The Clearsale Blog

As Data Breaches Continue, Merchants Face More Account Takeover Fraud

The year 2019 may go down as one of the worst for data breaches and account takeover fraud (ATO). These two types of crime go hand in hand, because fraudsters rely on stolen credentials to hijack consumers’ banking and shopping accounts — and merchants are paying the price.

The numbers for data breaches and account takeovers are dire. Among the data breach victims since the beginning of August: 100 million Capital One credit applicants, 198 million DealerLeads car buyers and almost every person in Ecuador, population 17.3 million. Meanwhile, ATO fraud losses in 2018 were 164% higher than in 2017, when they cost U.S. merchants and banks $5.1 billion, and that trend is expected to continue.

More Stolen Data, More Ways To Break Into Accounts

With so much stolen data available on the dark web, fraudsters have many options for taking over existing consumer accounts. They can hijack any accounts for which user IDs and passwords are exposed, of course. They can also use those credentials — manually or with botnets — to try to gain entry to other shopping, banking and social media sites. This is often easier than it should be, because most people (recent surveys say between 59% and 64%) use the same password for all their online accounts.

If the stolen data includes usernames or email addresses but not passwords, brute-force password cracking tools can generate rapid-fire guesses until they get it right. A botnet can crack an 8-character password in just a few seconds, opening the associated account to hijacking. If the data breach doesn’t expose any account login credentials, that doesn’t mean breach victims are safe from account takeovers.

Many data breaches, including the Capital One and DealerLeads breaches, expose consumers’ phone numbers. Most of us don’t think of phone numbers as sensitive information, but the recent spate of SIM swap attacks means we need to look at phone security differently now. In this type of attack, like the one that hit Twitter founder Jack Dorsey, scammers who have a target’s phone number contact the wireless carrier they believe serves that number. If they guess right, they impersonate the customer and ask, or bribe, customer service to move the number to a SIM in a device the scammer controls.

Now the fraudster has the victim’s phone number linked to a device they own. That lets them break into the victim’s social media accounts, which may be linked to payment services and retail accounts. But SIM swaps also make it possible for fraudsters to hijack SMS two-factor authentication (2FA) messages and change passwords for email, banking and shopping accounts.

Exploiting 2FA this way allows criminals to take control over virtually every aspect of the victim’s digital life. The victims may find it difficult or impossible to recover their accounts. And because the accounts are associated with good customers, merchants may not realize they’ve been defrauded until the losses have piled up.

Protecting E-Commerce From ATO Fraud

ATO poses a complex challenge for e-commerce merchants: detecting the fraud without alienating good customers with false declines or making it too difficult for legitimate customers to make purchases. One tactic is to help your customers keep their accounts safe. To do this you can:

  • Require longer passwords for customer accounts, with a variety of character types, to make brute-force password cracking less likely.
  • Require a username that’s not the customer’s email address, to reduce successful credential-testing by criminals working with stolen data.
  • Offer two-factor authentication options besides (or instead of) SMS messaging, like authenticator app codes and codes sent via email. Like all security tactics that add friction during checkout, this requires close monitoring of your conversion rates and quick adjustment if they start to fall.
  • Send customer alerts whenever there’s a contact information or password change request on the account.

Another set of tactics involves adjusting your fraud prevention program to look for ATO warning signs. Screen orders for recent changes in the customer’s email address, phone number, shipping address and shopping behavior. For example, if a longtime customer who normally buys small housewares for delivery to Los Angeles suddenly switches up their contact information and orders a stack of high-value gift cards for delivery to New Jersey, that transaction needs further review.

Fraudsters often use the same shipping address for multiple hijacked accounts and set up fake email addresses on a single domain, so if you see patterns across customer accounts, it’s time to investigate all the affected accounts for possible fraud. You can also use mobile-specific screening measures to compare device, geolocation and behavioral biometric history to the current mobile order. This can help detect ATO fraud enabled by SIM swapping. To avoid rejecting orders from good customers, add or expand your manual review process rather than automatically canceling those transactions.
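The two screening tactics above, the per-order check for a recent contact change plus an unusual high-value gift card shipment, and the cross-account check for a shared shipping address or a shared throwaway email domain, as an added example written for this post (not ClearSale's own code). The field names, thresholds, allowlisted mail domains and sample orders are constructed assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

COMMON_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}  # assumed allowlist

@dataclass
class Order:
    account: str
    email: str
    ship_address: str
    usual_ship_address: str  # taken from the account's order history (assumed field)
    total: float
    gift_card_items: int
    days_since_contact_change: int | None  # None = no recent email/phone/address change

def order_signals(o: Order, recent_days: int = 7, gift_min: float = 250.0) -> list[str]:
    """Per-order ATO indicators: recent contact change, new destination, gift cards."""
    signals = []
    if o.days_since_contact_change is not None and o.days_since_contact_change <= recent_days:
        signals.append("recent contact-info change")
    if o.ship_address != o.usual_ship_address:
        signals.append("shipping address differs from history")
    if o.gift_card_items and o.total >= gift_min:
        signals.append("high-value gift card order")
    return signals

def cross_account_signals(orders: list[Order], min_accounts: int = 3) -> dict[str, list[str]]:
    """Accounts that share one shipping address or one uncommon e-mail domain."""
    by_addr, by_domain = defaultdict(set), defaultdict(set)
    for o in orders:
        by_addr[o.ship_address.lower()].add(o.account)
        domain = o.email.rsplit("@", 1)[-1].lower()
        if domain not in COMMON_MAIL_DOMAINS:  # a shared big-provider domain is not a signal
            by_domain[domain].add(o.account)
    flagged = defaultdict(list)
    for key, accts in list(by_addr.items()) + list(by_domain.items()):
        if len(accts) >= min_accounts:
            for a in accts:  # every account in the cluster goes to manual review
                flagged[a].append(f"shares '{key}' with {len(accts) - 1} other accounts")
    return dict(flagged)

SAMPLE_ORDERS = [  # constructed data: one normal order and one suspicious cluster
    Order("cust-100", "ana@gmail.com", "12 Elm St, Los Angeles CA", "12 Elm St, Los Angeles CA", 38.0, 0, None),
    Order("cust-101", "longtime@gmail.com", "9 Pine Rd, Newark NJ", "41 Oak Ave, Los Angeles CA", 1200.0, 6, 2),
    Order("cust-102", "a1@drop-mail.example", "9 Pine Rd, Newark NJ", "9 Pine Rd, Newark NJ", 300.0, 1, None),
    Order("cust-103", "a2@drop-mail.example", "9 Pine Rd, Newark NJ", "7 Maple St, Austin TX", 310.0, 1, 1),
    Order("cust-104", "a3@drop-mail.example", "9 Pine Rd, Newark NJ", "9 Pine Rd, Newark NJ", 45.0, 0, None),
]
```

Any account that returns signals from either function should be routed to manual review rather than cancelled outright, so a genuine customer who has simply moved is not declined.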

As long as there are digital security weaknesses that criminals can exploit to access consumers’ accounts, account takeover will be a concern. But by understanding the signs of potential ATO fraud, carefully screening orders and keeping reliable lines of communication open with your customers, you can protect your business from this growing threat.

Original article at: https://retailtouchpoints.com/general/as-data-breaches-continue-merchants-face-more-account-takeover-fraud
