Just a few years ago, retailers who could prevent CNP fraud at checkout were ahead of the game. But the game changes fast, and today’s fraudsters are able to perpetrate highly sophisticated attacks that require equally sophisticated tools to detect them.
Among the most devious types of fraud Riskified sees today are Account Takeover (ATO) attacks, which in 2016 led to $2.3 billion in losses – well over a third of the total fraud losses that year. In addition to being hard to detect, ATOs can have enormous consequences beyond chargebacks and stolen goods: Customers often leave their credit card details saved in their store accounts, trusting merchants to guard them. And in the event of a successful ATO, merchants are left to deal with the fallout of having personally identifiable information–PII– stolen, which reflects very poorly on the brand.
So how can merchants identify these fraud attempts and stop ATO attacks from negatively impacting their customers and reputation?
What exactly is an ATO – and how does it happen?
Whenever a bad actor gains access to another party’s legitimate account, this is called an ATO.
These occur most commonly as a result of data breaches – cyber criminals hacking into information systems and stealing data. But stolen credential data tends to be incomplete and unorganized, so these criminals use bots to sift through the loot. A bot is a simple software application that automates a task. Hackers use bots to ‘credential phish’ – test logins and passwords automatically at an extremely high speed until they successfully login, thereby validating the credentials they’ve stolen. Compounding the damage of the breach is people’s tendency to use the same login information across multiple platforms: a verified set of credentials could be used to access several accounts.
Once hackers have a bundle of verified credentials, they can either use them themselves or sell them on the darkweb. The surprising affordability of this data on the open market is an unnerving testament to its abundance, as well as the efficiency of credential phishing: logins to Paypal accounts with a balance of $500 cost only $6.43, and Uber account logins cost under four dollars.
A fraudster with login credentials has countless ways to perpetrate an attack. One tactic that gets a lot of press is the ransom attack, in which fraudsters access individual’s or company’s data and threaten to either destroy it or make it public, unless the victim pays.
But ransom attacks are less common in eCommerce. When fraudsters target a retailer they’re more likely to just attempt to order goods from your store with stolen credit card details or with the legitimate account owners’ loyalty points.
The ideal cases for the fraudster are
1) that they’ve obtained credit card details of the same person who owns the account, or the customer saved their credit card details on the site.
2) there is already some kind of credit in the account they can use to shop, for instance frequent flyer miles or a cash rewards account (this MO is known as loyalty fraud).
But most of the time fraudsters aren’t lucky enough to have these options, and they’re likely to just use a card belonging to someone other than the account owner, hoping that the legitimate credentials will be enough for the merchant to approve the order; it’s so crucial to merchants to provide loyal customers with a smooth shopping experience that they’ll be very reluctant to request verification from a customer they have history with.
If a fraudster is trying to steal physical goods, she might change the shipping address on file. More savvy fraudsters go for digital goods like gift cards, since they know they can steal them without raising any red flags: it’s a pretty legitimate shopping pattern to have a gift card sent to an email other than the one on file (ostensibly, as a gift).
All of these MOs, unfortunately, tend to be pretty effective. Traditional fraud detection systems simply aren’t equipped to detect bad actors logging in to good customer’s accounts, sometimes from the customer’s own device. Protecting goods and PII from these type of attacks requires changing the way you think about CNP fraud.
First steps to detect and prevent ATO attacks
First, it’s important to realize that catching an ATO attack at checkout is not ideal as the rightful owner of the account will still need to be alerted of the breach so that they change their login credentials. The fallout of having personal information compromised could be devastating to a customer, and you can be sure they’ll think twice about shopping with the retailer next time.
That said, catching the fraudster and declining the order is still better than paying a chargeback. To catch an ATO attack at checkout, retailers’ fraud detection system must be able to detect changes in user behavior, such as shoppers logging in from a different geographic location than usual (as identified by IP) and identifying potentially fraudulent browsing patterns.
Far better for both the retailer and consumer is to prevent fraudsters from logging in to the customer’s account in the first place. This not only prevents chargebacks, this will protect their brand reputation and their customers’ private information.
The most critical part of catching bad actors at the point of login is processing data and making decisions in real-time; legitimate shoppers won’t tolerate more than a second or two of wait time when they try to log in to an eCommerce site. In other words, manually reviewing data is not a viable option.
And what data should you be reviewing at this point? Just like you would at the point of sale, your fraud solution should look at the geographic IP address and device the browser is using, and compare these to historical data about the customer in real time. Of course, mismatches here shouldn’t automatically lead to blocking the customer; they could have gotten a new phone or are traveling, but in conjunction with other data points (like how many attempts it takes to get the password right) they could be a red flag.
A vital job for your review system at the point of login is bot detection. If you’re able to identify that the user is a bot, based on parameters like keystroke velocity and mobile device orientation sensors, it becomes far more likely that this login is either an ATO attempt or credential phishing. While identifying human fraudsters in possession of real credentials is vital, it’s only one part of the equation. Equally important is cutting off phishing attacks at the source, so credentials are never compromised in the first place.
Though it’s no small task, detecting bots and bad actors is only half the battle: then you have to decide how to act. Determining which attempts to block, which to allow, and which to verify, is a careful balancing act. Ideally only a narrow range of ‘grey’ login attempts should be asked to authenticate their identity; so that most good customers gain access without any additional friction, while login attempts you’re certain are bots or fraudsters are blocked instantly.
Building a system to deal with a range of risk scenarios, and different types of identity-verifying measures (texts, captcha, emails, email-based login alerts, security questions and so on) is a complex task. For more information about creating a verification policy, as well as more in-depth insights about these attacks, get a free copy of Riskified’s guide to detecting and preventing ATOs.