PaymentsJournal
No Result
View All Result
SIGN UP
  • Commercial
  • Credit
  • Debit
  • Digital Assets & Crypto
  • Digital Banking
  • Emerging Payments
  • Fraud & Security
  • Merchant
  • Prepaid
PaymentsJournal
  • Commercial
  • Credit
  • Debit
  • Digital Assets & Crypto
  • Digital Banking
  • Emerging Payments
  • Fraud & Security
  • Merchant
  • Prepaid
No Result
View All Result
PaymentsJournal
No Result
View All Result

Merchants Are Unprepared to Tackle the Threat of ATOs

By Assaf Feldman
July 2, 2020
in Featured Content, Fraud & Security, Industry Opinions, Merchant, Security
0
0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn
Merchants Are Unprepared to Tackle the Threat of ATOs

Account Takeovers attacks (ATOs) are a problem. My company, Riskified, recently commissioned a survey of about 4,000 customers and 425 merchants and found that 66% of merchants and 69% customers are concerned about their accounts getting hacked. But we also found that a surprisingly large percentage of merchants are completely unprepared to tackle ATOs, with 27% of all merchants reporting that they don’t have measures in place to prevent them.  

Account takeovers occur when a fraudster gains access to a legitimate customer’s account, often through stolen login information gained by phishing or a data breach. Once accessed, the fraudster can pose as a legitimate customer, making it harder for merchants to recognize the fraud, and helping fraudsters make off with stolen goods. It’s proven to be a successful tactic – 35% of merchants surveyed reported that at least 10% of their accounts have been taken over in the last year.

So what losses do merchants sustain as a result from an ATO? The obvious answer is chargebacks. Fraudsters love ATOs, and merchants vulnerable to ATOs will eventually have a chargeback problem on their hands. But that’s not all.

Damaging merchants’ brand and future business

To understand the full extent of an ATO’s impact, we must look at what happens to account holders after an attack or, more precisely, what doesn’t happen. Our survey found that of the customers who have been victims of an ATO, only 7.5% say they were contacted about the ATO by the merchant. The other 92.5% learned about it from their credit card company (36.3%), received an order confirmation (26.3%), saw the unauthorized purchase on their account (16.9%) or had their account details or password changed (13.1%).

That’s a terrible customer experience and a huge blow to a merchant’s brand reputation. It’s little wonder that 65% of customers say that they would stop buying from a merchant if their account was compromised. Our survey also found that 54% of customers would delete their account, 34% would go to a competitor, and 33% would tell their friends to stop shopping with the merchant. The revenue losses resulting from an ATO aren’t limited to chargebacks. They include further potential business from a merchant’s account holders and the referrals they could bring.

It’s even more important for merchants to have robust ATO prevention when you consider how much business merchants get from account holders. Sixty-four percent of merchants we surveyed say that at least half of their orders come from account holders, and those account holders spend more (according to 58% of merchants) and shop more frequently (according to 61% of merchants) than guest-checkout users.

Switching to an end-to-end approach

ATOs are hard to prevent effectively because the point at which the fraud occurs gives merchants little data to review. Merchants are working with a login and a password – and not the items purchased and billing and shipping details, for example – so it’s a tough decision based on limited information. Merchants can start by taking into account as much information as possible, such as device and network details, proxy usage, previous logins. They should use all the data points that can help determine in real time if the person accessing the account is the legitimate account holder.

But what’s more important is that merchants understand ATOs from the fraudster’s point of view. For them, the ATO isn’t the goal – stealing customer data or successfully placing an order is. With that in mind, merchants should view ATOs as longer-term events rather than isolated account actions and take steps based on the larger picture, the risk level and customer expectations. With an end-to-end approach, merchants can maximize revenue and minimize customer frustration by viewing account security as a continuum.

If, for example, a customer logs in from a new country and new IP using a unique device, they’re likely to be declined at checkout. That’s a bad customer experience, and it’s far better for the merchant to employ multi-factor authentication at login to verify the customer and approve the purchase rather than decline it at checkout.

But that type of hard verification isn’t always necessary. For account events that fall in a grey area, merchants can wait to see what happens next. If the cart from the initially suspicious login reaches checkout with an order typical of the account holder’s purchase history and shipping to a known address, then merchants can likely safely approve the order and recognize the unfamiliar device for the future.

On the other hand, if a merchant views an account activity as safe, but that’s followed by unusual shopping activity and a high-value cart, the merchant can ask the shopper to verify their identity, potentially preventing a chargeback and the ensuing damage. Viewing transactions from start to finish is invaluable in increasing accuracy.

That’s why it’s also important for merchants to ensure the teams managing the different parts of the shopping journey are communicating and coordinated. This end-to-end approach to tackling ATOs doesn’t just decrease risk for merchants, but results in a better customer experience that helps merchants increase revenue.

0
SHARES
0
VIEWS
Share on FacebookShare on TwitterShare on LinkedIn
Tags: Account Take OverATOBrand ReputationChargebackCybersecurityFraudFraud PreventionIndustry OpinionsMerchantsSecurity

    Get the Latest News and Insights Delivered Daily

    Subscribe to the PaymentsJournal Newsletter for exclusive insight and data from Javelin Strategy & Research analysts and industry professionals.

    Must Reads

    push notification bank

    From Bland to Beneficial: Using Push Notifications to Reach Business Customers

    May 16, 2025
    recurring payments, PCI Compliance for small business, Fintech for Underserved Small Businesses

    Tariffs May Create an Opportunity in Small-Business Cards

    May 15, 2025
    Using the Card “Beyond” Payments to find the Holy Grail

    Using the Card “Beyond” Payments to find the Holy Grail

    May 14, 2025
    Payments Modernization

    Playing Offense and Defense: Why Now Is the Time for Payments Modernization

    May 13, 2025
    Authorization Rates

    Boosting Revenue for Merchants by Optimizing Authorization Rates

    May 12, 2025
    Why Payment Orchestration is the key to international merchant growth

    Ensuring Payment Decisions Pay for Themselves

    May 9, 2025
    cross-border

    As Businesses Reevaluate Cross-Border Relationships, Financial Institutions Can Help

    May 8, 2025
    Nacha WEB Debit Account Validation Rule Verification Solution, Quovo ACH Payment

    The Brave New Future of the Disappearing Account

    May 7, 2025

    Linkedin-in X-twitter
    • Commercial
    • Credit
    • Debit
    • Digital Assets & Crypto
    • Digital Banking
    • Commercial
    • Credit
    • Debit
    • Digital Assets & Crypto
    • Digital Banking
    • Emerging Payments
    • Fraud & Security
    • Merchant
    • Prepaid
    • Emerging Payments
    • Fraud & Security
    • Merchant
    • Prepaid
    • About Us
    • Advertise With Us
    • Sign Up for Our Newsletter
    • About Us
    • Advertise With Us
    • Sign Up for Our Newsletter

    ©2024 PaymentsJournal.com |  Terms of Use | Privacy Policy

    • Commercial Payments
    • Credit
    • Debit
    • Digital Assets & Crypto
    • Emerging Payments
    • Fraud & Security
    • Merchant
    • Prepaid
    No Result
    View All Result