag an account takeover as soon as it happens, instead of only at the point of transaction. This is a serious problem because retailers that add rewards programs without the proper safeguards, often face the unintended consequence of attracting more criminals, with Forter seeing an increased risk of ATO by as much as 200%.
This tenacity means that criminals are always looking for loopholes that avoid the security systems in place. One way to do this is to use passwords stolen in data breaches to log into legitimate online accounts and fool antiquated fraud prevention systems, including manual reviewers, into thinking all is well.
A good example of a more advanced method is the uptick in instances of illegal number porting that T-Mobile recently reported. Number porting occurs when a fraudster has a victim’s number moved temporarily to a device they control so that they receive the SMS verification code sent by a merchant. The criminal, of course, can then use the information in the text to access the account, often undetected.
Fraudsters who focus on ATO attacks know how to be efficient by launching attacks at scale. Entering stolen account information can be done quickly and effectively by programming automated bots to do the dirty work, and trawling for information to outwit security questions is easy when searching for keywords on social networks. Forter found that bots are capable of performing upwards of 100 attacks per second, making it easier and faster for fraudsters to commit nearly limitless account takeover. Similarly, the success of scams like number porting can be leveraged across multiple accounts that belong to the same genuine user, completing multiple crimes in one fell swoop.
Protection against ATOs must also operate at any scale, or online retailers won’t be able to stop specialized, sneaky criminals from successfully committing fraud.
They’re Team Players
Fraudsters are often pictured as lone wolves executing nefarious activities alone from the safety of their basements, but 20-30% of ATOs are actually conducted by fraud rings. This is because there are so many ways online accounts can be exploited that ATO is particularly likely to be perpetrated by groups of criminals working together. Individuals that are part of a fraud ring can maximize the number of hits they attempt, share vulnerabilities they’ve found, or divide jobs among themselves to utilize different kinds of expertise. One member of the ring might specialize in acquiring data, another in automation, and yet another in social engineering research.
Fraud prevention systems must be extremely sensitive to connections between users in order to spot these fraud rings at work and shut them down — even when those concerned are doing their best to conceal their real devices, locations and intentions.
E-commerce merchants must protect their business and their customers from exploitation by criminals who specialize in niche ATO fraud methods. These fraudsters are becoming more sophisticated by the day, use automation to efficiently attack online retailers at scale, and work in teams. The key to identifying them, is knowing how good customers behave during every touch point they have with an online platform instead of just during the checkout process.
Knowing thy fraudster isn’t easy, and knowing thy customer has perplexed retailers for centuries, but both are essential for e-commerce companies looking to succeed in our increasingly digital world.