The Clearsale Blog

As Data Breaches Continue, Merchants Face More Account Takeover Fraud

The year 2019 may go down as one of the worst for data breaches and account takeover fraud (ATO). These two types of crime go hand in hand, because fraudsters rely on stolen credentials to hijack consumers’ banking and shopping accounts — and merchants are paying the price.

The numbers for data breaches and account takeovers are dire. Among the data breach victims since the beginning of August: 100 million Capital One credit applicants, 198 million DealerLeads car buyers and almost every person in Ecuador, population 17.3 million. Meanwhile, ATO fraud losses in 2018 were 164% higher than in 2017, when they cost U.S. merchants and banks $5.1 billion, and that trend is expected to continue.

More Stolen Data, More Ways To Break Into Accounts

With so much stolen data available on the dark web, fraudsters have many options for taking over existing consumer accounts. They can hijack any accounts for which user IDs and passwords are exposed, of course. They can also use those credentials — manually or with botnets — to try to gain entry to other shopping, banking and social media sites. This is often easier than it should be, because most people (recent surveys say between 59% and 64%) use the same password for all their online accounts.

If the stolen data includes usernames or email addresses but not passwords, brute-force password cracking tools can generate rapid-fire guesses until they get it right. A botnet can crack an 8-character password in just a few seconds, opening the associated account to hijacking. If the data breach doesn’t expose any account login credentials, that doesn’t mean breach victims are safe from account takeovers.

Many data breaches, including the Capital One and DealerLeads breaches, expose consumers’ phone numbers. Most of us don’t think of phone numbers as sensitive information, but the recent spate of SIM swap attacks means we need to look at phone security differently now. In this type of attack, like the one that hit Twitter founder Jack Dorsey, scammers with a target’s phone number contact the wireless carrier they think is associated with the account. If they guess right, they can impersonate the customer and ask or bribe customer service to remotely move the customer’s number to a SIM in a new device.

Now the fraudster has the victim’s phone number linked to a device they own. That lets them break into the victim’s social media accounts, which may be linked to payment services and retail accounts. But SIM swaps also make it possible for fraudsters to hijack SMS two-factor authentication (2FA) messages and change passwords for email, banking and shopping accounts.

Exploiting 2FA this way allows criminals to take control over virtually every aspect of the victim’s digital life. The victims may find it difficult or impossible to recover their accounts. And because the accounts are associated with good customers, merchants may not realize they’ve been defrauded until the losses have piled up.

Protecting E-Commerce From ATO Fraud

ATO poses a complex challenge for e-Commerce merchants — detecting the fraud without alienating good customers with false declines or making it too difficult for legitimate customers to make purchases. One tactic is to help your customers keep their accounts safe. To do this you can:

  • Require longer passwords for customer accounts, with a variety of character types, to make brute-force password cracking less likely.
  • Require a username that’s not the customer’s email address, to reduce successful credential-testing by criminals working with stolen data.
  • Offer two-factor authentication options besides (or instead of) SMS messaging, like authenticator app codes and codes sent via email. Like all security tactics that add friction during checkout, this requires close monitoring of your conversion rates and quick adjustment if they start to fall.
  • Send customer alerts whenever there’s a contact information or password change request on the account.

Another set of tactics involves adjusting your fraud prevention program to look for ATO warning signs. Screen orders for recent changes in the customer’s email address, phone number, shipping address and shopping behavior. For example, if a longtime customer who normally buys small housewares for delivery to Los Angeles suddenly switches up their contact information and orders a stack of high-value gift cards for delivery to New Jersey, that transaction needs further review.

Fraudsters often use the same shipping address for multiple hijacked accounts and set up fake email addresses on a single domain, so if you see patterns across customer accounts, it’s time to investigate all the affected accounts for possible fraud. You can also use mobile-specific screening measures to compare device, geolocation and behavioral biometric history to the current mobile order. This can help detect ATO fraud enabled by SIM swapping. To avoid rejecting orders from good customers, add or expand your manual review process rather than automatically canceling those transactions.
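The screening signals described in the two paragraphs above can be combined into a simple review queue. The following is an added example, not code from the original article or from ClearSale; the order records are constructed, and the field names and thresholds (`RECENT_DAYS`, `HIGH_VALUE`, `CLUSTER_MIN`) are assumptions. Matching orders are routed to manual review rather than canceled.

```python
from collections import defaultdict

# Constructed sample orders; field names and thresholds are assumptions.
ORDERS = [
    {"id": "A1", "account": "u100", "email": "pat@example.com", "ship_to": "12 Oak St, Los Angeles, CA",
     "usual_ship_to": "12 Oak St, Los Angeles, CA", "contact_changed_days_ago": 400, "amount": 35.0},
    {"id": "A2", "account": "u200", "email": "lee@mailbox.test", "ship_to": "9 Dock Rd, Newark, NJ",
     "usual_ship_to": "4 Elm Ave, Los Angeles, CA", "contact_changed_days_ago": 1, "amount": 900.0},
    {"id": "A3", "account": "u300", "email": "sam@mailbox.test", "ship_to": "9 Dock Rd, Newark, NJ",
     "usual_ship_to": "77 Pine Ct, Austin, TX", "contact_changed_days_ago": 2, "amount": 750.0},
    {"id": "A4", "account": "u400", "email": "kim@mailbox.test", "ship_to": "9 dock rd,  newark, nj",
     "usual_ship_to": "3 Bay St, Miami, FL", "contact_changed_days_ago": 0, "amount": 600.0},
    {"id": "A5", "account": "u500", "email": "ana@example.org", "ship_to": "8 Hill Rd, Denver, CO",
     "usual_ship_to": "1 Lake Dr, Denver, CO", "contact_changed_days_ago": 200, "amount": 40.0},
]
RECENT_DAYS, HIGH_VALUE, CLUSTER_MIN = 7, 500.0, 3  # assumed thresholds

def norm(addr):
    """Normalize case and whitespace so trivially varied addresses match."""
    return " ".join(addr.lower().split())

def domain(email):
    return email.rsplit("@", 1)[-1].lower()

def screen(orders):
    """Return {order id: [reasons]} for orders that should go to manual review."""
    by_addr, by_domain = defaultdict(set), defaultdict(set)
    for o in orders:
        by_addr[norm(o["ship_to"])].add(o["account"])
        # Count email domains only on accounts whose contact details changed recently
        if o["contact_changed_days_ago"] <= RECENT_DAYS:
            by_domain[domain(o["email"])].add(o["account"])
    flagged = {}
    for o in orders:
        reasons = []
        recent = o["contact_changed_days_ago"] <= RECENT_DAYS
        moved = norm(o["ship_to"]) != norm(o["usual_ship_to"])
        if recent and moved and o["amount"] >= HIGH_VALUE:
            reasons.append("recent contact change + new address + high value")
        if len(by_addr[norm(o["ship_to"])]) >= CLUSTER_MIN:
            reasons.append("shipping address shared across accounts")
        if recent and len(by_domain[domain(o["email"])]) >= CLUSTER_MIN:
            reasons.append("email domain shared by recently changed accounts")
        if reasons:
            flagged[o["id"]] = reasons
    return flagged

if __name__ == "__main__":
    for oid, why in screen(ORDERS).items():
        print(oid, "-> manual review:", "; ".join(why))
```

Thresholds like these need tuning against your own order history, since a popular email provider or a shared office address will otherwise trip the cluster rules.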

As long as there are digital security weaknesses that criminals can exploit to access consumers’ accounts, account takeover will be a concern. But by understanding the signs of potential ATO fraud, carefully screening orders and keeping reliable lines of communication open with your customers, you can protect your business from this growing threat.

Original article at: https://retailtouchpoints.com/general/as-data-breaches-continue-merchants-face-more-account-takeover-fraud
